This morning I started setting up two-factor authentication for my Microsoft account. They support the Google Authenticator application on Android; however, I stumbled on a major design flaw.
If you registered your Microsoft account with a Google Account email address, then when you scan Microsoft's QR code the default name of the new entry is that email address, and it overwrites your existing Google entry without warning.
So both Google and Microsoft save the two-factor code with the name [email protected] in my case, which results in the first one being overwritten by the second. When I realised what had happened, I was quick to fix the Google one while I was still logged in. Then I decided to manually enter the Microsoft one with a different name to work around it, but still…
Google's Authenticator application should warn the user that an existing code is about to be overwritten by the scanned QR code.
You can't visually read what is in a QR code, so most users won't realise that if its account name matches an entry you already have, the new entry replaces the old one without warning. Currently I have seven codes on my Authenticator but as more websites implement two-factor authentication this is going to be an issue more often. The application really should warn users, or offer to rename the new entry, rather than silently overwrite the old one.
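To make the collision concrete, here is an added example (not code from the post or from Google Authenticator) that parses the `otpauth://` key URI a QR code carries, derives the display name the way the post describes (bare account name when no issuer is given), and contrasts a store that silently overwrites on a name collision with one that refuses and lets the user pick another name. The two QR payloads, the `NaiveStore`/`SafeStore` classes and `default_name` are constructed for illustration; the TOTP routine follows RFC 6238 and is checked against its published test vector.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth:// key URI, the payload encoded in authenticator QR codes.

    Form: otpauth://TYPE/LABEL?secret=BASE32[&issuer=...&digits=...&period=...]
    LABEL is either "Issuer:account" or just "account".
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not a totp/hotp otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    issuer_prefix, account = None, label
    if ":" in label:
        issuer_prefix, account = (s.strip() for s in label.split(":", 1))
    return {
        "type": parsed.netloc,
        "label": label,
        "account": account,
        "issuer": params.get("issuer", issuer_prefix),
        "secret": params["secret"].replace(" ", "").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret; `at` is a Unix timestamp."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // period)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def default_name(entry):
    """Display name an app might derive: issuer-qualified only when an issuer is known."""
    if entry["issuer"]:
        return f"{entry['issuer']} ({entry['account']})"
    return entry["account"]


class NaiveStore:
    """Keys entries by display name; a second scan with the same name silently overwrites."""

    def __init__(self):
        self.entries = {}

    def add(self, entry, name=None):
        self.entries[name or default_name(entry)] = entry


class EntryExists(Exception):
    pass


class SafeStore:
    """Same keying, but a collision is reported so the user can rename instead of losing a secret."""

    def __init__(self):
        self.entries = {}

    def add(self, entry, name=None, replace=False):
        name = name or default_name(entry)
        if name in self.entries and not replace:
            raise EntryExists(f"'{name}' already exists; choose another name or pass replace=True")
        self.entries[name] = entry
        return name


def codes(store, at=None):
    """Current code for every entry in a store, keyed by display name."""
    return {name: totp(e["secret"], at, e["digits"], e["period"]) for name, e in store.entries.items()}


# Constructed sample QR payloads for the scenario in the post: both services label
# the entry with the bare account e-mail and neither sets an issuer parameter.
GOOGLE_QR = "otpauth://totp/alice%40gmail.com?secret=JBSWY3DPEHPK3PXP"
MICROSOFT_QR = "otpauth://totp/alice%40gmail.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demonstrate():
    google, microsoft = parse_otpauth(GOOGLE_QR), parse_otpauth(MICROSOFT_QR)

    naive = NaiveStore()
    naive.add(google)
    naive.add(microsoft)  # same default name: Google's secret is gone without a word

    safe = SafeStore()
    safe.add(google)
    try:
        safe.add(microsoft)  # same default name: refused
        collided = False
    except EntryExists:
        collided = True
        safe.add(microsoft, name="Microsoft (alice@gmail.com)")

    return {
        "naive_count": len(naive.entries),
        "naive_surviving_secret": naive.entries["alice@gmail.com"]["secret"],
        "safe_collision_detected": collided,
        "safe_names": sorted(safe.entries),
    }
```

The parser is enough to show why the user cannot see the collision coming: the only thing distinguishing the two QR codes is the `secret` parameter, which is never displayed. When a service does set `issuer` (or an `Issuer:account` label), `default_name` already produces a distinct name, so the safe store's check matters most for providers that, as in the post, label the entry with nothing but the email address.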
At least now I know, but such things tend to give me a scare, as the idea of losing access to my Google account sends shivers down my spine. There was no real risk as I have backup codes and backup telephone numbers, but it's still unsettling.