User locked out of Microsoft account by MFA bug, complains of customer-hostile support

The Register, October 13, 2021
Interview Konstantin Gizdov, an IT professional, was locked out of his Microsoft account by a bug in the company’s Multi-Factor Authentication (MFA), but says support refused to acknowledge the bug or recover his account.
Gizdov is founder of KGE Consultancy Ltd in Edinburgh and an Arch Linux Trusted User.
His problems began when he received an email informing him that his Microsoft account had been renamed. “I immediately clicked on the ‘That was not me’ button,” he said in a post, after which he managed to contact support.
He already had two-factor authentication on his Microsoft account. He still does not know why he received this email: the support person implausibly attributed it to someone else’s sign-in mistake, and could not see any sign of compromise.
A Microsoft account is distinct from a Microsoft 365 account, and although it is mainly aimed at consumers it is hard to avoid, for logging onto a new Windows PC or obtaining apps from the Microsoft Store. “This specific Microsoft account is very important to me personally and professionally,” Gizdov tells The Reg.
“Not only that, but Microsoft by policy require a personal account in order to be able to back up MFA and sync between devices.”
If he lost access, “I’d have lost all my stuff and [it would have had] great impact on my starting business,” he says.
Assets protected by a Microsoft account can include OneDrive files, Outlook.com or Hotmail email accounts, and even the Bitlocker key for an encrypted hard drive.
Gizdov decided to tighten the security on the account, by removing the option to sign in using his phone number, which Microsoft added automatically when he was forcibly migrated to use the Microsoft Authenticator app. He says he did not remove the phone number, merely the option to use it as a sign-in alias.
At that point, things went downhill fast. The page went blank and said “the URL is no longer available.” Further, says Gizdov, “in under 30 seconds, all my devices were automatically logged out.”
He drew on his extensive experience with Microsoft’s systems to fix the issue. Nothing worked. He could not log in; he could not reset the password; he got misleading errors like “we could not find an account with that username.”
In the end he diagnosed the problem as “the account login still thinks that MFA should happen. However it cannot. I’ve been locked out of the account for good.”
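The state Gizdov describes, an account that still demands an MFA step it has no way to complete, is a classic dangling-reference failure in credential management. The following added example is a hypothetical model written for this article, not Microsoft's code, and assumes nothing about how Microsoft accounts are actually implemented. It shows how a naive "remove sign-in alias" operation can strand the MFA policy, and the invariant check a defender would put in front of any change to an account's sign-in methods: never commit a change that leaves the account unable to sign in.

```python
# Hypothetical model of an account's sign-in methods (constructed for this
# example; not Microsoft's implementation). A Method can serve as a sign-in
# alias (first factor), as an MFA verifier (second factor), or both. The
# account's mfa_method names which method answers the MFA challenge.
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Method:
    kind: str        # e.g. "password", "phone", "authenticator"
    alias: bool      # usable as the username / first factor
    verifier: bool   # usable to complete the MFA challenge


@dataclass(frozen=True)
class Account:
    methods: Tuple[Method, ...]
    mfa_method: Optional[str]   # kind of the verifying method; None = MFA off


def mfa_verifier(acct: Account) -> Optional[Method]:
    """Resolve the MFA pointer to a method that can actually verify."""
    return next(
        (m for m in acct.methods if m.kind == acct.mfa_method and m.verifier),
        None,
    )


def can_sign_in(acct: Account) -> bool:
    """Login needs at least one alias and a satisfiable MFA step."""
    has_alias = any(m.alias for m in acct.methods)
    mfa_ok = acct.mfa_method is None or mfa_verifier(acct) is not None
    return has_alias and mfa_ok


def remove_alias_buggy(acct: Account, kind: str) -> Account:
    """Naive handling: 'remove the alias' drops the whole method and leaves
    mfa_method pointing at something that no longer exists. The account
    still thinks MFA should happen, but nothing can complete it."""
    return replace(acct, methods=tuple(m for m in acct.methods if m.kind != kind))


def remove_alias_safe(acct: Account, kind: str, drop_method: bool = False) -> Account:
    """Defensive handling: clear only the alias flag by default; if the whole
    method is dropped, re-point MFA at another verifier or refuse. Every
    outcome is checked against can_sign_in() before it is returned."""
    if drop_method:
        new_methods = tuple(m for m in acct.methods if m.kind != kind)
        mfa = acct.mfa_method
        if mfa == kind:
            fallback = next((m.kind for m in new_methods if m.verifier), None)
            if fallback is None:
                raise ValueError(f"refusing to drop {kind!r}: no MFA verifier would remain")
            mfa = fallback
        candidate = Account(methods=new_methods, mfa_method=mfa)
    else:
        new_methods = tuple(
            replace(m, alias=False) if m.kind == kind else m for m in acct.methods
        )
        candidate = replace(acct, methods=new_methods)

    if not can_sign_in(candidate):
        raise ValueError(f"refusing change to {kind!r}: account would be locked out")
    return candidate


def demo_account() -> Account:
    """Constructed sample: password alias, phone usable as alias and verifier,
    authenticator app usable as verifier only, MFA currently via phone."""
    return Account(
        methods=(
            Method("password", alias=True, verifier=False),
            Method("phone", alias=True, verifier=True),
            Method("authenticator", alias=False, verifier=True),
        ),
        mfa_method="phone",
    )


if __name__ == "__main__":
    acct = demo_account()
    print("before:", can_sign_in(acct))                              # True
    print("buggy removal:", can_sign_in(remove_alias_buggy(acct, "phone")))  # False
    print("safe removal:", can_sign_in(remove_alias_safe(acct, "phone")))    # True
```

The point of the model is the final `can_sign_in(candidate)` gate: a change to sign-in methods is a transaction, and the service should validate the resulting state before committing it, rather than discovering at the next login that the MFA policy references a method that is gone.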
Time to contact support, for which he had to open a…