Interview

Konstantin Gizdov, an IT professional, was locked out of his Microsoft account by a bug in the company's Multi-Factor Authentication (MFA), but says support refused to acknowledge the bug or recover his account.
Gizdov is founder of KGE Consultancy Ltd in Edinburgh and an Arch Linux Trusted User.
His problems began when he received an email informing him that his Microsoft account had been renamed. "I immediately clicked on the 'That was not me' button," he said in a post, after which he managed to contact support.
He already had two-factor authentication on his Microsoft account. He still does not know why he received this email; the support person implausibly put it down to someone else's sign-in mistake, and he could find no sign that the account had been compromised.
A Microsoft account is distinct from a Microsoft 365 account, and although it is mainly aimed at consumers it is hard to avoid: it is needed to log on to a new Windows PC or to obtain apps from the Microsoft Store. "This specific Microsoft account is very important to me personally and professionally," Gizdov tells The Reg.
"Not only that, but Microsoft by policy require a personal account in order to be able to back up MFA and sync between devices."
If he lost access, "I'd have lost all my stuff and [it would have had] great impact on my starting business," he says.
Assets protected by a Microsoft account can include OneDrive files, Outlook.com or Hotmail email accounts, and even the Bitlocker key for an encrypted hard drive.
Gizdov decided to tighten the security on the account by removing the option to sign in using his phone number, which Microsoft had added automatically when it migrated him to the Microsoft Authenticator app. He says he did not remove the phone number itself, merely the option to use it as a sign-in alias.
At that point, things went downhill fast. The page went blank and said "the URL is no longer available." Further, says Gizdov, "in under 30 seconds, all my devices were automatically logged out."
He drew on his extensive experience with Microsoft's systems to try to fix the issue. Nothing worked. He could not log in; he could not reset the password; he got misleading errors like "we could not find an account with that username."
In the end he diagnosed the problem as "the account login still thinks that MFA should happen. However it cannot. I've been locked out of the account for good."
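Gizdov's diagnosis describes a state an identity service should never be able to enter: MFA still required, yet no factor able to run. The model below is an added illustration, not Microsoft's code and not a description of what actually regressed, of the guard such a service can put in front of any change to sign-in aliases or MFA methods: apply the change to a copy, confirm the holder could still complete a sign-in, and only then commit. The account layout, the method names, the sample phone number and the `resolve_via_aliases` rule (standing in for the class of bug where MFA delivery is looked up through the sign-in alias rather than the attached contact) are all assumptions made for this example.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Account:
    aliases: Set[str]                      # identifiers accepted at the username prompt
    contacts: Set[str]                     # phone numbers / emails attached to the account
    mfa_methods: Dict[str, Optional[str]]  # method -> contact it delivers to (None = app-based)
    mfa_required: bool = True


class WouldLockOut(Exception):
    """The requested change would leave no way to complete a sign-in."""


# How an MFA method is resolved to a delivery target. resolve_via_contacts is the
# sensible rule; resolve_via_aliases is a constructed stand-in for a regression in
# which delivery is looked up through the sign-in alias, so dropping the alias
# silently breaks the factor. Neither is a description of Microsoft's real code.
Resolver = Callable[[Account, Optional[str]], bool]


def resolve_via_contacts(acct: Account, needs: Optional[str]) -> bool:
    return needs is None or needs in acct.contacts


def resolve_via_aliases(acct: Account, needs: Optional[str]) -> bool:
    return needs is None or needs in acct.aliases


def usable_mfa_methods(acct: Account, resolver: Resolver) -> Set[str]:
    return {m for m, needs in acct.mfa_methods.items() if resolver(acct, needs)}


def can_sign_in(acct: Account, resolver: Resolver) -> bool:
    """True if the holder can pass the username prompt and, if required, MFA."""
    if not acct.aliases:
        return False
    return not acct.mfa_required or bool(usable_mfa_methods(acct, resolver))


def apply_change(acct: Account, change: Callable[[Account], None],
                 resolver: Resolver) -> Account:
    """Apply `change` to a copy; commit only if the account stays signable-in.
    The check runs on the resulting state, so it also refuses changes whose
    breakage comes from a bug elsewhere (such as a bad resolver)."""
    candidate = deepcopy(acct)
    change(candidate)
    if not can_sign_in(candidate, resolver):
        raise WouldLockOut("refused: no usable sign-in path would remain")
    return candidate


def remove_alias(alias: str) -> Callable[[Account], None]:
    """Stop accepting `alias` as a username but keep it as an attached contact."""
    def _change(a: Account) -> None:
        a.aliases.discard(alias)
    return _change


def remove_method(method: str) -> Callable[[Account], None]:
    def _change(a: Account) -> None:
        a.mfa_methods.pop(method, None)
    return _change


def sample_account() -> Account:
    """Constructed account in the shape the article describes: an email alias plus
    a phone number added as both a sign-in alias and the SMS MFA target."""
    phone = "+441310000000"  # made-up number for the example
    return Account(
        aliases={"user@example.com", phone},
        contacts={"user@example.com", phone},
        mfa_methods={"sms": phone},
    )


def demo() -> Dict[str, bool]:
    phone = "+441310000000"
    results: Dict[str, bool] = {}
    # Correct resolver: dropping the phone *alias* is harmless, SMS still delivers.
    after = apply_change(sample_account(), remove_alias(phone), resolve_via_contacts)
    results["alias_removed_ok"] = can_sign_in(after, resolve_via_contacts)
    # Regressed resolver: same request, but the guard refuses instead of locking out.
    try:
        apply_change(sample_account(), remove_alias(phone), resolve_via_aliases)
        results["regression_refused"] = False
    except WouldLockOut:
        results["regression_refused"] = True
    # Removing the only factor while MFA is required is refused under any resolver.
    try:
        apply_change(sample_account(), remove_method("sms"), resolve_via_contacts)
        results["last_factor_refused"] = False
    except WouldLockOut:
        results["last_factor_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of checking the post-change state rather than the change itself is that the user's request (drop the phone as a username, keep it as a contact) is legitimate, and a correct system lets it through; the guard only bites when some other defect would turn that request into a lockout, at which point a refused request is far better than an account that cannot be signed in to.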
Time to contact support, for which he had to open a new Microsoft account. He says he spent "literally hours in the online chat" and was finally asked to submit an account recovery form. He did so, supplied all sorts of personal information, but "the automated recovery program" rejected all his efforts.
He contacted support again, was given a new account reinstatement form, but that did not work because… the account was not suspended.
Gizdov got in touch with a human support person (itself an achievement) and was told: "We have no reports of issues on our platform. There are no bugs. Please login with the required credentials as your account is set up for MFA. We will not escalate your issue as it is not a hacking attempt. Goodbye and have a nice day!"
Make sure you have a recovery code
Gizdov's account was saved by two things, he says. First, he remembered that he had stored an account recovery code in his password manager. A recovery code can be obtained via "Advanced security options" and then "Recovery code." This would have allowed him to recover the account but only after 30 days.
"Why would I give a 30-day notice to my hacker to secure their new account or wait 30 days to access my account in an emergency?" he says.
Second, his story was widely circulated and was spotted by Microsoft Identity VP Alex Simons, who responded this morning on Twitter. "I am SO sorry. Please accept my apologies. Thank you for surfacing & including the details. The team has diagnosed. Was caused by a recent regression. Fix is being deployed. Will go live worldwide overnight. We will also debug and fix the support experience as well."
The bug was fixed and Gizdov says he was able to log in, though the system is still buggy and he gets errors like "we couldn't send a notification to your phone at this time", for example when trying to set up passwordless login. "It is a crazy loop of madness," he says.
What does he think of the support experience? "Microsoft support is trained and held up to the standard to refuse help and deny everything. Even to explicitly not listen to new reports by individuals," he tells us.
That cannot literally be policy; but recall that the support agent specifically refused to accept his bug report or to help him resolve it. "Bugs will always arise, it's how they deal with them that's the problem," Gizdov tells us. "I'd had to rely on the luck of my post being popular on Hackernews to get anyone that can address the issue to see it."
Is part of the problem that Microsoft accounts are treated as a free offering? "I believe yes. Part of the problem is that even though I'm paying for lots of Microsoft services they treat all personal accounts as free and on top of that they do not have a dedicated team dealing with the issues," he says.
Is Microsoft worse than other companies? The closest equivalent perhaps is a Google account, although in our experience it is easier to contact someone at Microsoft than at Google (for consumer accounts). "I'd say Google has a better overall policy on MFA and more modern procedures, which reduces the chance of users ending up in that situation," says Gizdov, though he adds that his view is anecdotal.
He notes that Microsoft itself recommends against SMS and voice-call authentication, yet its own consumer system pushes users towards the phone. "The GSM and phone systems are inherently insecure as they've not kept up to date with the growth of security threats," he says.
Gizdov is indignant that "[Microsoft] claimed they hold no responsibility and it's all my fault. I believe that when I'm paying for a service and enter in a contract with a company, the company is responsible for delivering that service. Microsoft has failed on delivering their service and thus should be responsible."
Will he continue to use a Microsoft account? "Yes, I will as unfortunately Microsoft is so big and seeps into everything, so barely any IT professional nowadays can get by without a Microsoft account." His advice to others, though, is that "people need to create and keep safe an account recovery code."
The problem is a tough one for any identity provider: making account recovery too easy helps attackers, and human support is expensive. Neither point excuses the failures in Gizdov's experience, where a legitimate security change locked him out and support declined even to record the bug.
Simons was the right person to reach, and the speed of the fix was in a sense impressive. The issue about debugging "the support experience" is a bigger challenge though, and there are others less expert than Gizdov, or less fortunate on social media, who have unresolved issues. ®