
The Phantom Authenticator Problem: When IT Automation Goes Wrong


In the world of IT administration, automation is often seen as the holy grail - a way to save time, reduce errors, and streamline user experiences. However, when automation is applied without understanding the underlying security principles, it can create more problems than it solves. This blog post examines a real-world case where well-intentioned automation created "phantom" Microsoft Authenticator entries that confused users and generated unnecessary support tickets.

This post was created because I've been drafted in to clean up the mess created by deployment automation policies without comprehension of what that would do to the unfortunate end users.

The Problem: Authenticator Entries That Don't Work

Users at Severn Trent Water discovered Microsoft Authenticator entries on their phones that appeared to be configured for their work accounts. These entries showed one-time passwords in the format xxx-xxx, but when users tried to sign in, they were still prompted for SMS verification. The authenticator entries existed on their devices but weren't recognized by Microsoft Entra ID (formerly Azure AD).

This created a perfect storm of confusion:

  • Users saw what looked like a working authenticator setup
  • The system didn't recognize these entries
  • Authentication still fell back to SMS

The Misguided Automation Attempt

Based on our investigation, here's what likely occurred:

  1. An IT administrator discovered Intune App Configuration Policies

    • These policies can push settings to apps automatically when installed
    • They saw this as an opportunity to "help" users by pre-configuring authenticator
  2. An App Configuration Policy was created containing, among other things:

    • Organization name: "<Name>"
    • User email addresses
    • Account type settings
    • TOTP secret keys
  3. The policy was deployed via Intune/MDM

    • Settings were pushed to devices automatically
    • Microsoft Authenticator accepted the configuration
    • Local entries were created on devices

Why This Approach Was Fundamentally Flawed

The administrator who implemented this failed to understand a critical security principle: Multi-Factor Authentication registration is a security ceremony that requires user interaction by design.

Here's what they missed:

  1. MFA Registration is Not Just Configuration

    • It's a cryptographic trust establishment between three parties:
      • The user
      • The authenticator app
      • Microsoft Entra ID
    • This process CANNOT be fully automated for security reasons
  2. Local Entries ≠ Cloud Registration

    • Pushing configuration creates only local entries
    • Without user verification, Entra ID has no record of these authenticators
    • The entries generate codes locally but aren't valid for authentication
  3. Security by Design

    • Microsoft deliberately requires user interaction to prevent:
      • Unauthorized MFA enrollment
      • Man-in-the-middle attacks
      • Administrative abuse

The Technical Explanation

When Microsoft Authenticator receives configuration via MDM:

  1. It creates a local entry with the provided data
  2. It can generate TOTP codes using the secret key
  3. However, it has NOT completed registration with Entra ID

The missing critical step is:

  • User must scan a QR code from the Entra portal
  • User must complete a test notification
  • This creates bidirectional trust between the app and cloud service

Without this step, you have a "phantom" entry - visible locally but invisible to the authentication service.
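To make the "generates codes locally but isn't valid for authentication" point concrete, here is an added illustration (my own example, not code from the post or from Microsoft). It implements the standard RFC 6238 TOTP computation that a local authenticator entry performs, and a deliberately simplified stand-in for the cloud side that only knows secrets bound to a user through a registration ceremony. The real Entra ID registration is a push-notification and key-exchange flow, not a bare TOTP proof, so the ceremony here is a simplification; the secret, user name and service class are all constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret in the base32 form an MDM policy might push.
# It is made up for this example and is not a real Authenticator or tenant key.
PUSHED_SECRET_B32 = "JBSWY3DPEHPK3PXP"
USER = "user@example.com"  # constructed placeholder, not a real account


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: what a local authenticator entry computes
    from its stored secret, whether or not any cloud registration exists."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class IdentityService:
    """Toy stand-in for the cloud side (Entra ID in the post). It only knows
    secrets that were bound to a user through a registration ceremony; a
    secret that merely exists on a phone is invisible to it."""

    def __init__(self) -> None:
        self._registered: Dict[str, str] = {}  # user -> base32 secret

    def register_via_ceremony(self, user: str, secret_b32: str,
                              proof_code: str, now: int) -> bool:
        # The QR scan plus the test code/notification is what proves the app
        # holds the secret the service issued; only then is the method recorded.
        if totp(secret_b32, now) != proof_code:
            return False
        self._registered[user] = secret_b32
        return True

    def verify(self, user: str, code: str, now: int, window: int = 1) -> bool:
        secret = self._registered.get(user)
        if secret is None:
            # Phantom entry: no cloud record, so the code cannot be checked and
            # sign-in falls back to whatever method IS registered (SMS here).
            return False
        return any(totp(secret, now + k * 30) == code
                   for k in range(-window, window + 1))


def demonstrate(now: Optional[int] = None) -> Tuple[bool, bool]:
    """Returns (accepted_before_ceremony, accepted_after_ceremony)."""
    now = int(time.time()) if now is None else now
    service = IdentityService()
    code = totp(PUSHED_SECRET_B32, now)       # the phone shows a valid-looking code
    before = service.verify(USER, code, now)  # rejected: nothing is registered
    service.register_via_ceremony(USER, PUSHED_SECRET_B32, code, now)
    after = service.verify(USER, totp(PUSHED_SECRET_B32, now), now)
    return before, after


if __name__ == "__main__":
    print("accepted before ceremony, after ceremony:", demonstrate())
```

The first call to `verify` fails not because the code is wrong but because the service has no record for the user at all; pushing the secret to the device changed nothing on the cloud side. Only after the ceremony binds the secret to the account does the same code verify.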

How to Prevent This in Your Organization

1. Understand Before You Automate

Never implement automation without understanding:

  • What the process actually does
  • Why certain steps exist
  • What security controls are in place
  • What can and cannot be automated

2. Research Best Practices

Before implementing any authentication-related automation:

  • Read Microsoft's official documentation thoroughly
  • Understand the security implications
  • Test in a lab environment first
  • Consider the user experience end-to-end

3. Recognize What Should Not Be Automated

Certain processes are manual by design for security reasons:

  • MFA registration
  • Password resets
  • Biometric enrollment
  • Certificate enrollment
  • Any process involving cryptographic key generation

The Correct Approach

Rather than attempting to automate MFA enrollment, organizations should:

  1. Communicate clearly about the MFA requirement
  2. Provide step-by-step guides with screenshots
  3. Offer support sessions during rollout
  4. Use Conditional Access policies to enforce MFA gradually
  5. Monitor adoption rates and follow up with stragglers
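As an added example of the monitoring step (my own code, not part of the post or any Microsoft tooling), the function below classifies users from a registration report so that anyone still on SMS only or not registered at all can be followed up. The input is a constructed sample shaped like the Microsoft Graph `reports/authenticationMethods/userRegistrationDetails` response; the field names and method strings are my assumptions about that schema and should be checked against the current documentation, and fetching the real report (with Graph authentication) is outside the example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of the Graph userRegistrationDetails report.
# Field names and method values are assumptions; the accounts are invented.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["softwareOneTimePasscode"]},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": False,
     "methodsRegistered": []},
]})

# Assumed method identifiers for the Authenticator app and for phone/SMS methods.
AUTHENTICATOR_METHODS = {"microsoftAuthenticatorPush",
                         "microsoftAuthenticatorPasswordless"}
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}


def classify_registrations(report_json: str) -> Dict[str, List[str]]:
    """Bucket each user by what they actually have registered in the cloud.
    Only the cloud record matters: a phantom entry on a phone never shows up here."""
    buckets: Dict[str, List[str]] = {
        "authenticator": [], "phone_only": [], "other_only": [], "unregistered": []}
    for row in json.loads(report_json).get("value", []):
        upn = row["userPrincipalName"]
        methods = set(row.get("methodsRegistered", []))
        if methods & AUTHENTICATOR_METHODS:
            buckets["authenticator"].append(upn)
        elif methods and methods <= PHONE_METHODS:
            buckets["phone_only"].append(upn)   # still falling back to SMS/voice
        elif methods:
            buckets["other_only"].append(upn)   # e.g. a third-party TOTP app
        else:
            buckets["unregistered"].append(upn)
    return buckets


def adoption_rate(buckets: Dict[str, List[str]]) -> float:
    """Share of users who completed the Authenticator registration ceremony."""
    total = sum(len(v) for v in buckets.values())
    return len(buckets["authenticator"]) / total if total else 0.0


def stragglers(buckets: Dict[str, List[str]]) -> List[str]:
    """Users to follow up with: phone-only and unregistered."""
    return sorted(buckets["phone_only"] + buckets["unregistered"])


if __name__ == "__main__":
    result = classify_registrations(SAMPLE_REPORT)
    print(f"Authenticator adoption: {adoption_rate(result):.0%}")
    print("Follow up with:", ", ".join(stragglers(result)))
```

Run against the real report on a schedule, the `phone_only` bucket is the direct measure of how many users the phantom entries left behind, since those users look "done" on their phones but not in Entra ID.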

The Fix: How Users Can Resolve Phantom Entries

If your organization has been affected by phantom authenticator entries, here's the user-friendly solution, written as an email to affected users:

Subject: Update Your Microsoft Authenticator Setup

Dear User,

We need you to update your Microsoft Authenticator setup to ensure secure access to your account. Please follow these steps:

Step 1: Check Your Current Setup

  1. Visit https://myaccount.microsoft.com/?ref=MeControl
  2. Click "Security Options"
  3. If prompted for an authenticator code (not SMS), stop here - you're all set!
  4. If asked for SMS verification, continue below

Step 2: Remove Inactive Entry

  1. Open Microsoft Authenticator on your phone
  2. Find "Severn Trent Water" with your email
  3. Tap the entry, then tap the cog icon (⚙️)
  4. Select "Remove Account"
  5. If asked about backup, select "No"

Step 3: Add Authenticator Properly

  1. Return to https://myaccount.microsoft.com/?ref=MeControl
  2. Click "Security Options" and complete SMS verification
  3. Click "Add sign-in method"
  4. Select "Microsoft Authenticator"
  5. Skip the download step and click "Next"
  6. A QR code will appear

Step 4: Complete Setup

  1. In Authenticator, tap the + symbol
  2. Select "Work account"
  3. Choose "Scan QR code"
  4. Scan the code on your screen
  5. Complete the test notification

Optional: Enable Passwordless Sign-in

  1. In Authenticator, tap "Severn Trent Water"
  2. Select "Setup passwordless sign-in requests"
  3. Follow the prompts to complete setup

For assistance, please reply to this email.

Conclusion

This incident serves as a valuable lesson in the importance of understanding security principles before implementing automation. While the intention was to help users, the lack of understanding created confusion and additional work for everyone involved.

Remember: Not everything that can be automated should be automated. Some processes are manual by design, and attempting to bypass these controls often creates more problems than it solves. When in doubt, take the time to understand why a process works the way it does before trying to "improve" it.
