
I have an iPhone XR with the latest updates. I use Microsoft Authenticator for some 2 step verification for work related stuff.

Today I enabled the Instagram two-factor security option and chose the app authentication. This prompted me to download an authenticator by DUO Security. So I gave that a try.

Once downloaded, I enabled Instagram 2-factor again. It now noticed I had installed the DUO authenticator, but instead opened the Microsoft Authenticator. I went through the steps of the Microsoft Authenticator and Instagram accepted it. Instagram now uses the Microsoft Authenticator, whilst it did not recognize it at first.

I am wondering if somebody with malicious intent can exploit this.

  • Exploit what..? – vidarlo Oct 10 '20 at 09:14
  • Well... could one put a fake authenticator (instead of the Microsoft one) on a phone and fool Instagram into using the fake authenticator and thus extracting user login/password? – CaptainAhab Oct 10 '20 at 09:17
  • As far as I'm aware, Microsoft Authenticator is calculating TOTP codes. It doesn't ever see username and password. In fact, users *should* be free to pick their choice of TOTP apps, to suit their needs. I for instance store some TOTP tokens in a Yubikey... – vidarlo Oct 10 '20 at 09:20
  • Ok, thanks for the answer. It just felt weird that Instagram prompted me to install an authenticator and then accepted the automatic takeover from an already installed authenticator without warning, and accepted the process. – CaptainAhab Oct 10 '20 at 09:24

1 Answer


This prompted me to download an authenticator by DUO security

This was merely a suggested app. It was basically an ad.

It now noticed I had installed the DUO authenticator, but instead opened the Microsoft authenticator.

No, it didn't. I do not have DUO installed, but on my Instagram, when I tried to set up 2FA, it mentioned DUO, but it opened my Google Authenticator. It looks like the DUO mention is hard-coded on that page of the app.

could one put a fake authenticator (instead of the Microsoft one) on a phone and fool instagram in using the fake authenticator and thus extracting user login/password

Yes, it would be possible to put a fake 2FA app on a phone that might be recognised by another app. No, the app is not tied to the password, so there would be no risk to the password.
