1

There are several Microsoft forum posts on this, such as Microsoft Authenticator: turn off passwordless sign in, and others referencing Azure which is not applicable here, but I have not seen any solution yet. What I want when anyone, including myself, tries to log into my Microsoft Account, is for the system to first require a password. If, and only if, that password is correct, the Microsoft Authenticator then should prompt me to approve the sign-in request in the Authenticator app.

Instead, I am getting random notifications on my phone, from people around the world trying to access my account. I have looked at options on the authenticator app, and found no way to disable passwordless login and instead have a true two-factor authentication.

I also logged into my account on a browser, went into advanced security options, and the screen under "Additional security" looks like the one on the Microsoft page about the passwordless future. Except I have:

Passwordless account: OFF
Two-step verification: ON

But hang on, if "passwordless account" is OFF, why am I not being asked for a password ever? It seems that by having the Microsoft Authenticator, passwordless is automatically enabled. Has anyone managed to figure out how to have a password AND the authenticator? I want both. Not just one or the other, both. Two-factor, please. Thank you for sharing your solution.

3
  • Have you used Autofill with Authenticator? It may be the autofill that causes the problem.
    – Faery
    Commented May 2, 2022 at 6:12
  • Don't think autofill is the culprit here. Some stranger is trying to log in to his account. Now either that someone already knows the password but the 2FA is kicking in and sending an authentication to the phone or, as the OP surmised, these random strangers are NOT being asked for a password. So I would recommend OP to change their password immediately as a first step; second, also try logging in with a different browser which you have never used before and try logging in again, maybe this time it will ask for a password.
    – kevdez
    Commented May 2, 2022 at 7:40
  • Thanks. I don't use autofill. If I go to login.live.com and enter my email address to sign in I get a notification in the app allowing me to approve or deny. It never prompts me for a password, that's the issue. I'm sure those other users don't know my password, they just know the email address, or it could be a genuine typo or mistake, fortunately it's not that often. In any case, I've changed the password, hoping it would trigger some change, but no, the behavior is still the same. I know I'm not the only one, based on the forum posts.
    – Nagev
    Commented May 2, 2022 at 10:35

2 Answers

1

I had the very same problem. Someone with an IP address from California (around Los Angeles) tried to make me approve a login request. Given that I have not been to California, and I did not use a VPN to pretend to be there, those attempts were definitely not from me.

After that guy tried this twice within a couple of days, I decided to fix this security hole I had been very unhappy with from the very beginning. After all, I started using the Authenticator app to have 2-factor authentication for additional security and not a less secure but more convenient 1-factor authentication.

Before I start describing my workaround: Some here suggested autofill is the cause of the problem. I can assure you that this is most definitely not the case. I have logged in from many different devices and virtual machines, some could not possibly know my password. The problem is that if you add the MS Authenticator app as a login option, you are no longer being asked for your password. You get straight that prompt on your phone and that's it. Microsoft does not allow you to disable that behavior.

Here is the workaround: Add the MS account to the MS Authenticator app if not already done so, then open the entry for the MS account. There you will find an option called "Update Security Info". Click on it. Remove the authenticator app from the list of log-in options. (Alternatively, you can do the removal part using a browser).

Once you have removed the app from the log-in option list, you will still find the entry in the MS Authenticator app. While you will no longer get those sign-in requests and have to use your password, that entry will also not do anything else. That one-time password code is only for show. All the 2FA will be done using your alternative email or text messages sent to your phone.

But you will need this otherwise useless entry if you want to enable or keep enabled sync in the Authenticator app.

If you prefer not to use sync for security reasons, do not add the account to the MS app and if you have already done so, follow the steps above, then disable backup if enabled and remove the useless entry.

If you are like me, you do not want your security codes to be sent via alternative email or text message but use the damn Authenticator app. To achieve this, go to your MS account using a browser. Preferably, use a PC so you can use your phone to scan a QR code from the PC's screen.

Once logged in to your account, go to Security -> Advanced security options. There you will find an entry "Ways to prove who you are". That's exactly the place you have removed the Authenticator app from. Now we add it back but with a trick. Press on the "+ Add new way to sign in or verify" button. Select "Use an app". On the setup screen DO NOT press on "Get it now". Very important. Press on the blue hyperlink above saying "set up a different Authenticator app". Press on that and follow the instructions. The trick is, use the MS Authenticator app anyway. The QR code will work with it.

Once you are done, you will have a second MS Account entry for the same account (if you use sync). That second entry has working one-time passwords that can actually be used for 2FA.

Making you jump through all those hoops shows that MS really does not want you to use your passwords anymore but it is still possible if you know how.

Hope you are finding this helpful.

10
  • Interesting, have to give it a go sometime. I'm assuming that by "sync" you mean the sync of autofill data. I personally don't use that. So my summary of your solution for me if I understand correctly, would be to just remove the authenticator app, and add it again, but through the "other authenticator app" option, even if using the MS Authenticator. That seems like a good idea. Could also actually use another app, like the Google Authenticator. Great stuff, thanks.
    – Nagev
    Commented Jan 25, 2023 at 10:19
  • Yeah, if you read the passwordless future article, it does seem that MS is convinced that bypassing the password is the way to go, but as you correctly summarized, that's just an alternative 1FA, not 2FA at all.
    – Nagev
    Commented Jan 25, 2023 at 10:22
  • It works! To start with a clean slate, I removed the MS Authenticator app altogether. Then I added it again, but as "another authenticator app", as you indicated. Now I am prompted for the password AND the code from the app. Upvoted and accepted, brilliant!
    – Nagev
    Commented Jan 25, 2023 at 10:46
  • 1
    Yeah, MS made it pretty clear in different talks and articles that they want to get rid of passwords. Personally, I would not mind if they found something better. But replacing it with 1FA where criminals cause log-in prompts in the night is not exactly an improvement in my books. And this problem is made worse by the fact that anyone who wants to trick you into allowing them to sign-in only needs your email address. Not exactly a piece of information that most people keep secret.
    – Willi
    Commented Jan 25, 2023 at 17:06
  • 1
    There is also a 1/3 chance that a non-tech savvy person would press the correct number (the kind of person that just agrees without thinking) or a tech savvy person might do it by accident (half-asleep / accidentally hitting the wrong button).
    – Willi
    Commented Jan 25, 2023 at 17:08
0

Have you used Autofill with Authenticator? It may be the Autofill that causes the problem: after setting up the Authenticator app as an autofill provider on your phone, it offers to save your passwords when you enter them on a site or in an app sign-in page.

You can try to stop syncing passwords in the Authenticator app: open Settings > Autofill settings > Sync account. On the next screen, you can select Stop sync and remove all autofill data. This will remove passwords and other autofill data from the device. Removing autofill data doesn't affect two-step verification.

More information on Common problems with the Microsoft Authenticator app in this article for your reference.

Hope this can help you!

1
  • I don't use Autofill at all. Couldn't find my issue on the linked page either. Thanks for the info.
    – Nagev
    Commented May 2, 2022 at 10:30
