Pending Review

The embedded MFA signature embedded into the generated QR Code should be unique for each site

OWEN BRUNKER 2 years ago 0

I use Microsoft Authenticator for my MFA configurations.  When presented with a QR Code to scan, there is a text signature identifying the site, and a secret.  The text signature should be unique to the site, allowing for different codes to be generated for each site.

i.e.

cloud.screenconnect.com is one site

mycompany.screenconnect.com is another site.

I have attempted to set up a record for each site, only to accidentally lock myself out of cloud.screenconnect.com.


I set up cloud.screenconnect.com first.  I then set up MFA for mycompany.screenconnect.com

Because the signatures used for the two sites are the same, one overwrote the other.  This locked me out of cloud.screenconnect.com.

I don't like the idea of having a common secret between the two sites.  Either site requires its own login with a different password.  It is obvious that the secret for Authenticator should be different too.  So the text signatures between the two sites should also be different.

Thank you.
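An added illustration of the collision described in the post above; it is not part of the original post and not code from ScreenConnect or Microsoft Authenticator. It assumes the QR code carries a standard `otpauth://` key URI and that an authenticator app tells entries apart by the (issuer, account) pair; the issuer string `ScreenConnect`, the account and the secrets are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs, quote, unquote

def build_uri(host, account, secret_b32):
    """Build an otpauth URI whose label and issuer carry the site's hostname."""
    label = quote(f"{host}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(host)}"

def entry_key(uri):
    """Return the (issuer, account) pair assumed to identify an app entry."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:                      # label without an issuer prefix
        prefix, account = "", label
    issuer = parse_qs(parts.query).get("issuer", [prefix])[0]
    return (issuer.strip().lower(), account.strip().lower())

def find_collisions(uris):
    """Return pairs of URIs that would land on the same authenticator entry."""
    seen, collisions = {}, []
    for uri in uris:
        key = entry_key(uri)
        if key in seen:
            collisions.append((seen[key], uri))
        else:
            seen[key] = uri
    return collisions

# Constructed sample: two sites, different secrets, one shared label.
SHARED_LABEL = [
    "otpauth://totp/ScreenConnect:user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=ScreenConnect",
    "otpauth://totp/ScreenConnect:user%40example.com?secret=KRUGS4ZANFZSAYJA&issuer=ScreenConnect",
]
# Same two enrolments with the hostname used as the label and issuer.
PER_HOST = [
    build_uri("cloud.screenconnect.com", "user@example.com", "JBSWY3DPEHPK3PXP"),
    build_uri("mycompany.screenconnect.com", "user@example.com", "KRUGS4ZANFZSAYJA"),
]

if __name__ == "__main__":
    print("shared label collisions:", len(find_collisions(SHARED_LABEL)))
    print("per-host label collisions:", len(find_collisions(PER_HOST)))
```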