
Authentication flow leading to wrong authenticator app – what happened, and how to prevent?

Someone I know ended up installing a sketchy authenticator app while going through Microsoft's SSO authentication flow, and I'm trying to understand how this happened exactly.

  1. The user's organization started requiring 2FA, so the login flow requested setting up a second factor. Somewhere, a QR code was displayed in relation to the MS Authenticator app. I cannot say more because we cannot reproduce this scenario anymore (a second factor has been set up in the meantime).
  2. After scanning the code (through the camera app on a Pixel phone), the user's phone ended up on a Google search for the following query (IDs redacted): phonefactor://activate_account?code=123456789&url=https%3A%2F%2Fmobileappcommunicator.auth.microsoft.com%2Factivate%2F987654321%2FWEU
  3. One of the top paid results (ads) was a link to the Play store for something named "Authenticator App".
  4. Upon opening, the app showed a full-screen ad with misleading information (requesting the user's phone number and trying to trick them into a subscription).

How did this happen?

My hypothesis is that the SSO authentication flow showed a QR code containing a deep link into Microsoft's Authenticator app - however, since that app was not installed, the camera app fell back to googling for the string found in the QR code. Attackers know of this pattern and buy highly targeted ads trying to lead misguided users to their fraudulent app.

How to prevent?

As far as I understand, the SSO flow could just have used HTTP(S) links pointing to a domain owned by them, and have the Authenticator app register deep links for that pattern. For users who don't have the app installed, a server could redirect requests to the Play store.

Does my reconstruction of events sound accurate? Am I missing something, e.g. why the developers went with a custom URL scheme instead of HTTP(S)?
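As an added example (not part of the question, and not Microsoft's code), the following Python script takes the exact QR payload quoted in the question, pulls it apart to show what a custom-scheme deep link actually carries, models the camera-app fallback the asker describes, and rewrites the same parameters into the HTTPS App Link shape proposed under "How to prevent?", with the server-side store redirect for devices that do not have the app. The host `auth.example.com`, the path `/activate`, the store URLs and the package name are invented placeholders; the camera behaviour is a model of what the question reports, not a documented contract of any camera app.

```python
"""
Added example: custom-scheme deep link vs. HTTPS App Link for a 2FA
enrolment QR code. All hosts, paths and store URLs below are assumptions
made for illustration, not the real service's design.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: the payload quoted in the question (IDs already redacted there).
QR_PAYLOAD = ("phonefactor://activate_account?code=123456789"
              "&url=https%3A%2F%2Fmobileappcommunicator.auth.microsoft.com"
              "%2Factivate%2F987654321%2FWEU")

# Hypothetical placeholders for the HTTPS-link design.
APP_LINK_HOST = "auth.example.com"
APP_LINK_PATH = "/activate"
ANDROID_STORE = "https://play.google.com/store/apps/details?id=com.example.authenticator"
IOS_STORE = "https://apps.apple.com/app/id000000000"


def parse_deep_link(payload: str) -> dict:
    """Split a scanned URL into scheme, action and decoded query parameters.

    For a custom scheme such as phonefactor:// the 'host' part is really the
    action name; for http(s) the action travels as a query parameter instead.
    """
    parts = urlsplit(payload)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    is_web = parts.scheme in ("http", "https")
    action = params.pop("action", parts.path) if is_web else parts.netloc
    return {"scheme": parts.scheme, "action": action,
            "params": params, "is_web_link": is_web}


def simulate_camera(payload: str, installed_schemes: set) -> str:
    """Model of the failure mode described in the question (an assumption,
    not a documented camera-app contract): http(s) always has a handler (the
    browser); a custom scheme is opened only if some installed app claims
    it, otherwise the raw text is handed to a web search, where paid ads
    for look-alike apps can be shown.
    """
    info = parse_deep_link(payload)
    if info["is_web_link"] or info["scheme"] in installed_schemes:
        return "open_handler"
    return "web_search:" + payload


def to_https_app_link(payload: str) -> str:
    """Rewrite the custom-scheme link as an HTTPS link with the same
    parameters. An installed authenticator app can claim the host via
    Android App Links / iOS Universal Links; without the app the OS opens
    the URL in the browser, where the server decides what to do.
    """
    info = parse_deep_link(payload)
    query = urlencode({"action": info["action"], **info["params"]})
    return urlunsplit(("https", APP_LINK_HOST, APP_LINK_PATH, query, ""))


def fallback_redirect(user_agent: str) -> tuple:
    """Server-side handling of the HTTPS activation link when it reaches a
    browser, i.e. the app is NOT installed. Returns (HTTP status, target).
    The activation code is deliberately not copied into the store URL.
    """
    ua = user_agent.lower()
    if "android" in ua:
        return 302, ANDROID_STORE
    if "iphone" in ua or "ipad" in ua:
        return 302, IOS_STORE
    return 200, "show_instructions_page"  # desktop browsers: explain next steps


if __name__ == "__main__":
    print(parse_deep_link(QR_PAYLOAD))
    print(simulate_camera(QR_PAYLOAD, installed_schemes=set()))
    print(to_https_app_link(QR_PAYLOAD))
    print(fallback_redirect("Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/120"))
```

Running it shows the point of the question: with no app claiming `phonefactor://`, the modelled camera hands the whole string to a search, whereas the HTTPS form always lands either in the app or on a server the vendor controls, which can then send the user to the correct store listing.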