We have two SPA applications in our tenant. They each use a different database/connection to authenticate users.
There are two issues we are having, one cosmetic and one a serious problem; I think they are both related.
When the user is asked to set up their OTP application, the screen looks the same in both sites and has the same label in the OTP app.
If the user sets up an OTP app with one of our apps and then tries to set up OTP in our other app, the OTP Application will think they are for the same site and possibly overwrite them.
In LastPass Authenticator, they will be given a choice to either overwrite or rename. Google Authenticator will add two entries that look identical, and Microsoft Authenticator will ask if you want to overwrite it but will not allow you to add the second site if you do not. This means users using MS Authenticator cannot use both of our applications.
Also, I noticed that if I turn on the “Customize MFA Page” option, even without making any changes, the OTP apps will think that the two applications are different. When set up with one of our apps it uses our tenant name “chainio” to identify the token in the OTP app. But with our other app it uses “Chain.io”, our friendly name.
This is apparently enough of a difference that the OTP apps don’t get confused anymore. However, I cannot figure out why they are different.
Is there any way to configure what identifier is sent to OTP apps on an application-by-application basis?
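As an added illustration (not part of the question above and not Auth0's code), this shows why the issuer label decides whether an authenticator app sees two enrolments as the same entry: it builds otpauth key URIs in the de-facto format authenticator apps scan from a QR code, and flags enrolments whose issuer and account collide while their secrets differ. The account name and secrets are constructed sample values.

```python
from urllib.parse import quote, urlencode, urlparse, parse_qs, unquote


def build_otpauth_uri(issuer: str, account: str, secret: str) -> str:
    """Build a TOTP key URI; the label (issuer:account) is what apps display."""
    label = f"{issuer}:{account}"
    query = urlencode({"secret": secret, "issuer": issuer})
    return f"otpauth://totp/{quote(label)}?{query}"


def parse_otpauth_uri(uri: str) -> dict:
    """Recover issuer, account and secret the way an authenticator app would."""
    parts = urlparse(uri)
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = None, label
    # The issuer query parameter takes precedence over the label prefix.
    issuer = params.get("issuer") or label_issuer
    return {"issuer": issuer, "account": account, "secret": params.get("secret")}


def find_label_collisions(uris):
    """Return (issuer, account) keys that map to more than one distinct secret."""
    seen = {}
    collisions = []
    for uri in uris:
        entry = parse_otpauth_uri(uri)
        key = (entry["issuer"], entry["account"])
        if key in seen and seen[key] != entry["secret"]:
            collisions.append(key)
        seen.setdefault(key, entry["secret"])
    return collisions


# Constructed sample: the same user enrolled in two applications of one tenant.
ACCOUNT = "alice@example.com"
SAME_ISSUER = [
    build_otpauth_uri("chainio", ACCOUNT, "JBSWY3DPEHPK3PXP"),
    build_otpauth_uri("chainio", ACCOUNT, "GEZDGNBVGY3TQOJQ"),
]
DISTINCT_ISSUER = [
    build_otpauth_uri("chainio", ACCOUNT, "JBSWY3DPEHPK3PXP"),
    build_otpauth_uri("Chain.io", ACCOUNT, "GEZDGNBVGY3TQOJQ"),
]
```

With the same issuer both enrolments share one label and an app that keys on the label will offer to overwrite; with distinct issuers they are separate entries.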