Transcript

A wafrn woot (post) by @[email protected] saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the Microsoft Authenticator app.

  • Comment105@lemm.ee · ↑1 · 13 days ago

    If we’re headed into a chaotic and terrible time of uprising and war these next few decades, I hope that all of Microsoft’s offices are among the things that get shelled and flattened. It would be a shame if, like IBM nearly a century ago, Microsoft remains in the aftermath.

  • Broadfern@lemmy.world · ↑1 · 14 days ago

    This is why I hate passkeys and authenticators (as mandatory requirements). The moment I lose my phone I’m just completely fucked with no recourse, in an actual use case.

    • Midnight Wolf@lemmy.world · ↑2 · 3 days ago

      I use vaultwarden (passwords, mfa, etc), which moves the point of failure from a device I hold and am at constant risk of dropping, to the server it’s running on that has no risk of being dropped. There are people that will scream ‘you shouldn’t store mfa with your passwords’ but if someone already breaches my vault then I have WAY bigger problems, so the argument is moot. Just secure your shit correctly and it’s nbd.

      Then it becomes a case of data safety and integrity, so raid, snapshots, encrypted backups on and off-site, having those encryption keys accessible in a physical form near the server for recovery…

    • TrickDacy@lemmy.world · ↑0 · 14 days ago

      Yeah I had a beautiful moment trying to use Google’s find my phone feature in another country when it asked me to use MFA on…my fucking phone. Turned off Google MFA forever after that near nightmare. Luckily another kind tourist found and turned in my phone to the nearest worker at the place I was visiting.

      • Trainguyrom@reddthat.com · ↑1 · 5 days ago

        This is where you’re supposed to run the find my phone from another device where you’re already signed in, such as your laptop at the hotel room. Or alternatively have one of your partner’s accounts as a backup 2FA method since your partner probably didn’t lose their phone at the same time.

        If anyone can sign into the account and lock the phone as lost with just a username and password, then the moment your username and password are breached/guessed your entire account is as good as gone.

        • TrickDacy@lemmy.world · ↑1 · edited · 5 days ago

          A lot of people here are treating me like I’m stupid when my only point really is that Google knows the one way I cannot recover my phone was with the phone itself so it’s not a smart design to offer that. Carrying more devices isn’t a real option either, so I get that technically it’s possible, but smarter people than I should’ve come up with something better by now. No one can carry or afford a backup phone.

          • Trainguyrom@reddthat.com · ↑1 · 5 days ago

            It’s ultimately the challenge that 2FA is a combination of 2 of the following: something you have, something you are, or something you know. Or as a Cisco security engineer once put it in a talk, a combination of something you’ve lost, something you’ve forgotten or something you were at one time but are no longer.

            Ultimately, authentication sucks and there’s really no better way to do it for individuals than just having multiple backup methods, which of course is more opportunities for account compromise. It’s a lose-lose-lose situation.

      • hdnsmbt@lemmy.world · ↑1 · 14 days ago

        Yeah, I also had a beautiful moment trying to use Google’s find my phone feature in another country when I didn’t know my password. Used “password123” after that near nightmare.

        Security works best when it’s really easy to get into my account even though I don’t remember my credentials.

          • hdnsmbt@lemmy.world · ↑1 · 14 days ago

            No, it’s not the same thing at all. It’s an analogous thing. Reducing account security because you lost your credential isn’t very smart and that’s the common denominator in both examples.

            • federal reverse@feddit.org · ↑0 · 14 days ago

              The commenter above you had lost their phone and was supposed to log in using this same phone.

              They only got access to the account again due to chance, i.e. someone else found their phone.

              (There likely is some sort of backup mechanism, but apparently it’s sufficiently well hidden.)

              • Trainguyrom@reddthat.com · ↑1 · 5 days ago

                Google has really good support for backup 2FA and will actually nag users to add backup methods from time to time. Add another account or your partner’s account as a backup method yesterday if you don’t have any backup 2FA.

              • hdnsmbt@lemmy.world · ↑0 · 14 days ago

                Yeah, I read the story, so I’m aware of the plot.

                My comment was aimed at removing MFA completely because OP had a problem once. That is a bad idea and I expressed that by making a joke about using a very bad password because I couldn’t remember my actual password which is also a bad idea.

                Google (as any other provider) used the phone option for MFA first because that’s what OP had been using multiple times before they lost their phone. OP wasn’t “supposed to log in using the same phone”, Google just offered the default way that had been used before. OP didn’t see the other login options and went on the internet to tell everybody how stupid Google is and proceeded to smugly proclaim they removed MFA entirely due to Google’s stupidity, which inadvertently revealed OP’s less smart decision I made fun of.

                The “Try another way” option is literally right below the input field and one of two links displayed at this point (try it out, go to google.com in a private window and enter your password. The other link is “Resend it”.). It’s not hidden at all and OP had more choices than a stranger finding their phone but they never realized it. But again, that’s not my point. My point is that removing MFA because you had trouble logging in without your phone one time is a bad idea which is why I made a joke about that.

                • TrickDacy@lemmy.world · ↑2 ↓1 · 13 days ago

                  Yeah you know everything, asshole. Including when my story occurred and that nothing has changed about the UI since. You also know that panicking about your trip being ruined by a lost phone is no reason to have trouble using a shitty UI which is so densely created that it mirrors the post we are commenting on.

                  The way you said everything in this thread assures everyone you’re a prick. I’m glad you feel so good about it though.

    • Wahots@pawb.social · ↑0 ↓1 · 14 days ago

      I broke my phone, and this actually happened to me. Google had set my old broken phone as a default passkey without my knowledge, back when they were rolling it out. My SIM card was retrievable, so I used SMS to get in after my password. Turns out, that’s not good enough. It took me days to get into my idiotic accounts (including Google Authenticator for work) because of all the security hoops, even with backup codes, password managers, and a SIM card.

      My saving grace was Firefox Sync, which allowed me to get into Microsoft accounts and slowly start unwinding Google’s insane requirements.

  • Robust Mirror@aussie.zone · ↑0 · 14 days ago

    This isn’t a Microsoft issue. This is a stupidity issue. Any authenticator you add 2 factor to, and then put the 2 factor in that same app will do this.

    • rmuk@feddit.uk · ↑1 · 13 days ago

      Even better/worse, Microsoft will never send 2FA requests to the app that is requesting them. This user has a second copy of Authenticator installed somewhere else which they forgot about.

    • exchange12rocks@lemm.ee · ↑0 ↓1 · edited · 14 days ago

      One of the main features of MS Authenticator is native integration with the MS authentication system. Aegis doesn’t have such integration.

      • Trainguyrom@reddthat.com · ↑1 · 5 days ago

        I’ve honestly found in my professional experience that Microsoft Authenticator has random times it just fails to register (usually on iPhones specifically) as well as other occasional problems which are annoying as heck when you’re just trying to get someone signed in. Personally it just seems a lot cleaner to just use a TOTP 2FA and call it a day, but for end users I’ll stick to the company line and direct them to Microsoft Authenticator.

  • TankovayaDiviziya@lemmy.world · ↑0 · 14 days ago

    There are plenty of FOSS authenticator apps that can authenticate Microsoft account hassle free. I have been using one for years now.

      • Trainguyrom@reddthat.com · ↑1 · 5 days ago

        Microsoft accounts support the open TOTP standard for rolling 2FA codes, so there’s tons of apps that support storing TOTP codes.

        • Rin@lemm.ee · ↑2 · 5 days ago

          Issue is that my work has some kind of bullshit setup which doesn’t make it purely TOTP.

          • Trainguyrom@reddthat.com · ↑2 · edited · 5 days ago

            There’s so many tunables for M365 account requirements (and that’s not even touching on third party security integrations like Duo) I’m not shocked.

  • BlessedDog@lemmy.world · ↑0 · 14 days ago

    Currently doing an internship at an establishment with 1300+ users using Microsoft Authenticator (required by policy). The amount of times I’ve had this same issue is insane. Worst part is, when we provision someone with a new company phone, they have to go to the Google Play Store to download Microsoft Authenticator. The Play Store however, requires a Google login to download apps, but the users cannot log in to their company Google account without Authenticator, creating a circular dependency. This unintentionally means every employee HAS to have a personal Google account to set up their company Google account… Stupid as hell.

    • rdri@lemmy.world · ↑1 · 14 days ago

      Logically it should be perfectly fine to install the authenticator app on a personal device, if that suits the user. 2FA adds security to the password, but the password itself is not meant to be known by anyone else, including any other employee or any other company owned device.

      Also, you can enroll mobile devices to Intune and have the authenticator app installed before the employee receives it.

  • Tash@lemmy.world · ↑0 · 14 days ago

    Pretty sure you have another device registered with Authenticator here, and it is asking you to verify against that.

    It would be bad if somebody could just steal your username/password and then register their own MFA, right?

      • Baggins [he/him]@lemmy.ca · ↑1 · 13 days ago

        This is a legit problem with authenticator. My work phone was wiped and I had to have my authenticator reset because it got stuck in the same loop.

        • Hotzilla@sopuli.xyz · ↑0 ↓1 · 13 days ago

          Well, if the MFA device is not available, reset is the only way. If the user were able to bypass the lost device, the whole thing would be vulnerable.

          The whole MFA thing is of course really f stupid, but it is the best we’ve got against phishing.

    • shalafi@lemmy.world · ↑0 ↓1 · 14 days ago

      Keeper does the same. Because that’s sane security.

      Lemmy: $MS dumb and bad! (Please clap.)

  • Oxysis/Oxy@lemmy.blahaj.zone · ↑0 · 14 days ago

    I had an issue with this a few weeks ago: my old phone’s charging port broke and I couldn’t get back into it. On my new phone it needed me to use the authenticator to log in to the authenticator. Made it my uni’s problem to solve the authenticator paradox.

    • Honytawk@lemmy.zip · ↑1 · 14 days ago

      It’s a security feature.

      If it was easy to get into without the authenticator, then it would be useless.

    • LifeInMultipleChoice@lemmy.dbzer0.com · ↑0 · edited · 14 days ago

      Usually a simple fix on their end. Verify something like your school ID, go to the O365 admin portal, remove the old phone (don’t have to) and send out a QR code to scan on the new phone. Depending on security measures you can assign an SMS message code, but many insurance companies have made requirements to phase those out. Sucks, because I liked those better, but I guess risk analysis was higher with them.

      One thing I did notice though was tokens in the authenticator app would carry over to new phones, where RSA SecurID tokens usually would not because they were tied to an ID number on the device. Those are just as easy to manage, but they will definitely piss people off. Now the Comp Portal app in government contracts, those are a bitch. You can spend an hour redoing everything just because a user forgot their password and all the apps aren’t linking the authenticator token with the portal.

      • Trainguyrom@reddthat.com · ↑2 · 5 days ago

        > Usually a simple fix on their end. Verify something like your school ID, go to the O365 admin portal remove the old phone (don’t have to) and send out a QR code to scan on the new phone.

        It’s even easier than that. There’s a handy “reset MFA” button in the admin portal which deletes all existing MFA methods for the M365 account and prompts re-enrolling into MFA on the next user sign-in. It’s honestly the cleanest approach since one could potentially have old MFA methods saved for the account, so resetting cleans all of them up.

  • rmuk@feddit.uk · ↑0 ↓1 · 13 days ago

    https://mysignins.microsoft.com/security-info

    Obviously it’s very fashionable to bang two saucepans together while chanting “microsoft baaaaad”, but for anyone interested in actually learning about how this stuff works: Authenticator will never use ‘itself’ to authenticate, but you can use a second, separate instance of Authenticator on another device to authenticate, which is what is happening here. If you use Entra (or whatever it’s called this week), go to that URL to see which MFA methods Microsoft thinks you have and if, say, there’s a copy of Authenticator on a phone you no longer own, or an outdated phone number, or whatever, you can delete it.

    • markstos@lemmy.world · ↑1 · 13 days ago

      Nothing in the UX here conveys that you should open a second Authenticator on a second device. And what if you aren’t logged into the second Authenticator? Is a third one needed on a third device? And if you aren’t logged into the third?

      The original TOTP phone apps don’t require their own login. The protection is provided by the mobile OS.

      Microsoft is making this so complex it’s not usable.