return to table of content

Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out

SoftTalker
139 replies
1d

"This is a small example of a big problem with usability and cybersecurity. This is what happens when apps are developed by engineers who don’t have a strong knowledge of customers"

This really rings true. Just think of all the nonsense you have to deal with in the name of "security." Mandatory password change intervals. Insane rules for constructing passwords. Completely undocumented password requirements that you just have to figure out by trial and error. Complicated error messages full of security jargon. "Secret Questions" that you can't remember the answers to. And on the other side of the coin, the security of these systems themselves is like a sieve. So many data breaches, information disclosures, they are in the news almost daily. I often wonder how they get away with it all.

brookst
30 replies
20h41m

Completely undocumented password requirements that you just have to figure out by trial and error.

My favorite is:

1. I go to a website I haven’t used in a while but know I have an account on

2. I sign in with my email and what I’m sure is the right password for that site (algorithmically generated from site URL)

3. Password not valid

4. Ok, maybe this was an older version my my algorithm from way back

5. Password not valid

6. Fine, hit password reset

7. Get reset email and click it

8. Enter algorithmically generated password as new password

9. Error, can’t have that special character

10. Fine, per my rules, replace that special character with next one

11. Sorry, can’t reset password to your current password

12. Aaaaaargh.

rightbyte
9 replies
20h27m

This has bugged me a lot. Have I been gaslighted? Like, do sites lose my password? I can swear there have been like 10 occasions in the last 20 years where I had to reset my password where I am pretty sure I knew it.

dataflow
4 replies
15h40m

Just a few hours ago a pretty well-known site was telling me my password was wrong. The same one I'd copy pasted and logged in with for years from my password manager, including as recently as within the past 24h. I tried their app and it logged me in just fine. This wasn't the first time I'd had such issues with the site. Why do these happen? No idea, they must just hate me.

underwater
3 replies
15h21m

I had this with Duolingo. Their login fails if the browser can’t connect to recaptcha.net. But it just shows a generic “incorrect username/password” message.

dataflow
2 replies
13h48m

In my case I'm pretty darn sure it's something on their backend. Some race condition or lock or something that prevents login while stuff is being updated. The most frustrating part is the gaslighting, not the failure.

cbzbc
0 replies
10h30m

Or a backend cache miss

Garlef
0 replies
11h39m

Or it could be bad UX, displaying the same error message for two different errors.

(Not saying that simplifying several errors into one message is always bad. I think it's reasonable to just return a 500 without any info for everything that's caused by an unexpected exception on the backend.)

jasonjayr
1 replies
20h2m

I'd bet that some sites had their DB leaked/hacked, and just marked all the current passwords invalid to force a reset. Hopefully, it wast just the hashes that were leaked...

rightbyte
0 replies
19h29m

Oh ye that is a good theory.

14
1 replies
20h13m

That’s how I lost my Hotmail account.

gerdesj
0 replies
19h58m

They emailed you the password reset link?

Red_Leaves_Flyy
9 replies
16h27m

You want a good one? Silent password truncation on account creation without a required relogin so on return my saved password doesn’t work and I need to reset it.

AnonBanking
2 replies
12h16m

Making a throwaway for this since my main is linked to my real identity.

I worked for the online investment banking arm of one of the big Canadian banks a few years ago. Their passwords could only be eight characters long. At one point, I was tasked to do some work on their IVR system and discovered that your phone password was entered by pressing the corresponding letter key on your phone keypad. But they didn't say "2 for A, 22 for B, etc." which really confused me. How did it know the passwords were correct?

And that's when I had a terrifying realization and tested it out on the website - they weren't magically converting your phone presses into ascii characters. No, they were converting your password into the corresponding numerics and saving that. Every single user password was a 6-8-digit number.

They upgraded their whole login system around the time I left that company, including implementing 2FA. Though their 2FA was SMS-based rather than using an known authenticator app system, so it still wasn't perfect.

noirbot
1 replies
3h19m

I've absolutely had this happen with some US bank in the last 4 years. I can't remember which one, but they had me essentially type in my password over the phone in the same way, with * being the button for any non alphanumeric character.

thoronton
0 replies
2h24m

My password is "***********"

pylua
0 replies
15h45m

This has nothing to do with knowledge of customers but really just a lack of caring.

broknbottle
0 replies
15h34m

ugh this one is by the worst and the only way to discover is knowing your password is 100% correct. I usually will drop the password length from 24 -> 12 to sort it out.

_fat_santa
0 replies
4h13m

Yep I ran into this with an Oracle OpenAir. Needed to reset my password so I fire up 1Password, generate a 50 char PW and set that. It works for the first login but when I logout and log back in it tells me I have an incorrect password. Go through a password reset a few more times before I finally realize that they are just taking the first 12 characters of my PW and using that, and not telling me that they are doing that.

Sylamore
0 replies
12h50m

I had a bank that did this and it took me months to figure out WTH every time I tried to logon it failed, but when you reset the password it accepted longer length passwords while silently truncating them and getting you back into the account. I finally figured out their max password length was 8 characters anything longer would result in failures past the initial logon after a reset.

EvanAnderson
0 replies
15h32m

I had something similar happen with an HP Ethernet switch years ago. I was looking at a factory reset (and had no backup of the config... ugh...). I started re-entering the password with 1 fewer character on each attempt and finally got in. Maddening.

AmericanChopper
0 replies
12h55m

My bank used to do this too, but they were nice enough to silently truncate the password input on the login form as well, so you wouldn’t ever notice unless you accidentally did something to reveal the truncation.

It annoyed the hell out of me though when I was trying to put the required special character on the end of my too-long password after a required password change, and the only error message I got was that the special character was missing.

senectus1
3 replies
16h8m

11. Sorry, can’t reset password to your current password

This sounds like an erronious error, ie the error message displayed is not the correct error message. There was definitely an error but the error was not that you tried the same password as your current.

I hate erronious errors with a vengance, because they not only break user workflow but they break helpdesk work flow as well then it gets escellated to an engineer who quite often cant fix the actual erronious error but knows what the actual issue is and fixes that anyway.. meaning the erronious error never gets fixed and will mow hang around to chew up everyones time all over again.

such a silly way to waste so much time, over and over.

brookst
1 replies
13h28m

I disagree. It’s pretty normal to invalidate the current password on password reset, and to also not allow the same password to be reused.

KMag
0 replies
10h57m

I agree with you, but would phrase it differently.

You want some indication that any leak of your current password actually hasn't been mitigated. A failure message that your password hasn't actually changed (due to being identical) is functionally the same as allowing the password change and giving a warning that the passwords were identical (modulo some back-end details like if the password salt has changed and if the password change date has been updated).

tbrownaw
0 replies
15h52m

This sounds like an erronious error, ie the error message displayed is not the correct error message. There was definitely an error but the error was not that you tried the same password as your current.

What exactly is this based on?

I know I've seen that listed as a requirement (well, actually can't be one of the last 3) on some systems that have annoying password requirements.

SAI_Peregrinus
3 replies
4h38m

This is (part of) why we recommend password managers to people, not deterministic generation algorithms that still require keeping a list of logins with exceptions.

AtlasBarfed
2 replies
3h43m

Except the password manager becomes a central point of failure. If someone gets your phone, opens your password manager, boom they have keys to the castle. Because let's be honest, the password manager is on the phone, and there's no way keyloggers or screenshot backdoors get on there, and there's no way someone isn't looking over your shoulder with the latest iPhone Pixel Galaxy supercamera across the room.

It is really hard to listen to any security recommendation from anyone in the industry when there are SO MANY bad password rules that restrict what actual good long passwords are. Length restrictions, restrictions on special characters or UTF-8, password rotation rules. These examples of bank logins at major banks absolutely blow my mind.

https://xkcd.com/936/

and is site-specific with some leetcode subs or a magic number suffix is about the strongest password for login and for long-term user security and usability.

Maybe in another 15 years the security people at corporations will get their act together?

Maybe sometime we'll get legislation with some actual teeth on login security?

anamexis
0 replies
2h57m

Deterministic generation algorithms are also a central point of failure - if your key gets leaked, you're cooked.

AshamedCaptain
0 replies
3h16m

Except the password manager becomes a central point of failure. If someone gets your phone, opens your password manager, boom they have keys to the castle. Because let's be honest, the password manager is on the phone, and there's no way keyloggers or screenshot backdoors get on there, and there's no way someone isn't looking over your shoulder with the latest iPhone Pixel Galaxy supercamera across the room.

Password managers usually are either password-protected themselves or have biometrics, which suffice to deter random thieves. In fact, password managers are not going to show your password in the first place, they are going to silently fill in password prompts. The password cannot be clipboard-stolen, screen captured, or key logged. It is even more difficult to fish you (if the password manager doesn't detect the right program id/URL, it won't fill your password in -- unlike you).

If someone is looking over your shoulder with a supercamera he can get one password. If you are using a password manager, that's it. If you were using "an algorithm" to derive your passwords it is now possible he can now easily guess ALL your passwords. Most people aren't that good remembering good "algorithms" anyway. Maybe he needs to capture two passwords to do so?

Unless your algorithm is truly good, in which case you likely have to store it somewhere and that becomes your "password manager", which shares the same cons as a password manager itself. You are even at risk of your "algorithm" being guessed through a couple big password DB leaks, which are sadly ridiculous common, and this by itself puts you more at risk than worrying about supercameras.

I however don't have anything good to say re password managers that sync passwords over a centralized service, or worse, do so without proven E2EE.

usrusr
1 replies
11h45m

Oh yes, you're not alone! That secret battle between "must have" character classes and "can't have" character classes is the bane of all mental password algorithms. Where do the "can't have" rules come from, anyways? Smells like not using hashing (and even then, those rules would still be weird). But it can get even better, when the site refuses to accept third level domain email addresses. Bonus points when it did, but at some point stopped.

mschuster91
0 replies
11h27m

Where do the "can't have" rules come from, anyways?

For umlauts, restricting the amount of support calls from people abroad where the keyboard doesn't have them.

For others, particularly when mainframes or other truly old legacy systems are involved, encoding issues somewhere along the transport chain.

buro9
20 replies
4h48m

Yesterday I had a good example of this.

Website: "Please choose a complex password of at least 8 characters including special characters and numbers"

Me: Fires up the password manager, generates a 128 character random password, feels smug.

Website on next visit: "Please enter the characters in the 31, 98, 102 position from your password"

Me: WTAF

Context: Mortgage website in the UK

Edit: It's now dawned on me that they're storing this plain text so that they can do this... or at least encrypting rather than hashing, meaning that they can always decrypt the password.

thedanbob
9 replies
4h39m

Maybe we need a corollary to "don't roll your own crypto": "don't roll your own password scheme".

lazide
7 replies
3h22m

So what is the ‘standard’ then that doesn’t suck?

Morpholemew
6 replies
2h50m

https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

Basically, 8 characters or more, but prevent the user from picking a password that appears on any of the leaked password lists. Store in pbkdf2 or better; use argon2id per https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...

That's it. Simple. No mandatory symbols. No mandatory changes after a period of time. A password strength estimation meter is optional.

If it needs to be more secure, I might require more minimum characters, but no other restrictions.

lazide
2 replies
2h31m

Ah, yet another standard. How many years do you think before it’s obsolete?

Also, the ‘no previously leaked passwords’ are gonna piss off a lot of customers.

smrq
1 replies
2h10m

I think you just picked up the goalposts and brought them home with you. Why ask for a standard in the first place?

lazide
0 replies
1h53m

Because this is what, the third NIST standard on it?

compootr
1 replies
1h20m

What's your opinion on zxcvbn[0]?

It dynamically analyzes a password's cracking time, score, and gives feedback based on the password. imo it's a pretty good ux if used right

[0]: https://github.com/dropbox/zxcvbn

lynndotpy
0 replies
26m

Misused, zxcvbn offers its own security issues.

First, it's not either-or. You can match against zxcvbn strength and some passwordlist.

Second, think of the output of zxcvbn as a very weak hash with a low collision rate. E.g. 'correct-battery-horse-staple' maps to an estimated 213811968952000000000 guesses. In addition to being potentially algorithmically reversible, attackers can simply perform an offline attack against the value 213811968952000000000. So, this metric should never be exposed (e.g. in log files, on screen, etc.)

Third, having the estimated entropy helps a lot when password cracking. If you have the password hash digest and the zxcvbn metrics, then it makes the cracker's job much easier by reducing the search space. (Think, going from checking each molecule of an apple to checking only each molecule on the peel of an apple.)

Further, it's not perfect. The zxcvbn library I used suggests 'correct-battery-horse-staple' is a very strong password!

kevin_thibedeau
0 replies
1h54m

8 chars is not sufficient. The Hive strength estimates switched to Bcrypt this year but there are still weak systems out there and you should set passwords assuming MD5 which currently demands at least 12 chars for typical users.

xyst
0 replies
33m

Better yet, don’t use passwords at all. I’m personally fond of the magic link sent to email method of authN

deepsquirrelnet
6 replies
4h12m

Until recently, treasurydirect made you login using your mouse by pressing a keyboard laid out on a screen. This is a government website in the US for buying treasury bonds.

I didn’t know this when I made my account and fired up keepass per usual to create a massive random password. It takes me nearly 5 minutes of carefully pressing buttons on the screen and trying to keep my location in the password (you can’t see what you entered) just to get in.

salil999
2 replies
4h2m

I got around this by just editing the HTML. Worked like a charm

ericd
0 replies
3h40m

Yeah, you could just delete "readonly" from the input, then try the password manager autofill again. Thankfully no longer necessary.

Someone1234
0 replies
2h15m

Also demonstrates how pointless that theater was.

A lot of GOOD malware don't "sniff keys" because that gives them random stream of garbage that has little value. No human is going to sit there and hand-decipher that garbage. Instead, they either inject browser extensions, intercept at the Win32 layer, or intercept the HTTP traffic upstream of the browser giving them the raw form-fields with URL which can be packaged and sold.

So all TreasuryDirect was doing, when they were doing this, was inconveniencing real people while the malware didn't even notice. Utterly insane. Glad someone had them quit it.

mwexler
0 replies
4h1m

Both of these reflect a security approach from early 2010s when keyboard sniffing was the worry-of-the-week. The idea was that even with all keystrokes intercepted, the full pw was never sent via keypresses.

One of my pals around that time turned on accessibility features like onscreen keyboards and diligently never typed a password. In a shell, a site, whatever.

It's unfortunate that these sites (Treasury and UK mortgage) were built around this time, but also shows that with all the progress with tech, security is still glacial in places. And like all tech, we get stuck with trends for a while (like skeumorphism in ux design).

christophilus
0 replies
14m

Incidentally, you could find the hidden input in developer tools, and just type your password there like a normal person. But yeah. That site is so bad that I never bought more ibonds even though they were a great deal.

PKop
0 replies
3h42m

You could open dev tools and modify the input then pasting worked.

xyst
0 replies
35m

“Please enter the characters in the 31, 98, 102 position…”

I think this is a “the password game” requirement.

kevin_nisbet
0 replies
3h17m

That's a good one. One of my personal favorites was a device that truncated long passwords in the set password function. Didn't take too long to figure out what happened but I was worried for a moment I wouldn't be able to unbrick that device.

Seanambers
0 replies
4h37m

Ran into the same thing with Santander Bank in Poland. I have been online since the 90s never seen that password scheme ever anyplace else. It´s like who comes up with this insane shit.

delecti
18 replies
14h50m

My bank introduced "usernames" at some point, breaking login with email addresses, but didn't document this fact, or enforce that usernames not be set to email addresses. For a few months, every time I went to login, I had to use the "find my account" function, and each time I would again set my username to my email address (and why wouldn't I, it had been my login credential for nearly a decade by that point). At no point did it ever enforce a restriction on the @ or . in the username, until I went to login. It took me literal months to figure out and set it to something else.

This is Capital One by the way. My account was originally ING Direct, then Capital One 360, before being fully incorporated into the rest of their nonsense, and I assume that's related to the username situation.

EduardoBautista
12 replies
13h9m

At a Mexican bank, Banregio, there was a character limit to the username on mobile but not on web. So I originally had a username that was accepted at registration but not when I tried to log in on my phone and it wouldn’t allow me to input my entire username.

Edit: The issue was with the password field, not the username.

cuu508
7 replies
12h16m

Speaking of character limits, my bank, Swedbank Latvia, used to have a 16-character limit on passwords. After lots and lots and lots of pestering over various channels, they finally fixed it. But the "fix" was to add a maxlength attribute on an input field. So the field will accept the 16 first characters and ignore the rest (password fields are masked so the user cannot see the field is not accepting their input). So yes, I could now set my password to "SwedbankSecurityExperts", yay. But I could later log in with "SwedbankSecurityIncompetence" as well...

vladvasiliu
4 replies
11h20m

Well, 16 isn't so bad. Here, in France, BNP accounts must have exactly six digit passwords. They're also incompatible with password managers: you have to click the number on a visual number pad.

sebastiennight
1 replies
1h1m

Maybe it's a French law or something.

I've had business and personal accounts with SG, La Banque Postale, BoursoBank and CIC and they all worked with those 6-character "visual number pad" logins.

vladvasiliu
0 replies
43m

I doubt it. N26, which is granted a "new bank", doesn't have that, even though it now has an actual French subsidiary, complete with French account numbers. My password with them is way above 6 characters, and contains numbers, letters and symbols. The login page has a regular password field.

I think the others are just copycats. Someone must have come up with this first, and the others figured "yeah, that looks so secure, let's do that, too". If I had a penny for every CSO who justified some stupid "security" idea with "everybody does it, why shouldn't we?" I'd be so rich I wouldn't care about this crap anymore.

Teever
1 replies
4h48m

Surely that must afoul of some sort of French laws regarding accessibility?

How are blind people supposed to use this UI?

vladvasiliu
0 replies
1h18m

To be honest, I'm neither a web dev/designer nor do I have bad sight, so I admit I don't really know how accessibility works. I expect this to be compatible with screen readers somehow, they even say they take this seriously. But from a quick glance at the Accessibility tab in Firefox, I see many complaints about "interactive elements must be labeled".

Obviously, if the computer reads aloud the password as you type it, it's an absolute win for security, and I'm sure some PMs somewhere are quite content with a job well done.

For the curious, here's the login page: https://mabanque.bnpparibas/fr/connexion

CorrectHorseBat
1 replies
7h20m

At least you can login. Alipay in China has (or had, it's been a while) a max length of about 16 characters for your full name, but when linking to your bank account it compares with the whole string, so any name longer than 16 characters will always return false.

Apfel
0 replies
4h42m

I've spent a lot of time in China over the years and most of their tech systems are built on the assumption that only Chinese folk will ever use it. In this case, the vast majority of Chinese people have a 2, 3 or 4 character name ('why would you EVER need 16, silly 老外?')

It's a bit of a 'Foreigner in China' stereotype to whine about how absurdly difficult it is to go to e.g. the bank or a hospital as a non-native because it happens so often.

waterproof
1 replies
12h52m

USAA had a similar issue for some time, but with the password field. One interface (web or mobile, I don’t remember) would silently truncate the password. You couldn’t even tell it was being truncated because it was all **!

EduardoBautista
0 replies
11h20m

Actually, looking at the credentials in 1Password for this bank, my issue was with the password field, so similar to USAA. Mobile had a 15 character limit.

fragmede
0 replies
11h10m

I had that problem with a major US bank. Copy and pasting or retyping the password worked, because doing so hit the client side JavaScript that truncated the password. If the password manager filled it out, it wouldn't work because it bypassed that JavaScript.

MSFT_Edging
0 replies
3h26m

At some point paypal had a character limit on the password, but wouldn't warn you when you set the password. So I set a long password, and was denied entry when using it, until i figured out the limit.

Ex, i created the account with "mySuperAwesomeHunter2Password".

But the limit was somewhere in the middle so I had to enter "MySuperAweso" to log in.

They fixed it since then but I stopped using it except as a payment proxy. No money will ever be stored on paypal after that nonsense.

dilawar
3 replies
11h46m

This is nothing.

My bank account (HDFC india) starts with 00. Dare send it to any accounting person who will copy paste it into an excel sheet and bang.. the prefix 00 is gone. Now they will complain that your account details are wrong. Took me a few months to figure out what was really going on.

toss1
0 replies
4h3m

Yup.

Here in USA, Citizen's bank, iirc a subsidiary of Royal Bank Of Scotland, has had a bug for years that prevents me from changing my password. The only way to do it is via a series of tech support calls, despite the fact that they've had an open ticket for years. The source of the problem? Can't do it on an account where the email address (not the username) has a less-than-3-character-long name, as in "ab@mycomain.com". I own a small company and setup initials for easy-to-use email addresses, and found zero problems anywhere else in the world. But these clowns seem to need "abc@..." to function correctly.

I've found bankers tend to not be the brightest bulbs in the box, and this is but one example.

ryoshu
0 replies
5h20m

Had a similar thing happen when my small regional bank was rolled up through a couple M&A's and I have 00s and my regional account number remained. If I ever have to call them I have to explain the situation because when I start with 0s they don't believe me.

ctxc
0 replies
6h6m

Not to mention the disabled copy pasting.

hypercube33
0 replies
2h6m

Up until a few years ago WF didn't process case in passwords. you could set your password to Hello and log in with hello

bongodongobob
10 replies
14h18m

Mandatory password change intervals.

Hasn't been best practice for a decade.

Insane rules for constructing passwords.

There needs to be a minimum standard. Generally length is enough, but the special character type stuff is annoying.

Completely undocumented password requirements that you just have to figure out by trial and error.

I haven't come across this.

Complicated error messages full of security jargon. "Secret Questions" that you can't remember the answers to.

That's a you problem.

Y'all complain about password breaches but want to use Mypassword69! for everything. Pick a lane.

smohare
5 replies
14h3m

I encounter some bogus undocumented password constraints probably half the time I create an account. Usually it is a maximal length requirement that is not mentioned in the error message.

Don’t defend these idiotic practices.

bongodongobob
3 replies
13h14m

I'm not. The only time I've seen a maximum length password was like 10 years ago on Dell's IDRAC I think? I just don't think the complaints being thrown out here are good arguments.

pasquinelli
1 replies
13h9m

i just had it happen day before yesterday to create an account for a service to do a background check for a new job. it rejected my password without saying why and i could only get past it by shortening it to 15 characters.

and then the deeper question is, why do i need to create an account for this?

bongodongobob
0 replies
12h49m

Not defending the max length, that's stupid and probably some old AS400 thing that got built into the system, but the account is for auditing obviously.

tsimionescu
0 replies
12h10m

Look at Microsoft's personal accounts (live.com or whatever they are calling it this week) - they still have this limit.

pasquinelli
0 replies
13h12m

password too long is such a stupid reason to reject a password

troupo
2 replies
13h13m

but want to use Mypassword69! for everything

That... That is literally what these "security practices" force you to use. You literally used an example of the ubiquitous "at least one uppercase letter, one special character, and one digit" requirement

bongodongobob
1 replies
12h55m

And I think that's fine. Unless you're going to ask for 24 character passwords. Pick one.

maratc
0 replies
6h46m

correcthorsebatterystaple is 25 characters though.

gpvos
0 replies
8h45m

> Hasn't been best practice for a decade.

This entire thread is about places that clearly have no clue about best practices.

> I haven't come across this.

You sweet summer child...

robertlagrant
9 replies
23h0m

This isn't engineers doing that. It's CYA IT cyber policies.

SahAssar
7 replies
21h51m

Sure, but a lot of engineers aren't completely blameless. They should push back and explain why these are bad choices just like I would expect a building engineer to say to me that cardboard is not the ideal load bearing element for my skyscraper.

If the company still pushes forward with bad choices its on them, but they should be clearly informed how and why those choices are bad.

harimau777
6 replies
21h1m

Pushing back is a great way to lose your job or get past over for pay raises.

SahAssar
5 replies
20h29m

In bad orgs, yes. In good orgs you get appreciated for speaking up and communicating what will be future problems.

recursive
1 replies
14h57m

Ok and? Some people work in "bad" orgs.

stoperaticless
0 replies
13h19m

We all can choose to either just follow orders or try to influence the direction.

Some caveats: 1. Nobody will be convinced to change the position on the first attempt, but seeds of knowledge can be planted in other peoples heads and some of those seeds will bear fruit later. 2. Being not nice, shuts down the passageway of ideas.

Spooky23
1 replies
9h21m

Usually this nonsense is driven by regulatory inertia out of control of the org.

SAI_Peregrinus
0 replies
4h30m

It's usually driven by industry standards, not government regulations.

sigseg1v
0 replies
5h0m

Many large orgs, even if individual companies are doing "fine" (not gonna say perfect, but also generally competent) have a parent organization that manages all this audit and policy stuff. In my experience the parent org is nearly impossible to change from the direction of bottom-up. I can get someone to forward an inquiry to them but it takes forever and from their side it's going to look like "hey boss, so, 4 of the 5 subsidiary companies passed the security audit already 2 months ago and the 1 that didn't pass is trying to tell us to modify the policy" to which they'd say "how did nobody else mention this? sounds like they are being difficult. Can we just hurry them along? The audit is already overdue and we need all companies passing for this quarter" and the response you'll get back is essentially "deal with it"

vips7L
0 replies
13h57m

All in the name of audit check boxes.

meroes
9 replies
22h45m

So far https://studentaid.gov/ is the worst I've come across (I don't want to enter fake info^ and I can't duplicate my account to double check the requirements). From memory it was something like:

1) No words! 2) Can't reuse last 24 passwords 3) Excludes some special characters 4) 5 Security questions 5-10) Several other password requirements

Are the security questions case sensitive? Who knows.

^ "I understand that I’ll be required to certify that the information I provide to create an account is true and correct and that I’m the individual I claim to be. If I’m not the person I claim to be, I understand that I’m not authorized to proceed and that I should exit this form now. If I provide false or misleading information, I understand that I might be subject to a fine, prison time, or both."

wizzwizz4
5 replies
21h49m

Hopefully "Fakename Q Notarealperson" won't get me arrested… Here's the password help message:

---

Your password must be 8 to 30 characters in length and must contain at least one uppercase letter, one lowercase letter, and one number.

Your password is case-sensitive.

You can’t use personal identifiers such as your first or last name, date of birth, or Social Security number in your password.

---

Here are some error codes the API returns:

  ["NULL_USERNAME", "NULL_EMAIL", "PWD_ILLEGAL_CHARACTERS", "PWD_CONTAINS_SPACE", "NULL_CHALLENGE_QAS"]
The UI doesn't expose the password error codes. It just says “You entered an invalid response. For more info, select the help (?) icon.” (The NULL_USERNAME and NULL_EMAIL errors seem to be spurious in this context.)

airtonix
1 replies
10h11m

thank god it returns error codes.

i hate apis that only return strings meant for UI display only.

notpushkin
0 replies
3h30m

If only the UI did display anything useful here too!

meroes
0 replies
21h42m

Hmm I just made an account two days ago and it told me no words allowed in the own. The email link they sent me to sign up no longer works, so maybe they changed something?

mejthemage
0 replies
5h36m

Reminds me when my daughter made her Roblox account. They had some rule "don't use your real name" but they never asked her for her real name, so couldn't validate. They would arbitrarily fail a lot of chosen usernames that were made up fake names.

When she tried a variation of "Taylor Swift" it worked fine.

jagged-chisel
0 replies
21h30m

So I had to guess that spaces weren't allowed?

lostlogin
1 replies
22h7m

If I provide false or misleading information, I understand that I might be subject to a fine, prison time, or both

Enter your password wrong and you're off to jail?

thaumasiotes
0 replies
11h2m

Might, not will.

globalise83
0 replies
11h58m

Stud3ntA1d24 here we come!

tetrep
8 replies
21h11m

Just think of all the nonsense you have to deal with in the name of "security."

Well, the good news is that everything you listed is known as a bad idea to both end users and people who understand security (which is, sadly, not most people who implement security policies).

Using 4 or more dictionary words provides excellent password security and you can do the same for all of your security answers too. There's a variety of free and paid for password managers that solve the issue of trying to remember all your secrets (great for backing up 2FA secrets too).

I'm not sure what you mean by "complicated error messages" but I assume it's errors that they expect the user to fix themselves, otherwise they could return a generic nonspecific error and a unique ID for you to provide when you contact support to get help. While it sucks to get jargon spammed, I feel like pretty standard human ineptitude at explaining an error rather than anything specific to security. I also think it's how many people feel about any error message that contains computer jargon (PC LOAD LETTER!?!?).

I often wonder how they get away with it all.

My thinking (and experience...) is that most organizations are failing at a lot of things at any given time, even if the business overall is successful. Security is just one of those things. I wouldn't be surprised at a small elite organization not following that trend, but any sufficiently large organization is going to have incompetent people doing incompetent things.

tdiff
4 replies
11h7m

Is there actually some "professional consensus" on password reset policies (in form of report or journal article or something similar)? If someone could share, I'd love to refer to it in my org to stop resetting passwords every n months.

pdw
1 replies
9h13m

There are the NIST guidelines on "memorized secrets" (passwords): https://pages.nist.gov/800-63-3/sp800-63b.html#5-authenticat...

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

It has much to say on all kinds of other password nonsense:

Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well.

Truncation of the secret SHALL NOT be performed.

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret.

In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered.
tdiff
0 replies
1h50m

Thanks!

tdiff
0 replies
1h47m

Thanks!

Dylan16807
2 replies
15h56m

Using 4 or more dictionary words provides excellent password security

I would not call 44-48 bits "excellent". It works if there's a good password hash being used, but if someone left PBKDF on basic settings then a GPU might be able to do 50 million guesses per second, or for a plain old salted hash 50 billion guesses per second.

norgie
1 replies
13h6m

How does that math work?

Dylan16807
0 replies
12h53m

The bits, I'm assuming a list of about 2k-4k words. The XKCD example is 2k, so 11 bits per word.

The guesses per second, I looked up some hashcat benchmarks to get a rough range.

racked
5 replies
13h52m

Microsoft SSO/auth flows have that feel in general. Really feels like something hacked together. Some examples from the top off my mind:

- In MS Authenticator, having to click on each subject rather than just showing the code immediately. If Google's Authenticator can show the code, why can't MS's?

- Azure DevOps randomly redirecting to the login form and back while already logged in.

- Azure DevOps randomly opening an authentication popup (presumably some SSO stuff) and closing it again

- Clunky-looking Office365 account management flows

Sylamore
1 replies
12h36m

MS Authenticator will show the codes for TOTP if you go to the hamburger menu and select "show codes".

racked
0 replies
12h24m

Hah, you're right. Thanks!

vladvasiliu
0 replies
11h4m

I only very rarely use Azure DevOps, but that seems tame.

If you have multiple accounts open in the same browser session, regular Azure portal won't remember which one you chose when opening in a new tab. If you got to a new tab by clicking a link, it will send you to select which account you want, then helpfully send you to the portal homepage, forgetting the initial URL.

Well, that was before. Since a few days, they seem to have improved the experience, since they no longer ask which account I want to use, but helpfully pick the first on the list. No, they still don't remember which account was already being used when clicking the link. And no, switching accounts from the top-right icon doesn't keep you on your current page but sends you back to the portal homepage.

Then there are other webapps which seem to implement their own login flow: they figure your session is expired, but don't allow you to switch accounts. The only way to use a different account from this flow is to sign out of the current one, which, of course, signs you out from everywhere. The solution is going to a different site, say myaccount, login with the second one, go back to the first site which now allows you to choose.

hypeatei
0 replies
6h9m

Yeah, DevOps is extremely bad with credential caching and refreshes. Sometimes after you elevate privileges, you'll see the privileged UI options and then they'll disappear on next page load.

Spooky23
0 replies
9h18m

Authenticator is buggy. When they made it easy to report vulnerabilities back in 2016-17, a colleague and I were able to pretty trivially compromise the product about 5 times during a PoC - and we weren’t trying to do so!

The worst one involved hitting cancel 8 times in a certain window, which you let you in. Lol

blackeyeblitzar
5 replies
12h13m

A few years ago Yahoo forced a password reset on old accounts. People had to remember the answer to secret questions from many years back, instead of the password they could enter correctly. And if they couldn’t guess the secret question, they were simply locked out of their email account. Utter insanity, but these types of quirks are everywhere still. Banks have strange password rules very often. And they may support only SMS 2FA. United Airlines still forces users to enter secret questions and answers. Medium has a bizarre “magic link” workflow. Etcetera.

thaumasiotes
4 replies
10h53m

What's especially terrible about this is that secret questions only weaken the security of your account, so someone doing the right thing will have provided a random answer unrelated to their life.

Years ago, I went through this process with Blizzard:

1. Blizzard started deactivating my World of Warcraft account on the grounds that I hadn't paid my subscription.

2. I would log in and pay for a subscription, reenabling the account.

3. (Steps 1-2 repeated several times. Blizzard never provided any explanation beyond the fact that, in their opinion, my payment was invalid, which it wasn't.)

4. After several rounds, Blizzard disabled the account completely, requiring me to contact customer support.

5. Customer support, for the first time, informed me that the reason my payment was viewed as invalid was that the preferred payment card on my account was set to a different card. The card I was actually using was also listed on my account, but it wasn't the preferred card, which made it invalid.

6. Since my account was disabled, I didn't have the option of paying with my preferred card. I had to answer my secret question.

7. Since I am not stupid, my secret question didn't have an answer. It was a long string of random characters which I didn't know. But customer service happily accepted my oral answer of "it's gibberish", defeating the purpose of the secret question.

So I guess the lesson here is that the correct way to answer a secret question is that you need to provide an answer which...

(1) Looks like a real answer when customer service looks at it, so that they have a better chance of rejecting someone who doesn't know the answer; but also

(2) Doesn't belong to the class of answers that would be easy for someone to guess, such as a car model when they ask you for the model of your first car.

These requirements are incompatible with each other. I don't know what secret questions are supposed to be doing. And I have to note that my assumption that there was no reason for anyone, including myself, to know the answer to my secret question would have been completely correct if Blizzard hadn't made the decision that using a payment card that was already registered to my Blizzard account was a sign of fraud.

gpvos
2 replies
8h52m

I generate five random words and store them in the comment field of my password manager. It ensures they are at least pronounceable when asked over the phone.

thaumasiotes
1 replies
7h44m

Have you tried providing five different random words and seeing whether the person on the other end will take them?

gpvos
0 replies
4h39m

The chance to do so hasn't occurred yet. Might be interesting to try, but it doesn't happen often enough and my priorities tend to be different when it does.

I thought up this schema after the last and only time I needed to use a secret question over the phone, when I read 32 ASCII characters to an Apple employee (which didn't work, but then they enabled a skip button for me to use).

amlib
0 replies
3h14m

You've probably just solved a mystery with my Minecraft account. A good while ago it got "hacked" while having a strong password (random and unique), plus all security answers were filled with gibberish, which I diligently kept backed up somewhere. At that time I also hadn't logged in for over 2 or more years. Eventually I got it back through a proof of purchase process, but I couldn't ever figure out why it was taken over. Since no other account got compromised, I could reasonably assume my computer wasn't either.

So I guess in the end their recovery process was susceptible to some good old-fashioned social engineering.

laserbeam
2 replies
5h45m

My bank password is 5 digits + MFA. I am FORCED to have it 5 digits. I can’t use any other type of passwords with them.

8organicbits
0 replies
4h42m

That has some nice attributes though. Five digits should be quite easy to memorize, avoiding written down passwords. Most phone PINS are four digits, so you avoid phone PIN reuse. Realistically, the second factor is providing the bulk of the security. If that's a typical six digit TOTP, and they validate the PIN and TOTP together then an attacker has a one in one hundred billion chance of guessing correctly (10^5 + 10^6). Add in rate limiting by account and IP address, account locking, and other tools and that's extremely secure.

You COULD have a longer password, but the extra entropy is probably excessive. It probably increases the chance of password reuse problems, so pragmatically it may be worse.

I wouldn't recommend this approach in general, however.

ahoka
2 replies
8h37m

“Mandatory password change intervals”

This is against all current commonly applied security recommendations (NIST, OWASP).

kayodelycaon
1 replies
5h47m

And the rest of the world hasn’t gotten the memo. Rotating passwords was best practice for so long that every standard required it. Those haven’t been updated. Until it’s considered to be actively harmful and you fail audits for it, it won’t die. :(

Tostino
0 replies
5h19m

I had to push back at my company after getting acquired multiple times that no, I am not implementing your much worse password policies that NIST has argued against for years.

All because some 15 year old security document said that's what all their products adhere to.

jlarocco
1 replies
19h40m

"This is what happens when apps are developed by engineers who don’t have a strong knowledge of customers"

I'd replace "engineers" with "product owners". I'm sure the engineers at Microsoft know some of the stuff they're doing is braindead and are unable to do anything about it.

surfingdino
0 replies
10h25m

It's likely that the subject of overwriting accounts has been discussed with business more than once, but the business are so stupid that they do not see it as a problem, or think that if anything goes wrong (as it inevitably will) they will loose their pension. So nothing changes. All software companies have an expiry date and Microsoft is a couple of decades past its own.

surfingdino
0 replies
10h32m

Don't forget "business objectives" i.e. making it work, but be incompatible with other authenticators and claim that other authenticators are inferior. Classic Microsoft FUD combined with low quality of product.

sgbeal
0 replies
7h41m

So many data breaches, information disclosures, they are in the news almost daily.

#YesterdayILearned the highly-appropriate phrase "breach fatigue."

mirekrusin
0 replies
3h11m

Something tells me those kind of mistakes are not done "by engineers" / "by developers" – who rarely have any saying at all and if they do they are ignored more often than not – more likely that's incompetent pseudo-architects and/or product owners/managers.

mejthemage
0 replies
5h46m

Those rules sound more like they were developed by admins that don't know proper security and so they add complicated rules to feel like they are improving security.

The only password rule that needs to exist is "use something you've never used before". That really does make it difficult for most users though.

indymike
0 replies
3h47m

Complexity is the enemy of both security and usability. I had a day last week where I had to authenticate 28 times to different services due to forced re-auths. No security benefit. None. It cost me 2-3 hours of my life. The IT team needs to realize their security is costing our company 4102avg_hourly_pay*26 for this. That’s a lot of money for zero benefit.

danparsonson
0 replies
2h19m

My favourite recent example was an app that made me create an account, and allowed me to provide a 24 character password, which then sent me a validation email requiring a login on their website, where a 20 character password limit was in force.

bgro
0 replies
2h25m

I’ve been reporting major problems nonstop for the past like 20 years. It usually takes me less than 5 minutes when I first learn of some new security feature to find a problem with it. Most of that 5 minutes is physically writing my email to security highlighting major oversights. I don’t know how these people get jobs and gatekeep me out of both hiring or my scientifically accurate and backed feedback for not passing the buzzfeed security quizzes for certifications. I’m otherwise a full stack software engineer.

Even my simple requests like not auto flagging emails from confirmed and fully validated Microsoft services gets denied because it’s “too hard” so everything except internal users and random whitelisted services like github and azure AWS is instead flagged as suspicious, causing alertness fatigue.

I’ve reported major logic problems to many major companies and usually the only response I get is an indirect followup email through HR or some other non technical people sent to the entire distribution list as a followup saying how it’s technically better than what was there before (it’s scientifically and mathematically not) and that we just need to do it.

I never get recognized or win bug bounties because there’s always some loophole where I didn’t actually help them and they just magically fixed the long standing issue by coincidence after I reported it.

Most recently, I discovered a “feature” with Microsoft OAuth that has a severe flaw and could essentially shut down all MS OAuth functionality, and all consequences branching from that. Still no response.

I’m not even trying to find these. They just keep getting in my way of trying to do work.

For example, I have to authenticate up to FIVE times per authentication, per authentication —- Auth syncing can be slow leading to multiple auth requests that would otherwise only need a single one to propegate.

5 authentications * 5 programs needing individual (slow-sync) auth = 25 authentications I have to already pass to be able to start standup or pass in order to un-hard-freeze my live demo to potentially hundreds of engineers.

Imagine driving your car, and the steering wheel locks when it loses internet connection (like in a tunnel or just randomly) or because the re-auth period has passed. Security devs don’t want to full stop the car because they’ll get yelled at, so just lock steering so they can’t steer home.

Well now if you’re on a highway, that’s pretty stressful and dangerous. But it’s like they are just salting the wound by adding a series of glitchy minigames where you have to first read all the spammy popup dialogs, and then solve a Baldi’s Basics math puzzle, and then rotate a ball to not be upside down (?) and then manually match a missile launch code.

8gt786gv87g
0 replies
3h52m

engineers typically do not understand people very well as a baseline. i think engineering attracts the type of people who struggle with social behavior. you can't make it work unless you filter those engineers out and companies do not hire engineers to understand the customer anyways.

companies hire data science to ascertain human behavior, but this is not understanding the customer. if you want to improve your products and actually understand the customer then start giving your customer service or customer experience departments a financial boost instead of treating them like the bottom feeders of the entire company.

I often wonder how they get away with it all.

unregulated industry + no union. tech workers practically beg to be exploited.

worble
25 replies
1d

This boggles my brain on so many levels - are you telling me Microsoft Authenticator only stores the entry based on label? It doesn't generate an internal key or anything? And then they claim that the issue is websites not putting the issuer in the label, but in the issuer field, where it belongs?

Is no-one at Microsoft actually using their own Authenticator? Unless I'm missing something, this would make it nearly unusable for almost all applications - as soon as you've used your email for one site you wouldn't be able to add it for any others?

alienchow
10 replies
15h35m

Along the same grain, Google, the search powerhouse, releases Google Authenticator with no search bar in the Android version. And continues to wilfully not include one despite multiple feature requests.

Yet there's a search bar in the iOS version. Just why?

I'm willing to bet that in that gigantic Piper repo, there's already a local search library that they could just drop in in a single CL. But that's not LLM.

whartung
9 replies
15h26m

When I bought a new phone and moved all my stuff over from a backup of my original phone, apparently the Google Authenticator doesn’t back something up.

When I launched GA all of my 2FA data was gone.

Thankfully I had my backup codes. And I could also still use the old one on the old phone. But the nightmare potential is quite high.

josteink
3 replies
10h27m

apparently the Google Authenticator doesn’t back something up.

This is widely known and IMO a very good argument to use a different TOTP/2FA app than Google Authenticator. There's plenty out.

Personally I use Bitwarden pro, which lets you add TOTP keys directly to the account you're using it for, integrating it into the login-process. Very smooth.

And it sync/backs up across all my devices.

felipelemos
2 replies
4h25m

One could say you shouldn't store the 2FA along with your password.

smitelli
0 replies
3h33m

Not the parent, but I look at it this way…

Something I have: the database file.

Something I know: the master password to that file.

I figure the sprit of the advice is preserved for the most part. (Doesn’t keep me awake at night, anyway.)

numpad0
0 replies
2h47m

But 2FA on a phone had been awkwardly okay. Could be because it's just too silly that adversaries can't take it seriously, but it's been okay.

ClassyJacket
1 replies
10h30m

Google authenticator is absolutely horrible. Until recently there was just no way to back it up, at all. If you were getting rid of your phone, well, tough shit.

alienchow
0 replies
8h32m

You just need to export it using QR codes. My keys were paginated into 11 QR codes when transferring devices.

They now have cloud sync, which I don't really think is a good idea. But it solves your problem of migrating devices. However I've already moved on to Aegis, because I'm done fling scrolling through my Mahabharata of TOTPs to find the correct account.

remolueoend
0 replies
10h42m

Aegis [1] seems to be a great alternative, at least on Android. Besides a search bar, it allows you to backup or export all your entries in an ecrypted vault. You can also include them in the Android cloud backups.

[1] https://github.com/beemdevelopment/Aegis

beng-nl
0 replies
9h13m

Yes, I was shocked by this too moving phones many years ago. I’m surprised things haven’t improved. I switched to 1Password for this reason; it backs up the 2FA seeds, and I only use it for storing the 2FA seeds, and when I need to use it, I copy-paste the numbers, and I don’t use it for passwords, retaining most of the 2FA factor separation. Switching phones worked (after entering my login, pw, and long master key in the new 1P install).

(My passwords are copy pasted from somewhere else, so admittedly not 2 different factors, but at least 2 independent ones.)

So in short, even though I probably use 1% of the 1P functionality, I can recommend 1P for replacing GA.

Cyykratahk
0 replies
13h54m

For a long time GA had no method to back up or extract the data. It also excluded itself from ADB backups. One had to root their phone to extract the data.

SoftTalker
9 replies
23h21m

From the article: "Microsoft hasn’t bothered to fix it because Microsoft Authenticator is a free product and therefore doesn’t generate revenue."

lostlogin
7 replies
22h5m

It’s actually worse than that. Given the opportunity to escape, I’m sure many would pay to to allowed to do so.

Entering multi factor hell just to get into Teams is something I’d happily pay to avoid.

tialaramex
6 replies
21h14m

Assuming you use Microsoft Entra ("Azure Active Directory" as was), get your employer to enable the "preview" support for Security Keys. Why is it off by default? Well it's actually secure, and it would never do to provide a feature out of the box that actually works without lots of fiddling about, this is Microsoft, the consultant's friend.

These seem to be relatively current instructions: https://learn.microsoft.com/en-us/entra/identity/authenticat...

Having found a friendly sysadmin to do this, ask them to specifically not "Enforce key restrictions" which is theory could let your empoloyer require employees to use a specific issued authenticator credential - are they going to buy every employee an authenticator from a named brand? No? Then this must not be switched on, easy.

Once this feature is enabled for you (you may be able to get them to switch it on for the whole org, or maybe for IT or whatever department you work in) you should be able to enrol a new Security Key the same way you'd add other MFA.

So why go to all this bother? Because you can buy a Security Key that works how you want, a physical piece of hardware you own and can re-use - if you buy say the Yubico Security Key 2 in USB A, that goes in your USB A port on the laptop or dock and it just stays there. Its job is to be "Something you have" and the "Something you know" will be a PIN of your choosing (it literally doesn't leave your device, so corporate can't decide it should be the Password Game on steroids)

No need for a phone or other unrelated device, no opening fiddly apps, no transcribing codes, you type your PIN and touch the sensor. If a PIN is too much, some pricier options take fingerprints, so then you just touch the sensor (with the correct finger)

technion
1 replies
19h42m

Security keys don't work with android phones when you want to logon to m365 email. This is a showstopper for a lot of people.

fragmede
0 replies
12h35m

I moved the usb-c yubikey in my laptop to my Android phone and was able to login to my m365 calendar/mail/teams there, so it does work, as long as IT supports it.

franga2000
1 replies
9h59m

goes in your USB A port on the laptop or dock and it just stays there

If it's always there, then why isn't it just a file on the disk? Why should I need to buy a new piece of hardware and permanently sacrifice one of my USB ports. Client certs have been the "something you own" for decades and the main problem with them was that using them didn't involve any JavaScript, which is blasphemy in modern web dev and so they were killed (with the help of EU bureaucrats). And now that basically every computer has a TPM, you can even satisfy the "not extractable" requirement, which was the only actual advantage of a yubikey.

fragmede
0 replies
9h54m

That's what passkeys are.

userbinator
0 replies
15h36m

Or enable the option to use any standard TOTP authenticator.

lostlogin
0 replies
18h10m

Thank you.

mihaaly
0 replies
8h56m

Hermione Granger would say: What an idiot!

Only almost all and increasing number of their revenue producing product depends on this being reliable, or at least have no bad reputation being unreliable. As the reputation is what many corporate ballonheads only care about. Still, hurt that too in their incompetent bencounter singlemindedness.

tzs
1 replies
22h51m

Unless I'm missing something, this would make it nearly unusable for almost all applications - as soon as you've used your email for one site you wouldn't be able to add it for any others?

Yeah, something is not making sense here. I've got multiple accounts with the same email and just compared the codes from Authenticator, which is my backup TOTP app, with the correct codes and Authenticator agreed.

I did find a UI problem that could lead to a user getting the wrong code. When the first few accounts are on the screen and it is time to refresh the codes the ones on screen refresh every 30 seconds.

The ones offscreen do not. When I scroll to bring offscreen codes into view they show an older code. In one case the code that scrolled in was 4 codes behind the correct code.

Mathnerd314
0 replies
5h22m

I've scanned two Facebook codes in sequence, the second Facebook code overwrote the first. Maybe that is the issue.

mihaaly
0 replies
9h2m

They likely use for one account only, their MS account at work, where it is forced, but not elsewhere because they know it suck.

marcosdumay
0 replies
23h16m

Is no-one at Microsoft actually using their own Authenticator?

At most, I'd expect people to only use it for work, where Microsoft is the only issuer.

I also expect lots and lots of people to not use it.

franga2000
11 replies
11h1m

leaving IT experts wondering, ‘Why would you pick Microsoft?’

Well I can tell you why people pick MS Authenticator - it's because microsoft basically forces it on you, uses dark patterns to avoid letting you use any other standard OTP app and doesn't give admins the tools to disable it.

As an admin, I can disable every single MFA method individually, including TOTP, but Microsoft Authenticator is force-enabled. When users go to enable TOTP (or are forced to), the option is called "Microsoft Authenticator", not something more generic. The QR code they get is not a standard TOTP one, so any other client will reject it. There's a small link below it letting you "use another app" which finally gives you a real TOTP QR code. This is INSANE!

tjoff
1 replies
7h11m

And you have to do the "use another app" dance on every single login too... You know I have TOTP setup, you know I'm not using MS Authenticator.

To make matters worse(?), I have not been able to login to Teams at all in the last two weeks. I select "use another app" ... and nothing happens. Sigh.

It is astonishing how bad we can make software today. We used to at least try.

creshal
0 replies
6h1m

Works On My Machine (tm), your org's admin team probably missed a hidden checkbox that gets moved around between admin pages every odd hour (except on days divisible by 4, where it's missing entirely) (except during chinese new year) (except when that overlaps with a leap year) (except when an odd-numbered amount of users has the wrong license), but you can probably also do it powershell (except it's undocumented) (and deprecated)

...yeah, I don't know either why peopler dislike modern Microsoft.

devjab
1 replies
9h10m

I use the MS app for work, as it’s required as you say. I’m not sure our first-line support really minds though, as if people weren’t using this then they would be supporting a range of apps. It’s obviously unfortunate that it sort of sucks for them that they have to reset these things for people all the time, but I guess it’s the lesser of multiple evils.

That being said, maybe we should advise employees that they shouldn’t use it for personal things even though they have it as it sucks.

reaperducer
0 replies
6h5m

if people weren’t using this then they would be supporting a range of apps.

Or one single better non-Microsoft app.

But making people fear that using something else is complicated or expensive is how Microsoft makes money.

If you can't compete, confuse.

xorcist
0 replies
7h36m

Is this not how pretty much all IT megacorps operate?

Microsoft has historically pursued these aggressive embrace-and-extend tactics very successfully.

sschueller
0 replies
5h29m

We noticed this crap when we rolled out MS365. We immediately told all users to not use the MS authenticator.

The fact that Microsofts still hasn't fixed this should put in question their priorities in security and safety of all other products as well. This is just unacceptable.

ncr100
0 replies
10h37m

Lawsuit? Were these folks defrauded out of money due to the extra costs incurred?

kaveet
0 replies
10h43m

Microsoft admin isn’t my day job, but I dealt with this exact thing the other day—the toggles for Microsoft Defender MFA are spread across Entra ID policies, Registration Campaigns, per-user settings, and more Microsoft subdomains I’d never heard of. After two hours the best I could do was add a Skip button to the MFA prompt when our users sign in.

devjab
0 replies
9h10m

I use the MS app for work, as it’s required as you say. I’m not sure our first-line support really minds though, as if people weren’t using this then they would be supporting a range of apps. It’s obviously unfortunate that it sort of sucks for them that they have to reset these things for people all the time, but I guess it’s the lesser of multiple evils.

That being said, maybe we should advise employees that they shouldn’t use it for personal things even though they have it as it sucks.

Spooky23
0 replies
9h24m

In enterprise, subscription utilization is what pays the sales team. They are eventually get canned if you don’t use the suite.

They’ll send some goons to let the CEO/CFO know you are a spendthrift.

RcouF1uZ4gsC
10 replies
1d

Incidentally, this is why SMS MFA is so popular with users despite its security vulnerabilities.

Generally, unless you are targeted by someone with a sim swap, it is good enough. Most people won't be targeted, but do have a good chance of something going wrong that makes them lose their MFA key.

SoftTalker
7 replies
1d

Yep. It's simple, and almost everyone understands it. Like passwords themselves. Also the reason more secure approaches such as YubiKeys have never taken off in the general public -- they are just cumbersome and confusing.

leftbehind
4 replies
23h57m

We haven't had any issue getting all of our staff -- nontechnical users alike -- on yubikeys. As part of education we skip the PKI portion and just point out that it is "like your physical house key. You plug it in and touch it to turn the key to unlock"

close04
1 replies
23h40m

You probably use certificates and a company PKI to manage them. No need to stress if one is lost or locked, just revoke and whip up a new certificate.

At home Yubikey is probably synonymous to FIDO not PIV/PKI. No whipping up a new one if you lose it. You better have 3 of them enrolled at any time, and have at least one stored off site.

leftbehind
0 replies
23h18m

We enroll them as standard fido/webauthn - I hate the other modes.

I agree it requires significantly more work when you can't just call the locksmith for a new one -- IT -- if you lose one on your personal account you can only go get the spare key hidden under the doormat, a printed code in your safe, or lose the account.

SoftTalker
0 replies
23h42m

Yes, and our staff uses ssh keys (generally but not always without issue) and a commercial MFA app. It's one thing to get this stuff used in a controlled environemnt where you have a help desk or administrators who can do a lot of the setup. You just hand the employee their YubiKey or smart card and say "use this."

Trying to imagine your grandmother setting it up herself to be able to log in to her Facebook is another matter, and why these things have never worked for the general public.

Groxx
0 replies
13h16m

For business use, handing out yubikeys is completely reasonable - if they're lost or broken, the company is the authority and they can (and do) just re-issue a new one and work goes on with only a temporary interruption. They're easy to explain, fast to use, provide practical security, and are simple to recover in case of total failure.

For personal use, that equation is wildly different. Google isn't going to let you attach a brand new key, you've just lost your account forever because it rained.

JackSlateur
1 replies
23h43m

Most importantly: yubikeys must be bought

alistairSH
0 replies
23h13m

And carried around.

peanut-walrus
0 replies
22h31m

Honestly, the only way I see forward is FIDO with dirt cheap NFC cards as keys. Need to log in to somewhere? Get the card from your wallet and touch it to your phone/laptop. It has to be cheap enough that for any company with paying customers it makes more sense to physically mail them a card if they don't already have one than to support any alternative auth methods.

Most services won't even need a second layer of auth, if someone steals your wallet - do they really care about your reddit account?

immibis
0 replies
14h35m

I've tried enabling it two times. The first time my phone permanently broke immediately after enabling it. The second time it was stolen. Now I just rely on randomly generated passwords.

chaz6
8 replies
23h20m

When asked to set up TOTP, the first thing I do is scan the QR code with a QR code reader, and save the secret into my password manager, before adding it to my authenticator app.

gleenn
3 replies
23h17m

Does this actually work? I thought most TOTP codes were single use. Have you actually tried re-using them?

userbinator
0 replies
15h38m

The QR code contains the TOTP key, which is the seed that's used to generate the codes, which form a time-based pseudorandom sequence.

smitelli
0 replies
3h29m

You can absolutely scan the QR code with multiple authenticator apps (or copy paste the seed value into them) and they will all produce the same codes in the same order going forward.

Rychard
0 replies
23h13m

The initial QR code isn't a TOTP code, it contains the secret used to generate the TOTP codes.

esafak
1 replies
23h0m

1password lets you see it after you've saved it too.

n8henrie
0 replies
20h58m

As does Bitwarden (just "edit" and it is revealed)

sleepycatgirl
0 replies
23h16m

Oh, that's actually really nice, I should start doing the same thing myself

Nextgrid
0 replies
21h5m

However, this does reduce the separation of factors, if that password manager is the same one containing your actual password.

Depending on your threat model this may be an issue.

napsterbr
7 replies
23h47m

Something similar happened to me about a year ago when the Google Authenticator app automatically updated to a new version. I lost all my accounts in the update process. Definitely learned a few lessons there.

xandrius
6 replies
23h39m

This nightmare is why I always backup MFA QR codes and use those to add them to an open source app which let's me backup the data elsewhere too.

Sorry to hear that!

SoftTalker
3 replies
23h23m

Yep, any time I use an authenticator with an account I generate "backup codes" and keep them in my password manager. This saved me when I got a new phone and for some reason my Google Authenticator did not transfer to the new phone properly.

lostlogin
1 replies
22h4m

Google Authenticator did not transfer to the new phone properly.

This seems to be my normal experience with a new phone for MFA apps. I’m doing something wrong. That and setting up email are so dreaded that I hold off updating.

knallfrosch
0 replies
21h14m

Switching from Android to iOS for a phone, I found that Microsoft Authenticator officially doesn't support this. You can't backup, you can't transfer. Everything is lost, please start anew.

mook
0 replies
14h19m

I think they finally managed that last year, but only by syncing to your Google account: https://security.googleblog.com/2023/04/google-authenticator...

… Yeah I'm not sure that's very good for a 2FA app either. Offline backups feel better for me. I use something else for 2FA.

alchemist1e9
1 replies
4h55m

I’d be interested to hear details on that. I’ve been thinking of printing QR codes as backups.

xandrius
0 replies
3h27m

For crucial stuff, I take photos first and store them on my own nextcloud (with its own replication) and also copy them on a physical device. And my Android authenticator (andOTP) allows me to export encrypted backups (with password saved on password manager, ofc), which I then save on Dropbox.

If it's a MFA I actually don't care much about (security-wise), I simply save the token on bitwarden so it autocompletes for me (it defeats most of the main point of "multi" FA but I don't care about it to begin with).

Printing is not a bad idea, especially for backup, if you put them in a fire-proof safe or something. Make sure to give each a name to know which service they are for.

magicalhippo
6 replies
1d

I've been using Microsoft's one for my work accounts because, well, we're elbow deep into Office365 so why not.

I've never gotten that dialog, and have not had any issues with the accounts I've added. Since they're my work accounts, 99% of them share my work email as account name.

So does that mean I've just been lucky, in that the sites I've signed with have provided a sufficiently unique label? I feel I didn't fully get what the issue is.

prng2021
3 replies
20h51m

Seems like the bug is specific to the iOS app when scanning QR codes.

magicalhippo
1 replies
18h27m

Ah, using Android so I guess that's why. Weird though, given that Microsoft claims it's an intentional feature. Why wouldn't a feature like that be implemented in both platforms?

Even though it might be a dumb feature as seen from the users POV, it seems sufficiently special that it's something that I would assume one would want to have feature parity on.

mattmaroon
0 replies
2h44m

I’ve been using MS Authenticator for a long time, mainly on iOS and I’ve never experienced this bug.

trustinmenowpls
0 replies
12h8m

That's me (iOS scan the QR code) and I've never encountered the bug either.

muststopmyths
0 replies
23h53m

Same. 3 personal accounts use the same email address. Two of them are FAANG and it all seems to fine (for going on a decade)

mihaaly
0 replies
1h42m

I wanted to use a hardware key as 2FA but naturelly not all systems support it or not well enough (maximum of 1 key to register, are you f serious!!?), then had to choose something beacuse tick tock, this is not something that brings in bread to the family just a f nuisance to dig myself into what is out there and how good they are, just to be able to log in, what the hell, MS was mandated in a previous place, lets go for it, I wasted too much time already by trying to use my online accounts, not using it for meaningful work while playing with this sh around.

The whole online identification is seriously unreliable and full of big wholes, and much bigger risks, yet we build our whole life on top of it. Still using passwords after decades (Yes. Decades!) of serious harm caused by insecurities with it, and trying to patch with plasters or just some paint?! We are so damn stupid, almost no week goes by without some online system gives away serious bits or complete set of personal details of the masses easy to abuse and we just sit in the middle of the burning room like the coffee sipping doggy with that stupid hat and smile in the meme 'this is fine, this is fine'. Lets choose some longer than 8 character password, different for all system just to be safe, we are going to be fine, we are going to be fine.

KMag
5 replies
11h19m

I lost a few GMail accounts because I changed countries and computers since I created them. I tried logging in, Google said my password was correct, but both the device and the IP were unfamiliar. I don't recall exactly what was wrong with using the recovery address to recover from the problem, but that didn't work, despite my still having access to my recovery email address. I think I might need to be able to tell Google what my recovery email address is, and I may have used one of those randomized + suffixes to my recovery address.

I used to use Google Authenticator with my GMail accounts, but disabled that out of fears it's just one more thing to go wrong, with Google providing little recourse.

My password is a bit over 96 bits of entropy, generated by extracting 256 bits from /dev/urandom as a multi-precision integer, divmod'ing to extract one instance from each of the character classes (digit, lower, uppper, symbol) and then the rest from the combined alphabet (digit + lower + upper + symbol), and finally the leftover entropy used for Fisher-Yates shuffle of the password so the first digit isn't always a digit, etc. Passwords are per-site, stored using a gpg-based password manager I wrote in the early 2000s.

MFA would still help for some types of ongoing active compromise, but not for dumps of password hashes from a DB compromise. It really kills me that recovery from my recovery email address doesn't work, even though I know my password.

Honestly, if you haven't logged in from anywhere in a few months and you have the correct password, they should at least just send some verification link/code to your recovery address without requiring you to tell them your recovery address. Sure, maybe don't say where you're sending the recovery link, but turning the recovery address into another password you need to memorize without ever telling you it's some weird combination of recovery email address and recovery password is just highly annoying.

aflag
2 replies
9h15m

And the fact that there's no one to talk to means that if computer says no, that's it.

alchemist1e9
0 replies
4h59m

There is absolutely nobody. It’s crazy. Realizing how dependent I am on gmail has been scary.

I’ve started a project to attempt to move to my own domain and self hosting full email stack. It’s a huge amount of work. However the power Google has over me, should my gmail account be hijacked or turned off is incredible.

Starting from the bottom is the security of the domain registrar and DNS records. It looks like there are some good options, though obviously with additional price. Basically you have to use the corporate services with additional security features.

The self-hosting email and server security is something I have the background to handle.

8organicbits
0 replies
3h59m

I recently tried Google support for an issue with an out of support Pixel I was messing with. I assumed I'd get a "sorry that device isn't supported" response, but they gas-lit me, claimed that they could help, and proceeded to send me completely unrelated links until I gave up. Links unrelated to the Pixel and the problem I was facing.

I think I was talking to a bot and they made it appear human by slowing everything down so the whole exchange took 30 minutes, but maybe it was just a human following a script. Either way, it was worse than if they didn't have support since they just wasted my time.

notRobot
0 replies
5h9m

You would have received a notice to your recovery email when you added it to the account in question and you might be able to find that email in your inbox and figure out the randomised suffix in the "to" field.

mihaaly
0 replies
1h55m

Damn! I did not know that.

I set recovery address to an other (dormant) gmail account, just to aggravate the risk put upon me! :D (I do not trust google now with more data than I already given and must give, see later)

I need to speed up the migration of my email life to the paid account I initiated and testing (protonmail) because some serious problem could emerge otherwise (there is an international move on the horizon). I started to give gmail to various governmental (taxation, healthcare, authorities) organizations when it was innocent, as contact of the account used for light things at the time, when everyone started to discover how to manage bureaucracy online. Which succeeded and my gmail became an important tool managing matters throughout some international moves. Some accounts here and there are dormant but still with important matters that I might need once (how is it with that many years valid Australian travel authorisation or what that I did not need last year?...). Still gmail was innocent enough, despite the mass surveillance sped up, which was a bit inconvenient feeling but rarely got any real secrets or deeply persoanl matters apart from the fact I have dealings with that organization here and there. But now, as online administration is borderline mandatory being other means left to the bare minimum (when I am sent online in an office for something, that's a turning point in mind) or in other country. Gmail is very inconveniently in the center with all the worrysome things their automated bots carry out against unsuspecting user without mercy and appeal, that the migration process had to be started. Hence test with protonmail. But it so damn widespread now, I have not enough time going through all, some forgotten and need to dig into faint memories, it is torture. But has to be done. Has to be done.

Our twin girls should not be put up with the mercy of google bots when they get into the age of requiring email for official matters.

vladvasiliu
2 replies
11h23m

Interesting, on iOS it didn't even ask to use the location.

Do they do it because they can? Haven't used Android in a long time, but I had the impression that they also introduced finer-grained permissions, as opposed to blanket approve / deny everything the app asks for.

rmholt
1 replies
7h26m

Android definitely has fine grained permissions. In fact my phone asks me each time a new app wants to use my location. Interestingly enough, I don't recall seeing a location prompt for Google's services

vladvasiliu
0 replies
6h44m

I don't recall seeing a location prompt for Google's services

I don't recall a prompt for Apple's services, either. But you can revoke the permission, at least for some of them.

Mathnerd314
0 replies
5h21m

This report lists trackers signatures found by static analysis in this APK. This is not a proof of activity of these trackers.
jokethrowaway
2 replies
19h48m

Are we again in a Microsoft 2000 phase? It seems like everything Microsoft is broken these days.

GitHub barely works after the acquisition. Azure is a joke. Teams is the bane of my existance. Outlook is the second one.

Do they need to ask harder leetcoding problems during the interviews?

resource_waste
0 replies
3h7m

Microsoft is a legacy company and soon to be zombie company.

I think you'd be out of your mind to start a new company and use Microsoft for anything except Excel.

The only reason my company seems to use it, we have software from the 2000s that only runs on Windows. Maybe there is some backdoor bribery going on, because someone decided sharepoint was a good idea.

FridgeSeal
0 replies
9h24m

Are they actually capable of releasing anything good?

I guess C# isn’t horrible? It’s far from a language I want to use, but it’s not teams level of atrocious, so they’ve got that going for them I guess.

VSCode is pretty good, but not good enough to stop me migrating off the second a more viable editor arrived.

Word and office have degraded into a “doesn’t aggressively fail” sort of scenario, so they’re not “good” they’re just incumbent.

concernedctzn
2 replies
14h59m

using microsoft authenticator I just ran into this recently and searched to find it's a known issue that microsoft has no announced plan of fixing. Strange to see it pop up here separately, I guess it's becoming more common. I knew to cancel the dialogue and manually add the account without the QR code to workaround it but I'm sure plenty of people will have their accounts locked because of this

datavirtue
1 replies
14h23m

I need a good authenticator app, I guess. I'm using Microsoft's and have a lot of different stuff in there. I may have run into this already but don't know it.

pndy
0 replies
5h38m

Try 2FAS - it works without cloud, can import from few other apps (sadly not from Microsoft one) and can export from and import to a file. Works on Android and iOS

https://2fas.com/

__jonas
2 replies
8h12m

Odd, I just received this email from MS that looks a lot like phishing but seems not to be?

Action required: Enable multifactor authentication for your tenant by 15 October 2024

You’re receiving this email because you’re a global administrator for [Literally a UUID here, no organization name or anything] Starting 15 October 2024, we will require users to use multifactor authentication (MFA) to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center. To ensure your users maintain access, you’ll need to enable MFA by 15 October 2024.

If you can’t enable MFA for your users by that date, you’ll need to apply to postpone the enforcement date. If you don’t, your users will be required to set up MFA.

Action required

To identify which users are signing into Azure with and without MFA, refer to our documentation. > To ensure your users can access the Azure portal, Microsoft Entra admin center, and Intune admin center, enable MFA for your users by 15 October 2024. > If you can’t enable MFA by 15 October 2024, apply to postpone the enforcement date.

The thing is, I'm not administrating any organization with Microsoft.

I have a private office365 family account or whatever it's called, and I have 2FA set up for my account, I have no idea what they are on about, especially because the email doesn't contain even my name or the name of the supposed organization, just some ID.

It's definitely an Email from Microsoft though.

cheschire
1 replies
7h31m

Login to azure portal. You should see a similar message that redirects you to the relevant resource

__jonas
0 replies
4h7m

Spot on! It was in fact some Azure account I made years ago, in hindsight, it did say to log into the azure portal right in the email. The random UUID instead of salutation threw me off a bit.

NotACracker
2 replies
22h19m

I've just made a test: multiple accounts using the same account/email and there is no conflict.

I even have a matching icon of the issuer for each entry; the issuer is registered for each entry.

I am using the MS Authenticator for years and I've never had any problem of that sort, and of course, I am always using the same email as my account/username.

Anyway, I'm just putting the result of my test. It's not like this going to change your mind about the authenticator or Microsoft itself here...

3np
1 replies
15h40m

Which platform? Supposedly the issue ("feature") is specific to the iOS version?

NotACracker
0 replies
14h3m

Android

CatWChainsaw
2 replies
21h44m

A whole different type of "too big to fail", and a great demonstration of why putting the keys to your kingdom in Microsoft's/Google's/Apple's hands is a stupid idea.

halfcat
1 replies
21h8m

Is AWS any better, or what’s the solution? Most businesses aren’t technical and don’t need to be in the authentication/security business.

CatWChainsaw
0 replies
20h50m

Greetings fellow feline, I am a microbiologist not IT. In that capacity, the only general suggestion is to have redundant authentication measures that cannot all be crippled by one source like this. I can't imagine it's popular, or easy, for a company to want to be able to use multiple authentication schemes, but this sort of situation shows why lock-in is a bad idea.

todotask
1 replies
8h25m

When I tried to sign up for Hotmail account, the challenging step I have to solve isn't friendly for my impaired eyesight.

tropicalfruit
0 replies
8h16m

this is really a serious problem.

some of those captchas are bordering on hostile.

a lot of things are designed with total disregard for access

try to zoom your phone and half the buttons your apps will disappear

enable "zoomed" on iPadOS and you can longer scroll to the bottom of long settings menus.

so many things

briffid
1 replies
9h3m

I have many accounts with the same user names, and they don't get overwritten. There might be some design flaw somewhere, but it's surely not what the article states, ie. that you cannot have the same username on different sites.

mattmaroon
0 replies
2h43m

Same. I mean I don’t doubt some bug exists, but I use it on iOS, almost always with QR codes and the same email address with no issues. I quite like the product. I switched from Google and it’s been much better.

I am sure whatever is going on, it’s a bug and not a feature.

xattt
0 replies
4h50m

I don’t see what the issue is. People could plan ahead and just write the six digit code in a notebook as a backup.

/s

websap
0 replies
28m

wait a second, what? If I use the same email for another account, I could get randomly locked out from some other account.

I just checked my app., there are 2 different emails for 2 entries, other entries are provider specific.

Is there a good way to migrate from MS Authenticator and what options do I have?

One of the entries without the Issuer correctly set is Outlook.com itself. WTF!

todotask
0 replies
14h31m

One of this reason, I can think of having Passkey can be a better advantage over relying on centralised account management?

ta988
0 replies
3h48m

This is not a software engineer issue, it is a product manager issue, whom relentlessly ignored users' complaints.

t00
0 replies
12h4m

Even for Microsoft accounts, use an alternative app for 2FA/MFA. Recently I switched to the open source Aegis, which allows encrypted backups and does not have the issue described.

nottorp
0 replies
10h16m

Yes, when you add one more device between you and your data you are now dependent on it functioning correctly.

Today it's a MS fuckup, but any such system could malfunction.

motohagiography
0 replies
20h31m

some security products seem like they are designed to discredit security as a field. imo the market is just at the point of backlash against the decadent stupidity in that cost centre. if you are going to humiliate people by making them jump through hoops 10x a day with context switching 2FA tokens and make serious people with educations and responsibilities use words like "smishing," you better be sure that hoop is the finest example of engineering anywhere. the solution has become the problem. I'm calling the peak.

mihaaly
0 replies
9h10m

"it was the fault of users or companies that use the app for authentication" MS said.

Spot on right. They should have been more prudent in selecting services. Absolutely right, users' and clients' fault it is!

You see a smug bastard company that hurts the client they live on because they provide faulty service, they hurt repeatedly, in thick queue throughout time, for long time, fault after fault after fault and just release the smear the responsibility elsewhere department on the clients complaining, whatever the official title of this department is, PR or whatever, while the issues are reported in news everywhere, publicised, then who would you blame? The company, or the clients still choosing the company against common sense and own experience?

The case touches me because I am approaching a job where I would not use Windows anymore, I am tired of the Windows ecosystem. It only makes life differently complicated, or many times more complicated, more difficult to do my job than without it. I have not enough time listing how many things they made much worse in the past decade or more that my every day is a swimm through the flow of piss MS releases day after day at all of us. They were better in some short period long ago, only partially still, after some very bad historic period, now they are determined that with hard work they will f up all what is left.

I have a friend working on the MS Teams. He is very busy, working hard, they will release some sort of AR meet feature, packed with complex and revolutionary (i.e. experimental) approaches so you could enjoy solutions that probably will work ok and not annoy you with visual artefacts and problems not eliminated before release, with the headset you require for it, probably will not be forced on you but likely annoy the hell out of you by the pop up promotions when you try to do your urgent job after a critical update. Who the f needs that? While the Teams is a mess to work with already with lots of noise and half cooked bloated whatevers already being a distaction, not helpful, not at all. Probably only the call quality is the only good in it by now, but that was purchased from elsewhere, that was given to them. They are so good making things too complicated and being unable making it well because it is too complicated to do well, too expensive, so let's just release a half cooked one and leave it there for decades (like the dialogs in Windows) and put the blame on elsewhere by the put the blame on elsewhere department put together precisely for this.

markuta
0 replies
30m

What's also annoying is that some MFA providers like Microsoft Authenticator and Authy lock you into their platforms, no export or offline backups features, at least without a rooted phone.

justinclift
0 replies
13h11m

"Microsoft is the Boeing of software."

Seems like an apt description. :)

issafram
0 replies
23h43m

ymmv, but I've never had this issue.

coding123
0 replies
15h23m

Has anyone else noticed it's not possible to have an account that you can log in anymore? Locked out by AI, locked out by suspicious activity, locked out due to lost phone, lost authy, broken everything. You drive an RV? locked out due to location change. You have a common name? Locked out. Have a foreign name? Locked out.

causality0
0 replies
4h1m

Well damn. I've used Microsoft Authenticator for years and just happened to have never used the QR code feature. Is there an easy way to migrate all the data into Google Authenticator?

breadwinner
0 replies
23h53m

This happened to me when I updated MS Authenticator after not updating it for a while. It wiped out all data, and I got locked out of all accounts. MS Authenticator is not a carefully written product.

arianvanp
0 replies
8h15m

Safari had a similar bug where it would just overwrite your passkey with no warning whatsoever -- completely locking you out of your account. It has since then be fixed but this caused me to lose access to my GitHub

https://bugs.webkit.org/show_bug.cgi?id=270553

Safari still has some bugs where it can't discern between websites hosted on different Subdomains except for hardcoded exceptions and it will override password of one subdomain with the other. Happens to me on a monthly basis.

ReptileMan
0 replies
21h19m

And keepass keeps complete history since the file was created. Someone was really sloppy in Microsoft in the design phase.

Obscurity4340
0 replies
3h39m

KeePass, peeps

NikhilVerma
0 replies
14h11m

A similar thing has happened with Twitter. After the Musk takeover and the removal of SMS for auth something has changed they keys of the 2FA authenticator. My old keys don't work and my "ticket" has been waiting on Twitter support (which were probably all fired) for resolution.

EGreg
0 replies
10h11m

I have been recommending for years that people have a DIFFERENT email alias for evey service

Email aliases look like yourname+somealias@gmail.com

This also helps avoid social engineering attacks when people call into your provider:

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...