Transcript

A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the Microsoft Authenticator app.

  • Comment105@lemm.ee · ▲4 · 1 hour ago

    If we’re headed into a chaotic and terrible time of uprising and war these next few decades, I hope among the things that get shelled and flattened, all of Microsoft’s offices are among them. It would be a shame if, like IBM nearly a century ago, Microsoft remains in the aftermath.

  • rmuk@feddit.uk · ▲11 ▼2 · 9 hours ago

    https://mysignins.microsoft.com/security-info

    Obviously it’s very fashionable to bang two saucepans together while chanting “microsoft baaaaad”, but for anyone interested in actually learning about how this stuff works: Authenticator will never use ‘itself’ to authenticate, but you can use a second, separate instance of Authenticator on another device to authenticate, which is what is happening here. If you use Entra (or whatever it’s called this week), go to that URL to see which MFA methods Microsoft thinks you have and if, say, there’s a copy of Authenticator on a phone you no longer own, or an outdated phone number, or whatever, you can delete it.

    • markstos@lemmy.world · ▲4 ▼1 · 2 hours ago

      Nothing in the UX here conveys that you should open a second Authenticator on a second device. And what if you aren’t logged into the second Authenticator? Is a third one needed on a third device? And if you aren’t logged into the third?

      The original TOTP phone apps don’t require their own login. The protection is provided by the mobile OS.

      Microsoft is making this so complex it’s not usable.

      • rmuk@feddit.uk · ▲1 · 35 minutes ago (edited)

        MS Authenticator also uses the phone’s built-in security and can also be used for plain TOTP without sign-in if you want. If you aren’t signed in on a separate instance it won’t offer Authenticator as an option. I think a reasonable person would have realised that based on my answer or, if you were really interested in finding out, from the documentation but I guess you bought those saucepans so you might as well use them. I suppose you’re right in a sense; if Microsoft really wanted to make the UX idiot-proof they’d have a link that says something like “I can’t use my Microsoft Authenticator app right now.”

        Out of interest, what happens if you lock yourself out of the completely free, open source and self-hosted app that has your TOTP codes? What recourse would you have that isn’t also true for MS Authenticator, or Google Authenticator, or any of the other ones?

    • MeThisGuy@feddit.nl · ▲1 · 3 hours ago

      or request/get a keyfob for the 2nd authentication?

      had to do that shit at my last job. and although tedious, it was better than installing an MS app on my phone

  • Robust Mirror@aussie.zone · ▲16 ▼1 · 14 hours ago

    This isn’t a Microsoft issue. This is a stupidity issue. Any authenticator you add 2 factor to, and then put the 2 factor in that same app will do this.

    • rmuk@feddit.uk · ▲3 · 8 hours ago

      Even better/worse, Microsoft will never send 2FA requests to the app that is requesting them. This user has a second copy of Authenticator installed somewhere else which they forgot about.

    • exchange12rocks@lemm.ee · ▲5 ▼1 · 16 hours ago (edited)

      One of the main features of MS Authenticator is native integration with the MS authentication system. Aegis doesn’t have such integration.

      • rbamgnxl5@lemm.ee · ▲2 · 2 hours ago

        That’s kind of the point…

        The less of their stuff I have in my life, the better.

        funny to me when people are like “I need that integration to automatically approve all auth requests because typing that six digit number in is JUST TOO MUCH MAN!!!”

      • ghen@sh.itjust.works · ▲4 ▼1 · 10 hours ago

        That sounds like a bug in waiting honestly. I don’t trust Microsoft that much

  • BlessedDog@lemmy.world · ▲33 · 19 hours ago

    Currently doing an internship at an establishment with 1300+ users using Microsoft Authenticator (required by policy). The number of times I’ve had this same issue is insane. Worst part is, when we provision someone with a new company phone, they have to go to the Google Play Store to download Microsoft Authenticator. The Play Store, however, requires a Google login to download apps, but the users cannot log in to their company Google account without Authenticator, creating a circular dependency. This unintentionally means every employee HAS to have a personal Google account to set up their company Google account… Stupid as hell.

    • federal reverse · ▲22 · 17 hours ago (edited)

      Why not just install the Authenticator APK some other way initially? Just give people a download from some random server you control.

    • rdri@lemmy.world · ▲4 · 13 hours ago

      Logically it should be perfectly fine to install the authenticator app on a personal device, if that suits the user. 2FA adds security to the password, but the password itself is not meant to be known by anyone else, including any other employee or any other company-owned device.

      Also, you can enroll mobile devices to Intune and have the authenticator app installed before the employee receives it.

  • TankovayaDiviziya@lemmy.world · ▲6 · 15 hours ago

    There are plenty of FOSS authenticator apps that can authenticate a Microsoft account hassle-free. I have been using one for years now.

  • Tash@lemmy.world · ▲82 ▼1 · 1 day ago

    Pretty sure you have another device registered with Authenticator here, and it is asking you to verify against that.

    It would be bad if somebody could just steal your username/password and then register their own MFA, right?

    • DarkSirrush@lemmy.ca · ▲12 · 17 hours ago

      So I recently had this happen. I set up Microsoft Authenticator on my phone, found out our IT team wants us to use Google Authenticator for some reason, hit the disconnect from device button… And got an infinite loop of being redirected to the Microsoft app, and clicking the “can’t access” button brought me back to… The Microsoft Authenticator app.

      Had to ask IT to delete my 2fa on their end and try again.

    • ByteWelder@feddit.nl · ▲5 · 16 hours ago

      This happens when your Microsoft account password is externally managed by your employer. If the password is changed externally, then Authenticator needs to re-authenticate… with itself.

    • shalafi@lemmy.world · ▲9 ▼2 · 20 hours ago

      Keeper does the same. Because that’s sane security.

      Lemmy: $MS dumb and bad! (Please clap.)

      • Baggins [he/him]@lemmy.ca · ▲4 · 12 hours ago

        This is a legit problem with Authenticator. My work phone was wiped and I had to have my Authenticator reset because it got stuck in the same loop.

        • Hotzilla@sopuli.xyz · ▲1 · 2 hours ago

          Well, if the MFA device is not available, a reset is the only way. If the user were able to bypass the lost device, the whole thing would be vulnerable.

          Whole MFA is of course really f stupid, but it is best we got against phishing.

  • Broadfern@lemmy.world · ▲37 ▼6 · 1 day ago

    This is why I hate passkeys and authenticators (as mandatory requirements). The moment I lose my phone I’m just completely fucked with no recourse, in actual use case.

    • CosmicTurtle0@lemmy.dbzer0.com · ▲19 · 22 hours ago

      You’re supposed to have backups for MFA. Though passkeys (specifically ones on a YubiKey) are really hard to back up.

      I am not always going to remember to register my primary yubikey and my two backups that are physically never together.

        • CosmicTurtle0@lemmy.dbzer0.com · ▲3 · 11 hours ago

          I’ve started employing one physical hardware token as my primary means of MFA and a TOTP or backup codes if the website provides them.

          I have two backup hardware tokens (so three total) but it’s become impractical to keep them all in sync. And not all websites support multiple hardware tokens.

          My initial idea is to have a key locked at home in the event that I lose my primary key. The third was just a spare I got at work.

          Also the number of websites that don’t have proper MFA that really should amazes me.

          E-Trade has that shitty Symantec VIP MFA. My primary bank still does cell phone MFA with no plans to do TOTP.

          Honestly, the bare minimum should be TOTP.

          And remember kids: passkeys by themselves are not MFA.

    • Limonene@lemmy.world · ▲22 ▼1 · 24 hours ago

      I use andOTP for two-factor authentication. It’s free and open source, and available from the F-Droid app store. It allows you to back up your cryptographic keys in plaintext, with a password, or asymmetrically encrypted using OpenPGP. I keep my backups in a fireproof safe on two flash drives.
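Two comments above make the same underlying point about TOTP: markstos’s, that the original TOTP apps need no login of their own because all the app holds is a shared key, and Limonene’s, that a backup is therefore just that key. The following is an added example, not code from this thread or from andOTP, Aegis or any other app named here. It parses a constructed otpauth:// provisioning URI (the format such apps import and export), decodes the Base32 secret, and computes and verifies RFC 6238 TOTP codes. The secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC; the label and issuer in the URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: RFC 6238 test-vector key ("12345678901234567890" in Base32)
# behind a made-up label and issuer. 8 digits so the output matches the RFC tables.
SAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/<label>?... URI into its parameters (defaults per the de facto spec)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("provisioning URI has no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def decode_secret(secret: str) -> bytes:
    """Base32-decode the shared key; exports often drop padding and spaces, so restore them."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, then modulo 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    return hotp(key, for_time // period, digits, algorithm)


def verify_totp(key: bytes, code: str, for_time: int, period: int = 30, digits: int = 6,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    Constant-time comparison avoids leaking how many digits matched."""
    counter = for_time // period
    return any(
        hmac.compare_digest(hotp(key, counter + step, digits, algorithm), code)
        for step in range(-window, window + 1)
    )


def code_from_uri(uri: str, for_time: int) -> str:
    """What an authenticator app does at display time: everything comes from the stored URI."""
    p = parse_otpauth(uri)
    return totp(decode_secret(p["secret"]), for_time, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    # Reproduce two RFC 6238 Appendix B rows, then the code for right now.
    print(code_from_uri(SAMPLE_URI, 59))          # 94287082
    print(code_from_uri(SAMPLE_URI, 1111111109))  # 07081804
    print(code_from_uri(SAMPLE_URI, int(time.time())))
```

Nothing in the flow above asks the app to log in anywhere: the key bytes and the clock are the whole input, which is why a plaintext export of the URI is as sensitive as the key itself and why the OS lock screen, or the app’s own encryption of its database, is what stands between a lost phone and the codes.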

      • Broadfern@lemmy.world · ▲7 · 22 hours ago

        Thank you for the resources, I’ll be sure to check them out.

        Unfortunately I’m still on iOS atm (hoping to switch to Android -> GrapheneOS down the line, when I have the finances), so I’m stuck trying to find something that’ll work between that and my Linux desktop, with GoogleAuth being my primary OTP app.

        Cursory Internet search suggests something called 2FAS for mobile so I’ll see if it’s a cross platform option. I actually didn’t know non-corpo authenticators existed until today so it’s an exciting path to explore. /gen /pos

        • vodka@lemm.ee · ▲4 · 21 hours ago

          I would highly recommend Ente Auth for 2FA on iOS devices.

          It allows for export to a file that you can then import into other apps. You can also use their own sync service.

          Personally I use Ente Auth on iOS and Aegis on Android. Both support backups to files (I back up to my own Nextcloud) and imports from each other. I could just use Ente Auth on my Android devices too, but I just prefer Aegis.

    • TrickDacy@lemmy.world · ▲9 ▼1 · 20 hours ago

      Yeah, I had a beautiful moment trying to use Google’s find my phone feature in another country when it asked me to use MFA on… my fucking phone. Turned off Google MFA forever after that near nightmare. Luckily another kind tourist found and turned in my phone to the nearest worker at the place I was visiting.

      • hdnsmbt@lemmy.world · ▲3 ▼9 · 19 hours ago

        Yeah, I also had a beautiful moment trying to use Google’s find my phone feature in another country when I didn’t know my password. Used “password123” after that near nightmare.

        Security works best when it’s really easy to get into my account even though I don’t remember my credentials.

        • federal reverse · ▲7 ▼1 · 17 hours ago

          Bit of a shit take there really, that’s not the same thing at all.

          • hdnsmbt@lemmy.world · ▲2 ▼8 · 16 hours ago

            No, it’s not the same thing at all. It’s an analogous thing. Reducing account security because you lost your credential isn’t very smart and that’s the common denominator in both examples.

            • federal reverse · ▲6 · 16 hours ago

              The commenter above you had lost their phone and was supposed to log in using this same phone.

              They only got access to the account again due to chance, i.e. someone else found their phone.

              (There likely is some sort of backup mechanism, but apparently it’s sufficiently well hidden.)

              • hdnsmbt@lemmy.world · ▲2 ▼6 · 15 hours ago

                Yeah, I read the story, so I’m aware of the plot.

                My comment was aimed at removing MFA completely because OP had a problem once. That is a bad idea and I expressed that by making a joke about using a very bad password because I couldn’t remember my actual password which is also a bad idea.

                Google (as any other provider) used the phone option for MFA first because that’s what OP had been using multiple times before they lost their phone. OP wasn’t “supposed to log in using the same phone”, Google just offered the default way that had been used before. OP didn’t see the other login options and went on the internet to tell everybody how stupid Google is and proceeded to smugly proclaim they removed MFA entirely due to Google’s stupidity, which inadvertently revealed OP’s less smart decision I made fun of.

                The “Try another way” option is literally right below the input field and one of two links displayed at this point (try it out, go to google.com in a private window and enter your password. The other link is “Resend it”.). It’s not hidden at all and OP had more choices than a stranger finding their phone but they never realized it. But again, that’s not my point. My point is that removing MFA because you had trouble logging in without your phone one time is a bad idea which is why I made a joke about that.

                • TrickDacy@lemmy.world · ▲2 ▼1 · 12 hours ago

                  Yeah, you know everything, asshole. Including when my story occurred and that nothing has changed about the UI since. You also know that panicking about your trip being ruined by a lost phone is no reason to have trouble using a shitty UI which is so densely created that it mirrors the post we are commenting on.

                  The way you said everything in this thread assures everyone you’re a prick. I’m glad you feel so good about it though

        • TrickDacy@lemmy.world · ▲5 · 17 hours ago

          No, the best system is if you try to find your phone without having your phone, a cybernetic lifeform should track you down and rip your spine out for trying to find your phone. Then some dipshit on the Internet without a shred of humanity can feel smugly superior about it.

          • hdnsmbt@lemmy.world · ▲1 ▼6 · 16 hours ago

            > some dipshit on the Internet without a shred of humanity

            Fuck right off, buddy. You confessed to making dumb security choices on the internet and got mocked for it, yeah. This has nothing to do with “oh the humanity!”

            • TrickDacy@lemmy.world · ▲6 ▼1 · 16 hours ago

              You admitted to being a huge asshole, so you get a response reflecting that, and now you’re crying about it.

        • TrickDacy@lemmy.world · ▲4 · 17 hours ago (edited)

          I guess using strong and unique passwords on every account is the mark of a moron, but true genius? That’s a company with some of the supposed best engineers in the world which needs you to have your fucking phone to find your fucking phone. What a great system! All hail Google and flawless security practice!

          • hdnsmbt@lemmy.world · ▲1 ▼5 · 16 hours ago

            Believe it or not, the best engineers in the world can’t help if you lose your backup codes. You know, the ones that you can use when you need MFA but don’t have your phone? Removing MFA because you had trouble one time “is the mark of a moron but true genius”.

            • TrickDacy@lemmy.world · ▲4 · 16 hours ago

              Believe it or not, some people are only better with their security practices than 99.99% of humans instead of 99.999%. Pfft, total idiots, right? Now let us pretend we are 100%, muahahhahah, so smart.

              • hdnsmbt@lemmy.world · ▲1 ▼4 · 16 hours ago

                I have no idea what you’re trying to tell me, sorry. I do assume it was something totally devastating, though, so consider me totally devastated. You can stop the hostility now, I just made a joke at your expense, it’s not a big deal, honestly.

                Also, I highly recommend reactivating MFA on your account. It’s a good thing to have, generally. Yeah, it can suck when it doesn’t work but now you know how hard it is for someone unauthorized to get into your account.

                • TrickDacy@lemmy.world · ▲2 · 12 hours ago

                  There are multiple other security measures in place on my account, thanks.

                  It does seem like you were a little upset by my joke. Probably because the imagery of a Terminator coming to kill a person over a find my phone request is an actual joke. Not just sarcasm designed to shame someone. Whatever, jerky weirdo.

    • Wahots@pawb.social · ▲6 · 20 hours ago

      I broke my phone, and this actually happened to me. Google had set my old broken phone as a default passkey without my knowledge, back when they were rolling it out. My SIM card was retrievable, so I used SMS to get in after my password. Turns out, that’s not good enough. It took me days to get into my idiotic accounts (including Google Authenticator for work) because of all the security hoops, even with backup codes, password managers, and a SIM card.

      My saving grace was Firefox Sync, which allowed me to get into Microsoft accounts and slowly start unwinding Google’s insane requirements.