Just Microsoft Things™ (programming.dev)

Transcript: A wafrn woot (post) by @tinker@infosec.exchange saying "Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers" It has a screenshot showing the Microsoft Authenticator app.

[-] mo_lave@reddthat.com 10 points 1 day ago
[-] UnderpantsWeevil@lemmy.world 125 points 2 days ago

Perfect Security. Nobody gets in.

[-] neons@lemmy.dbzer0.com 9 points 2 days ago

False positives are way more important to prevent than false negatives anyways.

[-] Tash@lemmy.world 80 points 2 days ago

Pretty sure you have another device registered with Authenticator here, and it is asking you to verify against that.

It would be bad if somebody could just steal your username/password and then register their own MFA, right?

[-] DarkSirrush@lemmy.ca 10 points 2 days ago

So I recently had this happen. I set up Microsoft Authenticator on my phone, found out our IT team wants us to use Google Authenticator for some reason, hit the disconnect from device button... And got an infinite loop of being redirected to the Microsoft app, and clicking the "can't access" button brought me back to... The Microsoft Authenticator app.

Had to ask IT to delete my 2fa on their end and try again.

[-] SchwertImStein@lemmy.dbzer0.com 14 points 2 days ago

thanks for clarifying that, it makes the post really dumb

[-] ByteWelder@feddit.nl 4 points 2 days ago

This happens when your Microsoft account password is externally managed by your employer. If the password is changed externally, then authenticator needs to re-authenticate… with itself.

[-] BlessedDog@lemmy.world 34 points 2 days ago

Currently doing an internship at an establishment with 1300+ users using Microsoft authenticator (required by policy). The amount of times I've had this same issue is insane. Worst part is, when we provision someone with a new company phone, they have to go to the Google play store to download Microsoft authenticator. The play store however, requires a google login to download apps, but the users cannot log in to their company Google account without authenticator, creating a circular dependency. This unintentionally means every employee HAS to have a personal google account to set up their company google account... Stupid as hell.

[-] federalreverse@feddit.org 22 points 2 days ago* (last edited 2 days ago)

Why not just install the Authenticator APK some other way initially? Just give people a download from some random server you control.

[-] rdri@lemmy.world 4 points 2 days ago

Logically it should be perfectly fine to install authenticator app on a personal device, if that suits the user. 2FA adds security to the password, but the password itself is not meant to be known by anyone else, including any other employee or any other company owned device.

Also, you can enroll mobile devices to Intune and have the authenticator app installed before the employee receives it.

[-] TheBat@lemmy.world 20 points 2 days ago
[-] ghen@sh.itjust.works 6 points 2 days ago

I just switched to aegis when authy went to light mode. I like it.

[-] exchange12rocks@lemm.ee 4 points 2 days ago* (last edited 2 days ago)

One of the main features of MS Authenticator is native integration with the MS authentication system. Aegis doesn't have such integration.

[-] rbamgnxl5@lemm.ee 2 points 1 day ago

That's kind of the point...

The less of their stuff I have in my life, the better.

funny to me when people are like "I need that integration to automatically approve all auth requests because typing that six digit number in is JUST TOO MUCH MAN!!!"

[-] ghen@sh.itjust.works 4 points 2 days ago

That sounds like a bug in waiting honestly. I don't trust Microsoft that much

[-] Stomata@sh.itjust.works 3 points 2 days ago

Enteauth is also pretty good

[-] kmartburrito@lemmy.world 48 points 2 days ago
[-] Robust_Mirror@aussie.zone 16 points 2 days ago

This isn't a Microsoft issue. This is a stupidity issue. Any authenticator you add 2 factor to, and then put the 2 factor in that same app will do this.

[-] fibojoly@sh.itjust.works 4 points 1 day ago

Oh that's reassuring, I thought maybe it was just because I'm using it on Huawei.

[-] Broadfern@lemmy.world 38 points 2 days ago

This is why I hate passkeys and authenticators (as mandatory requirements). The moment I lose my phone I’m just completely fucked with no recourse, in actual use case.

[-] Limonene@lemmy.world 21 points 2 days ago

I use andOTP for two factor authentication. It's free and open source, and available from the F-Droid app store. It allows you to backup your cryptographic keys in plaintext, with a password, or asymmetrically encrypted using OpenPGP. I keep my backups in a fireproof safe on two flash drives.

[-] Broadfern@lemmy.world 8 points 2 days ago

Thank you for the resources, I’ll be sure to check them out.

Unfortunately I’m still on iOS atm (hoping to switch to Android -> GrapheneOS down the line, when I have the finances), so I’m stuck trying to find something that’ll work between that and my Linux desktop, with GoogleAuth being my primary OTP app.

Cursory Internet search suggests something called 2FAS for mobile so I’ll see if it’s a cross platform option. I actually didn’t know non-corpo authenticators existed until today so it’s an exciting path to explore. /gen /pos

[-] vodka@lemm.ee 4 points 2 days ago

I would highly recommend Ente Auth for 2FA on iOS devices.

It allows for export to a file that you can then import into other apps. You can also use their own sync service.

Personally I use Ente Auth on iOS and Aegis on Android. Both support backups to files (I back up to my own nextcloud) and imports from each other. I could just use Ente Auth on my android devices too, but I just prefer Aegis.

[-] CosmicTurtle0@lemmy.dbzer0.com 18 points 2 days ago

You're supposed to have backups for MFA. Though passkeys (specifically ones on a YubiKey) are really hard to back up.

I am not always going to remember to register my primary yubikey and my two backups that are physically never together.

[-] PlexSheep@infosec.pub 2 points 2 days ago

That's why you always register a second hardware token. Those things could get lost.

[-] CosmicTurtle0@lemmy.dbzer0.com 3 points 2 days ago

I've started employing one physical hardware token as my primary means of MFA and a TOTP or backup codes if the website provides them.

I have two backup hardware tokens (so three total) but it's become impractical to keep them all in sync. And not all websites support multiple hardware tokens.

My initial idea is to have a key locked at home in the event that I lose my primary key. The third was just a spare I got at work.

Also the number of websites that don't have proper MFA that really should amazes me.

E-Trade has that shitty Symantec VIP MFA. My primary bank still does cell phone MFA with no plans to do TOTP.

Honestly, the bare minimum should be TOTP.

And remember kids: passkeys by themselves are not MFA.

[-] TrickDacy@lemmy.world 10 points 2 days ago

Yeah I had a beautiful moment trying to use Google's find my phone feature in another country when it asked me to use MFA on...my fucking phone. Turned off Google MFA forever after that near nightmare. Luckily another kind tourist found and turned in my phone to the nearest worker at the place I was visiting

[-] hdnsmbt@lemmy.world 4 points 2 days ago

Yeah, I also had a beautiful moment trying to use Google's find my phone feature in another country when I didn't know my password. Used "password123" after that near nightmare.

Security works best when it's really easy to get into my account even though I don't remember my credentials.

[-] federalreverse@feddit.org 7 points 2 days ago

Bit of a shit take there really, that's not the same thing at all.

[-] TrickDacy@lemmy.world 6 points 2 days ago

No the best system is if you try to find your phone without having your phone, a cybernetic lifeform should track you down and rip your spine out for trying to find your phone. Then some dipshit on the Internet without a shred of humanity can feel smugly superior about it

[-] TrickDacy@lemmy.world 3 points 2 days ago* (last edited 2 days ago)

I guess using strong and unique passwords on every account is the mark of a moron but true genius? That's a company with some of the supposed best engineers in the world who needs you to have your fucking phone to find your fucking phone. What a great system! All hail Google and flawless security practice!

[-] Wahots@pawb.social 7 points 2 days ago

I broke my phone, and this actually happened to me. Google had set my old broken phone as a default passkey without my knowledge, back when they were rolling it out. My sim card was retrievable, so I used SMS to get in after my password. Turns out, that's not good enough. It took me days to get into my idiotic accounts (including Google authenticator for work) because of all the security hoops, even with backup codes, password managers, and a SIM card.

My saving grace was Firefox Sync, which allowed me to get into Microsoft accounts and slowly start unwinding Google's insane requirements.

[-] termaxima@programming.dev 8 points 2 days ago* (last edited 2 days ago)

Seems like someone took DRY too far…

The authenticator itself is not supposed to use the same auth dialog as everything else 😅

[-] TankovayaDiviziya@lemmy.world 6 points 2 days ago

There are plenty of FOSS authenticator apps that can authenticate Microsoft account hassle free. I have been using one for years now.

[-] mp3@lemmy.ca 13 points 2 days ago

Nothing says Microsoft like a bit of janky paradox.

[-] oxysis 12 points 2 days ago

I had an issue with this a few weeks ago: my old phone's charging port broke and I couldn't get back into it. On my new phone it needed me to use the authenticator to log in to the authenticator. Made it my uni's problem to solve the authenticator paradox.

[-] LifeInMultipleChoice@lemmy.dbzer0.com 4 points 2 days ago* (last edited 2 days ago)

Usually a simple fix on their end. Verify something like your school ID, go to the O365 admin portal, remove the old phone (don't have to) and send out a QR code to scan on the new phone. Depending on security measures you can assign an SMS message code, but many insurance companies have made requirements to phase those out. Sucks, because I liked those better, but I guess risk analysis was higher with them.

One thing I did notice though was tokens in the authenticator app would carry over to new phones, whereas RSA SecurID tokens usually would not because they were tied to an ID number on the device. But those are just as easy to manage, though they will definitely piss people off. Now the Comp Portal app in government contracts, those are a bitch. You can spend an hour redoing everything just because a user forgot their password and all the apps aren't linking the authenticator token with the portal.

[-] glowie@infosec.pub 7 points 2 days ago

*laughs in Okta*

[-] arotrios@lemmy.world 6 points 2 days ago* (last edited 2 days ago)

Authentinception

[-] Zorque@lemmy.world 6 points 2 days ago

The steam app does this. Like, not in a fucked up useless way, but it still requires that you authenticate with its own pop up.

this post was submitted on 29 Apr 2025
538 points (100.0% liked)

iiiiiiitttttttttttt


you know the computer thing is it plugged in?

A community for memes and posts about tech and IT related rage.
