submitted 10 months ago by qaz@lemmy.world to c/memes@lemmy.ml
[-] VikingHippie@lemmy.wtf 84 points 10 months ago* (last edited 10 months ago)

Fun fact: when my country transitioned to a new public authentication app, the default way was to use your passport to register. My passport was expired, though, so I had to show up in person with my birth certificate and social security card equivalent.

To get my birth certificate, I had to show up at the local office with, you guessed it, my passport.

Lucky for me that they accepted it in spite of being expired (none of the pertinent information such as my face, name and birth date had expired, after all), or I would probably be trapped in the loop to this day, years later.

[-] Bumblefumble@lemm.ee 28 points 10 months ago

Ohh, that reminds me of when I moved to Sweden. Their digital ID, bankID, is as the name suggests issued by your bank, not the government, even though it is used for all official authentication. And that includes... you guessed it, creating a bank account. So that was a real chicken and egg situation where it seemed impossible to be properly integrated into the Swedish system.

[-] Sprokes@jlai.lu 17 points 10 months ago

I think you have the situation everywhere. At one time in France they ask you for your bank account details to see that you have funds so that they give an ID. But the bank will refuse to open you an account without an ID. So it will depend on the agent handling your request.

[-] CurlyMoustache@lemmy.world 7 points 10 months ago* (last edited 10 months ago)

Reminds me of the first days of BankID here in Norway. To get my new BankID to work with my current bank, I had to log in with, you guessed it, a BankID already configured to my bank. Took a few weeks talking to the bank, showing up in person and queueing with others with the same problem before the bank realized they've made a mistake somewhere.

Same happened when the code thingy the bank sent me ran out of batteries. I went to the bank and asked for a new one. Not possible, they said. I had to contact the main branch, and they would send me a new one. It would only take one week or so. I had to pay a bill that day, and asked if I could open it to replace the batteries since there were visible screws with ordinary heads. They said that was illegal and hacking, and that I must replace it. On my way home I opened it, and bought the exact same batteries from a shop, and replaced them. Worked perfectly!

[-] VikingHippie@lemmy.wtf 6 points 10 months ago

Hi neighbor! waves across Øresund

Yeah, I'm a big fan of Scandinavian style government (unlike the current governments of both of our countries, it would seem) in general, but sometimes the bureaucracy can get a little bit ridiculous 😂

[-] DillyDaily@lemmy.world 5 points 10 months ago

This is why I currently have no proper ID.

I have my birth certificate and my public healthcare card, and a not expired but no longer fully accepted proof of age card that previously counted as full ID but no longer does, but without it I don't have enough ID to get the new form of ID the government introduced in place of the old one I have.

It's enough to prove who I am at a liquor store or chemist, day to day, but I can't get a passport until I sort it out.

[-] ComradePedro@lemmy.ml 46 points 10 months ago
[-] theo@lemmy.world 12 points 10 months ago

Unfortunately, Microsoft will often force their own 2FA app when logging in to 365.

[-] bdonvr@thelemmy.club 18 points 10 months ago

Not true, I've always used Authy.

[-] LemmyIsFantastic@lemmy.world 8 points 10 months ago

No they don't. That's a configuration setting.

[-] ParetoOptimalDev@lemmy.today 6 points 10 months ago

If your admins change the default away from Authenticator only they see bright red "MS 365 insecure" banners.

So... It's a dark pattern that technically allows other options.

[-] dayvid@lemmy.world 4 points 10 months ago

TOTP codes can be phished. Technically FIDO2 keys like Yubikeys are one of the only phishing-resistant authenticators out there now, because they’re tied to the official domain of the real site and won’t authenticate to a fake.

Passkeys are similarly phishing resistant, and Microsoft Authenticator will basically have passkey support added early this year. For now it’s actually not phishing resistant! Though it’s somewhat better than TOTP.

The issue is that phishing resistance is important but it doesn’t stop session stealing (someone getting ahold of the cookie on your computer that confirms you’re signed in and have done MFA). But it does make it harder to steal sessions because phishing resistance means attackers need to get it from your computer instead of intercepting a fake login.

Just a little technical backstory around why admins are needing to lock down auth methods in more ways as attacks become more sneaky and the more sophisticated attacks become automated and easier and thus more frequent.

[-] burgersc12@sh.itjust.works 10 points 10 months ago

Best one out there

[-] Strawberry@lemmy.blahaj.zone 35 points 10 months ago

PSA, don't use Microsoft authenticator. It's easy to accidentally wipe your cloud backup and lose all your authenticator codes when switching devices

[-] Dirk@lemmy.ml 10 points 10 months ago
[-] Killercat103@infosec.pub 5 points 10 months ago

I think you can use standard TOTP regardless if you add TOTP as an option in the authentication methods on your account page. At least I did and the system has yet to complain.

[-] PM_Your_Nudes_Please@lemmy.world 4 points 10 months ago

Nope, IT can disable third-party TOTP services, and force all employees to use the official MS Authenticator app.

[-] BluDood@lemmy.world 9 points 10 months ago* (last edited 10 months ago)

Is there actually any way to export the secrets from MS authenticator? I've been wanting to move them to something like bitwarden but it's gonna take ages if I have to reset all ~50

[-] scytale@lemm.ee 4 points 10 months ago

Can you provide more info how it’s easy to accidentally wipe? I’ve only done a transfer once, but it was by installing authenticator on the new phone and logging in, then deleting the other one on the old phone after testing that the codes work.

[-] Strawberry@lemmy.blahaj.zone 7 points 10 months ago

You have to begin the recovery on the new device before logging in. If you log in normally and enable cloud backup on the new device, it will simply overwrite the existing backup with a new empty one

[-] GreenSkree@lemmy.world 4 points 10 months ago

That design is awful

[-] CoopaLoopa@lemmy.dbzer0.com 23 points 10 months ago

This is specifically an issue with corporate M365 accounts when a user tries to migrate to a new phone without access to the old phone where the authenticator was set up.

Personal MS accounts can back up their auth secret keys to cloud storage, and when signing in on a new device, it authenticates you with your cloud storage (Google/Apple) and properly restores your MS Authenticator app.

The issue is that while MS says you can back up your corporate M365 accounts in MS Authenticator, it doesn't actually store the secret key, so it's useless.

Have your administrator enable TAP (Temporary Access Passwords) on the tenant. Then an M365 admin can create a TAP for your account that lets you log in without a password/2FA. You can use the TAP to log in and rejoin the MS Authenticator app. The TAP expires in 1 hour by default.

[-] piranhaphish@lemmy.world 19 points 10 months ago

Brought to you by the same company that takes you to the logout page when you go to the login URL

[-] EdanGrey@sh.itjust.works 16 points 10 months ago

I had this exact problem when I had to install this. Ridiculous

[-] qaz@lemmy.world 10 points 10 months ago

You'd think such an important application would be properly tested, right?

[-] MythTheWolf@bitforged.space 15 points 10 months ago* (last edited 10 months ago)
[-] MMNT@lemmy.ml 15 points 10 months ago

I got FreeOTP from F-droid. Works like a charm.

[-] Appoxo@lemmy.dbzer0.com 22 points 10 months ago
[-] qaz@lemmy.world 9 points 10 months ago

I usually use Bitwarden myself, but the company uses Microsoft Authenticator.

[-] SeedyOne@lemm.ee 4 points 10 months ago

I feel your pain

[-] missphant@lemmy.blahaj.zone 12 points 10 months ago* (last edited 10 months ago)

Microsoft will just refuse to let me log in with a third-party TOTP after setting it up. Security key is also "not supported" on Firefox even though it works for every other site.

The most info they will get is my Minecraft account and that's already too much...

[-] cyberpunk007@lemmy.world 4 points 10 months ago

It's a configurable setting on the admin side. I managed a lot of m365 tenants.

[-] qaz@lemmy.world 4 points 10 months ago

I set it up with Bitwarden after a reset, but it showed a popup telling me to switch to MS Auth every time until one day there was no way to refuse the switch anymore.

[-] ChallengeApathy@infosec.pub 12 points 10 months ago

That sort of risk is one major reason I stopped using MS Auth and went through the painstaking process of manually switching all of my accounts to a FOSS authenticator (Aegis Auth) instead.

[-] ParetoOptimalDev@lemmy.today 11 points 10 months ago

Anyone else hate Microsoft forcing you to use Authenticator rather than alternatives?

Just another way I'm forced to install Microsoft crap on my devices :/

[-] lhamil64@programming.dev 11 points 10 months ago

It's been a long time since I set it up, but I have Microsoft accounts in my usual TOTP app (Aegis). Maybe I did it manually? But it's definitely possible.

[-] corbin@infosec.pub 8 points 10 months ago

I have 2FA through Authy on my Microsoft account.

[-] Appoxo@lemmy.dbzer0.com 6 points 10 months ago

You can work around it to use your own 2FA app.
Did it with my O365 account.

[-] Agent641@lemmy.world 10 points 10 months ago

My university recently forced us to use this shitpile to 2FA, it never fails to disappoint

[-] Honytawk@lemmy.zip 9 points 10 months ago

Probably means there already is MFA set up on that account, and now you're doing it a second time.

Or you can just press the "get codes" button in the top right.

[-] qaz@lemmy.world 6 points 10 months ago

The get codes button didn’t work the first time I tried it. But it did now after restarting the app a couple times. A bit finicky but it works.

[-] afraid_of_zombies@lemmy.world 7 points 10 months ago

One day authentication of new users will be impossible and the only way to get on will be to purchase it from someone who already has it. Entire companies will run on a single account they bought for millions of dollars. News stories will run of vengeful or negligent employees bricking the one corporate account, until a cartel of business owners attempts to corner the market.

[-] bloubz@lemmygrad.ml 6 points 10 months ago

I have found that Microsoft has the worst authentication on the planet. From weird, nightmarish loops and processes, to non-propagated password changes. Not talking about having multiple accounts etc...

The worst of the worst for me was Atlassian login with Microsoft SSO

[-] LemmyIsFantastic@lemmy.world 6 points 10 months ago

This is a configuration item. Nothing to do with the app. It's a choice your company has made.

[-] crsu@lemmy.world 6 points 10 months ago
[-] crystalmerchant@lemmy.world 4 points 10 months ago

Lmaooo this just happened to me the other day. Drove me nuts

this post was submitted on 05 Jan 2024
747 points (98.4% liked)