• pseudo@jlai.lu
    ↑ 2 · 1 hour ago

    Is there a community around here dedicated to the hatred of Microsoft?

  • dan69@lemmy.world
    ↑ 3 · 3 hours ago

    On a scale of 1-10 how likely are you having conversations with your friends about <ms Authenticator>

  • The_v@lemmy.world
    ↑ 11 · 8 hours ago

    The largest issue I have is the randomness of all the different security setups. One requires MFA by e-mail, one requires an authenticator, most require sms, some push to require using their app, and this random page requires a code by phone call. Now they are pushing passkeys and that is a complete cluster.

    What’s ironic is that most of the webpages that push these things don’t reach the “Do I give a fuck?” threshold. The security is usually there to protect against unauthorized use of user stored credit cards. Since I am not liable for any fraudulent charges to the credit card, I really don’t give a fuck about securing the account. Yeah I am reusing passwords, keeping them in plain text in a word doc etc…

    When I worked for other companies, I moderately gave a fuck about their security. Not enough to inconvenience me. If they made me change the password constantly, they got the number changing series at the end of the password - $tupidPass#01 Seriously that was my actual work password for over a decade.

    Now my bank account and financial logins. You’d better believe those have every security feature they offer setup. I do not fuck around with those. I give a fuck about those.

    • SaraTonin@lemmy.world
      ↑ 9 · 7 hours ago

      I remember reading an article once which referred to research which suggested that making people change passwords every month made their accounts less secure, because they have to go extra steps to remember them - which usually translates to making them really obvious and/or storing them where they’re easily accessed. In one of my previous jobs where we had to change passwords every month, basically everybody would have their password written on a post-it on their computer monitor.

      • vortexsurfer@lemmy.world
        ↑ 2 · 1 hour ago

        Yeah, that’s actually also why it’s no longer considered best practice to force regular password changes. But many places / websites / apps still do, obviously.

      • its_kim_love@lemmy.blahaj.zone
        ↑ 3 · 6 hours ago

        I worked in top secret military stuff and the worst I had was every 4 months on some systems. Monthly seems extremely ineffective.

      • The_v@lemmy.world
        ↑ 5 · 7 hours ago

        In my first job I had like 7 different passwords to access different systems. Each one had a different schedule of password reset. They each ended up being on a different reset schedule. I had to reset a password once or twice a week.

        Yeah, everyone had their passwords on a sticky note on their monitor. I once got praise for being the one person without it. I of course had an abbreviation for the system with what number series the password was on posted on my monitor.

        • MirthfulAlembic@lemmy.world
          ↑ 2 · 4 hours ago

          This is my current job. I’ve got monthly, every three months, every quarter, once per year… Thank goodness the last service they added has SSO.

        • its_kim_love@lemmy.blahaj.zone
          ↑ 2 · 6 hours ago

          I had a passkey card where each letter was given a random sequence of uppercase, lowercase, a number and a symbol. With just a four letter word as the key you had a 16 digit random password that was hard to guess even if you had the key sheet.
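
The card scheme described in the comment above, as an added example (not code from the commenter): it builds a constructed key sheet, derives the 16-character password from a four-letter key word, and computes the size of the guessing space with and without the sheet. The symbol set, the random ordering inside each cell and all function names are assumptions.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*-_=+?"  # assumed symbol set; the comment does not list one
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)


def make_card():
    """Constructed key sheet: each letter A-Z maps to a 4-character cell with
    one character from each class, in a random order."""
    card = {}
    for letter in string.ascii_uppercase:
        cell = [secrets.choice(chars) for chars in CLASSES]
        # Fisher-Yates shuffle driven by the CSPRNG.
        for i in range(len(cell) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            cell[i], cell[j] = cell[j], cell[i]
        card[letter] = "".join(cell)
    return card


def derive_password(card, key_word):
    """Concatenate the cells for each letter of the memorised key word."""
    if not (key_word.isascii() and key_word.isalpha()):
        raise ValueError("key word must contain only the letters A-Z")
    return "".join(card[c] for c in key_word.upper())


def guess_space_bits(key_len, sheet_known):
    """log2 of the candidates a guesser must try, assuming a uniformly random
    key word with no repeated letters."""
    if sheet_known:
        # Only the key word is secret: 26 choices per letter.
        return key_len * math.log2(26)
    # Without the sheet, each cell is one of 4! orderings of one character per class.
    per_cell = math.factorial(len(CLASSES)) * math.prod(len(c) for c in CLASSES)
    return key_len * math.log2(per_cell)


if __name__ == "__main__":
    card = make_card()
    print(derive_password(card, "lock"))         # constructed key word
    print(round(guess_space_bits(4, False), 1))  # sheet kept secret
    print(round(guess_space_bits(4, True), 1))   # sheet known
```
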

  • altphoto@lemmy.today
    ↑ 6 · 9 hours ago

    One day Ms will make the power point you’re sharing on teams even smaller than today…but I’m here to tell you how to do it now. Take a look at the slide below!

                                       .    
    

    Lemmy is now better than teams! Yey!

    • zalgotext@sh.itjust.works
      ↑ 2 · 6 hours ago

      I have multiple accounts configured on the same yubikey, but it seems like any of the Microsoft login portals expect you to always use the account you most recently signed in with. So any time I need to switch accounts (which is often, I have different accounts for each different testing environment and access level), I have to type in my pin and touch my key twice - once to allow Microsoft to try logging in with the wrong account and fail, and then another time where it asks which account I want to use. 🙃

    • fedev@lemmy.world
      ↑ 5 · 10 hours ago

      I have a Yubi key that crashes Authenticator when I select the option to use it. It goes into a loop asking to touch the button and type the PIN. But it does not wait for input, it just keeps creating windows until it crashes.

      • Destide@feddit.uk
        ↑ 1 · edited 8 hours ago

        What a ball ache. Inclined to blame MS for that because statistically it probably is down to them 🤣 I’ve had an issue where it doesn’t ask for the pin so it fails but I just close the browser and it’s fine.

  • Matriks404@lemmy.world
    ↑ 7 ↓ 2 · edited 10 hours ago

    I like when you want to make a Microsoft account, it asks you to enter your existing e-mail first (you can enter one ending with @outlook.com or @hotmail.com though, it will create new mail account). It’s like they don’t believe in their own products, lol.

    • Rose@slrpnk.net
      ↑ 1 · 20 minutes ago

      I don’t have the exact timeline at hand, but Microsoft Accounts (originally Microsoft Passport) as a Microsoft service wide SSO were originally cooked up at Microsoft, while Hotmail was a separate service that Microsoft acquired. And this was in the late 1990s. I guess they originally designed the account system to be independent of the whole web portal nonsense that was fashionable at the time.

      …anyway, I think it’s a good thing that Microsoft lets you use whatever email address you want with it and doesn’t force you to use Hotmail/Outlook.

    • AnUnusualRelic@lemmy.world
      ↑ 4 · edited 7 hours ago

      I once created a Microsoft account (for a Windows 7 machine I think) and entered a Google address. It didn’t seem to mind. It’s my Microsoft account to this day, not that I have much use for it. Maybe it’s gotten more weird nowadays.

      • Matriks404@lemmy.world
        ↑ 1 ↓ 1 · edited 5 hours ago

        That’s the point. For a long time I assumed that they give you an e-mail address (currently Outlook) by default, like Google does with GMail, but they don’t.

    • Romkslrqusz@lemmy.zip
      ↑ 2 ↓ 1 · 7 hours ago

      What?

      An @outlook.com / @hotmail.com account is already a Microsoft account to begin with. If you enter one of those that already exists, you’re just signing in. There is no “new mail account”.

      It makes sense to have the user use their own existing email address so that they have it as recovery option, most people don’t need another email address.

      • Matriks404@lemmy.world
        ↑ 1 · edited 5 hours ago

        I am not sure that you read my comment properly. Registration form asks for non-Microsoft e-mail address first. You CAN enter Outlook or Hotmail address, which will create one, but it’s not even something that they acknowledge in that form.

        And if you still don’t believe me yet, I have literally tried this yesterday, and it works. It did create a new Outlook account when I entered ...@outlook.com e-mail address.

        My father has a Microsoft account, but doesn’t have Outlook/Hotmail account for example, which is a bit strange at least for me, and I had no idea that this is the default.

        • Romkslrqusz@lemmy.zip
          ↑ 1 · 3 hours ago

          I think the misunderstanding comes from where you wrote “it would create a new mail account” which is objectively inaccurate, the @outlook.com / @hotmail.com emails already exist as both a “mail” and Microsoft account - there’s literally nothing being “created” in that situation, you’re just signing in to what already exists.

          In your father’s case, he probably has a Microsoft Account set up with a third party email address. If he were to want that to include a mailbox, he could navigate to his Microsoft account’s email settings, create a new “@outlook.com” alias, and set it as the primary alias for the account. He would then have a mailbox usable at Outlook.com or via Microsoft Exchange in a mail client.

          It’s possible to do the same thing with Google - you can create your Google account using a third-party email address, you won’t have a mailbox but if you were to visit gmail.com you would be offered the option to create a mailbox with a new @gmail.com address.

  • Korhaka@sopuli.xyz
    ↑ 18 · 14 hours ago

    Our password manager requires logging in and using the authenticator every time the session times out, so we all started using a browser plug-in to keep the session alive all day.

  • warpotato@lemmy.world
    ↑ 37 · 17 hours ago

    Okay so I get this is a meme BUT I started using a yubikey instead of the auth app and it has done a world of good for my sanity.

    • randint@piefed.social
      ↑ 1 · edited 8 hours ago

      Are you using the slightly more expensive one capable of generating TOTP codes?

      I also use a Yubikey too, but I still have to use another 2FA app for services that don’t support passkeys yet.

    • halcyoncmdr@lemmy.world
      ↑ 25 · edited 16 hours ago

      I transitioned everything to Bitwarden. Password manager, passkeys, and MFA code generation all in one app that works on all of my devices.

      And then I started to self-host it via Vaultwarden and transferred all the data.

      • warpotato@lemmy.world
        ↑ 1 · 6 hours ago

        How do you like the self hosted approach? I contemplate it every so often, but I’m not sure that my sysadmin abilities (and attention) are enough to keep it secure.

        • halcyoncmdr@lemmy.world
          ↑ 16 · edited 16 hours ago

          True, but the alternatives generally are either a pain in the ass or require yet another syncing service to have sensitive info just so I can access things reliably anywhere.

          It is still more secure than SMS and email based options.

          Besides, my vaultwarden still needs an MFA code to access in the first place, and that’s handled by a separate generator.

          • алсааас [she/they]@lemmy.dbzer0.com
            ↑ 7 · 14 hours ago

            I get that not everyone wants to set up something like Aegis in combination with e.g. Syncthing.

            Of course it is still better than SMS and email, but I would recommend you check out Ente Auth and/or Proton Auth.

            Both are end to end encrypted and you would at least have it in separate apps

            • halcyoncmdr@lemmy.world
              ↑ 9 · 13 hours ago

              I’m willing to accept the slight security difference in exchange for the convenience of having access on a single app 99.9% of the time.

              To get into my Vaultwarden in the first place to get my info they’d first have to know my self-hosted server exists to target. And they’d need to compromise that MFA which is handled by a separate unrelated app.

              That’s more than enough security for nearly everyone on the planet.

        • Passerby6497@lemmy.world
          ↑ 2 · 11 hours ago

          Sure. But if your bitwarden is protected by a 50char password AND a yubikey, it’s not that big of a tradeoff imo. That’s what I do, but I have hundreds of MFA tokens and it was PAINFUL to auth a lot of the time when I was using an authenticator app.

    • MystikIncarnate@lemmy.ca
      ↑ 2 · 10 hours ago

      I too have a yubikey. My advice, have something that functions as a backup.

      Other than that, yes. It’s way better than alternatives.

    • jaybone@lemmy.zip
      ↑ 6 · 15 hours ago

      Depends on your org. I have a yubikey, a phone app Authenticator, a pin and my regular SSO login/password. All of which I have to use constantly, because some dumbass did something dumb like two fucking years ago. So I can hardly get shit done. Plus the same dumbasses who probably fucked all this up are writing production code for an actual product. Please kill me.

      • warpotato@lemmy.world
        ↑ 1 · 6 hours ago

        I hear that if you lock down your system so much that no one can access anything that’s peak security.

    • MystikIncarnate@lemmy.ca
      ↑ 6 · 10 hours ago

      As someone on the other side, in IT support, you can fix this yourself and I wish more people would.

      Before your old phone gets wiped and sent to the graveyard, log in using authenticator, and go to “view account” from any of the online pages for Microsoft (if you’re unsure, try login.microsoft.com ). Go to your security options, and you should see all the info you need to remove the old authenticator and add a new one.

      From here you can also add backups, which I encourage everyone to do.

      It saves you from having to call IT all the time to fix it, and since you don’t have to go through the usual back and forth of verifying who you are, or whatever, and getting them to do a thing, you can take care of it for yourself, by yourself, without those unnecessary delays.

      Your IT people will appreciate it, and you’ll have to talk to them a bit less as a result.

      • TheProtagonist@lemmy.world
        ↑ 1 · 10 hours ago

        I did this and checked my devices on the login or account page (not sure exactly which one it was). It showed two devices, that were named “iPhone”. No idea, which one is the new one and which one is the old one. IT-support couldn’t tell either. So once I’ll have to hand in my old iPhone and delete it from the trusted devices / devices with authenticator, it will be a hit or miss game.