• VikingHippie@lemmy.wtf
    link
    fedilink
    arrow-up
    85
    ·
    edit-2
    11 months ago

    Fun fact: when my country transitioned to a new public authentication app, the default way was to use your passport to register. My passport was expired, though, so I had to show up in person with my birth certificate and social security card equivalent.

    To get my birth certificate, I had to show up at the local office with, you guessed it, my passport.

    Lucky for me that they accepted it in spite of being expired (none of the pertinent information such as my face, name and birth date had expired, after all), or I would probably be trapped in the loop to this day, years later.

    • Bumblefumble@lemm.ee
      link
      fedilink
      arrow-up
      29
      ·
      11 months ago

      Ohh, that reminds me of when I moved to Sweden. Their digital ID, bankID, is as the name suggests issued by your bank, not the government, even though it is used for all official authentication. And that includes… you guessed it, creating a bank account. So that was a real chicken and egg situation where it seemed impossible to be properly integrated into the Swedish system.

      • Sprokes@jlai.lu
        link
        fedilink
        arrow-up
        18
        ·
        11 months ago

        I think you have the situation everywhere. At one time in France they ask you for your bank account details to see that you have funds so that they give an ID. But the bank will refuse to open you an account without an ID. So it will depend on the agent handling your request.

      • CurlyMoustache@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        11 months ago

        Reminds me of the first days of BankID here in Norway. To get my new BankID to work with my current bank, I had to log in with, you guessed it, a BankID allready configured to my bank. Took a few weeks talking to the bank, showing up in person and queueing with others with the same problem before the bank realized they’ve made a mistake somewhere

        Same happened when the code thingy the bank sent me ran out of batteries. I went to the bank and asked for a new one. Not possible, they said. I had to contact the main branch, and they would send me new one. It would only take one week or so. I had to pay a bill that day, and asked if I could open it to replace the batteries since there was visible screw with ordinary heads. They said that was illegal and hacking, and that I must replace it. On my way home I opened it, and bought the exact same batteries from a shop, and replaced them. Worked perfectly!

        • VikingHippie@lemmy.wtf
          link
          fedilink
          arrow-up
          2
          ·
          11 months ago

          We don’t. We show banks picture ID to prove that we are who we say we are. That picture ID is usually our passport or driver’s license, neither of which is managed by the bank.

      • VikingHippie@lemmy.wtf
        link
        fedilink
        arrow-up
        6
        ·
        11 months ago

        Hi neighbor! waves across Øresund

        Yeah, I’m a big fan of Scandinavian style government (unlike the current governments of both of our countries, it would seem) in general, but sometimes the bureaucracy can get a little bit ridiculous 😂

      • Baku@aussie.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        It seems like most countries have some variation of this issue. When I had to apply for government assistance here in Australia, there was a whole debacle because as I discovered, I don’t actually have a middle name but rather 2 first names because my birth information was filled in incorrectly. So that caused issues because all 3 of the IDs they demanded listed different information. My student ID didn’t list my second name at all, my learner driver permit initialised it, and my birth certificate listed it in full.

        Then my government service account messed things up too, because certain services have my 2nd name listed as either a middle name, or just a second first name so they decided that because I have different government services linked in “different names” I must be committing fraud

    • DillyDaily@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      11 months ago

      This is why I currently have no proper ID.

      I have my birth certificate and my public healthcare card, and a not expired but no longer fully accepted proof of age card that previously counted as full ID but no longer does, but without it I dont have enough ID to get the new form of ID the government introduced in place of the old one I have.

      It’s enough to prove who I am at a liquor store or chemist, day to day, but I can’t get a passport until I sort it out.

        • DillyDaily@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          11 months ago

          Actual Proof of Age Cards are still around, and that’s what I need to get (but I don’t have anything with my current address on it, other than the lease agreement, so it’s going to take a few steps over red tape to get proper ID, and I am not mentally healthy enough to push that process along right now)

          I had a keypass, which they stopped in 2022. I only found out about proof of age cards last year, when I tried to get into an RSL and the bouncer asked if I had anything else because they’re phasing out keypass.

          I know it’s stupid and ignorance isn’t an excuse, but as a teenager I was told to get a keypass because “that’s the ID you get when you don’t have a licence” so I got a keypass, and for the next 15 years I didn’t run into a single issue with not having the right ID. No one I worked with ever questioned why that’s the only ID I had, so I never really stopped to research the specifics. I didn’t know that keypass and “proof of age card” were different, I thought keypass was a proof of age card, just different names for it.

          • VikingHippie@lemmy.wtf
            link
            fedilink
            arrow-up
            2
            ·
            11 months ago

            I am not mentally healthy enough to push that process along right now

            Aren’t there anyone who can help you with it, then? I don’t know about Britain or Ireland (I’m guessing based on your use of chemist), but here in Denmark, there’s all kinds of help available for when you can’t do that kind of thing.

            Granted, if you have ADHD and/or anxiety like me, I fully understand that even finding who to contact about it and then contacting them can itself be extremely difficult 😮‍💨

            • DillyDaily@lemmy.world
              link
              fedilink
              arrow-up
              3
              ·
              11 months ago

              if you have ADHD and/or anxiety like me

              Bingo!

              In Australia I’m not even sure if there is a service that could help me - other than applying for an actual disability support worker to help, which my ADHD could probably benefit from, but that’s a whole other paperwork process and it’s frustrating that paperwork is a barrier to getting accommodations and support with completing paperwork!

              • VikingHippie@lemmy.wtf
                link
                fedilink
                arrow-up
                2
                ·
                11 months ago

                Yeah, I hear you! I’m only functional enough to take my ADHD meds because the ADHD meds work and even THAT would probably crumble if I didn’t have someone remind me to renew the subscription when I’m about to run out!

                And yeah, having to do paperwork alone is the bane of my existence! Not only because it’s difficult, but also because it makes me feel like much more dumb than I actually am. 20 years of going undiagnosed was plenty of unnecessarily low self worth, thank you very much! 😂

    • theo@lemmy.world
      link
      fedilink
      arrow-up
      18
      arrow-down
      4
      ·
      11 months ago

      Unfortunately, Microsoft will often force their own 2FA app when logging in to 365.

          • /home/pineapplelover@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            11 months ago

            Unless your organization forces specifically microsoft authenticator, then yeah. However, for several schools, that’s never been an issue, there should be an option to use a third party authenticator in small text.

        • ParetoOptimalDev@lemmy.today
          link
          fedilink
          arrow-up
          9
          arrow-down
          1
          ·
          11 months ago

          If your admins change the default away from Authenticator only they see bright red “MS 365 insecure” banners.

          So… Its a dark pattern that technically allows other options.

          • dayvid@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            11 months ago

            TOTP codes can be phished. Technically FIDO2 keys like Yubikeys are one of the only phishing-resistant authenticators out there now, because they’re tied to the official domain of the real site and won’t authenticate to a fake.

            Passkeys are similarly phishing resistant, and Microsoft Authenticator will basically have passkey support added early this year. For now it’s actually not phishing resistant! Though it’s somewhat better than TOTP.

            The issue is that phishing resistance is important but it doesn’t stop session stealing (someone getting ahold of the cookie on your computer that confirms you’re signed in and have done MFA). But it does make it harder to steal sessions because phishing resistance means attackers need to get it from your computer instead of intercepting a fake login.

            Just a little technical backstory around why admins are needing to lock down auth methods in more ways as attacks become more sneaky and the more sophisticated attacks become automated and easier and thus more frequent.

  • Strawberry@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    39
    arrow-down
    3
    ·
    11 months ago

    PSA, don’t use Microsoft authenticator. It’s easy to accidentally wipe your cloud backup and lose all your authenticator codes when switching devices

      • Killercat103@infosec.pub
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        11 months ago

        I think you can use standard TOTP regardless if you add TOTP as an option in the authentication methods on your account page. At least I did and the system has yet to complain.

          • Killercat103@infosec.pub
            link
            fedilink
            arrow-up
            1
            ·
            11 months ago

            Sounds like a antitrust violation imo. (Not based in knowledge of laws). In the future I hope to work in a co-op, non-profit, foss or privacy oriented bussiness or whatever. Just something I believe is beneficial to our future and not detrimental. Don’t care if I lose potential wages or job security.

            Just the standard run of the mill tech company for a private owner idealizing infinite growth for investors and making software that tries taking advantage of the user or even required to use such? Not for me. (I don’t need perfection just want improvent)

    • BluDood@lemmy.world
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      11 months ago

      Is there actually any way to export the secrets from MS authenticator? I’ve been wanting to move them to something like bitwarden but it’s gonna take ages if I have to reset all ~50

    • edric@lemm.ee
      link
      fedilink
      arrow-up
      4
      ·
      11 months ago

      Can you provide more info how it’s easy to accidentally wipe? I’ve only done a transfer once, but it was by installing authenticator on the new phone and logging in, then deleting the other one on the old phone after testing that the codes work.

    • cyberpunk007@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      Yes, and while you can move it phone to phone on iOS, you cannot on Android. So stupid.

      If you are forced to use it by your company just use it for that email, nothing else. Use something like authy instead.

      • highenergyphysics@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        11 months ago

        If your company forced you to use mobile authentication, they should also be providing you with a device on the company plan at no cost to the employee.

        In which case you should absolutely use MS Auth and give them all your delicious work data because nothing personal should be on the device anyway.

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        11 months ago

        Authy requires a phone number last I checked & is a part of a for-profit entity. TOTP management is a simple task so there is no reason not to be using something open source.

    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      Don’t worry, I’m going to keep using Bitwarden for my personal accounts.

  • CoopaLoopa@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    24
    ·
    11 months ago

    This is specifically an issue with corporate M365 accounts when a user tries to migrate to a new phone without access to the old phone where the authenticator was setup.

    Personal MS accounts can backup their auth secret keys to cloud storage, and when signing in on a new device, it authenticates you with your cloud storage (Google/Apple) and properly restores your MS Authenticator app.

    The issue is that while MS says you can backup your corporate M365 accounts in MS Authenticator, it doesnt actually store the secret key, so it’s useless.

    Have your administrator enable TAP (Temporary Access Passwords) on the tenant. Then an M365 admin can create a TAP for your account that lets you login without a password/2FA. You can use the TAP to login and rejoin MS Authenticator app. The TAP expires in 1 hour by default.

    • spiffy_spaceman@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      I’m in this particular loop at work where I don’t want and don’t really need an account, so I’m going to pretend I didn’t see this and if you could ensure that IT doesn’t see this, that’d be great, thanks.

    • AggressivelyPassive@feddit.de
      link
      fedilink
      arrow-up
      1
      ·
      11 months ago

      MS auth also supports SMS via phone number. That’s a whole new level of insecure, but lets you migrate to a new phone rather easily.

      I’m 90% sure, all that 2FA crap is a sham anyway.

    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      11 months ago

      You’d think such an important application would be properly tested, right?

  • ChallengeApathy@infosec.pub
    link
    fedilink
    English
    arrow-up
    13
    ·
    11 months ago

    That sort of risk is one major reason I stopped using MS Auth and went through the painstaking process of manually switching all of my accounts to a FOSS authenticator (Aegis Auth) instead.

  • miss phant@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    11 months ago

    Microsoft will just refuse to let me log with a third-party TOTP after setting it up. Security key is also “not supported” on Firefox even though it works for every other site.

    The most info they will get is my Minecraft account and that’s already too much…

    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      4
      ·
      11 months ago

      I set it up with Bitwarden after a reset, but it showed a popup telling me to switch to MS Auth every time until one day there was no way to refuse the switch anymore.

      • CoopaLoopa@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        ^ Your M365 admin needs to know where to manage the specific authentication methods and be sure to disable MS auth rollouts. By default right now, authentication rollouts are enabled on all tenants with P1 licensing or above, and it only supports the MS Authenticator app.

        Once that rollout is disabled, the authentication methods your admin has made available to you will actually work properly.

  • ParetoOptimalDev@lemmy.today
    link
    fedilink
    arrow-up
    14
    arrow-down
    3
    ·
    11 months ago

    Anyone else hate Microsoft forcing you to use Authenticator rather than alternatives?

    Just another way I’m forced to install Microsoft crap on my devices :/

  • Agent641@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    11 months ago

    My university recently forced us to use this shitpile to 2FA, it never fails to disappoint

  • Honytawk@lemmy.zip
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    11 months ago

    Probably means there already is MFA setup on that account, and now you doing it a second time.

    Or you can just press the “get codes” button in the top right.

    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      6
      ·
      11 months ago

      The get codes button didn’t work the first time I tried it. But it did now after restarting the app a couple times. A bit finnicky but it works.

      • sizing743@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        11 months ago

        Yeah, when your setting it up there’s a button that says something like “use another authenticator app” or it might say something like “configure without notifications”.

        Those generate normal TOTP QR codes which you can use in other apps

  • afraid_of_zombies@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    11 months ago

    One day authentication of new users will be impossible and the only way to get on will be to purchase it from someone who already has it. Entire companies will run on a single account hey bought for millions of dollars. News stories will run of a vengeful or negligent employees bricking the one corporate account, until a cartel of business owners attempts to corner the market.

    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      2
      ·
      11 months ago

      Interesting, do you happen to know which configuration item causes this?

      • LemmyIsFantastic@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        2
        ·
        11 months ago

        The one that forces you only to use ‘passwordless’ logins or forces that MFA challenge. Your admins had a choice on what they allow.

        • BCsven@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          11 months ago

          It seems something changed on MS end though because I have control of what MFA i use on our corporate acxount, which was setup with Yubikey, until about a month ago when this Use Your Outlook Mobile started on it’s own

            • BCsven@lemmy.ca
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              11 months ago

              Whatever it is, somebody at Microsoft made a mistake; it should not prompt you for Outlook Mobile Auth code when that is the actual app you are trying to sign in to, and have no way of retrieving that code. it should have review MS app and if it is Outlook Mobile then move to the next MFA option in your security list.

                • BCsven@lemmy.ca
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  11 months ago

                  In this meme yeah, in my account I get the “try another way” link to let me go back to Yubikey auth option. But it shouldn’t default to Outlook auth if your are trying to sign in to Outlook, that is just lack of forethought

      • LemmyIsFantastic@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        3
        ·
        11 months ago

        I mean, unless your service lets you pick individually that usually means turning on SMS. That’s probably why they have a general policy, it’s a pain in the ass to manage multiples.