this post was submitted on 29 Apr 2025
536 points (96.5% liked)

Transcript: A wafrn woot (post) by @[email protected] saying "Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers". It has a screenshot showing the Microsoft Authenticator app.

[–] [email protected] 10 points 4 days ago
[–] [email protected] 6 points 4 days ago

If we're headed into a chaotic and terrible time of uprising and war these next few decades, I hope among the things that get shelled and flattened, all of Microsoft's offices are among them. It would be a shame if, like IBM nearly a century ago, Microsoft remains in the aftermath.

[–] [email protected] 4 points 4 days ago

Oh that's reassuring, I thought maybe it was just because I'm using it on Huawei.

[–] [email protected] 13 points 4 days ago (2 children)

https://mysignins.microsoft.com/security-info

Obviously it's very fashionable to bang two saucepans together while chanting "microsoft baaaaad", but for anyone interested in actually learning about how this stuff works: Authenticator will never use 'itself' to authenticate, but you can use a second, separate instance of Authenticator on another device to authenticate, which is what is happening here. If you use Entra (or whatever it's called this week), go to that URL to see which MFA methods Microsoft thinks you have and if, say, there's a copy of Authenticator on a phone you no longer own, or an outdated phone number, or whatever, you can delete it.

[–] [email protected] 4 points 4 days ago (1 children)

Nothing in the UX here conveys that you should open a second Authenticator on a second device. And what if you aren’t logged into the second Authenticator? Is a third one needed on a third device? And if you aren’t logged into the third?

The original TOTP phone apps don’t require their own login. The protection is provided by the mobile OS.

Microsoft is making this complex; it’s not usable.

[–] [email protected] 1 points 4 days ago* (last edited 4 days ago) (1 children)

MS Authenticator also uses the phone's built-in security and can also be used for plain TOTP without sign-in if you want. If you aren't signed in on a separate instance it won't offer Authenticator as an option. I think a reasonable person would have realised that based on my answer or, if you were really interested in finding out, from the documentation but I guess you bought those saucepans so you might as well use them. I suppose you're right in a sense; if Microsoft really wanted to make the UX idiot-proof they'd have a link that says something like "I can't use my Microsoft Authenticator app right now."

Out of interest, what happens if you lock yourself out of the completely free, open source and self-hosted app that has your TOTP codes? What recourse would you have that isn't also true for MS Authenticator, or Google Authenticator, or any of the other ones?

[–] [email protected] 0 points 3 days ago

For work apps, you can “contact an admin” if you can’t access TOTP. Some other services also have account recovery options if you lose that access.

In other cases, I think you are screwed because you opted into requiring a second factor then lost it.
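
An added example, not part of any comment in this thread and not Microsoft's code: the two checks discussed above (an Authenticator registration left behind on an old device, and an account whose only second factor is a single method, which locks you out if it is lost), run over a constructed response shaped like Microsoft Graph's `GET /users/{id}/authentication/methods`. The sample data, the 730-day threshold and the function name `review_methods` are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph
# GET /users/{id}/authentication/methods response (not real data).
SAMPLE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
  {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
   "id": "auth-1", "displayName": "Old phone",
   "createdDateTime": "2021-03-02T10:00:00Z"},
  {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
   "id": "auth-2", "displayName": "Current phone",
   "createdDateTime": "2025-01-15T09:30:00Z"},
  {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
   "id": "phone-1", "phoneNumber": "+1 5550100", "phoneType": "mobile"}
]}
""")

AUTHENTICATOR = "microsoftAuthenticatorAuthenticationMethod"
STALE_AFTER_DAYS = 730  # assumption: review registrations older than ~2 years


def review_methods(response, now):
    """Return findings about the second factors registered for one user."""
    methods = [dict(m, kind=m["@odata.type"].rsplit(".", 1)[-1])
               for m in response["value"]]
    # Simplification: the password is the first factor and every other
    # registered method is treated as a usable second factor.
    second = [m for m in methods if m["kind"] != "passwordAuthenticationMethod"]
    authenticators = [m for m in second if m["kind"] == AUTHENTICATOR]
    findings = []
    if len(second) == 1:
        # Losing this one method means admin or recovery flow is the only way in.
        findings.append(("single-second-factor", second[0]["id"]))
    if len(authenticators) > 1:
        findings.append(("multiple-authenticator-devices",
                         sorted(m["displayName"] for m in authenticators)))
    for m in authenticators:
        created = datetime.fromisoformat(
            m["createdDateTime"].replace("Z", "+00:00"))
        if (now - created).days > STALE_AFTER_DAYS:
            findings.append(("stale-authenticator", m["displayName"]))
    return findings


if __name__ == "__main__":
    today = datetime(2025, 4, 29, tzinfo=timezone.utc)
    for finding in review_methods(SAMPLE, today):
        print(finding)
```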

[–] [email protected] 1 points 4 days ago

or request/get a keyfob for the 2nd authentication?

had to do that shit at my last job. and although tedious, it was better than installing an MS app on my phone

[–] [email protected] 8 points 4 days ago* (last edited 4 days ago)

Seems like someone took DRY too far…

The authenticator itself is not supposed to use the same auth dialog as everything else 😅

[–] [email protected] 16 points 4 days ago (1 children)

This isn't a Microsoft issue. This is a stupidity issue. Any authenticator you add 2 factor to, and then put the 2 factor in that same app will do this.

[–] [email protected] 5 points 4 days ago (1 children)

Even better/worse, Microsoft will never send 2FA requests to the app that is requesting them. This user has a second copy of Authenticator installed somewhere else which they forgot about.

[–] [email protected] 2 points 4 days ago

in a sandbox or VM? or perhaps a rooted phone which does all that and more.

[–] [email protected] 6 points 4 days ago (1 children)

There are plenty of FOSS authenticator apps that can authenticate a Microsoft account hassle-free. I have been using one for years now.

[–] [email protected] 3 points 4 days ago (1 children)
[–] [email protected] 1 points 4 days ago

I am using an app called QR & Barcode Scanner.

[–] [email protected] 20 points 4 days ago (3 children)
[–] [email protected] 5 points 4 days ago

I just switched to Aegis when Authy went to light mode. I like it.

[–] [email protected] 3 points 4 days ago

Ente Auth is also pretty good

[–] [email protected] 4 points 4 days ago* (last edited 4 days ago) (2 children)

One of the main features of MS Authenticator is native integration with the MS authentication system. Aegis doesn't have such integration.

[–] [email protected] 2 points 4 days ago

That's kind of the point...

The less of their stuff I have in my life, the better.

funny to me when people are like "I need that integration to automatically approve all auth requests because typing that six digit number in is JUST TOO MUCH MAN!!!"

[–] [email protected] 3 points 4 days ago

That sounds like a bug in waiting honestly. I don't trust Microsoft that much
