this post was submitted on 29 Apr 2025
565 points (100.0% liked)

iiiiiiitttttttttttt

A community for memes and posts about tech and IT related rage.

Transcript: A wafrn woot (post) by @[email protected] saying "Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers" It has a screenshot showing the Microsoft Authenticator app.

top 50 comments
[–] [email protected] 127 points 1 week ago (1 children)

Perfect Security. Nobody gets in.

[–] [email protected] 8 points 1 week ago

False positives are way more important to prevent than false negatives anyways.

[–] [email protected] 81 points 1 week ago (4 children)

Pretty sure you have another device registered with Authenticator here, and it is asking you to verify against that.

It would be bad if somebody could just steal your username/password and then register their own MFA, right?
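The policy this comment describes (an already registered method, not the password alone, must vouch for any new MFA registration) and the lockout loop the rest of the thread complains about, as an added Python model that is not part of the post or of Microsoft's product; the method names, the recovery-code rule and the admin-reset path are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    # Constructed model of an identity: registered MFA methods, the ones the user
    # can currently reach (a wiped phone is registered but unavailable), recovery codes.
    password_ok: bool = True
    methods: set = field(default_factory=set)
    available: set = field(default_factory=set)
    recovery_codes: set = field(default_factory=set)

class Lockout(Exception):
    """Every registered method is unreachable: the loop described in the thread."""

def enroll_method(acct, new_method, proof_with=None, recovery_code=None):
    """Register a new MFA method (hypothetical policy, not the vendor's code).
    Password alone suffices only for the very first method; afterwards the user
    must prove possession of an existing method or spend a single-use recovery code."""
    if not acct.password_ok:
        raise PermissionError("password check failed")
    if not acct.methods:
        acct.methods.add(new_method); acct.available.add(new_method)
        return "bootstrapped"
    if recovery_code is not None and recovery_code in acct.recovery_codes:
        acct.recovery_codes.discard(recovery_code)       # burn the code
        acct.methods.add(new_method); acct.available.add(new_method)
        return "enrolled-via-recovery"
    if proof_with in acct.methods and proof_with in acct.available:
        acct.methods.add(new_method); acct.available.add(new_method)
        return "enrolled-via-existing"
    usable = acct.methods & acct.available
    if not usable:
        # Nothing left to verify against: the help desk has to step in.
        raise Lockout("registered methods unavailable; admin reset required")
    raise PermissionError(f"verify with one of {sorted(usable)} first")

def admin_reset(acct):
    """Help-desk path from the thread: drop all methods after out-of-band identity proofing."""
    acct.methods.clear()
    acct.available.clear()
    return "reset"

def outcome(fn, *args, **kwargs):
    """Return fn's result, or the exception class name, so outcomes are easy to compare."""
    try:
        return fn(*args, **kwargs)
    except (PermissionError, Lockout) as e:
        return type(e).__name__
```

A stolen password therefore cannot add a second device, while a wiped phone with no recovery code reproduces the "ask IT to reset it" situation several commenters describe.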

[–] [email protected] 15 points 1 week ago (1 children)

thanks for clarifying that, it makes the post really dumb

[–] [email protected] 5 points 1 week ago (1 children)

This is a legit problem with authenticator. My work phone was wiped and I had to have my authenticator reset because it got stuck in the same loop.

[–] [email protected] 12 points 1 week ago

So I recently had this happen. I set up Microsoft authenticator on my phone, found out our IT team wants us to use Google authenticator for some reason, hit the disconnect from device button... And got an infinite loop of being redirected to the Microsoft app, and clicking the "can't access" button brought me back to... The Microsoft authenticator app.

Had to ask IT to delete my 2fa on their end and try again.

[–] [email protected] 9 points 1 week ago

Keeper does the same. Because that's sane security.

Lemmy: $MS dumb and bad! (Please clap.)

[–] [email protected] 5 points 1 week ago

This happens when your Microsoft account password is externally managed by your employer. If the password is changed externally, then authenticator needs to re-authenticate… with itself.

[–] [email protected] 48 points 1 week ago
[–] [email protected] 40 points 1 week ago (5 children)

This is why I hate passkeys and authenticators (as mandatory requirements). The moment I lose my phone I’m just completely fucked with no recourse, in actual use case.

[–] [email protected] 2 points 41 minutes ago

I use vaultwarden (passwords, mfa, etc), which moves the point of failure from a device I hold and am at constant risk of dropping, to the server it's running on that has no risk of being dropped. There are people that will scream 'you shouldn't store mfa with your passwords' but if someone already breaches my vault then I have WAY bigger problems, so the argument is moot. Just secure your shit correctly and it's nbd.

Then it becomes a case of data safety and integrity, so raid, snapshots, encrypted backups on and off-site, having those encryption keys accessible in a physical form near the server for recovery...

[–] [email protected] 22 points 1 week ago (1 children)

I use andOTP for two factor authentication. It's free and open source, and available from the F-Droid app store. It allows you to backup your cryptographic keys in plaintext, with a password, or asymmetrically encrypted using OpenPGP. I keep my backups in a fireproof safe on two flash drives.

[–] [email protected] 8 points 1 week ago (1 children)

Thank you for the resources, I’ll be sure to check them out.

Unfortunately I’m still on iOS atm (hoping to switch to Android -> GrapheneOS down the line, when I have the finances), so I’m stuck trying to find something that’ll work between that and my Linux desktop, with GoogleAuth being my primary OTP app.

Cursory Internet search suggests something called 2FAS for mobile so I’ll see if it’s a cross platform option. I actually didn’t know non-corpo authenticators existed until today so it’s an exciting path to explore. /gen /pos

[–] [email protected] 19 points 1 week ago (2 children)

You're supposed to have backups for MFA. Though passkeys (specifically ones for YubiKey) are really hard to back up.

I am not always going to remember to register my primary yubikey and my two backups that are physically never together.

[–] [email protected] 10 points 1 week ago (2 children)

Yeah I had a beautiful moment trying to use Google's find my phone feature in another country when it asked me to use MFA on...my fucking phone. Turned off Google MFA forever after that near nightmare. Luckily another kind tourist found and turned in my phone to the nearest worker at the place I was visiting.

[–] [email protected] 1 points 2 days ago (1 children)

This is where you're supposed to run the find my phone from another device where you're already signed in, such as your laptop at the hotel room. Or alternatively have one of your partner's accounts as a backup 2FA method since your partner probably didn't lose their phone at the same time.

If anyone can sign into the account and lock the phone as lost with just a username and password, then the moment your username and password are breached/guessed your entire account is as good as gone.

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago) (1 children)

A lot of people here are treating me like I'm stupid when my only point really is that Google knows the one way I cannot recover my phone was with the phone itself so it's not a smart design to offer that. Carrying more devices isn't a real option either, so I get that technically it's possible, but smarter people than I should've come up with something better by now. No one can carry or afford a backup phone.

[–] [email protected] 1 points 2 days ago

It's ultimately the challenge that 2FA is a combination of 2 of the following: something you have, something you are, or something you know. Or as a Cisco security engineer once put it in a talk, a combination of something you've lost, something you've forgotten or something you were at one time but are no longer.

Ultimately, authentication sucks and there's really no better way to do it for individuals than just having multiple backup methods, which of course is more opportunities for account compromise. It's a lose-lose-lose situation.

[–] [email protected] 5 points 1 week ago (9 children)

Yeah, I also had a beautiful moment trying to use Google's find my phone feature in another country when I didn't know my password. Used "password123" after that near nightmare.

Security works best when it's really easy to get into my account even though I don't remember my credentials.

[–] [email protected] 7 points 1 week ago (8 children)

Bit of a shit take there really, that's not the same thing at all.

[–] [email protected] 6 points 1 week ago (10 children)

No the best system is if you try to find your phone without having your phone, a cybernetic lifeform should track you down and rip your spine out for trying to find your phone. Then some dipshit on the Internet without a shred of humanity can feel smugly superior about it

[–] [email protected] 7 points 1 week ago

I broke my phone, and this actually happened to me. Google had set my old broken phone as a default passkey without my knowledge, back when they were rolling it out. My sim card was retrievable, so I used SMS to get in after my password. Turns out, that's not good enough. It took me days to get into my idiotic accounts (including Google authenticator for work) because of all the security hoops, even with backup codes, password managers, and a SIM card.

My saving grace was Firefox Sync, which allowed me to get into Microsoft accounts and slowly start unwinding Google's insane requirements.

[–] [email protected] 34 points 1 week ago (2 children)

Currently doing an internship at an establishment with 1300+ users using Microsoft authenticator (required by policy). The amount of times I've had this same issue is insane. Worst part is, when we provision someone with a new company phone, they have to go to the Google play store to download Microsoft authenticator. The play store however, requires a google login to download apps, but the users cannot log in to their company Google account without authenticator, creating a circular dependency. This unintentionally means every employee HAS to have a personal google account to set up their company google account... Stupid as hell.

[–] [email protected] 22 points 1 week ago* (last edited 1 week ago)

Why not just install the Authenticator APK some other way initially? Just give people a download from some random server you control.

[–] [email protected] 5 points 1 week ago

Logically it should be perfectly fine to install the authenticator app on a personal device, if that suits the user. 2FA adds security to the password, but the password itself is not meant to be known by anyone else, including any other employee or any other company owned device.

Also, you can enroll mobile devices to Intune and have the authenticator app installed before the employee receives it.

[–] [email protected] 21 points 1 week ago (6 children)
[–] [email protected] 7 points 1 week ago

I just switched to aegis when authy went to light mode. I like it.

[–] [email protected] 20 points 1 week ago (1 children)
[–] [email protected] 16 points 1 week ago

This isn't a Microsoft issue. This is a stupidity issue. Any authenticator you add 2 factor to, and then put the 2 factor in that same app will do this.

[–] [email protected] 14 points 1 week ago

Nothing says Microsoft like a bit of janky paradox.

[–] [email protected] 12 points 1 week ago (3 children)

I had an issue with this a few weeks ago: my old phone's charging port broke and I couldn't get back into it. On my new phone it needed me to use the authenticator to log in to the authenticator. Made it my uni's problem to solve the authenticator paradox.

[–] [email protected] 8 points 1 week ago

It's a security feature.

If it was easy to get into without the authenticator, then it would be useless.

[–] [email protected] 10 points 1 week ago
[–] [email protected] 8 points 1 week ago* (last edited 1 week ago)

Seems like someone took DRY too far…

The authenticator itself is not supposed to use the same auth dialog as everything else 😅

[–] [email protected] 7 points 1 week ago

If we're headed into a chaotic and terrible time of uprising and war these next few decades, I hope among the things that get shelled and flattened, all of Microsoft's offices are among them. It would be a shame if, like IBM nearly a century ago, Microsoft remains in the aftermath.

[–] [email protected] 7 points 1 week ago

*laughs in Okta*

[–] [email protected] 6 points 1 week ago* (last edited 1 week ago)

Authentinception

[–] [email protected] 6 points 1 week ago

The steam app does this. Like, not in a fucked up useless way, but it still requires that you authenticate with its own pop up.

[–] [email protected] 6 points 1 week ago (5 children)

There are plenty of FOSS authenticator apps that can authenticate Microsoft account hassle free. I have been using one for years now.

[–] [email protected] 5 points 1 week ago

Oh that's reassuring, I thought maybe it was just because I'm using it on Huawei.

[–] [email protected] 4 points 1 week ago

I had Google Fi. One time I got a new phone. Went to switch service to the new Pixel. Moving service deactivated service on my old phone. Couldn't sign in to Google Fi to activate my new service until I entered the code they texted me.
