On a semi-related note, Microsoft security is genuinely terrible.

For the past week, my Microsoft Authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign-ins show up.

Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign-in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.

Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.

Microsoft also has this cool thing where if someone fails to get into your account too many times, your account can get locked and you are asked to reset your password. For a working password.

Even after changing my password, I couldn't log in to my email on my phone, so I just gave up. I only use that email for a handful of things anyway.

Their enterprise account system (Active Directory or whatever it's called) also has an awesome bug where if you accidentally reload the page during password reset, the link will no longer be valid, but your old password will already be invalidated. So you won't be able to log in at all until IT staff manually changes your password.

> The default sign in flow with the app enabled is email + authenticator. No password required

Isn't this only if the browser has some cookie from a previous session or the IP didn't change?

Edit: just tried (new IP + private Firefox window), you are right, I can enter email and select app notification.

I've been getting this too, authenticator prompts saying "logged in" and asking for confirmation, but no history whatsoever when I went to security to check.

It freaked me out the first time, I went through all the security settings I could find, but it was as if it never happened.

I just ignored it the second time, but it's a bit unsettling, because the default authenticator flow also has the chance of accidentally hitting the right number.

Is that because it’s two digits?

No, because the default is to present you 3 numbers and ask you which one is yours!

1 in 3 and easy to hit by mistake.

Shouldn't there be a button like "I didn't request this" or something? Why would you hit one of the buttons if you know the request is bogus?

You've never hit the wrong button by mistake on a phone touchscreen?

I can only envy your adroitness.

That's insane.

Yes it is completely broken. Everyone should disable Microsoft Authenticator and uninstall it. It is a massive vector.

Yes, there are so many other 2FA authenticators, many of them even open-source. Why would you ever use the Microsoft one?

It is doing something different than RFC 6238, which theoretically is more secure. The way they have it implemented is worse than if they did nothing though. If they cared at all about security they would have pulled it down years ago when this vector being abused was first being reported by users. But nope, admitting a mistake isn't in the vocabulary of. The leaders definitely know what they're doing.

I also had this starting a few months back. I changed the email address (really, just an alias to the same mailbox as before) and the notifications stopped.

It is the same company that wants to stop SMS 2FA to force you to use their shitty authenticator app.

SMS 2FA is the worst factor because of how insecure and phishable the phone network is; it deserves to die out where possible.

But they could allow other 2FA apps, but they force their shitty one.

They now support passkeys with things other than their shitty app. I use 1Password, and it works fine.

I've also had a YubiKey for a long time and can't be bothered to type in codes, so I didn't know their shitty app did OTP or even that OTP was actually a possibility for MS accounts.

Agreed; and more generally, Microsoft's online services in general are terrible. Their login system is a mess, their UX is awful... our company is a Microsoft partner but there's like 27 different ways to be one, with a bunch of different accounts, forms and systems for it. Azure UX is atrocious. And this nonsense spills into every single enterprise product they offer too (how many people complain about Teams?).

Here in Belgium, 80% of enterprise accounts use MS over Google and I genuinely don't get why. (Without getting into the fiasco of not really having an EU alternative to either of those)

> Here in Belgium, 80% of enterprise accounts use MS over Google and I genuinely don't get why. (Without getting into the fiasco of not really having an EU alternative to either of those)

Maybe because those enterprises already used on-prem AD? It's much "easier" to have a hybrid monstrosity combining on-prem AD and Azure AD than on-prem AD and Google (or anything non-MS, really). Plus, MS is already a supplier, so for large, bureaucratic entities, they already have a foot in the door.