I recently had to set up Microsoft Authenticator. It refused to register a code unless I enabled notifications.

You are a two factor app. I should never be in a situation where there is an unexpected login I need to verify.

I want scopes like Graphene has for storage scopes. I want this on my phone and browser - let the site/app think it has everything (cookies, storage, microphone, camera, notifications, whatever it wants) but it's all empty and does nothing.

Apps can know whether you granted permission?? That sounds like a security flaw.

This is basically required for clueless (and even not so clueless) users.

If there's a chat app I installed 3 years ago, with no intention of giving it camera access, and I suddenly need to use that app for a video call, I don't want to be stuck debugging broken camera issues for two hours. I'd much rather have the app tell me that it doesn't have camera access.

This is fair for permissions. But for notifications, the app shouldn't need to know. It can just send them into the void for all the app cares. If the notification doesn't work then it should never break critical app functionality and apps should be built with the assumption that users will never see/interact with notifications.

> This is basically required for clueless (and even not so clueless) users.

I can actually confess that this hit me. Almost nothing on my phone has permission to use my camera, including my web browser (why???). I assume this was done in a fit of pique upon discovering that the setting even existed.

Roll on (god knows how many years later) and I cannot get into the gym with the link I was emailed to have my browser read a QR because my browser is just a grey screen. It was only when the member of staff suggested permissions that I realised what was going on.

I'm the problem, it's me

The OS could tell you instead. If it is a camera app, the OS could tell you on install that you can't start the app without giving it camera access, because that's what the app is.

They can, but there's an OS option that basically is "I'm going to say yes, but then effectively do nothing". Basically it'll pretend to the application that a permission is granted, but then just keep returning empty information or doing nothing with it. So notification perms would then be seen as enabled, but nothing is actually being sent to the user.

Unfortunately Google isn't really exposing this to users, so you need something like App Ops or adb to set it up.

Of course, that way they can refuse to work until you uninstall or give in to their demands. There are other operating systems that present fake data at least.

Yep. Just today I had a tram/bus ticket purchase app refuse to work unless I grant it Phone access.

Tip: The iPhone Passwords app has basic TOTP functionality (manually create a password entry and click "Set Up Code"). I have a few dummy passwords which are effectively just labels for some login codes - it's one less app to install.

Unfortunately Microsoft Authenticator does more than TOTP and usually it's not up to the user to decide which two factor implementation is accepted.

Some Microsoft setups ONLY allow Authenticator - can’t use 1pass etc. I have recently fallen into this pit

I believe this is also a consequence of iOS gating background processing and scheduled timers allowed by an app based on whether or not notifications are enabled by the user. I believe Microsoft Authenticator also wants notifications enabled for the same reason most Banking apps on iOS want notifications enabled, so that it can register a ~10-minute background timer to run any backups, securely clear program memory, and safely "logout" from any active "session".

On the one hand it helps avoid "permissions fatigue" that the user just has the one permission to manage ("enable notifications"), but on the other hand it does lead to these questions about why an entire class of applications (banking apps and security apps) whose role should be mostly never to send notifications (because that can be a FUD/fear/fraud vector) need notifications enabled to work securely.

Okta has push as an option. Maybe msft has that too.

Key word there being 'option'. If you choose to use push as your mechanism then enabling it is obvious. If you choose not to the app should still work. You don't need push notifications enabled on an MFA app.

AFAICT any TOTP app (FreeOTP+, Aegis...) works just fine with Microsoft services (or Google, etc). You don't actually need to install several TOTP apps.

Microsoft Authenticator is not standard TOTP, but their own private flavor.

I've used FreeOTP+ to connect to my customers' Microsoft Teams for years without any trouble.

> I should never be in a situation where there is an unexpected login I need to verify.

Isn't that kind of the point? If someone else is trying to login somewhere with your credentials, your two factor will ping up?

Why would I want that? If it is not me, I am not going to allow the login. Making it a notification makes it more likely I could fat finger an approval.

I guess you can make the argument that you are then made aware of login attempts, but that feels more like something the host service should control.

> Why would I want that?

Because to get that far they entered your password? Which you might like to change?

You did mention: "You are a two factor app."

If they've got past your first factor, you might want to know.

I recently got an unsolicited OTP email from Microsoft, which led me to fear that someone had entered my password, but no: I eventually was able to confirm that the arrival of an OTP does not, in fact, require that someone enter anything beyond my email address. This is rather insane (I should not be having a blood pressure event due to Microsoft) but on the other hand I do understand the passwordless concept which is just a password-reset flow sans password-change. Perhaps a nice middle ground would be if the OTP email explicitly stated that my password was not entered.

This also happened to me about a week ago and I had the same reaction/discovery process you did. OT but I wonder if there was a recent ramp up in these attacks. It was done against an email I do not regularly use that was attached to my account as an alternate and haveibeenpwned confirmed was in a data breach back in 2020.

Some providers (looking at you, Intuit) don't seem to understand TWO factor authentication and will allow someone to bypass your password if they can intercept the SMS or email, and treat it as a normal login.


Our Okta is set up so that it usually does the two-factor before asking for password.

I would, but I don't need to know immediately. Plus you have the other vector of my phone sitting on a table and showing the notification to a person who can see it when they are trying to login as me.

I find it to be a poor default that sensitive data is shown on the lock screen. I change that setting as a first order of business whenever I'm setting up a new phone.

I saw a new marketing strategy recently: Someone tried to sign into something with my email. I didn't have an account, so they took the excuse to send me an email asking me to create an account.

> I saw a new marketing strategy recently: Someone tried to sign into something with my email. I didn't have an account, so they took the excuse to send me an email asking me to create an account.

This has been going on since at least 2006.

Startups will "growth hack" by buying e-mail lists and feeding them into their password recovery tools.

A certain percentage of people will then follow the links and end up creating a new account on a service they had no interest in that now has their confirmed contact information, a new user, and a plausible reason to bombard them with marketing email.

I recently started getting emails from a company warning me that "I only had x days left to verify your account."

The account was supposedly registered for an organization whose name was somewhat similar to mine, so I thought somebody fat-fingered their coworker's email (the initial email was an invitation to create an account and join the org), but it might have very well been the tactic you described.

Huh, is that why my Google Authenticator app pops up randomly? I always figured it was a bug in the app or in Android.
