The problem here is MS's terrible MFA & "SSO" implementations. If I didn't need to MFA multiple times per day into Azure¹ (i.e., if I could sign in truly once per, say, 24 hours), and if MFA was just a literal MFA², the fatigue would not be so incredibly high to begin with. Solutions like a Yubikey Nano are going to seem like future tech to anyone that has to put up with MS Authenticator.
All of the article's suggestions just seem to make more work for the already overburdened user. Fixing the fatigue at its root is what is needed. (But the article is oddly targeting administrators, for whom such a fix is impossible, not … MS themselves.)
¹different Azure tenants, despite being tied sort of to the same user, require separate MFA/auth sequences. In a separate AAD tenant, my user is technically separate, but also technically not; best I understand it is that it is sort of like a shadow user ("guest", in AAD) to my real user. AAD knows they're connected … but not well enough to matter for MFA.
²MS Auth requires a double PIN entry on the phone in order to respond to an MFA. It used to be you could just tap the notification, but at some point, that got axed, and the fatigue went up like 3x. MFA is supposed to be proof of possession (I have the phone), not proof of knowledge (password, PIN). A non-PIN-protected notification is fine; the password still covers the "what you know".
With Google SSO, I log in and do MFA once per year or so on trusted devices and any further prompt beyond that would be extremely suspicious. With Azure, I have to complete the sequence like a hundred times per day.
Forget Azure. Even Outlook/Teams flips apps between Teams/MS Authenticator over and over. My iPhone goes into strange loops. Sometimes, it's logged out but doesn't show it and just doesn't update anything. It's nuts how vast the chasm is between Azure/Outlook/Teams vs AWS/Google.
Nope. This is capitalism working as intended. They keep making money regardless of how crappy their products are. The problem is that those who suffer are not the ones making the purchase decision.
Capitalism allocates society's wealth towards the most productive members, in order to promote more productivity (in theory anyways). Microsoft has collected a massive amount of wealth, yet they're not being productive with it. In effect, they're wasting society's time since we aren't getting a return for that investment. That's unforgivable since people only live for a few decades, so Microsoft's misuse of wealth means that other businesses/individuals who would've used it to produce new/better technologies aren't able to. It's laziness, which is one of the worst traits a member of a capitalist society can have, and it's especially heinous when it's a trait possessed by an actor in such a powerful position.
Thus, many of us will die without ever seeing a real hoverboard. So when you're on your deathbed and you don't have a hoverboard, know that it's Microsoft's fault (and the government regulators who should've stopped them).
That is not what capitalism is, according to wiki: "Capitalism is an economic system based on the private ownership of the means of production and their operation for profit."
There's nothing in here about allocating wealth, or promoting productivity. It's all about private ownership. The owner decides how to make money, and what to do with the profits. If they decide to use it for non-productive goals, that's the freedom of the owner.
Capitalism is the opposite of a society consciously allocating anything for a specific purpose; it leaves it up to every individual.
Private wealth is just an implementation detail of capitalism. An economic system’s purpose is to determine where the wealth goes, since the whole point of an economy is to share resources (e.g. so people don’t have to grow their own food)
> Capitalism is the opposite of a society consciously allocating anything for a specific purpose; it leaves it up to every individual.
Yeah, capitalism doesn’t use central planning. It’s a decentralized system in its purest form (real world requires regulators though), however it still is a system designed to answer the question: “who gets what?”
I'd say the purpose of capitalism is not to decide "who gets what", but rather to lay the foundation that the society/country as a whole get as much as possible.
Sorry, but I don’t see what you’re trying to say here. Tonally, you seem to be trying to contradict my argument, yet aren’t actually contradicting anything.
> I'd say the purpose of capitalism is not to decide "who gets what", but rather to lay the foundation that the society/country as a whole get as much as possible.
The question “who gets what?” can be rephrased as “how do we give everyone as much as possible?”. Capitalism offers one potential answer.
So yeah you’re not actually saying anything different from what I am. Are you even reading and/or understanding my comments?
I know that the word “capitalism” tends to invoke knee-jerk/emotional reactions because of the politics behind it, so maybe that’s what’s going on here? Fwiw, I’m not saying that capitalism is good nor bad, I’m just defining it for the sake of my somewhat facetious hoverboard comment further up.
"Who gets what" to me sounds like a zero-sum situation: we have one pie, and capitalism will decide how big a piece every member of the group gets.
"Everybody as much as possible" is a different situation where you're trying to get as many pies for the group as possible.
In the first situation the wealth of the rich people comes at the cost of the poor people, in the second situation both groups can gain, although some more than others.
It's not Azure, it is how your organization decides to implement MFA. The only time re-MFA'ing is 'required' is when your password expires (if it does) as your token expires.
Otherwise, you could have 365 day token lifetimes if your organization configured it. Or greater.
Google does have a more stringent mode that can be enabled on high profile / admin accounts that requires MFA more often and faster auto log outs. But it is still not too bad.
I have never been pinged multiple times per day. In fact, I have never been inconvenienced by this at all and all my stuff lives in Office365 and Azure. No idea where all this is coming from in this thread.
I think it depends what people mean here. As a general Office 365 user, I log on to my laptop and Outlook, Teams, OneDrive etc. haven't prompted for MFA in months. However, I have many scripts that require both "Connect-AzureAD" and "Connect-ExchangeOnline" at the start. More frustratingly, some legacy features from "Connect-MSOL" haven't made it into the newer scripts yet and thus often that's also needed. Those scripts take three separate logons with three separate MFA prompts, because it seems incapable of determining that I literally just authenticated and can I please use that session.
It’s irritating that the “something you have” for most things can’t be “a laptop with a TPM.” It’s functionally equivalent to phone-based MFA.
The only improvement would be some screen + touch approval (like the touchbar had for privilege elevation). That would at least leave a human in the MFA loop in the event of machine compromise.
To add to what jsnell said, the Yubikey requires a tap. A physical interaction from someone sitting at a laptop, which is something a trojan cannot accomplish, and a tiny barrier from the human that doesn't materially contribute to fatigue.
Now, I don't really know how much of a difference it makes for trojans, since presumably the resulting token/cookie/etc. could just be compromised in place. One might hope it is scoped or at least of a more limited lifetime, I suppose.
(Compromise by trojan is one of those "all roads seem to end in pwned" events to me.)
I will note that it at least requires some authentication to happen prior to compromise, so if some IDS is blaring off alarm bells, all hope might not be lost if the device can be cut off fast enough.
(The point here, though, vs. MS Authenticator, is that Authenticator adds nothing but massive amounts of friction over the supposed Yubikey state of affairs. Edit: although, see another of my comments: apparently MS Authenticator's behavior is configurable — for uh, some reason — so I've switched it to "less annoying" mode. So, I'll forgive MS a touch, but AIUI it's the default to fatigue the user…)
Not quite equivalent. When an attacker compromises your laptop, they'll get all of the factors in one go: steal all your bearer tokens, steal your password with a key logger, and operate the TPM remotely.
You cannot compromise the TPM (e.g. read the keys stored in it, decrement increment-only counters), but most of the point of a TPM is that programs can call an interface and have the TPM perform operations using those keys. If someone compromises the machine enough to be able to run arbitrary code, they can issue those TPM operations remotely just the same as the legit software.
What you describe is somewhat related, in that one can use a combination of a TPM + some kind of a biometric sensor to build a system like TouchID or Windows Hello, and that combination would not be remotely operable. But if e.g. your mTLS client cert is stored in the TPM, you certainly would not expect to swipe a fingerprint reader on every connection that the browser establishes to the mTLS domains.
That's why most of those TPMs have a requirement of physical interaction, i.e. you need to press a key on a Yubikey, or put a fingerprint down on an iPhone before they start this operation.
I think the idea is that you cannot impersonate a specific TPM remotely. Get root on a system, though, and you can do whatever you want with the hardware you now have access to, including using its TPM for your own purposes.
But that's exactly how it doesn't work - you are referring to software-level TPMs. I.e. the Secure Enclave in iPhones works in a way that you can always put keys INTO the TPM chip, but cannot read them back out later, but rather have the Secure Enclave perform the crypto on chip (requiring some form of authentication, like a fingerprint read or a button press on Yubikeys). Even full root access should not compromise that.
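As an added example (not any commenter's code, and not Microsoft's or Yubico's), here is the server side of what the tap buys you. A FIDO2/WebAuthn assertion carries an "authenticator data" blob: a SHA-256 of the relying-party ID, a flags byte that records user presence (UP, the physical tap) and user verification (UV, PIN or biometric), and a signature counter that only ever goes up. The relying party checks those before it accepts the login; a login driven by malware through the key without a tap lacks UP, and a cloned key eventually produces a counter that does not increase. The blob below is constructed inline with no real key, and the ECDSA signature check over the blob itself is deliberately left out so the block runs stand-alone.

```python
import hashlib
import struct

# Flag bits in the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present: a tap on the key
FLAG_UV = 0x04  # user verified: PIN or biometric on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]  # big-endian uint32
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_assertion(auth_data: bytes, rp_id: str, stored_count: int,
                    require_uv: bool = False) -> dict:
    """Apply the relying-party checks on authenticator data before trusting a login.

    stored_count is the signature counter the server saved after the previous
    assertion for this credential. The signature over auth_data is NOT checked here.
    """
    parsed = parse_authenticator_data(auth_data)

    # 1. The key signed for the expected RP ID, not a look-alike phishing domain.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}

    # 2. A human touched the authenticator; host malware alone cannot set this bit.
    if not parsed["flags"] & FLAG_UP:
        return {"ok": False, "reason": "user presence flag not set"}

    # 3. Optionally insist on PIN/biometric in addition to the tap.
    if require_uv and not parsed["flags"] & FLAG_UV:
        return {"ok": False, "reason": "user verification required but not performed"}

    # 4. Counter must strictly increase. A value of 0 on both sides means the
    #    authenticator does not implement counters, so the check is skipped.
    new_count = parsed["sign_count"]
    if (new_count != 0 or stored_count != 0) and new_count <= stored_count:
        return {"ok": False, "reason": "signature counter did not increase (clone or replay)"}

    return {"ok": True, "sign_count": new_count}


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticator data for the example; a real key would sign this."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    good = make_auth_data("example.com", FLAG_UP, 42)
    print(check_assertion(good, "example.com", stored_count=41))
    print(check_assertion(make_auth_data("example.com", 0, 43), "example.com", 42))
```

Note that the counter check is what a cloned authenticator trips over: two copies of the same key cannot both keep the server's stored counter strictly increasing for long.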
I think the parent comment was referring to a scenario where the attacker has code executing on your laptop, not necessarily a physical seizure of the device.
Not really sure of the capabilities of nation states. They buy the tools private companies come up with.
But I think this is exaggerated security anyway. You want to keep stuff accessible. Binding anything to specific hardware is a terrible idea. My bank does that and it really sucks as a security mechanism.
I assume a lot of this is org controlled and has toggles to allow or disallow certain things, because for our AD environment when they started recommending Windows Authenticator for MFA the first thing I did was test that it works if I just add it to Google Authenticator like my other MFA things, and it did, and I've been using it that way for about two years now I think.
These things shouldn't be set by an organization. Microsoft needs to actually advocate for its users and stop creating options that make their products work shittier.
Many times, the org settings make a user's life so much easier. We use MS SAML SSO for all our tools (Office, Outlook Web, Atlassian toolstack, another ticketing tool) and I really only need to use the 2nd factor once in a few days or when I log out manually, and it's a simple SMS code. Reading other comments here, my life is SO easy in this regard. I actually consider a Microsoft single login with (SMS) 2FA a good thing and therefore have almost 0 "MFA fatigue".
> Solutions like a Yubikey Nano are going to seem like future tech to anyone that has to put up with MS Authenticator.
Except Microsoft requires you to protect your Yubikey with a pin-code (even the consumer accounts), instantly making it unusable for your iOS device if you use it via NFC.
The funny thing is on Windows once you set up your Yubikey in Windows Hello it doesn't even matter. You are still forced to use the PIN and at that point why bother with the key.
I'd much rather skip the pin and just use Yubikey lol.
All European / UK banks I've tried are just as bad as azure as of lately. Thanks SCA, I guess.
What's the purpose of authenticating me 8 times in the span of 10m?
Open banking APIs that allow you to add accounts from other banks were promising but they turned out to be half-baked versions, so in practice I still have n bank apps on my phone. Not to mention I could not do online banking without my phone.
I've been seriously considering automating all of that and just having an application with a master password which accesses encrypted secrets for multiple banks and authenticates / performs local MFA as required and lets me have the banking experience (for a single bank) of, say, 10 years ago.
All of this for what? If someone hacks my account and steals my money I hope the bank mafia would be able to sort out things with the target bank and hallucinate a balance without the theft (especially because they flag tons of payments as fraudulent, requiring me to call them).
> All European / UK banks I've tried are just as bad as azure as of lately.
How so? I have like 6 different banks (some "legacy", some fancy "app-only"), and for all of them friction is minimal for the security. All apps work with biometrics/code, and all websites (where available) don't ask for MFA on known devices. Web payments always require MFA with the app as per the recent regulations.
>It used to be you could just tap the notification, but at some point, that got axed, and the fatigue went up like 3x.
Must be your tenant settings or something, my phone just gets a single Allow/Disallow notification that takes a fraction of a second to tap. Surprisingly though, I can tap it from the lockscreen too, without unlocking the phone.
While I agree that there could be a lot of authentication prompts to deal with, keep in mind that the frequency and kind of notifications you get depends on security requirements of the operation/flow you're in and are not indicative of the "quality of SSO implementation".
Some high-security flows use auth tokens with short TTLs (e.g., 20 mins).
Some flows may trigger "less secure" "pick a number" notification (user is prompted to tap 1 number out of 3); some flows trigger "enter a number" notification, when user has to enter the number they see on the login prompt (I personally hate this one).
Some of these things are controlled only by service (e.g., TTL of the auth token), some I suspect could be tweaked by the tenant admin (e.g. pick vs. enter a number).
What the parent describes is exactly how it works for my employer's O365 system. I get MFA requests on a regular basis even on known devices. Ticking the 'don't ask again' option has no effect. Meanwhile Google on the same devices nags me once a week at the most.
I have a lot of experience managing O365/Azure, and these issues all come down to the config of MFA in the O365/Azure tenant. They may even be intentional for "security" purposes.
To be fair, O365 and Azure change all the time. I've seen these issues on neglected O365 tenants, usually MFA was setup years ago and never touched again.
Do we work at the same company or is O365 that bad? We just had a big discussion on Slack as to what that checkbox actually does, because it's apparently nothing...
I've seen google devices nag daily, and O365 stay logged in for weeks/months.
Too few measurements to have a strong opinion on which scenario is more likely, but it does seem interesting that a number of configuration or other issues seem to be solved by: just ask for auth again.
A tenant can be set up to expose the “don’t ask me to sign in again on this device” option, and to let the MFA last for a certain amount of time. It would be worth reviewing your tenant config. MFA shouldn’t be as big a pain as people are making it out to be here. If it is, it’s either been set that way deliberately (security concern) or accidentally.
I don’t get recurring Authenticator requests on my phone. On desktop, I use a different browser profile for each tenant I have admin rights to and sign in with accounts specific to those tenants. MFA requests are very rare.
If you’re using a single account to hop between tenants (like a MS partner acct), in a single browser session, it’s very messy and requires you to pay very careful attention to which tenant you happen to be in. I don’t advise this approach.
Same, I get a request from the authenticator app, log in via facetime and click a dialog that asks me to authorize (yes/no). I don't love it, but it's pretty simple.
We have reduced MFA again and use very strong passwords and good password managers protected by yubikeys instead. Many APIs are still accessible without MFA that could lead to data exfiltration anyway. The workaround for that to register privileged applications is not really too convincing and just not flexible enough.
Are you talking about 'settings->app lock'? This setting assumes you have Touch ID or Face ID set up; either the iOS API prompts for your PIN if you don't have those two, or Microsoft Authenticator falls back to asking for it.
Well, I'm on Android, so that wouldn't apply, at least not directly. I've never investigated biometrics. I still don't think they're necessary here.
Tapping the notification, nowadays, requires unlocking the screen. That's PIN entry #1. Then, MS Authenticator itself requires you to enter your lockscreen PIN, for #2.
(Some time ago — months? years? — it used to be you could acknowledge the MFA request from the lock screen.)
Edit: OMG it's a setting! I've disabled this nonsense. I swear I looked when it was first introduced, but IDK. MS & defaults. I love Cunningham's Law sometimes, this is going to make MS Auth somewhat less annoying.
Microsoft has consistently had one of the worst account management stories on the internet. For being such a huge company where one of their main "things" has been a directory/account management system, I wish they would not require people to have dozens of different accounts to use their services.
They have started to integrate GitHub accounts into stuff, which for the services that support it are an improvement, but it's now yet another login to the fray.
For a while they had work and personal accounts using the same email but different passwords!
There were some really weird loop login situations you just could not break - perhaps in part due to account type confusion or an existing login or legacy account stuff on old accounts.
I was an early Microsoft Passport user, not sure if that's hung around as well.
In fairness the google home user vs apps user distinction is also annoying (can't share google home control with various google account types etc).
Not as bad as Citrix cloud at least - you could have MULTIPLE accounts under the same email. Your email is not actually your username on the back end (and your actual username is very difficult to find). Once you do find it though then of course you can login using that + password and it works relatively well.
Strangely enough the only consistent way I could figure out to get that back end username was to make a post on their official forums which would then show the real username next to your post (after you made a config change in the forum settings). So now for every administrative user I helped to setup I had them posting random stuff that really had nothing to do with anything just so they could figure out what their actual username was.
Unfortunately social (aka viral) accounts are inherently different from corporate accounts (e.g. Google Workspace). Although you might be the same person you might not want those accounts to be mixed, many people on purpose carry 2 phones to keep this separate. Microsoft’s implementation is arcane and old, but even if it weren’t you’d still have difficulties using a single account. With 2FA it just becomes annoying.
That said I really, really dislike login practices that require me to re-login after a certain time. When did anyone have to re-login into Gmail? Why do all other services keep expiring their logins?
The tradeoffs with session length are actually quite interesting. Obviously infinite sessions are the best in terms of the initial friction, and thus would be great for creating user engagement and minimizing the number of users who drop off the service due to having to log in again. And even if the users stick, if they need to log in too often they'll hate it (as seen all over these comments).
But on the flipside, the infinite session might not be a benefit in the long term. A user who signs in just once when creating account will have no idea of how to log in. They'll have forgotten their password because they only used it the once, they've lost access to their recovery email account due to changing jobs, etc. And while any single one of these issues would have been trivial to fix if noticed quickly, letting them pile up for a year means you might have very few ways of proving it really is you when that nominally infinite session finally gets killed for some reason.
I very nearly had this happen last month. I had been intending to close an old phone number from a different country, where I haven't lived in 15 years. But I also happened to try to log into a PSN account for the first time in years (consoles basically never require new logins); the password mysteriously did not match the one that was stored in my password manager, and it was only that old phone number with weeks left to live that got me back in.
>you might be the same person you might not want those accounts to be mixed,
Yeah, but my work account is tied to my work email and my personal account is tied to my personal email. Not sure why anyone would want their personal account tied to their work email and vice versa.
Not actually disagreeing with your comment, but for what it's worth, I've been running Gmail, Agenda and Google Chat in Rambox, and approximately once every two weeks the session "dies" and I have to log in again.
What a coincidence, I just opened a support request to MS because main M365 web apps (outlook, onenote) require re-login every 6 hours of "idle" (read: closed tabs). So on average, I login 3-4 times a day just into those two services (even though they use the same account, you need to login for each app individually!). Now for free/non-business users it seems longer sessions are possible, but MS claims there are 6hour limits for M365 subscribers [0]. As I am the M365 admin, it seems this setting is also not adjustable, but I will wait for the support response.
My experience in transitioning from GWorkspace has been horrible - M365 seems to be a patchwork of various MS products, bundled together but not nearly as consistent as GSuite. In the setup of my single-user, two-domain email account I had to log into 3 separate admin dashboards (main admin portal, Exchange admin dashboard, new Security Center dashboard) for basic tasks. I encountered various errors and redirection loops, plus super outdated documentation/tutorials (links leading to nowhere, or documentation referring to older dashboards/UIs). It seems M365 is just a mess at this point.
I found with admin rules turned up I was getting the same. And you can’t have different rules per service, such as daily for email but every time for Admin console. So I did what I probably should’ve done, created two different accounts for myself.
The admin account I only need every so often, but my regular account with no admin privileges follows our regular user domain settings around MFA session times, etc. and I’m rarely prompted now and it is awesome.
I highly recommend this approach as a balance of practical security and quality of life.
Pretty sure it would be at most $5 - I’ll have to double check. We pay for premium Active Directory (almost exclusively to get the extra security features), so that might be why it works.
So the answer really is, yeah, it’s got to be paid for one way or another. If you’re using AD you’re paying per user whether or not you’re paying for the M365 suite or not.
That was my experience recently as well - one admin portal links you to another, sometimes the same setting or button can be accessed in multiple places, and who knows what is going on account wise behind the scenes.
One day I counted the number of times I needed to authenticate in order connect to my client's web server. The count was 8.
1 Unlock my PC
2 Login to client corp VPN
3 Unlock my phone
4 Enter PIN to MFA app to confirm login to VPN
5 Login to client corps' credentials generation app.
6 Unlock my phone again (screen lock has timed out by now)
7 Enter PIN to MFA app to confirm login to credentials generation app.
8 Login to client's server.
It reminds me of the "8 different bosses" scene from the film Office Space.
Yup. We're at the point where people optimize their passwords for how easy they are to type in.
One of my coworkers' passwords is a number and a capital letter followed by asdfghjkl;' (the Enter key at the end of the home row is then the keyboard press) Every 60 days when the password update thing nags him he changes the initial letter or number. He just zips his finger across the keyboard to type in the whole home row; once early in the pandemic during an online meeting the characteristic sound of his finger zipping across the keyboard came in over the mic and someone said, "What the heck was that?" and someone else replied, "Oh that was just John entering his password".
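The home-row password above is the textbook "keyboard walk", and rotating one leading character every 60 days is the textbook way to satisfy a rotation policy without adding any entropy. As an added example (not from the comment author, not any product's code), here is a small Python check a password-change endpoint could run: it measures the longest run of physically adjacent keys on a US QWERTY layout and, when the previous password is available, the edit distance to it, so that both "asdfghjkl;'" and a one-character tweak of the old password are rejected. The layout table and the thresholds are assumptions chosen for the example.

```python
from typing import List, Optional

# US QWERTY rows, unshifted. Physical adjacency is "same row, neighbouring column".
KEYBOARD_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Map each character to its (row, column) position on the layout above.
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of keys that are physically adjacent on one row,
    in either direction. Shifted characters are folded to their unshifted key."""
    best = run = 1
    prev = None
    for ch in password.lower():
        cur = KEY_POS.get(ch)
        if prev is not None and cur is not None and prev[0] == cur[0] and abs(prev[1] - cur[1]) == 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev = cur
    return best


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(new: str, old: Optional[str] = None,
                   max_walk: int = 4, min_changes: int = 3) -> List[str]:
    """Return the list of policy problems with `new`; an empty list means accepted.
    max_walk and min_changes are example thresholds, not from any standard."""
    problems = []
    walk = longest_keyboard_walk(new)
    if walk > max_walk:
        problems.append(f"contains a keyboard walk of {walk} adjacent keys")
    if old is not None and edit_distance(old.lower(), new.lower()) < min_changes:
        problems.append(f"differs from the previous password by fewer than {min_changes} edits")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the home-row password from the comment and its "rotation".
    print(check_password("1Aasdfghjkl;'"))
    print(check_password("2Basdfghjkl;'", old="1Aasdfghjkl;'"))
    print(check_password("Tr0ub4dor&3"))
```

The walk detector is deliberately case-insensitive so that alternating shift does not defeat it; a fuller version would also treat vertical neighbours (e.g. "qaz") and a dictionary check, which this block does not attempt.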
I once worked as a consultant for $BigEnterprise. They had a big sales department, and some of their staff had these laptops they brought with them to their customers. To actually use them they had to enter a disk encryption password, Windows login password, VPN password. All in all there were 3 or 4 passwords. They all had to be different. They all had to cycle every 60 or 90 days. They all had very strict "security settings".
Every single one of those laptops I saw had a little post-it note on it with all the passwords.
The password cycles especially are just hard to deal with.
I started to list out the amount of MFA and frequency I do regularly and it exhausted me just writing it out. Suffice it to say I'm forced through all sorts of MFA with various passwords, PINs, Yubi keys, phone authenticators, and even an RSA token daily combined with other hidden information like varied usernames or paths to things. I probably do hundreds of auth steps in a day.
In addition we have all sorts of paranoid levels of security with network filters and local security software you have to frequently disable to accomplish tasks, using MFA of course, opening temporary windows that have to be opened later. I'm at a point now where being insecure isn't even insecure because if my info is compromised an attacker wouldn't even know where to find or how to do anything. If they did they'd probably give up. I only deal with it because I get paid well to deal with it.
My favorite fuckup is when the MS Authenticator itself tells me that it needs me to use MS Authenticator to verify who I am, so it sends a code to itself.
I have had Microsoft Teams open up Microsoft Authenticator and ask me to input my password, twice, and then (within Authenticator) ask me to click a button to get to Authenticator to get a 2fa code - again, while in Authenticator.
It's awful and I believe it's completely possible that some set of conditions lead to what the parent described.
Microsoft’s are the only services I use where I regularly have to delete all cookies because Teams or something gets stuck in a strange redirection loop that doesn’t happen in clean browser instances. Good times.
I think Microsoft is also responsible for an (at the time a bit embarrassing) account breach I suffered. I have no proof, but something very weird happened.
Way back when, I think my Skype account was hacked using a password that no longer should have existed. This happened some time after the forced migration to Microsoft accounts. The new password was unique and password manager-generated, and no machine of mine was ever compromised — luckily.
However, my old Skype password had been embarrassingly weak (different times), and I had only upgraded everything to strong passwords a short time before that. I remember that there was no user-visible way to change the old Skype password or even see the account anymore — I thought it was deleted during the migration.
Yet someone managed to spam all my contacts, some of which got very angry with me personally. My best guess is that they had accidentally exposed an API backend that still used the old account database. Again, I don’t really know and can’t prove it. There were hints in forums of other users with that problem, but never any official answer.
My actual point is, Microsoft isn’t that great at all of this. Whenever they buy something and force migrate all accounts, the user experience gets worse.
I have no idea why so many enterprise IT departments have such a strong preference for their stuff. It’s not like any of it is particularly easy to set up.
The new version of the Danish national authentication system had to disable push notification for the same reason. Attackers would just hammer a person with push notification until the user accidentally authorized a login.
I gave up on the Microsoft authenticator and just switched to manually entering tokens from a TOTP app. The push/popup thingy was a nice idea, but it’s annoying to use day to day.
> I gave up on the Microsoft authenticator and just switched to manually entering tokens from a TOTP app.
My office considered Microsoft authenticator, but there was push back after looking at their privacy policy and how much access the app wanted on people's personal devices (location, storage, contacts, etc). The nice thing about a little TOTP hardware token is that you avoid the push notification problem and it doesn't collect massive amounts of your data to use against you or sell to 3rd parties.
Even that wants your GPS location (why?), camera (and therefore microphone) access, and storage access. Those kinds of permissions have been 'normalized' sure, but they're also 100% unnecessary considering the job is done just as well (or better as it's without security issues like the one in the article) with a tiny hardware token that requires literally none of those things and couldn't do them if it wanted to.
If you aren't currently handing your location data over to Microsoft 24/7 right now, why should you start?
GPS is for the audit log. I can go into my AAD security center (security.microsoft.com) and view a history of logins in my org that include IP address and approx location.
> GPS is for the audit log. I can go into my AAD security center (security.microsoft.com) and view a history of logins in my org that include IP address and approx location.
You can already get a rough idea of location using just the IP address. Surely enough to know if your user logged in from the same country/state/ISP as usual. Is that really a situation where you need pin point location accuracy? Do you really need to know which room of their house they were in?
Whatever fringe feature is used to justify the access it's not required for authentication and there's nothing to enforce that those are the only situations in which Microsoft will use the access you've given them. Microsoft and Google are in the data collection/ad pushing business and I can't blame folks for wanting to limit the amount of data they leak to those parties.
IP is useless if you are using a VPN; a lot of corporate uses of MS will also have a VPN. Many times the VPN won't even exit in the same country, so you can't use IP.
These kinds of logs are typically demanded by customers, and customers in turn have either strong compliance requirements (HIPAA, FEMA, ITAR, etc.) or have suffered breaches and react by collecting a ton of info in an effort to keep it more secure.
That is not to say MS is innocent, just that enterprises would demand this anyway.
> Surely enough to know if your user logged in from the same country/state/ISP as usual.
Same ISP, maybe. Every single customer of my ISP shows up (using "IP geolocation") as being in a small office building in a non-descript town. Is that where they are? No, it isn't even where the ISP's main hardware is, that's just an office, the geo-location maps every address assigned to them to their registered place of business, and nothing more.
And to be sure it isn't "required for authentication" and yet, just as with the password rotation nonsense and a dozen other requirements, somewhere there will be a business that is absolutely certain they require this feature, so Microsoft checked the box. That's all Microsoft are interested in, you want to give us $1B but we must check a box? Box checked.
You want Linux support? Box checked. You want package management? Box checked. None of these things are done well but box checking exercises aren't about doing it well they're about checking the box. I assume if you're into actually doing a good job you either soon leave Microsoft or you find some niche team where they'll let you do that in peace.
> That's all Microsoft are interested in, you want to give us $1B but we must check a box? Box checked.
Microsoft is now a company whose purpose is data collection and targeted ad pushing so they've lost any benefit of the doubt. You can be certain that for every scrap of data they're collecting it isn't collected because they are only interested in feature creep/bloat. At this point we have to treat them no differently than Google. We're left assuming that they'll take whatever data they can extract from you so they can use it against you. Their own practices and privacy policies don't offer any reassurances either.
> You can already get a rough idea of location using just the IP address.
Being able to correlate the location of the user with the location of the login request is very useful to determine the risk profile of this particular login attempt.
It wants your GPS location for the same reason banks look at your location. Even if they still let an auth request go through, they can alert you through email if a request is approved from an unexpected location. Camera permission is necessary for QR codes so you can set up the authenticator. No idea what the mic permission is about though.
Your IP should provide them (and your bank) enough location info to alert you if your account is accessed from another state/country. QR codes weren't needed to set up the hardware token, so that feels like a feature created to justify the increased access (also phones come with their own camera apps capable of reading a QR code or at the very least photographing one). The mic access is a side effect of Android's leaky permission system, which hands out the ability to record audio to any app that wants access to your camera.
A lot of times you can deny access to many of those things and the app will still function just fine. Most of the apps on my phone I am not giving half the stuff they ask for.
The old solutions are best IMO. Challenge/response where there’s a knowledge element.
TOTP is too easy to share or steal, especially for targeted or familiar person attacks. I’ve encountered fraud scenarios where soon to be ex-spouses accessed an account via an iPad with Authy to get at someone.
Fundamentally, it’s too easy to think you have MFA, but you’re actually secured with a shared, no-factor-auth iPad. (People share work credentials in 1Password for convenience) Mitigation of password spray is cool, but not secure.
> TOTP is too easy to share or steal, especially for targeted or familiar person attacks. I’ve encountered fraud scenarios where soon to be ex-spouses accessed an account via an iPad with Authy to get at someone.
If your threat model is 'person in proximity of other person being able to access the second factor' then no method of 2FA is safe. Even if you use U2F, the "soon to be ex-spouses" can easily take the dongle from their spouse's keychain, in fact even easier than they could get their OTP codes.
> Even if you use U2F, the "soon to be ex-spouses" can easily take the dongle from their spouse's keychain
Stealing the physical object is quite a step up from merely using something you have access to that was never de-authorised.
And if you steal, say, my Security Key 2 from Yubico, it still needs its PIN. Worse, the phone I use to authenticate on mobile sites requires my fingerprint, which while far from impossible to fake is definitely another step beyond "I just assumed I was allowed", and now you've also stolen my phone; how long do you think you have before I notice?
I'm not sure what contrived scenarios you're envisioning, but if the threat model is, once again, 'person in proximity', they don't have to "steal" anything, they can simply use it, e.g. authenticate with the key while you're in the shower. And if in your model they presumably already know your password, it stands to reason they also know your PIN.
With a hardware token, it’s very clear that the token is in the physical possession of the user or not. It can only be in one place at a time. With a challenge/response or PIN, you mitigate the risk of the user losing possession.
With a TOTP token, if a user puts Authy or 1Password on the family iPad so their kid has access to MFA for the PlayStation, he has also provided the kid or other household member/visitor with access to the token. The token is wherever Authy is.
The point is TOTP shares all of the risks associated with things like SSH private keys. It has value, but is inferior to many other types of token.
> With a TOTP token, if a user puts Authy or 1Password on the family iPad so their kid has access to MFA for the PlayStation
My little one plays with my keychain, which has my U2F keys on it, all the time. She likes the light the BLE U2F fob has.
I don't see the distinction you're making between TOTP and U2F if your threat model is 'someone in your house', the two are virtually indistinguishable in such a scenario - in fact, the U2F is less secure. Your "soon to be ex-spouse" can easily use your hardware token while you're in the shower, as I said above.
In my opinion, having one physical key is better than a private key synced via cloud service to a half dozen devices. "Something you have" implies in your custody.
So if an attacker had access to 2 million IP addresses[0] and they were attacking a country where maybe less than 5 million people[1] have an account on the national authentication system, how easy would it be for them to DDoS the system for a week?
Presumably the attackers would choose the week when people were supposed to fill in their tax forms, or (if the country was foolish enough to allow online voting) the week of an election.
An attack of that size would of course be automated which should make it easy to fingerprint, then just block the matching fingerprint, or add a captcha.
Could also add a "I didn't request this MFA" link that would flag the requester.
This is why you have to give the enduser a way of authenticating the authenticator. The well-designed Adobe Account Access app often presents the user with a random number that they have to tap on in the authenticator app. The authenticator app presents that number along with some other random numbers, asking the user to pick the correct one.
The random number list is not always presented. I presume that Adobe skips presenting the number challenge if the user is logging in with a relatively fresh cookie or from a recently associated device. But I guarantee that login attempts from a new device would prompt this more strict authentication step.
Microsoft now appears to do this (thank you, Traubenfuchs).
My bank used to show me a picture that I specified, after I put in my username, but before I put in my password. I knew that if I was being shown an odd picture, I either typed in my username incorrectly, or I was not logging into my bank!
I think this would make scams more obvious, even in the face of MFA fatigue!
Yep. This is kinda useful as an indicator of whether you wrote your login correctly (wrong pic = wrong login) and to weed out the lowest quality phishing, but for anyone who's not a clown it should be easy to recreate the flow and hence it's actually even harmful (you think you get assurance you're not being scammed while getting scammed).
Edit: one thing to make it more bulletproof would be the bank rejecting all calls that look server-initiated (AWS etc.); then the attacker would need a genuine-looking botnet to not get blocked by the bank due to suspicious volume from the same IP pool. Raises the bar for the attack, but still, a serious attacker can mitigate this.
They only show the picture after you have logged in successfully from the device. If it is a new device (or attacker), the picture is blank and the site says something like “first time using this device?” So it helps against phishing or a MITM that doesn’t intercept the real site cookies.
Generally the attack vector is much easier: Just replace the image with a "This service is currently being upgraded for your safety!" or whatever. Most people in studies I've seen will still go through with the login.
Enterprises have very fine-grained ways to manage the 2fa flow. My AAD-based account requires I type in the full number on the Authenticator app; not choose from 3 numbers.
Awesome. Let me just convince my enterprise customer where I'm not even an employee to mass enable two PREVIEW features for 35K users. That'll go down well.
Users cannot opt in to more secure authentication options individually.
The default is woefully insecure, almost pointless security theatre.
The secure option is unsupported in production.
Hardware token-based security is disabled by default, and carefully hidden behind dark patterns to boost the numbers of the MS Authenticator app so that some manager at Microsoft can meet his personal KPIs and get his bonus.
Customers using features like Azure AD multi-tenant applications cannot enforce MFA themselves -- Microsoft reserves this capability for their own applications only.
Even if I enforce hardware token MFA in my own personal Azure AD tenant, if I get invited to some other tenant as a Guest (e.g.: to a Teams meeting), then I'm forced to sign in using their MFA policy, which is more than likely the default MS Authenticator app with all optional features like this disabled.
To say that Enterprise customers have lots of options is patently false.
Microsoft only cares about security when it affects their own systems.
> Microsoft only cares about security when it affects their own systems.
I don't think even that's true. Unlike at Google and to some extent Apple, I don't sense that Microsoft's internal corporate culture wants security per se. Both Google and Apple seem comfortable with the idea that if you can solve a security problem for $15 you have one option, "Secure" and it costs $15 and the only question is whether "Not secure" should be available for $0 (OK at Apple maybe "Secure" inexplicably costs $30 because it's a premium product but equally maybe "Secure" was "free" with your $1000 premium Apple product, for this argument either outcome is fine).
Microsoft seems excited about offering "Somewhat secure" for $5 and "A bit more secure" for $10 and if just "Secure" is an option at all, it needs to be priced at $100 to show what a bargain the "Somewhat secure" option is. This is a reasonable mindset if you make padlocks or something, but a crummy attitude for digital security where we can so often just solve the problem full stop. Remember how Intel couldn't persuade people the Pentium FDIV bug wasn't a big deal? Nobody wants a computer that sometimes gets arithmetic wrong "a little bit" they want the correct answers and anything less is unacceptable.
That's not it at all. It's difficult to get buy-in on stricter security practices in an organization because people don't like to be hassled. Enterprise security is always a balancing act with user inconvenience.
Microsoft can get away with it in Xbox because they can set the terms for how an individual gets to access the service.
An individual consumer doesn't have much of a choice but trying to force the same terms on business users could cause them to not use it at all or jump vendors.
MFA fatigue wouldn't be such a big problem if their MFA and SSO implementation was not so utter shit.
Whenever I get a sign-in prompt, there is literally no way to tell what I'm signing in for.
When the MS Authenticator app receives a MFA request notification, there is, yet again, no way to tell what service the request is for.
To add insult to injury, when I need to sign in again for a SharePoint guest account, it consistently fails to correctly redirect me back to the SharePoint folder.
Microsoft's MFA is just security theatre. Take MS Teams for instance. Why does it ask me to sign in again, and yet still allow me to read messages that are already on the screen? Worse yet, the MS Teams desktop app can still receive new message notifications and display them while I have not re-logged in yet.
Wow this sounds like we are going through the same thing!
MS Teams' sign-in is truly asinine. If that data is sensitive you'd think they would at least try something more than keeping it on screen while a potential thief steals all the data for the utilities company I work at.
I assume this is all because of an unfortunate mix of on-prem services, cloud services and.. "quality" non-Linux server admins in general.
The worst part is I'm coming to this after having worked at Heroku. Everything was a tap of a Yubikey away; even the Salesforce Authenticator app was better than Microsoft Authenticator, which is pretty depressing to think about.
OTP. OTP, OTP, OTP. I could feel in my bones it was better, and now I have proof.
Because you are giving an OTP to the website, instead of the website giving a push notification to you, OTP mitigates this. It's also just better and way less invasive.
Google lets you use OTP, but only as a back-up option to having a phone and using push notifications. Apparently Microsoft as well. Many financial institutions still use SMS for MFA, not wanting to use OTP or an app, probably because it's "too technical" for older people who comprise the lion's share of investors.
Skip OTP, give us FIDO2/Webauthn for everything. OTP is vulnerable to phishing.
I was pleasantly surprised when both Bank of America and Vanguard leapfrogged from SMS MFA to security keys. I bought 3 and started using them for every service that allows me to. Even better are services (e.g. Bitwarden, GitHub) that don't restrict to security keys, then MacBook Pro and iPhone Touch ID can be registered as well.
* It can be phished. An active phish persuades you this is Famous Bank, you enter the TOTP code, they relay it to the actual Famous Bank and steal your money.
* Under the hood it's just a Shared Secret which means the Relying Party can lose all your credentials. You have no way to be sure they did a good job securing them, and they've got every reason to blame you if those credentials are stolen.
* Psychologically humans perceive the TOTP code entry as mutually authenticating when it isn't. The site asked for my Famous Bank TOTP code, and it worked, so therefore this is actually Famous Bank. This actually makes them less cautious than they should be.
I have a small banking account at some German bank.
Their 2FA basically forces you to use a weak password: if you want to log into the web interface on a desktop, you get sent a code to your phone after successfully submitting your username and password.
To receive the code, you must install their mobile banking app (which is something I don't want to do, but have to). If you don't use the banking app regularly on your device, it won't accept biometrics to unlock it; you need to input your password into a password field (the username field memorizes the username).
The app does not make use of Google Smart Lock or any other means which allows you to securely store your password and easily insert it into the field, so you need to type in your 16 character upper-, lower letter, numbers and symbols-password through the popup keyboard while keeping it visible on your desktop.
This really makes me want to change it to an 8 char no-symbols all-lowercase password.
I have two very different MFA tools, one for my employer and one for the company to whom I’m contracted out: Microsoft Authenticator for the former, PingID for the latter.
It’s interesting to compare the two, because they operate very differently on my Watch, my primary tool for this. Authenticator sometimes fails because my Watch face goes inactive (and in fact it’s a very clumsy Watch app overall), something that never happens with PingID.
Authenticator has the advantage, however, in that it forces me to match one of three integers against the value presented in the browser, and unlike Ping it tells me what I’m authenticating. To some extent this might mitigate the fatigue attack.
I use Authenticator (on my phone) for multiple accounts. Some accounts will give me the 3 integers challenge, and others will make me enter my phone unlock code.
Is it me, or does MS seem to require renewing the SSO a lot more than other services? I nearly got phished by a SharePoint document that redirected to a fake MS login page. I only noticed it was fake when my password manager didn't autofill. With other services I'm suspicious when 30s after logging in it asks me to log in again, but with MS services, that's just Tuesday...
I came in to say, perhaps push notifications are less secure than users typing in their TOTP.
However, as someone else mentioned, this is a solved problem by prompting the user to select the correct number/symbol shown by Service Provider. It's a clever, implemented way of making the user understand intuitively "I should only respond to these messages if I am actively logging in to a system".
I've been running into a similar-ish problem which involves someone creating a bunch of Gmail accounts and linking my account to them. Whenever that happens, Google sends me an email notifying me, with an option to remove the linking. However, since I never initiated that action to begin with, I start worrying that the email could be a phishing attempt, so I don't click any of the links. But as a result, I start getting email notifications whenever someone logs in to those accounts from random countries on random phones.
Lately they've started creating Facebook accounts with my email. Despite me not verifying the email, Facebook continues to send me login notifications.
Has this happened to anyone? I don't quite understand the attack vector, but my guess is that they're trying to bomb me with notifications and if/when they start realizing that I'm clicking on the links in the notification emails, they can start sending out phishing emails with malicious URLs.
It's def possible, but even if that were the case, I'd still be nervous about clicking on the email links. Given the lack of tools for dealing with this issue, I'll assume Google/Facebook haven't seen this problem in a large enough scale yet.
Shouldn't the accounts be locked out after enough failed 2FA requests? If someone is managing to spam those requests, it means that they have the password and therefore the password needs to be changed.
I use the Yubikeys - they seem pretty good and I never had a problem unless the computer was hard to plug into.
I also use google authenticator which is TOTP. Never had a problem there either.
I will say that I like the google login flow. MFA is only needed ONCE every 30 days per device. That's the right tradeoff. A business bank I deal with is MFA on every login (with an org login then an employee login) AND MFA on various transactions. That really is instant MFA fatigue! I'm certain no one is even matching up things anymore (it'll do the MFA to approve "1 transaction" with no details on trx). They do have a phone call method, but same issue, press X to approve "2 transactions".
This is actually reasonable. There are some transactions that require re-authentication to make sure you are the person behind the screen.
This is in swift contrast with questions from the finance dept such as "how long of a screen timeout is secure?". To which I respond "about 10 seconds - the time you need to walk to the door". This is "not acceptable" - to which the answer is re-authentication, but this requires them to actually think about what is important and recode the app.
Also for Microsoft accounts? When I want to use my Yubikey for my Microsoft Account, it requires me to protect the key using a PIN. But when I protect it with a PIN, I can't use it anymore via NFC on iOS.
No, not for MS accounts unfortunately. They also steer users towards their authenticator. Fine if you have one account, but in a business users are on a lot of platforms. The pin vs password / windows hello stuff on windows is also sometimes annoying / broken.
Instead of getting a contextless “approve?” notification, you’re shown the app asking for approval, location, and also asked to enter the two digit number shown on the apps login screen requesting login. You can also respond “this isn’t me”.
This means you can’t really approve such an attempt because you need to enter a two digit code too.
This is why “do you want to allow browser to do X” dialogs are not a good security model for the myriad features people keep trying to get added to the browser.
Dialog fatigue is a well known issue, and has been for decades at this point.
I thought at first it was targeting MFA students (Master of Fine Arts, Creative Writing) using Office365, maybe ransomwaring their stories and poems. Who could be so cruel?! :)
The backend should use an exponential backoff to block repeated failed MFA requests within a short period of time like the one demonstrated in the video.
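The number-matching flow described in the comments above (the user must type the number shown on the login screen into the authenticator) combined with the exponential backoff suggested here, as an added example that is not part of this thread or of any vendor's code. The `PushMfaService` class, its methods and the scenario values are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PendingLogin:
    login_id: str
    user: str
    number: int      # two-digit number displayed on the real login screen
    created: float


@dataclass
class PushMfaService:
    """Hypothetical push-MFA backend: number matching plus exponential backoff."""
    base_delay: float = 10.0   # seconds before a second push may be sent
    max_strikes: int = 5       # unanswered/denied pushes before the account locks
    pending: dict = field(default_factory=dict)       # login_id -> PendingLogin
    strikes: dict = field(default_factory=dict)       # user -> consecutive bad pushes
    next_allowed: dict = field(default_factory=dict)  # user -> earliest next push time
    locked: set = field(default_factory=set)
    flagged: set = field(default_factory=set)         # users who reported "this isn't me"

    def _strike(self, user: str) -> None:
        self.strikes[user] = self.strikes.get(user, 0) + 1
        if self.strikes[user] >= self.max_strikes:
            # Nobody approves these pushes, so the password is already known to someone else.
            self.locked.add(user)

    def request_push(self, user: str, now: float) -> Optional[PendingLogin]:
        """Called after a correct password. Returns the push to deliver, or
        None when the account is locked or still inside its backoff window."""
        if user in self.locked or now < self.next_allowed.get(user, 0.0):
            return None
        # A previous push that was never answered counts against the account.
        stale = [lid for lid, p in self.pending.items() if p.user == user]
        for lid in stale:
            del self.pending[lid]
            self._strike(user)
        if user in self.locked:
            return None
        login = PendingLogin(secrets.token_hex(8), user, secrets.randbelow(100), now)
        self.pending[login.login_id] = login
        # Exponential backoff: 10 s, 20 s, 40 s ... between successive pushes.
        self.next_allowed[user] = now + self.base_delay * (2 ** self.strikes.get(user, 0))
        return login

    def respond(self, login_id: str, approve: bool,
                entered_number: Optional[int] = None, not_me: bool = False) -> str:
        """Answer from the authenticator app. The user must type the number
        shown on the login screen; a blind tap on Approve cannot supply it."""
        login = self.pending.pop(login_id, None)
        if login is None:
            return "unknown"
        user = login.user
        if not_me:
            self.flagged.add(user)     # hand to the security team
            self.locked.add(user)
            return "flagged"
        if not approve:
            self._strike(user)
            return "denied"
        if entered_number != login.number:
            self._strike(user)
            return "number_mismatch"
        self.strikes[user] = 0          # genuine login: clear the backoff state
        self.next_allowed[user] = 0.0
        return "approved"


def simulate_fatigue_attack(seconds: int = 600, tap_every: int = 3) -> dict:
    """Constructed scenario: an attacker holding the password asks for a push
    every second; the worn-down user taps Approve on every `tap_every`-th push
    but, not looking at the attacker's screen, can only guess the number."""
    svc = PushMfaService()
    user = "alice@example.test"        # constructed value
    delivered = approved = 0
    for t in range(seconds):
        login = svc.request_push(user, float(t))
        if login is None:
            continue                   # throttled or locked: nothing reaches the phone
        delivered += 1
        if delivered % tap_every == 0:
            guess = (login.number + 1) % 100   # a wrong guess, kept deterministic
            if svc.respond(login.login_id, approve=True, entered_number=guess) == "approved":
                approved += 1
    return {"pushes_delivered": delivered, "approved": approved,
            "locked": user in svc.locked}


if __name__ == "__main__":
    print(simulate_fatigue_attack())   # {'pushes_delivered': 5, 'approved': 0, 'locked': True}
```

With backoff the attacker gets only five pushes through in ten minutes before the account locks, and none of the user's blind taps succeeds because the matching number never reached them.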
I never use Office 365, but how does this fatigue attack work? If I have my phone lying on my desk and I am not doing anything with Office 365, wouldn't it be very strange that I receive a request to authorize a login?
I would call the Helpdesk, like I am instructed. Or do people just get annoyed and click "Authorize" eventually?
It's a security decision made consciously or less consciously by you the user, so it won't be 100% accurate like a hardware U2F key would be. There was recently a story about a Dutch government employee who leaked his password and erroneously approved the MFA pop-up when the white hat hacker tried to log in.
"Secure password practices" are at best aspirational and in most cases almost worthless.
If you value security give employees unphishable FIDO tokens, require them everywhere you can (e.g. Microsoft Office 365), and make requiring them a necessary part of tenders for new IT. If you want two factors require the tokens to do that for you instead of messing about with layers of extra stuff.
I can more or less rationalise outfits which don't really care about their users anyway, like Twitter, having rubbish security but I don't understand any employer including my own that still thinks passwords are a good idea in the twenty first century. Yubico will sell you tokens your employees can use to entirely defeat a bunch of the "Top problems" that are probably on the whiteboard of your "Head of cyber security" or whatever, for less than you probably spent on their Christmas meal last time there wasn't a pandemic.
Typical Microsoft that the last option for which MFA options are allowed is two options together: 'Verification code from mobile app or hardware token' — I really want the phishing-proof hardware token only!
"Verification code from hardware token" does not refer to FIDO / WebAuthn phishing proof authentication.
It's talking about those little gizmos from outfits like RSA "SecurID" that are essentially an LCD digital clock except they output an OTP value instead of showing a HH:MM display. They're exactly as secure/ not secure as any TOTP authenticator on a smart phone today, but less convenient.
Microsoft has a separate, "Preview" capability for FIDO/WebAuthn that the domain's Administrators need to authorise for particular people or groups. You should definitely use this, but chances are whoever is gatekeeper for it is sure that SMS is good enough.
Thanks for clearing that up. I agree that those are even worse than TOTP. I'm not expecting to see Yubikeys used anytime soon in the largish enterprises that outsource their IT to the lowest bidder and leave the thinking about security to the information security committee. Just explaining that they need to spend 2x$25 for every employee will take at least five years!
Why is webauthn being adopted so slowly? Why do we have passwords at all? Why doesn't the US government calculate how much taxes each person owes and send them a bill/check and let them dispute it?
> Why is webauthn being adopted so slowly? Why do we have passwords at all?
Microsoft's WebAuthn implementation was completely unusable in Safari until a few months ago for me and would just fail at enrollment with a useless, generic error - not sure who is to blame but the point is that it's much more complex than passwords which are merely a text-based secret that only requires a text input field.
> Why doesn't the US government calculate how much taxes each person owes and send them a bill/check and let them dispute it?
That's a political problem, but frankly not too far off from the 2FA situation at hand where every company insists on using their own, non-interoperable, often shitty authenticator (a comment above raises an issue with the various not-functionally-necessary permissions that the Microsoft Authenticator app requires on Android) instead of adhering to an open standard such as TOTP (yes it has issues, but the world would still be much better off if we at least converged on that).
Essentially huge chunks of the awful mess that is O365 only work in Chrome. I have no idea why, but rather than being standards compliant we seem to be going back towards the realms of a browser monoculture and all the downsides that go with it.
If only. If there was a good mainstream push for them we'd actually end up seeing decent support. Not just on the service side but also on the local hardware side. NFC would be the way to go since you don't have to worry about 3 different ports (USB-A, USB-C, and Lightning). Laptops could have a receiver near the keyboard and desktops could either have a standalone receiver sitting on the desk or one embedded in or mounted to the monitor.
For which account? At least a few years ago, some of their apps or certain workflows didn't support certain MFA methods like u2f token auth and stuff like that.
Are there Yubikeys or similar hardware tokens that work on mobile devices that don't involve dongles? My NFC-enabled one is pretty much useless on iOS sadly.
If your phone has a fingerprint reader (or maybe Apple's facial recognition?) it can do the exact same thing as Yubikeys are doing to, for example, sign into GitHub - WebAuthn.
The phone says, well, I am me, and this user is my owner because their fingerprint matches, so here you go, here is my signed message saying I promise I'm still me and my user is still whoever they are, let us in.
The technology to make that work is a bit easier for Apple because they own the entire ecosystem, on Android there's some shenanigans because you can install a different Web Browser (e.g. Firefox) and this still needs to work, yet it mustn't work if that free-to-play match four puzzle you installed claims to be a web browser that needs to log into your bank... so Google actually gives out "This is really a web browser" Android stickers for release builds of e.g. Firefox that let WebAuthn work.