[HN Gopher] Flaw has Microsoft Authenticator overwriting MFA acc...
___________________________________________________________________
Flaw has Microsoft Authenticator overwriting MFA accounts, locking
users out
Author : miles
Score : 106 points
Date : 2024-08-17 16:51 UTC (6 hours ago)
(HTM) web link (www.csoonline.com)
(TXT) w3m dump (www.csoonline.com)
| RcouF1uZ4gsC wrote:
| Incidentally, this is why SMS MFA is so popular with users
| despite its security vulnerabilities.
|
| Generally, unless you are targeted by someone with a sim swap, it
| is good enough. Most people won't be targeted, but do have a good
| chance of something going wrong that makes them lose their MFA
| key.
| SoftTalker wrote:
| Yep. It's simple, and almost everyone understands it. Like
| passwords themselves. Also the reason more secure approaches
| such as YubiKeys have never taken off in the general public --
| they are just cumbersome and confusing.
| leftbehind wrote:
| We haven't had any issue getting all of our staff --
| nontechnical users alike -- on yubikeys. As part of education
| we skip the PKI portion and just point out that it is "like
| your physical house key. You plug it in and touch it to turn
| the key to unlock"
| SoftTalker wrote:
| Yes, and our staff uses ssh keys (generally but not always
| without issue) and a commercial MFA app. It's one thing to
| get this stuff used in a controlled environment where you
| have a help desk or administrators who can do a lot of the
| setup. You just hand the employee their YubiKey or smart
| card and say "use this."
|
| Trying to imagine your grandmother setting it up herself to
| be able to log in to her Facebook is another matter, and
| why these things have never worked for the general public.
| close04 wrote:
| You probably use certificates and a company PKI to manage
| them. No need to stress if one is lost or locked, just
| revoke and whip up a new certificate.
|
| At home Yubikey is probably synonymous with FIDO not PIV/PKI.
| No whipping up a new one if you lose it. You better have 3
| of them enrolled at any time, and have at least one stored
| off site.
| leftbehind wrote:
| We enroll them as standard fido/webauthn - I hate the
| other modes.
|
| I agree it requires significantly more work when you
| can't just call the locksmith for a new one -- IT -- if
| you lose one on your personal account you can only go get
| the spare key hidden under the doormat, a printed code in
| your safe, or lose the account.
| JackSlateur wrote:
| Most importantly: yubikeys must be bought
| alistairSH wrote:
| And carried around.
| peanut-walrus wrote:
| Honestly, the only way I see forward is FIDO with dirt cheap
| NFC cards as keys. Need to log in to somewhere? Get the card
| from your wallet and touch it to your phone/laptop. It has to
| be cheap enough that for any company with paying customers it
| makes more sense to physically mail them a card if they don't
| already have one than to support any alternative auth methods.
|
| Most services won't even need a second layer of auth, if
| someone steals your wallet - do they really care about your
| reddit account?
| SoftTalker wrote:
| "This is a small example of a big problem with usability and
| cybersecurity. This is what happens when apps are developed by
| engineers who don't have a strong knowledge of customers"
|
| This really rings true. Just think of all the nonsense you have
| to deal with in the name of "security." Mandatory password change
| intervals. Insane rules for constructing passwords. Completely
| undocumented password requirements that you just have to figure
| out by trial and error. Complicated error messages full of
| security jargon. "Secret Questions" that you can't remember the
| answers to. And on the other side of the coin, the security of
| these systems themselves is like a sieve. So many data breaches,
| information disclosures, they are in the news almost daily. I
| often wonder how they get away with it all.
| robertlagrant wrote:
| This isn't engineers doing that. It's CYA IT cyber policies.
| SahAssar wrote:
| Sure, but a lot of engineers aren't completely blameless.
| They should push back and explain why these are bad choices
| just like I would expect a building engineer to say to me
| that cardboard is not the ideal load bearing element for my
| skyscraper.
|
| If the company still pushes forward with bad choices its on
| them, but they should be clearly informed how and why those
| choices are bad.
| harimau777 wrote:
| Pushing back is a great way to lose your job or get passed
| over for pay raises.
| SahAssar wrote:
| In bad orgs, yes. In good orgs you get appreciated for
| speaking up and communicating what will be future
| problems.
| meroes wrote:
| So far https://studentaid.gov/ is the worst I've come across (I
| don't want to enter fake info^ and I can't duplicate my account
| to double check the requirements). From memory it was something
| like:
|
| 1) No words! 2) Can't reuse last 24 passwords 3) Excludes some
| special characters 4) 5 Security questions 5-10) Several other
| password requirements
|
| Are the security questions case sensitive? Who knows.
|
| ^ "I understand that I'll be required to certify that the
| information I provide to create an account is true and correct
| and that I'm the individual I claim to be. If I'm not the
| person I claim to be, I understand that I'm not authorized to
| proceed and that I should exit this form now. If I provide
| false or misleading information, I understand that I might be
| subject to a fine, prison time, or both."
| lostlogin wrote:
| > If I provide false or misleading information, I understand
| that I might be subject to a fine, prison time, or both
|
| Enter your password wrong and you're off to jail?
| wizzwizz4 wrote:
| Hopefully "Fakename Q Notarealperson" won't get me
| arrested... Here's the password help message:
|
| ---
|
| Your password must be 8 to 30 characters in length and must
| contain at least one uppercase letter, one lowercase letter,
| and one number.
|
| Your password is case-sensitive.
|
| You can't use personal identifiers such as your first or last
| name, date of birth, or Social Security number in your
| password.
|
| ---
|
| Here are some error codes the API returns:
| ["NULL_USERNAME", "NULL_EMAIL", "PWD_ILLEGAL_CHARACTERS",
| "PWD_CONTAINS_SPACE", "NULL_CHALLENGE_QAS"]
|
| The UI doesn't expose the password error codes. It just says
| "You entered an invalid response. For more info, select the
| help (?) icon." (The NULL_USERNAME and NULL_EMAIL errors seem
| to be spurious in this context.)
| meroes wrote:
| Hmm I just made an account two days ago and it told me no
| words allowed in the own. The email link they sent me to
| sign up no longer works, so maybe they changed something?
| jagged-chisel wrote:
| So I had to guess that spaces weren't allowed?
| tetrep wrote:
| > Just think of all the nonsense you have to deal with in the
| name of "security."
|
| Well, the good news is that everything you listed is known as a
| bad idea to both end users and people who understand security
| (which is, sadly, not most people who implement security
| policies).
|
| Using 4 or more dictionary words provides excellent password
| security and you can do the same for all of your security
| answers too. There's a variety of free and paid for password
| managers that solve the issue of trying to remember all your
| secrets (great for backing up 2FA secrets too).
|
| I'm not sure what you mean by "complicated error messages" but
| I assume it's errors that they expect the user to fix
| themselves, otherwise they could return a generic nonspecific
| error and a unique ID for you to provide when you contact
| support to get help. While it sucks to get jargon spammed, I
| feel like pretty standard human ineptitude at explaining an
| error rather than anything specific to security. I also think
| it's how many people feel about _any_ error message that
| contains computer jargon (PC LOAD LETTER!?!?).
|
| > I often wonder how they get away with it all.
|
| My thinking (and experience...) is that most organizations are
| failing at a lot of things at any given time, even if the
| business overall is successful. Security is just one of those
| things. I wouldn't be surprised at a small elite organization
| not following that trend, but any sufficiently large
| organization is going to have incompetent people doing
| incompetent things.
| brookst wrote:
| > Completely undocumented password requirements that you just
| have to figure out by trial and error.
|
| My favorite is:
|
| 1. I go to a website I haven't used in a while but know I have
| an account on
|
| 2. I sign in with my email and what I'm sure is the right
| password for that site (algorithmically generated from site
| URL)
|
| 3. Password not valid
|
| 4. Ok, maybe this was an older version of my algorithm from way
| back
|
| 5. Password not valid
|
| 6. Fine, hit password reset
|
| 7. Get reset email and click it
|
| 8. Enter algorithmically generated password as new password
|
| 9. Error, can't have that special character
|
| 10. Fine, per my rules, replace that special character with
| next one
|
| 11. Sorry, can't reset password to your current password
|
| 12. Aaaaaargh.
| rightbyte wrote:
| This has bugged me a lot. Have I been gaslighted? Like, do
| sites lose my password? I can swear there have been like 10
| occasions in the last 20 years where I had to reset my
| password where I am pretty sure I knew it.
| 14 wrote:
| That's how I lost my Hotmail account.
| gerdesj wrote:
| They emailed you the password reset link?
| jasonjayr wrote:
| I'd bet that some sites had their DB leaked/hacked, and
| just marked all the current passwords invalid to force a
| reset. Hopefully, it was just the hashes that were
| leaked...
| jlarocco wrote:
| "This is what happens when apps are developed by engineers who
| don't have a strong knowledge of customers"
|
| I'd replace "engineers" with "product owners". I'm sure the
| engineers at Microsoft know some of the stuff they're doing is
| braindead and are unable to do anything about it.
| worble wrote:
| This boggles my brain on so many levels - are you telling me
| Microsoft Authenticator only stores the entry based on label? It
| doesn't generate an internal key or anything? And then they claim
| that the issue is websites not putting the issuer in the label,
| but in the issuer field, where it belongs?
|
| Is no-one at Microsoft actually using their own Authenticator?
| Unless I'm missing something, this would make it nearly unusable
| for almost all applications - as soon as you've used your email
| for one site you wouldn't be able to add it for any others?
| SoftTalker wrote:
| From the article: "Microsoft hasn't bothered to fix it because
| Microsoft Authenticator is a free product and therefore doesn't
| generate revenue."
| lostlogin wrote:
| It's actually worse than that. Given the opportunity to
| escape, I'm sure many would pay to be allowed to do so.
|
| Entering multi factor hell just to get into Teams is
| something I'd happily pay to avoid.
| tialaramex wrote:
| Assuming you use Microsoft Entra ("Azure Active Directory"
| as was), get your employer to enable the "preview" support
| for Security Keys. Why is it off by default? Well it's
| actually secure, and it would never do to provide a feature
| out of the box that actually works without lots of fiddling
| about, this is Microsoft, the consultant's friend.
|
| These seem to be relatively current instructions:
| https://learn.microsoft.com/en-us/entra/identity/authenticat...
|
| Having found a friendly sysadmin to do this, ask them to
| specifically _not_ "Enforce key restrictions" which in
| theory could let your employer require employees to use a
| specific issued authenticator credential - are they going
| to buy every employee an authenticator from a named brand?
| No? Then this must not be switched on, easy.
|
| Once this feature is enabled for you (you may be able to
| get them to switch it on for the whole org, or maybe for IT
| or whatever department you work in) you should be able to
| enrol a new Security Key the same way you'd add other MFA.
|
| So why go to all this bother? Because you can buy a
| Security Key that works how you want, a physical piece of
| hardware you own and can re-use - if you buy say the Yubico
| Security Key 2 in USB A, that goes in your USB A port on
| the laptop or dock and it just stays there. Its job is to
| be "Something you have" and the "Something you know" will
| be a PIN of your choosing (it literally doesn't leave your
| device, so corporate can't decide it should be the Password
| Game on steroids)
|
| No need for a phone or other unrelated device, no opening
| fiddly apps, no transcribing codes, you type your PIN and
| touch the sensor. If a PIN is too much, some pricier
| options take fingerprints, so then you just touch the
| sensor (with the correct finger)
| technion wrote:
| Security keys don't work with android phones when you
| want to logon to m365 email. This is a showstopper for a
| lot of people.
| marcosdumay wrote:
| > Is no-one at Microsoft actually using their own
| Authenticator?
|
| At most, I'd expect people to only use it for work, where
| Microsoft is the only issuer.
|
| I also expect lots and lots of people to not use it.
| tzs wrote:
| > Unless I'm missing something, this would make it nearly
| unusable for almost all applications - as soon as you've used
| your email for one site you wouldn't be able to add it for any
| others?
|
| Yeah, something is not making sense here. I've got multiple
| accounts with the same email and just compared the codes from
| Authenticator, which is my backup TOTP app, with the correct
| codes and Authenticator agreed.
|
| I did find a UI problem that could lead to a user getting the
| wrong code. When the first few accounts are on the screen and
| it is time to refresh the codes the ones on screen refresh
| every 30 seconds.
|
| The ones offscreen do not. When I scroll to bring offscreen
| codes into view they show an older code. In one case the code
| that scrolled in was 4 codes behind the correct code.
| magicalhippo wrote:
| I've been using Microsoft's one for my work accounts because,
| well, we're elbow deep into Office365 so why not.
|
| I've never gotten that dialog, and have not had any issues with
| the accounts I've added. Since they're my work accounts, 99% of
| them share my work email as account name.
|
| So does that mean I've just been lucky, in that the sites I've
| signed with have provided a sufficiently unique label? I feel I
| didn't fully get what the issue is.
| muststopmyths wrote:
| Same. 3 personal accounts use the same email address. Two of
| them are FAANG and it all seems to be fine (for going on a decade)
| prng2021 wrote:
| Seems like the bug is specific to the iOS app when scanning QR
| codes.
| breadwinner wrote:
| This happened to me when I updated MS Authenticator after not
| updating it for a while. It wiped out all data, and I got locked
| out of all accounts. MS Authenticator is not a carefully written
| product.
| napsterbr wrote:
| Something similar happened to me about a year ago when the Google
| Authenticator app automatically updated to a new version. I lost
| all my accounts in the update process. Definitely learned a few
| lessons there.
| xandrius wrote:
| This nightmare is why I always backup MFA QR codes and use
| those to add them to an open source app which lets me backup
| the data elsewhere too.
|
| Sorry to hear that!
| SoftTalker wrote:
| Yep, any time I use an authenticator with an account I
| generate "backup codes" and keep them in my password manager.
| This saved me when I got a new phone and for some reason my
| Google Authenticator did not transfer to the new phone
| properly.
| lostlogin wrote:
| > Google Authenticator did not transfer to the new phone
| properly.
|
| This seems to be my normal experience with a new phone for
| MFA apps. I'm doing something wrong. That and setting up
| email are so dreaded that I hold off updating.
| knallfrosch wrote:
| Switching from Android to iOS for a phone, I found that
| Microsoft Authenticator officially doesn't support this.
| You can't backup, you can't transfer. Everything is lost,
| please start anew.
| issafram wrote:
| ymmv, but I've never had this issue.
| chaz6 wrote:
| When asked to set up TOTP, the first thing I do is scan the QR
| code with a QR code reader, and save the secret into my password
| manager, before adding it to my authenticator app.
| gleenn wrote:
| Does this actually work? I thought most TOTP codes were single
| use. Have you actually tried re-using them?
| Rychard wrote:
| The initial QR code isn't a TOTP code, it contains the secret
| used to generate the TOTP codes.
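Added example (not code from the thread, from Microsoft, or from any authenticator app): the otpauth:// URI that a TOTP QR code encodes, as Rychard describes above, parsed the way an app has to parse it, then stored under two keying rules to show how keying on the label alone lets a second enrolment with the same e-mail silently overwrite the first, the behaviour worble describes earlier in the thread; the same secret is then turned into a code with RFC 6238 TOTP. The site names, e-mail address and secrets are constructed (one secret is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Return the fields of an otpauth://totp/<label>?secret=...&issuer=... URI."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret parameter")
    label = unquote(p.path.lstrip("/"))
    # The label may carry an "Issuer:account" prefix; the issuer query parameter
    # is the separate field the thread says sites are supposed to fill in.
    label_issuer, _, account = label.rpartition(":")
    return {"label": label, "account": account,
            "issuer": q.get("issuer") or label_issuer or None,
            "secret": q["secret"], "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}


def key_by_label(entry):
    # Label-only keying: the store behaviour the thread suspects.
    return entry["label"]


def key_by_issuer_and_label(entry):
    # Keying on (issuer, label) keeps same-e-mail enrolments at different sites apart.
    return (entry["issuer"] or "", entry["label"])


def enroll_all(uris, key_fn):
    """Add each URI to an in-memory store; a repeated key overwrites the earlier entry."""
    store = {}
    for uri in uris:
        entry = parse_otpauth(uri)
        store[key_fn(entry)] = entry
    return store


def totp(secret_b32, at_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time, from the enrolled secret."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample enrolments: three sites, one e-mail address, two of them
# putting the issuer only in the query parameter and not in the label.
SAMPLE_URIS = [
    "otpauth://totp/alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=SiteA",
    "otpauth://totp/alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=SiteB",
    "otpauth://totp/SiteC%3Aalice%40example.com?secret=JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP&issuer=SiteC",
]
```

Enrolling `SAMPLE_URIS` with `key_by_label` leaves two entries (SiteB has overwritten SiteA), while `key_by_issuer_and_label` keeps all three.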
| sleepycatgirl wrote:
| Oh, that's actually really nice, I should start doing the same
| thing myself
| esafak wrote:
| 1password lets you see it after you've saved it too.
| n8henrie wrote:
| As does Bitwarden (just "edit" and it is revealed)
| Nextgrid wrote:
| However, this does reduce the separation of factors, if that
| password manager is the same one containing your actual
| password.
|
| Depending on your threat model this may be an issue.
| NotACracker wrote:
| I've just made a test: multiple accounts using the same
| account/email and there is no conflict.
|
| I even have a matching icon of the issuer for each entry; the
| issuer is registered for each entry.
|
| I am using the MS Authenticator for years and I've never had any
| problem of that sort, and of course, I am always using the same
| email as my account/username.
|
| Anyway, I'm just putting the result of my test. It's not like
| this is going to change your mind about the authenticator or
| Microsoft itself here...
| CatWChainsaw wrote:
| A whole different type of "too big to fail", and a great
| demonstration of why putting the keys to your kingdom in
| Microsoft's/Google's/Apple's hands is a stupid idea.
| halfcat wrote:
| Is AWS any better, or what's the solution? Most businesses
| aren't technical and don't need to be in the
| authentication/security business.
| CatWChainsaw wrote:
| Greetings fellow feline, I am a microbiologist not IT. In
| that capacity, the only general suggestion is to have
| redundant authentication measures that cannot all be crippled
| by one source like this. I can't imagine it's popular, or
| easy, for a company to want to be able to use multiple
| authentication schemes, but this sort of situation shows why
| lock-in is a bad idea.
| ReptileMan wrote:
| And keepass keeps complete history since the file was created.
| Someone was really sloppy in Microsoft in the design phase.
| motohagiography wrote:
| some security products seem like they are designed to discredit
| security as a field. imo the market is just at the point of
| backlash against the decadent stupidity in that cost centre. if
| you are going to humiliate people by making them jump through
| hoops 10x a day with context switching 2FA tokens and make
| serious people with educations and responsibilities use words
| like "smishing," you better be sure that hoop is the finest
| example of engineering _anywhere_. the solution has become the
| problem. I'm calling the peak.
| jokethrowaway wrote:
| Are we again in a Microsoft 2000 phase? It seems like everything
| Microsoft is broken these days.
|
| GitHub barely works after the acquisition. Azure is a joke. Teams
| is the bane of my existence. Outlook is the second one.
|
| Do they need to ask harder leetcoding problems during the
| interviews?
___________________________________________________________________
(page generated 2024-08-17 23:01 UTC)