Recursive authentication

Fun fact: when my country transitioned to a new public authentication app, the default way was to use your passport to register. My passport was expired, though, so I had to show up in person with my birth certificate and social security card equivalent.

To get my birth certificate, I had to show up at the local office with, you guessed it, my passport.

Lucky for me that they accepted it in spite of being expired (none of the pertinent information such as my face, name and birth date had expired, after all), or I would probably be trapped in the loop to this day, years later.

Ohh, that reminds me of when I moved to Sweden. Their digital ID, bankID, is as the name suggests issued by your bank, not the government, even though it is used for all official authentication. And that includes... you guessed it, creating a bank account. So that was a real chicken and egg situation where it seemed impossible to be properly integrated into the Swedish system.
- I think you have the situation everywhere. At one time in France they ask you for your bank account details to see that you have funds so that they give an ID. But the bank will refuse to open you an account without an ID. So it will depend on the agent handling your request.
- Why do y'all in Europe have your bank manage your legal ID? Seems a bit backwards
- Hi neighbor! waves across Øresund
  
  Yeah, I'm a big fan of Scandinavian style government (unlike the current governments of both of our countries, it would seem) in general, but sometimes the bureaucracy can get a little bit ridiculous 😂
- Reminds me of the first days of BankID here in Norway. To get my new BankID to work with my current bank, I had to log in with, you guessed it, a BankID allready configured to my bank. Took a few weeks talking to the bank, showing up in person and queueing with others with the same problem before the bank realized they've made a mistake somewhere
  
  Same happened when the code thingy the bank sent me ran out of batteries. I went to the bank and asked for a new one. Not possible, they said. I had to contact the main branch, and they would send me new one. It would only take one week or so. I had to pay a bill that day, and asked if I could open it to replace the batteries since there was visible screw with ordinary heads. They said that was illegal and hacking, and that I must replace it. On my way home I opened it, and bought the exact same batteries from a shop, and replaced them. Worked perfectly!
- It seems like most countries have some variation of this issue. When I had to apply for government assistance here in Australia, there was a whole debacle because as I discovered, I don't actually have a middle name but rather 2 first names because my birth information was filled in incorrectly. So that caused issues because all 3 of the IDs they demanded listed different information. My student ID didn't list my second name at all, my learner driver permit initialised it, and my birth certificate listed it in full.
  
  Then my government service account messed things up too, because certain services have my 2nd name listed as either a middle name, or just a second first name so they decided that because I have different government services linked in "different names" I must be committing fraud
This is why I currently have no proper ID.

I have my birth certificate and my public healthcare card, and a not expired but no longer fully accepted proof of age card that previously counted as full ID but no longer does, but without it I dont have enough ID to get the new form of ID the government introduced in place of the old one I have.

It's enough to prove who I am at a liquor store or chemist, day to day, but I can't get a passport until I sort it out.
- When did they remove proof of age cards? (Vic or SA?)

Aegis Authenticator is the best 🏆

Unfortunately, Microsoft will often force their own 2FA app when logging in to 365.
- Not true, I've always used Authy.
Thank you, how about for iOS users?
- Buy a different phone.. Apple is terrible in so many ways
- ~~Just switch to Android/AOSP lol~~ I've heard good things about Raivo Authenticator for Apple devices, although I've never used it myself.

PSA, don't use Microsoft authenticator. It's easy to accidentally wipe your cloud backup and lose all your authenticator codes when switching devices

Cooperate forces me.
- I think you can use standard TOTP regardless if you add TOTP as an option in the authentication methods on your account page. At least I did and the system has yet to complain.
Is there actually any way to export the secrets from MS authenticator? I've been wanting to move them to something like bitwarden but it's gonna take ages if I have to reset all ~50
- They provide "Cloud Backups".
  
  Take the time, move them 5 a day. Better than loosing them forever
Can you provide more info how it’s easy to accidentally wipe? I’ve only done a transfer once, but it was by installing authenticator on the new phone and logging in, then deleting the other one on the old phone after testing that the codes work.
- You have to begin the recovery on the new device before logging in. If you log in normally and enable cloud backup on the new device, it will simply overwrite the existing backup with a new empty one
Yes, and while you can move it phone to phone on iOS, you cannot on Android. So stupid.

If you are forced to use it by your company just use it for that email, nothing else. Use something like authy instead.
- If your company forced you to use mobile authentication, they should also be providing you with a device on the company plan at no cost to the employee.
  
  In which case you should absolutely use MS Auth and give them all your delicious work data because nothing personal should be on the device anyway.
- Authy requires a phone number last I checked & is a part of a for-profit entity. TOTP management is a simple task so there is no reason not to be using something open source.
Don't worry, I'm going to keep using Bitwarden for my personal accounts.
Somehow I don't think there's much risk of anyone doing it willingly...
Learnt that the hard way

This is specifically an issue with corporate M365 accounts when a user tries to migrate to a new phone without access to the old phone where the authenticator was setup.

Personal MS accounts can backup their auth secret keys to cloud storage, and when signing in on a new device, it authenticates you with your cloud storage (Google/Apple) and properly restores your MS Authenticator app.

The issue is that while MS says you can backup your corporate M365 accounts in MS Authenticator, it doesnt actually store the secret key, so it's useless.

Have your administrator enable TAP (Temporary Access Passwords) on the tenant. Then an M365 admin can create a TAP for your account that lets you login without a password/2FA. You can use the TAP to login and rejoin MS Authenticator app. The TAP expires in 1 hour by default.

I'm in this particular loop at work where I don't want and don't really need an account, so I'm going to pretend I didn't see this and if you could ensure that IT doesn't see this, that'd be great, thanks.
MS auth also supports SMS via phone number. That's a whole new level of insecure, but lets you migrate to a new phone rather easily.

I'm 90% sure, all that 2FA crap is a sham anyway.

Brought to you by the same company that takes you to the logout page when you go to the login URL

I got FreeOTP from F-droid. Works like a charm.

Aegis here
- Secur user checking in
I usually use Bitwarden myself, but the company uses Microsoft Authenticator.
- I feel your pain
I recommend Aegis, but I guess it's a matter of taste
Isn't that discontinued? I just installed aegis from fdroid

I had this exact problem when I had to install this. Ridiculous

You'd think such an important application would be properly tested, right?

∞-FA

Anyone else hate Microsoft forcing you to use Authenticator rather than alternatives?

Just another way I'm forced to install Microsoft crap on my devices :/

It's been a long time since I set it up, but I have Microsoft accounts in my usual TOTP app (Aegis). Maybe I did it manually? But it's definitely possible.
- Not if your organization disables alternative TOTP apps 😔.
I have 2FA through Authy on my Microsoft account.
You can work around it to use your own 2FA app.
Did it with my O365 account.

That sort of risk is one major reason I stopped using MS Auth and went through the painstaking process of manually switching all of my accounts to a FOSS authenticator (Aegis Auth) instead.

Does Aegis sync between devices?
- No, but you can back it up (encrypted) and restore it.
- TOTP isn't supposed to be saved in a "cloud"
- It has an option for Android Backup Transport spoon...maybe?

Microsoft will just refuse to let me log with a third-party TOTP after setting it up. Security key is also "not supported" on Firefox even though it works for every other site.

The most info they will get is my Minecraft account and that's already too much...

I set it up with Bitwarden after a reset, but it showed a popup telling me to switch to MS Auth every time until one day there was no way to refuse the switch anymore.
It's a configurable setting on the admin side. I managed a lot of m365 tenants.
- ^ Your M365 admin needs to know where to manage the specific authentication methods and be sure to disable MS auth rollouts. By default right now, authentication rollouts are enabled on all tenants with P1 licensing or above, and it only supports the MS Authenticator app.
  
  Once that rollout is disabled, the authentication methods your admin has made available to you will actually work properly.

My university recently forced us to use this shitpile to 2FA, it never fails to disappoint

Probably means there already is MFA setup on that account, and now you doing it a second time.

Or you can just press the "get codes" button in the top right.

The get codes button didn’t work the first time I tried it. But it did now after restarting the app a couple times. A bit finnicky but it works.
- Yeah, when your setting it up there's a button that says something like "use another authenticator app" or it might say something like "configure without notifications".
  
  Those generate normal TOTP QR codes which you can use in other apps

Microsoft works

Jumbo shrimp

One day authentication of new users will be impossible and the only way to get on will be to purchase it from someone who already has it. Entire companies will run on a single account hey bought for millions of dollars. News stories will run of a vengeful or negligent employees bricking the one corporate account, until a cartel of business owners attempts to corner the market.

Wait, is this really possible? With Steam you still will be able to access TOPT in the mobile app if you need to log in the same app, at least that's how it worked.

I mean, there are probably one time passwords that go with some of accounts when using F2A. But I don't care about Microsoft account either way.

Yeah, I already went to IT several times to ask them to forcibly reset it. I'm WFH now, so I'll have to pay them another visit on Monday.

Lmaooo this just happened to me the other day. Drove me nuts

Same thing with proton pass. How will i login to proton pass if i save my proton mail password in it.

Why would you store your password manager's password in your password manager??? That's like putting a safe's key into the safe
- I know but I remember it was saved by default in it. I am really confused about it. What should I do abt it? Should I just make a memorable password and remember the proton account password? or something else?

People run into this for company MFA not realizing that their IT can enable new account setups. If it's a personal account you already have a device setup so I hope you didn't yeet it into the ocean or you really are screwed

Aegis Authenticator. Dont trust MS or Google your stuff