We use Duo as 2FA for our Microsoft accounts at work. Every Thursday it's log into Teams on phone, log into Teams on desktop, log into Outlook on phone, log into Outlook on desktop. Why can't your apps cross-authenticate on the same device? How does OneDrive manage to stay authenticated throughout the whole process?
Any actual work I need to get done is done on a 15-year-old ThinkPad running Debian. The beefy 12th gen i9 just whirrs its fan around and occasionally gets used for emails, team chats and logging up tickets.
There's actually a Duo feature that does that.
Normally apps can't cross-authenticate like that because they don't have the ability to talk to each other in a standard way that's also verifiable and secure. Teams could have a way to share your auth to something else, but it's much more difficult for it to know that the thing asking for access actually is something that's supposed to be able to do so.
OneDrive is built in to Windows, so it's able to use the authentication you use to log into the computer to talk to the Microsoft servers. (Essentially, there's like a million steps and layers of indirection.)
I like when you want to make a Microsoft account, it asks you to enter your existing e-mail first (you can enter one ending with @outlook.com or @hotmail.com though; it will create a new mail account). It's like they don't believe in their own products, lol.
I once created a Microsoft account (for a Windows 7 machine I think) and entered a Google address. It didn't seem to mind. It's my Microsoft account to this day, not that I have much use for it. Maybe it's gotten more weird nowadays.
That's the point. For a long time I assumed that they give you an e-mail address (currently Outlook) by default, like Google does with Gmail, but they don't.
I don't have the exact timeline at hand, but Microsoft Accounts (originally Microsoft Passport) as a Microsoft service-wide SSO were originally cooked up at Microsoft, while Hotmail was a separate service that Microsoft acquired. And this was in the late 1990s. I guess they originally designed the account system to be independent of the whole web portal nonsense that was fashionable at the time.
…anyway, I think it's a good thing that Microsoft lets you use whatever email address you want with it and doesn't force you to use Hotmail/Outlook.
An @outlook.com / @hotmail.com account is already a Microsoft account to begin with. If you enter one of those that already exists, you're just signing in. There is no "new mail account".
It makes sense to have the user use their own existing email address so that they have it as a recovery option; most people don't need another email address.
I am not sure that you read my comment properly. The registration form asks for a non-Microsoft e-mail address first. You _CAN_ enter an Outlook or Hotmail address, which will create one, but it's not even something that they acknowledge in that form.
And if you still don't believe me yet, I have literally tried this yesterday, and it works. It did create a new Outlook account when I entered an ...@outlook.com e-mail address.
My father has a Microsoft account, but doesn't have an Outlook/Hotmail account for example, which is a bit strange at least for me, and I had no idea that this is the default.
I think the misunderstanding comes from where you wrote "it would create a new mail account" which is objectively inaccurate; the @outlook.com / @hotmail.com emails already exist as both a "mail" and Microsoft account. There's literally nothing being "created" in that situation, you're just signing in to what already exists.
In your father's case, he probably has a Microsoft Account set up with a third-party email address.
If he were to want that to include a mailbox, he could navigate to his Microsoft account's email settings, create a new "@outlook.com" alias, and set it as the primary alias for the account. He would then have a mailbox usable at Outlook.com or via Microsoft Exchange in a mail client.
It's possible to do the same thing with Google: you can create your Google account using a third-party email address; you won't have a mailbox, but if you were to visit gmail.com you would be offered the option to create a mailbox with a new @gmail.com address.
Okay so I get this is a meme BUT I started using a yubikey instead of the auth app and it has done a world of good for my sanity.
I transitioned everything to Bitwarden. Password manager, passkeys, and MFA code generation all in one app that works on all of my devices.
And then I started to self-host it via Vaultwarden and transferred all the data.
A friendly FYI: having your passwords and MFA in one place partially defeats the purpose
True, but the alternatives generally are either a pain in the ass or require yet another syncing service to have sensitive info just so I can access things reliably anywhere.
It is still more secure than SMS and email based options.
Besides, my Vaultwarden still needs an MFA code to access in the first place, and that's handled by a separate generator.
I get that not everyone wants to set up something like Aegis in combination with e.g. Syncthing.
Of course it is still better than SMS and email, but I would recommend you check out Ente Auth and/or Proton Auth.
Both are end to end encrypted and you would at least have it in separate apps
I'm willing to accept the slight security difference in exchange for the convenience of having access on a single app 99.9% of the time.
To get into my Vaultwarden in the first place to get my info they'd first have to know my self-hosted server exists to target. And they'd need to compromise that MFA, which is handled by a separate, unrelated app.
That's more than enough security for nearly everyone on the planet.
Perfectly valid, everyone has their own threat model and their own standards.
Sure. But if your Bitwarden is protected by a 50-char password AND a YubiKey, it's not that big of a tradeoff imo. That's what I do, but I have hundreds of MFA tokens and it was PAINFUL to auth a lot of the time when I was using an authenticator app.
They're exactly why I decided to accept the slight security downgrade for usability. Plus, at the time, finding a YubiKey that would work with every device (desktop, laptop, mobile, etc.) was impossible without dongles, kind of defeating the point. USB-C wasn't on everything then.
I do 2 accounts, one normal, one MFA. If only the extension would let you pull from both accounts at once! KeePassXC still does the usability better.
Bitwarden is just so awesome
How do you like the self-hosted approach? I contemplate it every so often, but I'm not sure that my sysadmin abilities (and attention) are enough to keep it secure.
The admin overhead isn't too bad as long as you have a good base, and don't try to do anything crazy. I transferred from Synology to a custom-built NAS recently, and it's running TrueNAS. That supports not only Docker now, but also a catalog of apps preconfigured for TrueNAS with minimal manual setup needed.
For Vaultwarden, since it needs external access, I had issues setting up various reverse proxy systems and dynamic DNS services properly. So I got a cheap (like $5) domain through Cloudflare, and run a Cloudflare Tunnel back to my network for Vaultwarden and a couple of other apps like Emby for my media.
The Cloudflare Tunnel also allows me to use WARP as a VPN on my laptop and phone to route that traffic back through my home network, which also lets me use the Pi-hole on my network for my ad blocking on those devices.
I jump into the TrueNAS interface weekly to check for system and app updates, and that's about it.
Depends on your org. I have a yubikey, a phone app Authenticator, a pin and my regular SSO login/password. All of which I have to use constantly, because some dumbass did something dumb like two fucking years ago. So I can hardly get shit done. Plus the same dumbasses who probably fucked all this up are writing production code for an actual product. Please kill me.
I hear that if you lock down your system so much that no one can access anything, that's peak security.
I too have a yubikey. My advice, have something that functions as a backup.
Other than that, yes. It's way better than the alternatives.
Yeah, I got 4 because I'm paranoid about losing access to things, and still spread out backup TFA mechanisms… I don't trust technology to be reliable enough, heh.
Personally, I have the second-gen Google Titan USB keys; I upgraded from the first gen some time ago. They're FIDO2, so they're very equivalent to a YubiKey in most respects.
I use my YubiKey for work. I connect it to anything and everything I can. I use Microsoft's Authenticator as my backup for work.
I have a pair of FIDO2 keys for personal with TOTP backups, and recovery codes as a last line of defense (stored in a secure location), and one FIDO2 key with TOTP backups for work.
Ironically, the least secure account I have is for my bank, which doesn't support FIDO2 (or anything other than SMS).
Are you using the slightly more expensive one capable of generating TOTP codes?
I also use a YubiKey, but I still have to use another 2FA app for services that don't support passkeys yet.
So mine supports it in principle, but I haven't tested it out yet. Enrollment seems simple enough though. I use a handful of 2FA apps between work, personal password manager, SMS backup, and so on… I have hopes to consolidate and onboard TOTP some day, but the banking apps have low support, so that's annoying.
Our password manager requires logging in and using the authenticator every time the session times out, so we all started using a browser plug-in to keep the session alive all day.
Seconding the ask on the extension, I hate having to log into my secret store every 15 minutes while working on stuff
Session alive
Same issue. Whatâs the extension called?
I use session alive
So secure.
Complain to the guys that set stupid policies that encourage people to do this. We gave up trying and don't care any more.
That may have come off as judgmental. It wasn't meant to be. When you make security so onerous that no one will do it, then it's little surprise that people… won't.
Especially when itâs a business.
Moreover… when you make your security so onerous that no one will do it, you don't have security. They know that, but it's the "nobody ever got fired for buying IBM" thing.
Some of that is compliance requirements. Daily fines the size of your yearly salary are no joke.
And get 15 emails from microsoft regarding how you just logged in.
No matter how bad you have it someone else has it worse.
In order to do my job I have to log into the VPN, and then remote desktop onto a server, then from that server remote desktop onto another server. Then I have to go back to the first remote desktop and remote desktop onto a different server which from there I can remote desktop onto two other servers, on one of those servers there are two different log ons which I can use to do different tasks.
Then back on the main desktop I can remotely connect via web browser to a virtual machine that I can then remote desktop onto a server. If I want to change the password on that server I have to remote desktop from that remote desktop from that virtual machine, into a remote desktop.
Oh and then there is the web app that I have to use that only works in Internet Explorer, but for security reasons IE has been removed from the main system, so I have an entire remote desktop literally just to use Internet Explorer.
It takes about 25 minutes to log into everything everyday and about 10 minutes to log out at the end of the day.
Thanks for the aneurysm. I feel for you.
Oh ffs, I got annoyed just reading the comment. I can't imagine the hell of having to do that.
You clearly donât work in an OT environment. Network segmentation is everything.
I bet the security "experts" who designed this are busy jerking each other off about how "secure" they've made everything.
Fuck, and here I thought AGS progressive controllers were bad. Remote desktop into the controller using a commonly known username and password to get a "salt", "hash code", "iterations", "password length", and "server name". Enter all that onto a website that has to be logged in to, all to get a generated password which is used to remote desktop into the same progressive controller under a different account. The password changes every 24 hours. Oh, and did I mention that this is typically done on an active casino floor? Good times.
But why though
Deleted by author
The largest issue I have is the randomness of all the different security setups. One requires MFA by e-mail, one requires an authenticator, most require sms, some push to require using their app, and this random page requires a code by phone call. Now they are pushing passkeys and that is a complete cluster.
What's ironic is that most of the webpages that push these things don't reach the "Do I give a fuck?" threshold. The security is usually there to protect against unauthorized use of user-stored credit cards. Since I am not liable for any fraudulent charges to the credit card, I really don't give a fuck about securing the account. Yeah, I am reusing passwords, keeping them in plain text in a Word doc, etc.
When I worked for other companies, I moderately gave a fuck about their security. Not enough to inconvenience me. If they made me change the password constantly, they got the number-changing series at the end of the password: $tupidPass#01. Seriously, that was my actual work password for over a decade.
Now my bank account and financial logins. You'd better believe those have every security feature they offer set up. I do not fuck around with those. I give a fuck about those.
I remember reading an article once which referred to research which suggested that making people change passwords every month made their accounts less secure, because they have to go extra steps to remember them, which usually translates to making them really obvious and/or storing them where they're easily accessed. In one of my previous jobs where we had to change passwords every month, basically everybody would have their password written on a post-it on their computer monitor.
In my first job I had like 7 different passwords to access different systems. Each one had a different schedule of password reset. They each ended up being on a different reset schedule. I had to reset a password once or twice a week.
Yeah, everyone had their passwords on a sticky note on their monitor. I once got praise for being the one person without it. I of course had an abbreviation for the system with what number series the password was on posted on my monitor.
This is my current job. I've got monthly, every three months, every quarter, once per year… Thank goodness the last service they added has SSO.
I had a passkey card where each letter was given a random sequence of uppercase, lowercase, a number and a symbol. With just a four-letter word as the key you had a 16-digit random password that was hard to guess even if you had the key sheet.
Yeah, that's actually also why it's no longer considered best practice to force regular password changes. But many places / websites / apps still do, obviously.
I worked in top secret military stuff and the worst I had was every 4 months on some systems. Monthly seems extremely ineffective.
Sticky note under the keyboard is probably still the number one spot.
Get a yubi key then you have to find your keys
I have a YubiKey that crashes Authenticator when I select the option to use it. It goes into a loop asking to touch the button and type the PIN. But it does not wait for input; it just keeps creating windows until it crashes.
What a ball ache. Inclined to blame MS for that because statistically it probably is down to them 🤣 I've had an issue where it doesn't ask for the PIN so it fails, but I just close the browser and it's fine.
I have multiple accounts configured on the same YubiKey, but it seems like any of the Microsoft login portals expect you to always use the account you most recently signed in with. So any time I need to switch accounts (which is often; I have different accounts for each different testing environment and access level), I have to type in my PIN and touch my key twice: once to allow Microsoft to try logging in with the wrong account and fail, and then another time where it asks which account I want to use.
I have a 3d printed access card holder that also holds my work yubikey. Very handy
Have the day you/your company paid to have.
You should try Okta instead! It's… blue.
Da ba dee da ba da
My company… runs both, for some reason.
On a scale of 1-10 how likely are you having conversations with your friends about <ms Authenticator>
Hmmm. Conversation, yes.
Oh did you change your phone? Suffer bitch!!!
/s
As someone on the other side, in IT support, you can fix this yourself and I wish more people would.
Before your old phone gets wiped and sent to the graveyard, log in using Authenticator, and go to "view account" from any of the online pages for Microsoft (if you're unsure, try login.microsoft.com).
Go to your security options, and you should see all the info you need to remove the old authenticator and add a new one.
From here you can also add backups, which I encourage everyone to do.
It saves you from having to call IT all the time to fix it, and since you don't have to go through the usual back and forth of verifying who you are, or whatever, and getting them to do a thing, you can take care of it for yourself, by yourself, without those unnecessary delays.
Your IT people will appreciate it, and you'll have to talk to them a bit less as a result.
I did this and checked my devices on the login or account page (not sure exactly which one it was). It showed two devices that were named "iPhone". No idea which one is the new one and which one is the old one. IT support couldn't tell either. So once I have to hand in my old iPhone and delete it from the trusted devices / devices with Authenticator, it will be a hit or miss game.
That's the pinch. Sometimes it's hard to tell which is which. I'm sure there's a way, but it's not something I would want to do.
My thought would be to delete everything and start over when you get a new phone.
One day MS will make the PowerPoint you're sharing on Teams even smaller than today… but I'm here to tell you how to do it now. Take a look at the slide below!
Lemmy is now better than teams! Yey!
Is there a community around here dedicated to the hatred of Microsoft?
You mean system administrators?
I think that's just all of Lemmy at this point.
I hate MS Auth so badly. Why don't they just implement the "normal" 2FA instead? MS doesn't work with Ente Auth.
microsoft has sucked arse for eons. the real q is why the fuck IT keeps buying their shit.
Their sales department gets all the budget.
In my country, Microsoft has inserted itself into the education system. If you want to learn system / network admin so you can run IT at pretty much any local business, it's all Microsoft.
To be fair, Active Directory does make it easier to manage a bunch of Windows boxes with consistent users and permissions. When your users are business people mashing Excel spreadsheets all day, and build their lives and identities around Excel, you pretty much have to give them the environment that Excel runs in, which is Microsoft.
Idk, they probably want someone to blame
You might be able to use a "normal" (TOTP-compliant / Google Authenticator-like) 2FA app even with Microsoft work accounts.
One of the prompts to download MS Authenticator has a "use a different app" option:
I assume admins can disable it, but it's also easy to miss.
On top of this, this prompt only shows up when attempting to add a new MS Authenticator, since there is no "other app" option among the authenticator type choices.
Nah I guess our admins have disabled it. fuck…
Idk my microsoft account works fine with ente auth.
There's a government-tier system used by lots of schools, cities, etc. It fucking SUCKS.
Like: if you have Outlook on your mobile device and add a government system account, it makes you remove any other accounts. Even if those other accounts are part of the same organization.
And since I manage more than 1 email account that need to go to separate inboxes for legal reasons, I get to carry 3 phones and a tablet.
Wowie what a horrible system
Did I mention the part where I work for a municipal government by day and teach at a public university by night? It's 2 phones and a tablet for the city, one for the university, and a 4th phone I didn't mention for me.
Though the school phone usually gets left in my bag. I teach scuba and underwater photography. Nobody's gonna lose their house over me waiting a few days to respond to an email. The only time my duties there are critical is when I'm actively with the students. Then it's more important because pressurized environments and breathing and stuff.
But I also don't take my phone underwater ^(on purpose).
Normal Microsoft Account does support "normal 2FA". However, my school MS Account only supports Microsoft's own protocol, which is not supported by other authenticators (Aegis, Ente, Raivo, etc).
Ah that sucks. My UNI supports it so I just have everything inside ente.
Bruh. One more reason to hate my country
Why the whole country? Just hate the school
You're right. I'm just fed up with this place, you know…
We use Duo as 2FA for our Microsoft accounts at work. Every Thursday it's log into Teams on phone, log into Teams on desktop, log into Outlook on phone, log into Outlook on desktop. Why can't your apps cross authenticate on the same device? How does OneDrive manage to stay authenticated throughout the whole process?
Any actual work I need to get done is done on a 15 year old ThinkPad running Debian. The beefy 12th gen i9 just whirrs its fan around and occasionally gets used for emails, team chats and logging up tickets.
There's actually a Duo feature that does that.
Normally apps can't cross authenticate like that because they don't have the ability to talk to each other in a standard way that's also verifiable and secure. Teams could have a way to share your auth to something else, but it's much more difficult for it to know that the thing asking for access actually is something that's supposed to be able to do so.
OneDrive is built in to Windows, so it's able to use the authentication you use to log into the computer to talk to the Microsoft servers. (Essentially, there's like a million steps and layers of indirection).
I like when you want to make a Microsoft account, it asks you to enter your existing e-mail first (you can enter one ending with @outlook.com or @hotmail.com though, it will create a new mail account). It's like they don't believe in their own products, lol.
I once created a Microsoft account (for a Windows 7 machine I think) and entered a Google address. It didn't seem to mind. It's my Microsoft account to this day, not that I have much use for it. Maybe it's gotten more weird nowadays.
That's the point. For a long time I assumed that they give you an e-mail address (currently Outlook) by default, like Google does with GMail, but they don't.
Oh, right
Separate departments I suppose
I don't have the exact timeline at hand, but Microsoft Accounts (originally Microsoft Passport) as a Microsoft service wide SSO were originally cooked up at Microsoft, while Hotmail was a separate service that Microsoft acquired. And this was in the late 1990s. I guess they originally designed the account system to be independent of the whole web portal nonsense that was fashionable at the time.
…anyway, I think it's a good thing that Microsoft lets you use whatever email address you want with it and doesn't force you to use Hotmail/Outlook.
What?
An @outlook.com / @hotmail.com account is already a Microsoft account to begin with. If you enter one of those that already exists, you're just signing in. There is no "new mail account".
It makes sense to have the user use their own existing email address so that they have it as a recovery option, most people don't need another email address.
I am not sure that you read my comment properly. The registration form asks for a non-Microsoft e-mail address first. You _CAN_ enter an Outlook or Hotmail address, which will create one, but it's not even something that they acknowledge in that form.
And if you still don't believe me yet, I have literally tried this yesterday, and it works. It did create a new Outlook account when I entered a ...@outlook.com e-mail address.
My father has a Microsoft account, but doesn't have an Outlook/Hotmail account for example, which is a bit strange at least for me, and I had no idea that this is the default.
I think the misunderstanding comes from where you wrote "it would create a new mail account" which is objectively inaccurate, the @outlook.com / @hotmail.com emails already exist as both a "mail" and Microsoft account - there's literally nothing being "created" in that situation, you're just signing in to what already exists.
In your father's case, he probably has a Microsoft Account set up with a third party email address.
If he were to want that to include a mailbox, he could navigate to his Microsoft account's email settings, create a new "@outlook.com" alias, and set it as the primary alias for the account. He would then have a mailbox usable at Outlook.com or via Microsoft Exchange in a mail client.
It's possible to do the same thing with Google - you can create your Google account using a third-party email address, you won't have a mailbox but if you were to visit gmail.com you would be offered the option to create a mailbox with a new @gmail.com address.
Dominic Christ, yes. Why?!
WELL GOOD FOR YOU
Can't access your phone to verify Microsoft Authenticator? Please use Microsoft Authenticator to reset your account, thanks bye.
And the other half in the toilet, having a relaxing poo. That's the dream. Getting paid for both. Did adverts convince you otherwise?