It seems something changed on MS end though because I have control of what MFA i use on our corporate acxount, which was setup with Yubikey, until about a month ago when this Use Your Outlook Mobile started on it’s own
Whatever it is, somebody at Microsoft made a mistake; it should not prompt you for Outlook Mobile Auth code when that is the actual app you are trying to sign in to, and have no way of retrieving that code. it should have review MS app and if it is Outlook Mobile then move to the next MFA option in your security list.
In this meme yeah, in my account I get the “try another way” link to let me go back to Yubikey auth option. But it shouldn’t default to Outlook auth if your are trying to sign in to Outlook, that is just lack of forethought
I mean, unless your service lets you pick individually that usually means turning on SMS. That’s probably why they have a general policy, it’s a pain in the ass to manage multiples.
I have found that Microsoft has the worst authentication on the planet. From weird, nightmarish loops and processes, to non propagated password changes. Not talking about having multiple accounts etc…
The worst of the worst for me was Atlassian login with Microsoft SSO
TOTP codes can be phished. Technically FIDO2 keys like Yubikeys are one of the only phishing-resistant authenticators out there now, because they’re tied to the official domain of the real site and won’t authenticate to a fake.
Passkeys are similarly phishing resistant, and Microsoft Authenticator will basically have passkey support added early this year. For now it’s actually not phishing resistant! Though it’s somewhat better than TOTP.
The issue is that phishing resistance is important but it doesn’t stop session stealing (someone getting ahold of the cookie on your computer that confirms you’re signed in and have done MFA). But it does make it harder to steal sessions because phishing resistance means attackers need to get it from your computer instead of intercepting a fake login.
Just a little technical backstory around why admins are needing to lock down auth methods in more ways as attacks become more sneaky and the more sophisticated attacks become automated and easier and thus more frequent.
Unless your organization forces specifically microsoft authenticator, then yeah. However, for several schools, that’s never been an issue, there should be an option to use a third party authenticator in small text.
Wait, is this really possible? With Steam you still will be able to access TOPT in the mobile app if you need to log in the same app, at least that’s how it worked.
I mean, there are probably one time passwords that go with some of accounts when using F2A. But I don’t care about Microsoft account either way.
Add comment