Microsoft's new "passwordless by default" is great but comes at a cost

30 tatersolid 24 5/2/2025, 10:39:59 PM arstechnica.com

Comments (24)

genpfault · 14h ago
> Microsoft has made Authy, Google Authenticator, and similar apps incompatible, a choice that needlessly inconveniences users and undermines the whole “passwordless by default” marketing message.

Welp.

dqv · 11h ago
Nice. My favorite Microsoft Authenticator feature is that the iOS and Android versions aren't interoperable. There is no way to export the private keys from an iOS device so they can be imported on an Android device and vice versa.

JumpCrisscross · 14h ago
Preceded by “even after users create a passkey, they can’t go passwordless until they install the Microsoft Authenticator app on their phone.”

So not great. But not terrible. Solid Dyatlov.

pedalpete · 13h ago
I took this to mean that you have to use the Microsoft Authenticator app, not just that it needs to be installed on your phone.

Either way, it's just Microsoft trying to push themselves into a space and remove consumer choice.

Is there another possible reason for this?

I'm saying that as a general fan of Microsoft. I just wish they'd stop doing these things that are not beneficial to the user, and solely focused on keeping themselves relevant.

The right way to stay relevant is to make great products.

rolph · 13h ago
Microsoft seems to be acting like it's in a death spiral, wringing every last cent it can, and cutting as much overhead as possible, while reaching out to any possible investment bubble, and a day late and a dollar short every time trying to ape contemporary successes of competitors.

Now I understand why Bill cut the fetters and walked away from the board room.

briHass · 11h ago
Wait, do you mean the Microsoft that is currently the most valuable company in the world? The one worth north of 3 trillion dollars?

Part of why they can push the scheme this article complains about is because M365/Entra is such a juggernaut.

abhiyerra · 11h ago
It is funny I thought this as well for a long time, but they are absolutely killing it with their market which is Enterprise and Government.

Software is still garbage but the moat they have with E3 and E5 licenses is huge.

pedalpete · 7h ago
That's not at all what I was suggesting, and they are the most valuable company in the world.

There is no direct revenue for them in this move. It's strictly to continue to get lock-in.

EarthMephit · 13h ago
Microsoft Authenticator is annoying.

It doesn't work if you have notifications off or "do not disturb" on, so I can't log on to anything in the evenings.

george_perez · 10h ago
When in DND notifications still work, they're just under the fold and you need to swipe up to see the Microsoft Authenticator notifications.

IcyWindows · 13h ago
It works fine for me with "do not disturb" on.

TowerTall · 13h ago
It also means that by default you will no longer be able to RDP from one Windows PC to another on your LAN or mount it as a network drive, as neither of these functions works with a passwordless Microsoft account. Even Microsoft's new "Windows App" cannot establish RDP connections between Windows systems on your local network.

nashashmi · 11h ago
If you lose your devices because of a car theft for example, you lose access to everything. Everything!

Authenticator needs a login. Logins are only through logged in devices. All logged in devices are stolen. Backup?

retrorangular · 7h ago
Yeah, many users choose weak passwords, re-use passwords, etc. Maybe most people can't be trusted with creating and using passwords. But probably even fewer users can be trusted to actually print off their MFA backup codes and store them in a separate place from where they live. A single instance of theft, fire, or flood, or other unfortunate events, could permanently destroy someone's digital life, which has major impacts on their real life (e.g. many banks are online only.)

Text message 2FA has the advantage that recovering your phone number is pretty achievable since carriers have physical stores you can go to with a photo ID (probably more difficult but not impossible with online-only MVNOs.) SIM swapping attacks through social engineering are definitely a risk for some people, but probably not most. Unfortunately with SS7 vulnerabilities, basically any text message 2FA code can be intercepted, so it's really unideal. I think SMS alone should not be enough for account recovery or login, but as a second factor, maybe for many people the benefits might outweigh the costs.

Password managers largely fix the issue of weak passwords and password reuse. If that's too complicated, one-time use email magic links also fixes the issue. Those have their own downsides, but if a site has a "forgot my password" feature that gets reset through email, you're not losing out on a ton of security through magic links.

Of course, the downside of that is that if you lose access to your email account, you're truly screwed. In the past, when email addresses were not given freely and people got email addresses through their ISPs, if you did lose access, maybe your ISP had some way for you to prove your identity (since you pay them each month) and regain access to it. But there's effectively no customer support for free Gmail, Yahoo, Outlook, etc. accounts. Even if you own your own domain, that's just moving the issue to your domain name registrar, which also likely doesn't have a physical location you can go to in person to verify.

If there was some guaranteed official way of proving your identity and regaining access to your email account, then I think that'd fix a lot of issues. Unfortunately that'd come with privacy risks, as it'd require having a real ID associated with your email. But MFA through hardware authentication devices (e.g. Yubikey) or through software MFA (e.g. Authy, Google Authenticator, etc.) could remain an option for privacy concerned users if they wished to avoid using a real ID for account login/recovery.

Unfortunately no perfect solutions so far, but I think Microsoft's approach here (quite similar to many other companies) may be too risky for the general population. I think companies, universities, etc. should fully lean into secure MFA, as they can easily resolve the problem if an employee or student loses their phone or hardware authentication device. But that option doesn't exist for personal email and other user accounts. There's a huge number of people in the developing world with only a single device (a phone, no other computer) and no printer for printing off backup codes (I guess you can write them down by hand, but in practice very few people anyplace will do that.) I'm not sure Microsoft (or other companies') passwordless by default approach fits that scenario. A strong, unique password for email, and then magic links for other accounts, might be a better approach for consumer accounts.

nashashmi · 4h ago
> Maybe most people can't be trusted with creating and using passwords. … Microsoft's approach here [passwordless] (quite similar to many other companies) may be too risky for the general population.

Thirty years have been spent incrementally improving password logins. The amount of education the public has endured on password and login security is staggering. And yet even after all this, we assess the measures insufficient to login security?

I am referring to even the advanced security crowd. How can they recover access when all devices are lost? Passwords are the only self-reliant way back. Secondary email addresses are the next way. Phone number is a third way. Social network is a fourth way. But a disaster can eliminate the second, third, and fourth way all in one shot. Password remains the most important recovery tool.

wkat4242 · 14h ago
This has been possible on my business M365 like forever. But yeah they're pushing their own authenticator too which is annoying. It's Microsoft's way though. Always locking you in. Same with ms365 web which never works properly in Firefox.

perching_aix · 11h ago
To be fair, MS365 apps are frequently miserable in Edge and "natively" too.

Just a few issues of Teams and Teams only:

- statuses getting stuck or being null

- having to relogin despite the current token still clearly working

- outright crashing on JS level (fixed)

- never finishing loading in, requiring a browser cache wipe (fixed)

- lying about messages having been delivered

- messages getting dropped from mid conversation when scrolling back in history

- message history being rewritten live as things are catching up

- @everyone pings arriving localized (wtf??)

- the wrong flyout menu appearing when clicking something (???), e.g. you try to screenshare but the emoji selector shows up (fixed?)

- various localization oversights, like the calendar flyouts starting on the wrong day of the week, various strings not being translated

- if you happen to call someone at the same time they call you, buckle up, cause stuff's about to go potentially very wild

- getting into a call doesn't actually put you in the call sometimes, necessitating a full system restart (how even???)

- custom embeds for certain sites instead of just using OpenGraph, so when you link e.g. the Wikipedia article about C++, you get told it's a carcinogenic substance (debatable) group called "IARC group 2B"

- software vs hardware mute desync, sometimes resulting in a rapid fire on/off fight

- sometimes buggy at-mention tokenization behavior that triggers webhooks as many times as there are spaces in the mentioned identity's name

... and I'm sure there are countless more. Some of these are genuine dealbreaker level, that I'm confident they only get away with because of their ecosystem grip. Using Discord would be a million times nicer I swear.

wkat4242 · 5h ago
Ah yes, the first few are some of the biggest annoyances in Firefox. I thought it was because of that. I assumed they had made sure it doesn't happen in Edge. Guess not.

I do have some extra Firefox issues if I don't set my user agent to Edge. Like copy paste uploads not working. If I set the UA to Edge they suddenly work fine :X

The status stuck is so annoying. You see someone that's green, send them a message and instantly after sending it they show as away or something. Grr. I know it's not the user, they can't react that fast.

And yeah, especially now on Linux the browser experience is important because they discontinued the Teams client.

tatersolid · 11h ago
According to current docs all business-oriented Microsoft Entra ID accounts support only device-bound passkeys. So the Microsoft Authenticator app isn’t absolutely required, a FIDO2 hardware token like a Yubikey or even TPM-backed Windows Hello is supposed to work for these passkeys too.

Software-based “syncable” passkeys (such as Bitwarden) have been on the roadmap for 18+ months but are still not available for business MSFT Entra ID accounts for some reason.

kgwxd · 46m ago
I’m forced to use it for work, it’s absolutely not great

GeoAtreides · 5h ago
Eventually we all have an extra phone, used for banks, authenticators, gov stuff, that never leaves home and has a different account on it.

cyanydeez · 14h ago
So it's not great.

andrewmcwatters · 12h ago
There’s a way to use standard TOTP verification codes with Microsoft Accounts but the last I remember is that it was a pain in the butt to do.

tatersolid · 2m ago
That’s actually pretty easy these days with a reasonable UX… you just choose “use a different authenticator app” instead of Microsoft Authenticator when enrolling MFA.
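Added here as an illustration, not code from any commenter or from Microsoft: the RFC 6238 TOTP algorithm that Authy, Google Authenticator and the "use a different authenticator app" option in the last two comments all share, plus the server-side check a verifier needs (clock-drift window, replay rejection, constant-time compare). The demo secret is the RFC 4226 test key and is a constructed value, not a real enrollment secret.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # the time step mainstream authenticator apps assume
DIGITS = 6         # the code length they display by default


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Enrollment secrets are shown as unpadded, often space-grouped base32 (as in otpauth:// QR codes)."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1) -> Optional[int]:
    """Server-side check. Accepts the code for the current step and `window` steps either
    side (clock drift), refuses any step at or before the last accepted one (replay), and
    compares in constant time. Returns the matched step so the caller can persist it."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # a code from an already-consumed step is a replay, not a login
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    import time
    # Constructed demo secret (the RFC 4226 test key in base32), not a real enrollment value.
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    print("current code:", totp(key, now), "accepted at step:", verify_totp(key, totp(key, now), now))
```

Any app that implements this scheme with the same secret produces the same code, which is why the thread's point about interchangeable authenticators holds once the account is enrolled with a standard TOTP secret.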