25

Multi-factor authentication does not mean I have a password to your site AND have to login with Google. Also, I logged in with Google, you should have my email address now.

Oh, a user with that address already exists? No shit, it's me.

Your fucking login flow is broken.

Comments
  • 6
    The amount of enterprise peons that don't get this is too damn high.
  • 0
    @sariel some enterprise SSO are shit, I work with a customer which has a system in which if you enter with the wrong account you cannot logout but you have to login again from an anonymous window, change browser or remove cookies to see the login prompt again
  • 1
    @DEVil666 sounds like a potential security vulnerability...
  • 1
    @sariel you’re right, especially considering which when an user clicks logout on Jira/BitBicket/Confluence… he gets a logout confirmation but then if he refreshes the page or opens another link of the “intranet” (which isn’t an actual intranet since most is exposed to Internet) he gets logged back on without any authentication prompt.
    I’m going to raise the issue
  • 2
    @DEVil666 this would make a compliance auditor shit a brick.
Add Comment