Search - "authenticator"
-
@netikras since when does proprietary mean bad?
Lemme tell you 3 stories.
CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites the routing table (rather normal for VPN clients)
- issue a route command updating the routing table so you can reach the Confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites the OS routing table to FORCE you to use the VPN settings and nothing else.
Sooo basically if you want to check your company's email, you have to disconnect from the client's VPN, check email and reconnect again. Neat!
Can be easily resolved by using an open-source VPN client -- openconnect
CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted
OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts a reconnect immediately. Subsequent reconnect attempts get triggered with longer delays so as not to spam the network.
SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser on your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in
umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.
Can be easily solved by open-source alternatives to the Sym VIP app: they make HTTP calls to Symantec to register a new token and return the whole TOTP URL to you. You can convert that URL to a QR code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.
Proprietary is not always bad. There is good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad, and w/o an opportunity to work around/fix it yourself.
-
Computer: Please check your authenticator app to login
Phone: Please fill in the code you see on the screen
Computer: * No code *
Me: * presses the "I can't see the code" button *
Phone: Prompt goes away, 3 seconds later it asks for the code again
Computer: No changes
I love Microsoft at my job
-
So here I am, screwing around with the Google Authenticator app and the dodgiest base32 code generator I've ever built and generating a 56 char unique ID, and an 8-digit time-based code.
WTF, all these products, services and logins that use 6 digit codes... and this fucking thing can handle 8 without breaking 😑
Now... to hook it into a QR code class... and spit out an image I can actually scan, without calling the Google Charts API.
I can't say I've written one of those before 🙃
-
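The two things the rants above touch on (an 8-digit time-based code that standard apps accept, and the otpauth TOTP URL that gets turned into a QR code) in one added example; this is not the poster's generator or any project's code. The `totp` and `otpauth_uri` names are my own, and the demo secret is the RFC 6238 reference key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def totp(secret_b32, digits=6, period=30, algorithm="sha1", at=None):
    """RFC 6238 TOTP for a base32 secret at Unix time `at` (default: now).

    Apps accept 6, 7 or 8 digits (RFC 4226 allows 6-8): the 8-digit code is
    the same HMAC with a larger modulus, not a different scheme.
    """
    # Authenticator secrets are usually shown without base32 padding; re-pad.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if at is None else at) // period   # time step T
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation, RFC 4226 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(secret_b32, account, issuer, digits=6, period=30, algorithm="SHA1"):
    """Key URI an authenticator app imports from a QR code (the kind of URL the
    Symantec VIP workaround hands back). Label and issuer are URL-encoded."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    params = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                     "algorithm": algorithm, "digits": digits,
                                     "period": period})
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in base32 (a published test
    # vector, not a real key); the account and issuer are made up.
    demo = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("6-digit:", totp(demo, 6), " 8-digit:", totp(demo, 8))
    print(otpauth_uri(demo, "alice@example.com", "ExampleCorp", digits=8))
```

The QR image itself is just this URI encoded with any offline QR library, so no call to an external chart service is needed.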
MFA authentication setups that don't support standard authenticator apps, like 1Password or Google Authenticator, can burn.
Yes, Microsoft, I am looking at you.
-
Security Horror Story:
A password authenticator which is case-insensitive and treats all special characters as the same value. As a bonus, all passwords are truncated to 4 characters.
-
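An added illustration of why that verifier is a horror story, not code from the poster: `weak_normalize` reproduces the described behaviour so the collapsed keyspace can be counted, and `hash_password`/`verify_password` (my names) show the salted, full-length, constant-time check it should have been.

```python
import hashlib
import hmac
import os


def weak_normalize(password: str) -> str:
    """The rant's verifier: only the first 4 characters count, letters are
    case-folded, and every special character collapses to a single value."""
    return "".join(ch.lower() if ch.isalnum() else "#" for ch in password[:4])


def weak_matches(stored: str, supplied: str) -> bool:
    # Any password that folds to the same 4 symbols is accepted.
    return weak_normalize(stored) == weak_normalize(supplied)


def weak_keyspace() -> int:
    # After folding: 26 letters + 10 digits + 1 "special" class, 4 positions.
    # Fewer than two million distinct passwords, however long the original is.
    return 37 ** 4


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Hardened form: per-user salt, PBKDF2-HMAC-SHA256 over the whole password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison
```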
What the fuck is wrong with Google?!!
Trying to log into Gmail.
Forgot password.
Gmail: To reset, code from authenticator app is required.
Me: Super. Good thing I set it up.
Enters code.
Gmail: Recovery email.
Me: Uh... Forgot that too.
Gmail: Some email address to communicate.
Me: Super!
Enters some other email address.
Receives mail with a link.
Me: Finally!
Opens link
Gmail: "When did you create your account?"
Me: Uh... If I had that kind of memory, we wouldn't be dancing right now.
.
.
.
Gmail: Sorry we couldn't verify you.
WHAT THE FUCK, GOOGLE?!
What sort of sadist play is this?!
Dropped them a mail to get access back. Got a link in the auto reply that explains how to repeat the above process. WTF?!
What the actual fuck?!
-
IT department of client still doesn't get its shit together. Previously, I've ranted that they insist I access their GitLab through a fucking RDP.
Me: requests an account to their Confluence space
Them: give me a Confluence account. Naturally, Confluence requests that I confirm my email. That needs to be confirmed in the inbox of my.name@theircompany.com. Mail servers hosted by Azure, using Outlook.
Me: ok, let's configure my Outlook, 2FA as they configured to demand it from me... install MS's authenticator app, ok so far so good... Now I'm ready to login and find that email from Confluence and... ERROR 500 INVALID LICENSE
Fucking hell. You just love your siloes so much you actually make it impossible to access it and feel good about my own good will. -
Opened up the authenticator on my watch yesterday and one of the codes (yes, this is when you can use the plural of the word 'code') was 7000000. Unfortunately I wasn't able to snap a photo of it... :(
-
The annoying thing about using Google Authenticator for everything 2FA, when your phone factory resets itself, you lose EVERYTHING!!!
AGHHHHHH
-
Short angry rant
What the fuck is wrong with the SalesForce Authenticator logic?! How in the hell do you fuck up a simple 2FA system this hard?!!
Login -> Waiting for Notification... nothing... -> Reload Page -> Login -> Waiting for Notification... nothing -> Click "Use Code instead"... nothing happens... -> Reload Page -> Login -> don't even wait for notification and just press "Use Code instead"... nothing -> Reload Page -> Notice there's a "Use Code" button on this page as well -> Finally be able to log into the fucking Aloha piece of shit...
How TF is it that Duo is able to send me a push notification within 1 second and it ALWAYS works... and THIS FUCKING SHIT NEVER FUCKING WORKS THE FIRST TIME AND AT WORST JUST DOESN'T WORK AT ALL!!!!!
Fucking hell.... Don't offer me a push notification service if you don't know how to make one... jesus fucking christ... All of Salesforce security is fucking stupid, but at least the others mostly work, but this retarded piece of crap is making me actively surprised when it works on the first try... Maybe it's because I'm on a slow connection, but again Duo Mobile doesn't have this problem and works *instantly*... so what sort of retarded monkey coded the SF one I don't know, but I hope they are making better products now, because this is a disgrace to programming and security
-
Definitely the first Android app I decided to fork.
It was an open source OTP authenticator which hadn't been actively developed for 2 years at that point. At first I only did some small fixes and minor visual improvements, but by now it's evolved into its own project with a lot of contributors and users on both Google Play and F-Droid.
When I started I had no knowledge of Java or Android development whatsoever. So it basically forced me to learn lots of new stuff, especially once issues started to come in. By now I've learned so much on this project that I'm thinking about re-writing the whole thing from scratch because I question some of the design choices from the original app I forked...
Github: https://github.com/andOTP/andOTP
-
I've got a kinda basic networking question I can't quite figure out
How does a push notification work?
Like, on an Android app. A good example is an authenticator. Say I don't login to the service for 4 months.
Then, one day, I try to log into the web portal and it prompts me to accept the request on my authenticator app on my phone.
Immediately, there's a push notification on my phone.
Wtf.
Is there a socket open for 4 months? Does it send requests every few seconds for 4 months? I can't imagine that either of these options scale whatsoever: both horrendously waste bandwidth and server connections.
How the fuck does it work? I don't even have the first idea.
-
Dashlane is a fucking mess.
1. This fucker won’t sync.
2. This fucker requires you to pick the American state when you enter addresses, so no non-US addresses
3. This fucker uses a really bad vpn company under the hood as “its” vpn
4. This fucker somehow messed up the offline 2fa, the thing that students do successfully in their authenticator apps
I’m gonna go back to noo.js.org, that fucker will sync even without any connection, across an infinite number of devices, instantly. Yes, it does nothing but passwords, yes, you can’t change passwords, but at least you’re always synced. And it doesn’t sell your data because it doesn’t even have a server, let alone a database.
FUCK YOU DASHLANE
-
MS Teams with multiple work accounts account swap flow:
1. Try to close the company-bound login modal 10x while being fast enough to also close the main Teams window.
2. Realize it's not gonna work, so login with the account you don't want to be on.
3. Have to type your phone pincode then accept the MS Authenticator login, and retype your pin code.
4. Finally logged in just to log back out and get the generic account choice modal, so repeat steps 2 & 3 with the correct account.
-
That moment you set up 17 domains on SparkPost as an email delivery system
make your account secure with 2 factor authentication like a good infoSec enthusiast
Go on with your life
Having a Phone crash but nothing to worry because you made them backupz
Restore backupz
once again go on with your happy life.
Having to setup a different bounce action on sparkpost
logging in to sparkpost to make the adjustments
opening google authenticator
realising the backup you restored was before you added the sparkpost entry
mailing sparkpost asking to deactivate 2factor authentication
Having them tell me that they have no access to Google Authenticator so they can't help me, and all they can do for me is delete my account if I answer their 7569357 questions that I entered a year ago ..
--
You have access to your database, yes? You can delete my account but you can't adjust a fcking Boolean column from true to false? #@?#&!
Why even offer a feature you apparently have no control over. Stuff like this happens all the time and almost no one saves that fcking authenticator secret.
Make people use authenticators to keep the hackers out, forces them out instead.
-
Microsoft, please stop the incomprehensible work vs. school account stuff and if you want to mail me a login code, then please actually do send an email. What's wrong with Microsoft Teams and office always giving its users headaches already when trying to log in?
A customer sent me a "FindTime" link, something like Calendso / Calendly, but "powered" by Microsoft Office. Seems that their power is off again, like ever so often. Microsoft: "can't access your account: You can't sign in here with a personal account. Use your work or school account instead."
Okay, go to Bing, and search your error message. Try to use the Bing page to log in to my account: Microsoft: "We emailed a code." (No you didn't. At least I never received anything. And, yes, I did check my spam folder!) Microsoft: "Other ways to sign in: use Microsoft Authenticator".
me: "dear customer, please feel free to pick any time and date that matches your preference, as the FindTime link has been impossible to use".
How can Microsoft make me feel so dumb again, after more than 20 years as a developer? Have they ever heard about usability?
-
I love how using the Windows authenticator app sometimes just ends with a "denied" status despite doing everything right to approve the request because, of course. Do it again.