Transcript
A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the Microsoft Authenticator app.
The commenter above you had lost their phone and was supposed to log in using this same phone.
They only got access to the account again due to chance, i.e. someone else found their phone.
(There likely is some sort of backup mechanism, but apparently it’s sufficiently well hidden.)
Yeah, I read the story, so I’m aware of the plot.
My comment was aimed at removing MFA completely because OP had a problem once. That is a bad idea and I expressed that by making a joke about using a very bad password because I couldn’t remember my actual password which is also a bad idea.
Google (as any other provider) used the phone option for MFA first because that’s what OP had been using multiple times before they lost their phone. OP wasn’t “supposed to log in using the same phone”, Google just offered the default way that had been used before. OP didn’t see the other login options and went on the internet to tell everybody how stupid Google is and proceeded to smugly proclaim they removed MFA entirely due to Google’s stupidity which inadvertently revealed OP’s less smart decision I made fun of.
The “Try another way” option is literally right below the input field and one of two links displayed at this point (try it out, go to google.com in a private window and enter your password. The other link is “Resend it”.). It’s not hidden at all and OP had more choices than a stranger finding their phone but they never realized it. But again, that’s not my point. My point is that removing MFA because you had trouble logging in without your phone one time is a bad idea which is why I made a joke about that.
Yeah you know everything, asshole. Including when my story occurred and that nothing has changed about the UI since. You also know that panicking that your trip being ruined by a lost phone is no reason to have trouble using a shitty UI which is so densely created that it mirrors the post we are commenting on.
The way you said everything in this thread assures everyone you’re a prick. I’m glad you feel so good about it though.
I can’t get over how god-damn offended you are by a joke. I don’t need to take your insults just because I pointed out your bad security decision in an unflattering way.
I don’t know everything but I know how MFA works and backup codes have literally been implemented since day one.
Let me remind you that my joke was about your decision to disable MFA, not anything else you’re so eager to accuse me of here.
You didn’t actually miss the “I can’t use my Auth app right now” link, though. Come on.
I don’t go around calling people names because I can’t take a joke, so at least I’ve got that going for me.