[HN Gopher] Can't sign in with FIDO2 key on office.com
___________________________________________________________________

Author : rettichschnidi
Score  : 117 points
Date   : 2023-12-02 21:45 UTC (1 hours ago)

(HTM) web link (bugzilla.mozilla.org)
(TXT) w3m dump (bugzilla.mozilla.org)

| grenoire wrote:
| Do these guys run integration tests of any kind? Makes it easy to
| assume malice in breaking fundamental features.

| campbel wrote:
| Random stuff breaking or things not working quite right is to
| be expected with Microsoft products.

| Waterluvian wrote:
| Office 365 Calendar broke for me a few weeks back and is
| still unusable. It forcibly leaps me weeks ahead whenever I
| try to scroll to today's date. I literally cannot view my
| work calendar on my phone anymore.
|
| I often wonder if they're even capable of knowing there's an
| issue.

| jiggawatts wrote:
| > integration tests of any kind
|
| No!
|
| Microsoft famously fired their entire QA team. Also... their
| technical writing team. And then they outsourced both support
| and the bulk of their development to India.
|
| You get what you pay for, and right now Microsoft is variously
| paying either zero or very little.

| ilrwbwrkhv wrote:
| Microsoft devs have a reputation of being quite sub par.

| Rygian wrote:
| Now that you mention malice, here's a smoking gun, from the
| linked bug report:
|
| > (it's not an issue with Firefox's implementation. This can be
| > demonstrated by spoofing the useragent as a Chromium-based
| > browser and attempting the same login flow [...]).

| swells34 wrote:
| How is that a smoking gun indicating malice?

| DoctorOW wrote:
| Because it is not a bug or mistake in the code but a
| deliberate loss in functionality based only on the name of
| the browser.

| eNV25 wrote:
| It means that the website doesn't work in Firefox
| intentionally. The website was programmed to not work with
| Firefox user agent string.

| 13of40 wrote:
| Is firefox blacklisted or are chrome and edge
| whitelisted?

| swells34 wrote:
| Ah I see, I thought the parent poster meant malice on the
| part of Mozilla, got confused by bouncing between comment
| threads. I could see malice, since it is Microsoft, but
| what's the "why" of it? I don't really see any motivation
| that M$ would have to block Mozilla, all it's going to do
| is piss off users. It's not like people are gonna get fed
| up and switch to Edge, they'll get fed up and switch to
| Chrome. If anything, M$ has a great incentive to improve
| Firefox adoption. The market that uses FF is the same
| market that is never going to choose Edge. FF and Edge
| both have a much better position if they can damage
| Chrome's market share.

| Rygian wrote:
| The cynic in me says we will understand the motivation in
| some antitrust trial one of these years.

| Rygian wrote:
| Changing behavior based on user agent is necessarily
| intentional on the part of Microsoft.
|
| That check lies somewhere along the line between "having
| the direct goal of breaking authentication flow (pure
| malice)" and "is a completely legitimate programming error
| (pure incompetence)."
|
| I am not ready to assume pure incompetence (and here's
| where I might be wrong).

| toomuchtodo wrote:
| File an FTC complaint. This is potentially anti competitive
| behavior with a digital paper trail. Microsoft will ignore
| randos, so engage a regulator.
|
| https://reportfraud.ftc.gov/

| dymk wrote:
| Smoking gun is a leaked memo indicating the behavior is meant
| to break Firefox in this specific way

| esafak wrote:
| Meanwhile their TOTP uses a nonstandard "ms-msa" protocol,
| forcing you to use their authentication application.
|
| https://1password.community/discussion/139501/one-time-passw...

| okasaki wrote:
| I use FreeOTP with it just fine.

| olyjohn wrote:
| I use Keepass with it just fine.

| aetherspawn wrote:
| Works fine with 1Password One Time password.

| Analemma_ wrote:
| Can someone from Microsoft share why the login flow on all things
| Office/O365 is such a disaster? No other major company is so bad
| about this. You get bounced between a half-dozen domains (which I
| assume is somehow the root cause of the issue here), the "keep me
| signed in" check box literally does nothing, and so on. And you
| can't even blame it on trying to integrate incompatible legacy
| systems, this is all on Microsoft's first-party services.

| jiggawatts wrote:
| The latest madness is that logging on to Azure Portal with
| Firefox requires about ten clicks on the user name.
|
| As in: I log in, jump through the MFA hoops, and then _it goes
| back to the list of user names_ to make me re-select the
| account I just used to log in.
|
| Mind you, it always did this, which meant that I couldn't just
| open a Portal link in a new tab -- I'd have to select my
| account (again) for each tab.
|
| But now I have to click at least ten times!
|
| It's broken.
|
| _Authentication_ is broken and there's no one at the wheels.

| nathanaldensr wrote:
| There are probably no actual wheels to begin with, knowing
| Microsoft.

| esafak wrote:
| I have spent weeks just trying to log onto Teams to communicate
| with an MS contracting shop. I still have not managed to log
| in. It is infuriating beyond belief.

| magicalhippo wrote:
| > You get bounced between a half-dozen domains
|
| At work one of the cdn domains they use fails to resolve until
| it suddenly works. Haven't bothered to look into it yet, but
| generally takes about 10-15 minutes to sign into anything
| related to Azure AD / Office365.
|
| Can resolve it just fine on the command line, just in the
| browser where it doesn't work.

| tremon wrote:
| Same with the Azure Portal, I can regularly DoS microsoft by
| opening the portal from a bookmark in Edge, or by switching
| Azure tenants (via the official button, which has also seen
| three different locations in the past year).
| It signs in, loads
| the intended page, then redirects to the home page, which
| performs the sign-in again, then redirects to the Azure portal
| welcome screen, which redirects to the home page, which
| performs the sign-in again -- at which point Microsoft usually
| "solves" the redirect loop by informing me that I've tried to
| login too many times and I should try again in five minutes.
|
| With the additional bonus that even after things miraculously
| stabilize, I'm not on the page I wanted to go but on the
| welcome screen. Pasting the intended link again in the browser
| bar seems to have a 10% chance of triggering the redirect loop
| again. It's so comically bad, I'm glad my employer is paying me
| for my time and not my productivity.

| leokennis wrote:
| And the domains look ancient or shady as well. Live.com,
| aka.ms, msn.com...if you didn't already know they were genuine
| Microsoft accounts you'd be smart to assume you were being
| scammed.

| ano-ther wrote:
| They also introduced 2F verification pop ups that don't show up
| in the task bar and are therefore not selectable when they are
| behind another window.

| riffic wrote:
| 8 months old too

| Waterluvian wrote:
| So is it definitely not a Mozilla issue but there's no sensible
| issue tracker for it as a Microsoft issue?
|
| You seem understandably frustrated. :/

| badrabbit wrote:
| Damn, I depend on this. I tried to use fido2 on my flipperzero,
| MS blocks that as well. Kind of a bummer when you think about it
| with companies picking and choosing what keys/clients to allow
| when it should be up to the user.

| solardev wrote:
| Unpopular question: At what point should companies officially
| deprecate support for a minority browser?
|
| Firefox is down to like 6% marketshare, barely above (what's left
| of) Opera. Even Edge has nearly twice the usage.
|
| Is it reasonable to expect a company to go out of their way to spend
| resources fixing something that works fine for 94% of their
| users, using any of several alternate browsers?
|
| And this is Microsoft after all, the same company that's been
| through multiple browser wars and finally caved and joined the
| Blink family. Why should they care about Firefox?

| realusername wrote:
| > Why should they care about Firefox?
|
| Maybe that's a question for them to answer since they actively
| block it with user agent checks
|
| If they truly did not care about Firefox, it would have
| worked.

| worble wrote:
| At what point are Firefox going to drop having a unique
| user-agent and just adopt Chrome's? There are so many support
| issues they could avoid if they just did this, I really don't
| see what the benefit is anymore.

| realusername wrote:
| I'm not against the idea personally, the user agent doesn't
| have a purpose anymore and probably is the number one cause
| of "bugs" only affecting Firefox.
|
| It's the same issue on mobile as well, Google still serves
| the dumbed down search version to Firefox whereas the one
| they serve on Chrome fully works with a user agent change.

| mdaniel wrote:
| what's old is new again:
| https://webaim.org/blog/user-agent-string-history/
|
| so, what I'm hearing is that FF should change its current
| U-A from
| `Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0`
| to just `Mozilla/5.0` and skip the pretense :-)
|
| In all seriousness, Chrome/Chromium actually had a plan to
| do some U-A simplification
| <https://www.chromium.org/updates/ua-reduction/> but it
| doesn't appear they're going as far as evicting the Chrome
| branding from it, nor (confusingly enough) dropping the
| Safari misnomer (since they don't use WebKit anymore)

| hooverd wrote:
| They care enough to make it specifically /not/ work on
| Firefox, because it works if Firefox lies about what it is.

| db48x wrote:
| They actually went out of their way to block Firefox here. The
| authentication protocol is a standard supported by all
| browsers, and if you change the user-agent string to look like
| Chrome's then magically it starts working again.

| recursive wrote:
| So I guess Safari would go too?

| kstrauser wrote:
| 6% of 5 billion is disregarding about 300 million users.
|
| Should MS care enough about 300 megausers to make sure their
| login flow works? Uh, yeah.

| forgotmypw17 wrote:
| My personal opinion, as a foss developer who does more than 90%
| of the commits on a relatively complicated Web application, is:
| NEVER. I have committed myself to supporting every browser in
| every configuration, because anything less is non-inclusive and
| assumptive about the user's abilities and capabilities. I will
| always bend over backwards to accommodate every user, because I
| want the experience of visiting my websites to be like that of
| a luxury hotel that caters to every need, rather than project
| housing or prison that forces to conform. I also think it is
| rather rude to assume that the user can change anything about
| their setup. I think of this type of accommodation as
| wheelchair ramps, which serve only a small demographic, but are
| pretty much universally agreed upon as being necessary.
|
| And yes, I support Internet Explorer, Lynx, and NetSurf.

| sgift wrote:
| > Is reasonable to expect a company to go out of their way to
| > spend resources fixing something that works fine for 94% of
| > their users, using any of several alternate browsers?
|
| Out of their way implies they have to do anything more than
| implement the standard and don't do browser sniffing, which has
| always been a bad practice and especially since feature testing
| has become more widespread. A sibling comment highlighted the
| part that it works if the user-agent is changed to Chrome.
|
| So, here's my take to your original question: If a feature has
| a backing standard, companies, especially those above a certain
| size, should be forced to follow the standard for that feature
| and not include any kind of "only allow using this feature if
| we have tested it in the browser" code. If the company states
| they cannot do that (cause they have a policy to only allow
| features in browsers they've tested or whatever), they should
| be forced to support _everyone_.
|
| Another good reason to force support for everyone should be if
| the company has their own browser.

| bastard_op wrote:
| It's Microsoft's typical passive-aggressive way of trying to drum
| up users for edge being a chrome clone now, since begging you to
| stay didn't work when the only thing you use edge for is to
| download another browser. What else is new?

___________________________________________________________________
(page generated 2023-12-02 23:00 UTC)
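
Added example, not part of the thread and not Microsoft's code: several comments above contrast user-agent sniffing with feature testing for a standard API. The sketch below gates a WebAuthn (FIDO2) sign-in option both ways over three constructed environments. The function names, the allowlist pattern, the Chrome-style UA string and the "no WebAuthn" case are assumptions made for illustration.

```javascript
// Hypothetical gate: offer the security-key option only to allowlisted UAs.
// The pattern is constructed; the page does not show the real check.
function uaSniffGate(userAgent) {
  return /\b(Chrome|Edg)\/\d+/.test(userAgent);
}

// Feature detection: offer the option when the WebAuthn API is actually there.
function featureGate(env) {
  const creds = env.navigator && env.navigator.credentials;
  return env.isSecureContext === true &&            // WebAuthn needs a secure context
    typeof env.PublicKeyCredential === "function" &&
    Boolean(creds) &&
    typeof creds.create === "function" &&
    typeof creds.get === "function";
}

// Build a stand-in for `window` so the comparison runs outside a browser.
function makeEnv(label, userAgent, hasWebAuthn) {
  const credentials = hasWebAuthn ? { create() {}, get() {} } : undefined;
  return {
    label,
    isSecureContext: true,
    PublicKeyCredential: hasWebAuthn ? function PublicKeyCredential() {} : undefined,
    navigator: { userAgent, credentials },
  };
}

const FIREFOX_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) " +
  "Gecko/20100101 Firefox/120.0";                   // UA quoted in the thread
const CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"; // constructed sample

const SAMPLE_ENVS = [                               // all three are constructed
  makeEnv("Firefox, WebAuthn present", FIREFOX_UA, true),
  makeEnv("Firefox spoofing Chrome UA", CHROME_UA, true),
  makeEnv("Chrome-like UA, no WebAuthn", CHROME_UA, false),
];

// Run both gates over each environment and return one row per environment.
function compareGates(envs) {
  return envs.map((env) => ({
    label: env.label,
    uaSniff: uaSniffGate(env.navigator.userAgent),
    featureDetect: featureGate(env),
  }));
}

console.table(compareGates(SAMPLE_ENVS));
```

In a page, the call is featureGate(window). The first row is the failure from the linked bug report; the third is the opposite error a UA allowlist makes, offering the option where the API is absent.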