[HN Gopher] Can't sign in with FIDO2 key on office.com
       ___________________________________________________________________
        
       Can't sign in with FIDO2 key on office.com
        
       Author : rettichschnidi
       Score  : 117 points
       Date   : 2023-12-02 21:45 UTC (1 hours ago)
        
 (HTM) web link (bugzilla.mozilla.org)
        
       | grenoire wrote:
       | Do these guys run integration tests of any kind? Makes it easy to
       | assume malice in breaking fundamental features.
        
         | campbel wrote:
         | Random stuff breaking or things not working quite right is to
         | be expected with Microsoft products.
        
           | Waterluvian wrote:
           | Office 365 Calendar broke for me a few weeks back and is
           | still unusable. It forcibly leaps me weeks ahead whenever I
           | try to scroll to today's date. I literally cannot view my
           | work calendar on my phone anymore.
           | 
           | I often wonder if they're even capable of knowing there's an
           | issue.
        
         | jiggawatts wrote:
         | > integration tests of any kind
         | 
         | No!
         | 
         | Microsoft famously fired their entire QA team. Also... their
         | technical writing team. And then they outsourced both support
         | and the bulk of their development to India.
         | 
         | You get what you pay for, and right now Microsoft is variously
         | paying either zero or very little.
        
         | ilrwbwrkhv wrote:
         | Microsoft devs have a reputation of being quite sub par.
        
         | Rygian wrote:
         | Now that you mention malice, here's a smoking gun, from the
         | linked bug report:
         | 
         | > (it's not an issue with Firefox's implementation. This can be
         | demonstrated by spoofing the useragent as a Chromium-based
         | browser and attempting the same login flow [...]).
        
           | swells34 wrote:
           | How is that a smoking gun indicating malice?
        
             | DoctorOW wrote:
             | Because it is not a bug or mistake in the code but a
             | deliberate loss in functionality based only on the name of
             | the browser.
        
             | eNV25 wrote:
             | It means that the website doesn't work in Firefox
              | intentionally. The website was programmed to not work with
              | the Firefox user agent string.
        
               | 13of40 wrote:
                | Is Firefox blacklisted or are Chrome and Edge
                | whitelisted?
        
               | swells34 wrote:
               | Ah I see, I thought the parent poster meant malice on the
               | part of Mozilla, got confused by bouncing between comment
               | threads. I could see malice, since it is Microsoft, but
               | what's the "why" of it? I don't really see any motivation
               | that M$ would have to block Mozilla, all it's going to do
               | is piss off users. It's not like people are gonna get fed
               | up and switch to Edge, they'll get fed up and switch to
               | Chrome. If anything, M$ has a great incentive to improve
               | Firefox adoption. The market that uses FF is the same
               | market that is never going to choose Edge. FF and Edge
               | both have a much better position if they can damage
               | Chrome's market share.
        
               | Rygian wrote:
               | The cynic in me says we will understand the motivation in
               | some antitrust trial one of these years.
        
             | Rygian wrote:
             | Changing behavior based on user agent is necessarily
             | intentional on the part of Microsoft.
             | 
             | That check lies somewhere along the line between "having
             | the direct goal of breaking authentication flow (pure
             | malice)" and "is a completely legitimate programming error
             | (pure incompetence)."
             | 
             | I am not ready to assume pure incompetence (and here's
             | where I might be wrong).
        
           | toomuchtodo wrote:
           | File an FTC complaint. This is potentially anti competitive
           | behavior with a digital paper trail. Microsoft will ignore
           | randos, so engage a regulator.
           | 
           | https://reportfraud.ftc.gov/
        
           | dymk wrote:
           | Smoking gun is a leaked memo indicating the behavior is meant
           | to break Firefox in this specific way
        
       | esafak wrote:
       | Meanwhile their TOTP uses a nonstandard "ms-msa" protocol,
       | forcing you to use their authentication application.
       | 
       | https://1password.community/discussion/139501/one-time-passw...
        
         | okasaki wrote:
         | I use FreeOTP with it just fine.
        
         | olyjohn wrote:
         | I use Keepass with it just fine.
        
         | aetherspawn wrote:
         | Works fine with 1Password One Time password.
        
       | Analemma_ wrote:
       | Can someone from Microsoft share why the login flow on all things
       | Office/O365 is such a disaster? No other major company is so bad
       | about this. You get bounced between a half-dozen domains (which I
       | assume is somehow the root cause of the issue here), the "keep me
       | signed in" check box literally does nothing, and so on. And you
       | can't even blame it on trying to integrate incompatible legacy
       | systems, this is all on Microsoft's first-party services.
        
         | jiggawatts wrote:
         | The latest madness is that logging on to Azure Portal with
         | Firefox requires about ten clicks on the user name.
         | 
         | As in: I log in, jump through the MFA hoops, and then _it goes
         | back to the list of user names_ to make me re-select the
         | account I just used to log in.
         | 
         | Mind you, it always did this, which meant that I couldn't just
         | open a Portal link in a new tab -- I'd have to select my
         | account (again) for each tab.
         | 
         | But now I have to click at least ten times!
         | 
         | It's broken.
         | 
         |  _Authentication_ is broken and there's no one at the wheels.
        
           | nathanaldensr wrote:
           | There are probably no actual wheels to begin with, knowing
           | Microsoft.
        
         | esafak wrote:
         | I have spent weeks just trying to log onto Teams to communicate
         | with an MS contracting shop. I still have not managed to log
         | in. It is infuriating beyond belief.
        
         | magicalhippo wrote:
         | > You get bounced between a half-dozen domains
         | 
         | At work one of the cdn domains they use fails to resolve until
         | it suddenly works. Haven't bothered to look into it yet, but
         | generally takes about 10-15 minutes to sign into anything
         | related to Azure AD / Office365.
         | 
         | Can resolve it just fine on the command line, just in the
         | browser where it doesn't work.
        
         | tremon wrote:
         | Same with the Azure Portal, I can regularly DoS microsoft by
         | opening the portal from a bookmark in Edge, or by switching
         | Azure tenants (via the official button, which has also seen
         | three different locations in the past year). It signs in, loads
         | the intended page, then redirects to the home page, which
         | performs the sign-in again, then redirects to the Azure portal
         | welcome screen, which redirects to the home page, which
          | performs the sign-in again -- at which point Microsoft usually
         | "solves" the redirect loop by informing me that I've tried to
         | login too many times and I should try again in five minutes.
         | 
         | With the additional bonus that even after things miraculously
         | stabilize, I'm not on the page I wanted to go but on the
         | welcome screen. Pasting the intended link again in the browser
         | bar seems to have a 10% chance of triggering the redirect loop
         | again. It's so comically bad, I'm glad my employer is paying me
         | for my time and not my productivity.
        
         | leokennis wrote:
         | And the domains look ancient or shady as well. Live.com,
         | aka.ms, msn.com...if you didn't already know they were genuine
         | Microsoft accounts you'd be smart to assume you were being
         | scammed.
        
         | ano-ther wrote:
         | They also introduced 2F verification pop ups that don't show up
         | in the task bar and are therefore not selectable when they are
         | behind another window.
        
       | riffic wrote:
       | 8 months old too
        
       | Waterluvian wrote:
       | So is it definitely not a Mozilla issue but there's no sensible
       | issue tracker for it as a Microsoft issue?
       | 
       | You seem understandably frustrated. :/
        
       | badrabbit wrote:
       | Damn, I depend on this. I tried to use fido2 on my flipperzero,
       | MS blocks that as well. Kind of a bummer when you think about it
       | with companies picking and choosing what keys/clients to allow
       | when it should be up to the user.
        
       | solardev wrote:
       | Unpopular question: At what point should companies officially
       | deprecate support for a minority browser?
       | 
       | Firefox is down to like 6% marketshare, barely above (what's left
       | of) Opera. Even Edge has nearly twice the usage.
       | 
        | Is it reasonable to expect a company to go out of their way to
        | spend
       | resources fixing something that works fine for 94% of their
       | users, using any of several alternate browsers?
       | 
       | And this is Microsoft after all, the same company that's been
       | through multiple browser wars and finally caved and joined the
       | Blink family. Why should they care about Firefox?
        
         | realusername wrote:
         | > Why should they care about Firefox?
         | 
         | Maybe that's a question for them to answer since they actively
         | block it with user agent checks
         | 
          | If they truly did not care about Firefox, it would have
          | worked.
        
           | worble wrote:
            | At what point are Firefox going to drop having a unique
            | user-agent and just adopt Chrome's? There are so many support
            | issues they could avoid if they just did this, I really don't
            | see what the benefit is anymore.
        
             | realusername wrote:
             | I'm not against the idea personally, the user agent doesn't
             | have a purpose anymore and probably is the number one cause
             | of "bugs" only affecting Firefox.
             | 
             | It's the same issue on mobile as well, Google still serves
             | the dumbed down search version to Firefox whereas the one
             | they serve on Chrome fully works with a user agent change.
        
             | mdaniel wrote:
              | what's old is new again: https://webaim.org/blog/user-agent-string-history/
             | 
             | so, what I'm hearing is that FF should change its current
             | U-A from `Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;
             | rv:120.0) Gecko/20100101 Firefox/120.0` to just
             | `Mozilla/5.0` and skip the pretense :-)
             | 
             | In all seriousness, Chrome/Chromium actually had a plan to
             | do some U-A simplification
             | <https://www.chromium.org/updates/ua-reduction/> but it
             | doesn't appear they're going as far as evicting the Chrome
             | branding from it, nor (confusingly enough) dropping the
             | Safari misnomer (since they don't use WebKit anymore)
        
         | hooverd wrote:
          | They care enough to make it specifically /not/ work on
          | Firefox, because it works if Firefox lies about what it is.
        
         | db48x wrote:
         | They actually went out of their way to block Firefox here. The
         | authentication protocol is a standard supported by all
         | browsers, and if you change the user-agent string to look like
         | Chrome's then magically it starts working again.
        
         | recursive wrote:
         | So I guess Safari would go too?
        
         | kstrauser wrote:
         | 6% of 5 billion is disregarding about 300 million users.
         | 
         | Should MS care enough about 300 megausers to make sure their
         | login flow works? Uh, yeah.
        
         | forgotmypw17 wrote:
         | My personal opinion, as a foss developer who does more than 90%
          | of the commits on a relatively complicated Web application, is:
         | NEVER. I have committed myself to supporting every browser in
         | every configuration, because anything less is non-inclusive and
         | assumptive about the user's abilities and capabilities. I will
         | always bend over backwards to accommodate every user, because I
         | want the experience of visiting my websites to be like that of
         | a luxury hotel that caters to every need, rather than project
          | housing or prison that forces you to conform. I also think it is
         | rather rude to assume that the user can change anything about
         | their setup. I think of this type of accommodation as
         | wheelchair ramps, which serve only a small demographic, but are
         | pretty much universally agreed upon as being necessary.
         | 
         | And yes, I support Internet Explorer, Lynx, and NetSurf.
        
         | sgift wrote:
          | > Is it reasonable to expect a company to go out of their way
          | to spend resources fixing something that works fine for 94% of
          | their users, using any of several alternate browsers?
         | 
         | Out of their way implies they have to do anything more than
         | implement the standard and don't do browser sniffing, which has
         | always been a bad practice and especially since feature testing
         | has become more widespread. A sibling comment highlighted the
         | part that it works if the user-agent is changed to Chrome.
         | 
         | So, here's my take to your original question: If a feature has
         | a backing standard, companies, especially those above a certain
         | size, should be forced to follow the standard for that feature
         | and not include any kind of "only allow using this feature if
         | we have tested it in the browser" code. If the company states
         | they cannot do that (cause they have a policy to only allow
         | features in browsers they've tested or whatever), they should
         | be forced to support _everyone_.
         | 
         | Another good reason to force support for everyone should be if
         | the company has their own browser.
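The contrast sgift draws between browser sniffing and feature testing, and the bug report's observation that the flow works once the user agent looks Chromium-based, can be shown in a few lines. The following is an added example written for this page; it is not code from the bug report, from Mozilla, or from Microsoft. It compares a user-agent allow-list against a capability check for the WebAuthn API (`PublicKeyCredential` and `navigator.credentials.get`) over constructed browser profiles. The Firefox user-agent string is the one mdaniel quotes above; the other two strings and the allow-list tokens are assumptions made for the example, and the window-like objects are passed in so the logic runs under Node without a browser.

```javascript
// Added example (not from the bug report, Mozilla, or Microsoft): two ways a
// login page can decide whether to offer a "sign in with security key" option.
// Browser profiles are constructed for the demonstration; only the Firefox
// user-agent string is taken from the thread, the rest are assumed shapes.

// Strategy 1: user-agent sniffing with an allow-list (the anti-pattern the
// thread describes). Any browser whose UA lacks an allow-listed token is
// refused, whether or not it implements WebAuthn.
const ALLOWED_UA_TOKENS = ["Chrome/", "Edg/"]; // assumed allow-list for the example

function offersSecurityKeyBySniffing(userAgent) {
  return ALLOWED_UA_TOKENS.some((token) => userAgent.includes(token));
}

// Strategy 2: feature detection. In a real page `win` is `window`; the
// WebAuthn interface and the Credential Management API are checked directly,
// so the answer does not depend on what the UA string claims.
function offersSecurityKeyByFeature(win) {
  return (
    typeof win.PublicKeyCredential === "function" &&
    typeof win.navigator?.credentials?.get === "function"
  );
}

// Build a minimal window-like profile. `webauthn` controls whether the
// WebAuthn interfaces exist, independently of the UA string.
function makeProfile(name, userAgent, webauthn) {
  const win = { navigator: { userAgent } };
  if (webauthn) {
    win.PublicKeyCredential = function PublicKeyCredential() {};
    win.navigator.credentials = { get: async () => null, create: async () => null };
  }
  return { name, win };
}

const PROFILES = [
  // UA string as quoted in the thread; implements WebAuthn.
  makeProfile(
    "Firefox 120",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0",
    true
  ),
  // Constructed Chromium-style UA; implements WebAuthn.
  makeProfile(
    "Chromium-based",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    true
  ),
  // Constructed: Chromium-style UA from a build that predates WebAuthn support.
  makeProfile(
    "Old Chromium-style, no WebAuthn",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
    false
  ),
];

// Run both strategies over every profile and flag where they disagree.
function compareStrategies(profiles = PROFILES) {
  return profiles.map(({ name, win }) => {
    const bySniffing = offersSecurityKeyBySniffing(win.navigator.userAgent);
    const byFeature = offersSecurityKeyByFeature(win);
    return { name, bySniffing, byFeature, disagree: bySniffing !== byFeature };
  });
}

for (const row of compareStrategies()) {
  console.log(
    `${row.name}: sniffing=${row.bySniffing} feature=${row.byFeature}` +
      (row.disagree ? "  <-- strategies disagree" : "")
  );
}
```

The sniffing strategy gets two of the three profiles wrong in opposite directions: it refuses Firefox, which implements the standard, and accepts the old Chromium-style build, which would then fail at `navigator.credentials.get` time. The capability check is right in all three cases, and a changed UA string makes no difference to it, which is why the spoofing observation in the bug report points at sniffing rather than at Firefox's WebAuthn implementation. In a real page the same check is `typeof window.PublicKeyCredential === "function"`, and a server that needs an extra signal should fall back gracefully rather than hard-fail on an unrecognised browser.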
        
       | bastard_op wrote:
       | It's Microsoft's typical passive-aggressive way of trying to drum
       | up users for edge being a chrome clone now, since begging you to
       | stay didn't work when the only thing you use edge for is to
       | download another browser. What else is new?
        
       ___________________________________________________________________
       (page generated 2023-12-02 23:00 UTC)