@glyph Did you quote post something?
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph Because nothing else worked I had to activate Win11 by reading 20 sets of 6-digit numbers/letters to a chat-bot, which repeated every set to make sure it understood correctly. 20 minutes of yelling a random word salad at your phone while everyone around you laughs maniacally is hard and a bit humiliating. It is nothing compared to your experience, but goes to show that fucking around with users is intentional.
-
@aburka re: "successor account" I am just referring to features like this https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/repository-access-and-collaboration/maintaining-ownership-continuity-of-your-personal-accounts-repositories and this https://support.apple.com/en-us/102631 and this https://myaccount.google.com/inactive
@aburka basically when you manage your credentials on a website, you actually need to understand edge cases like "how does this website decide if I'm dead so they know when to release my data to my heirs" or "what 'reset' credentials can completely obviate all security on this account". like if you're setting up super hardcore device-bound passkey MFA for some site, but actually a simple simjacking attack can grab a "reset" SMS, it's important to *know* that
-
@aburka you can't understand all that stuff if you can't rehearse it, and you should not need to *re-learn it* for every single website you have to have an account with in order to buy microtransaction tokens for a game your kid plays
-
@nik @agowa338 speaking from personal experience, let me just assure you that "become the enemy of joy" is not a great way to win people over to the cause of free software. I would also encourage you to learn about parents' only realistic alternative to Minecraft in terms of all-ages gameplay; the title may give you some idea of why I prefer the devil I know in Microsoft in this case: https://hindenburgresearch.com/roblox/
-
Two things.
1) Who is there bullying developers to boycott it? WTF?!? That sounds a bit extreme considering the platform is getting more and more annoying to use all by itself by the day...
2) I'm surprised that Microsoft hasn't forced GitHub to use Azure AD for Authentication by now too...
@agowa338 I didn't say "bullying", but if you're interested, here's the campaign. (I think it is misguided, because it severely misunderstands the kind of resource leverage that Github provides, but I can certainly understand why they do not consider Github a trustworthy infrastructure partner.) https://sfconservancy.org/GiveUpGitHub/
-
I will not continue this discussion as you seem to underestimate the experience I have in this topic, and seem to lack experience in child-safe, open gaming yourself (you could ask for it, but chose to discredit me instead).
(Just one hint: I have a truckload of parents and children here who simply insist on playing MineClonia instead, and it works in all cases.)
-
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
@glyph I agree there and also educating site owners (and have the IdP vendors help) on how to present them coherently.
But also, the spec is deep and confusing and people still don't get the discoverable vs non-discoverable distinction and there isn't a clear delineation.
-
-
@glyph … and woe betide you if you have the misfortune to both (a) be a teacher in a school system that uses MS infrastructure, and (b) have children studying in the same school system. This appears to be a use case that MS authentication is unable to account for. It doesn’t matter what you’re trying to do - you’re logged into the “other” system, and trying to correct things only makes things worse. Incognito browsing and/or completely separate browsers appear to be the only solution.
Ask me how I know.
@freakboy3742 so, I have not experienced this *exact* alignment of misfeatures, but, let's just say that I have experienced a … sufficiently resonant set of circumstances with this particular system that I am nodding along, grinning amiably as I read this toot, trembling almost imperceptibly and with just the littlest bit of blood trickling out of one of my ears
-
@freakboy3742 I can't even fully explain the _full_ disaster that led to this but suffice it to say that every time Microsoft wants to do anything with a passkey, I have to carefully navigate past an entry that reads "glyph (Microsoft) (Twisted) (Other)" in my password manager, and it can never under any circumstances be deleted
-
@glyph This is a very accurate description.
I somehow ended up with three different accounts, one of them split further into "personal" and "organization". Each one appears to have a different set of access rights.
I'm unable to reset the PW on the organizational account, because of some policy. But I'm asked to change that PW every few months, because that's policy too.
I'm pretty sure no real person ever set this up, and I'm not aware of any "admin" person I would be able to ask about it.
-
@freakboy3742 @glyph It beats even firefox containers?
-
if this is how most people encounter passkeys it’s no wonder that they fucking hate them. it feels like getting tricked. because it is getting tricked. I was tricked
@glyph every time i log in to minecraft (which is not often but anyway, on new computers), somehow i get to a stage in the auth process that says it's provisioning a new passkey for me (despite not clicking any passkey-related buttons anywhere in the process), and then it fails because it's an embedded web view and not a real browser. it really does feel like microsoft's login flow is really badly broken and that it mistakenly takes you to steps you did not ask for
-
this has nothing to do with copilot or AI or any specific systemic issue. it’s just a mountain of really infuriating but ultimately mundane failures. it’s tempting to diagnose some reason for this but it’s so badly broken that I really can’t imagine how it got this bad
@glyph I feel like at least a big part of how this happens has to come down to the fact that the average end user of Microsoft's software doesn't have a choice in the matter (because their employer is the one making the purchase decision, not them)
-
@glyph if i'm prompted to make a passkey i just assume they're going to store it on their server, not my machine. NO.
it always feels like a snow job.
-
@glyph I totally lost access to my work MS account because THEY had a login loop bug in Teams. Appeal denied. Second appeal denied. I’m just done with them. Client wants me to be in their Teams? Sorry.
-
granted, probably 1/3 of the difficulties here have to do with microsoft’s ill-conceived “think of the children” account system, and buying the game as a regular adult with a single account would have been massively easier. but still, you’d think that a PM somewhere in the org would have considered that it is *possible* that a child might want to play … minecraft
@glyph Yes absolutely. The trivial solution to this problem is teaching children you always lie about your age. All it ever took us when setting up this stuff was entering a password and copying a 2FA code from email.
-
> passkeys offer zero advantages over existing technology
what passkeys offer is cryptographic resistance to replay attacks. If you have a password, even if you have a TOTP code, you can be tricked into sharing it with an attacker, and the attacker can "replay" it back to the original site, taking over your account. The way they achieve this is that "the HTTPS domain name of the site that's asking" is baked into the key exchange; an attacker cannot trick your browser that way.
@glyph so there's some kind of challenge/response going on?
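An added example (my own construction, not code from anyone in this thread) of the challenge/response that glyph's post describes: the browser itself writes the real origin into the signed client data and refuses an rpId a page is not allowed to claim, so an assertion collected on a phishing origin, replayed after its challenge was consumed, or re-labelled with a fresh challenge all fail verification. The relying-party id, the origins, and an HMAC standing in for the credential's signature key are assumptions made for the simulation.

```python
import hashlib, hmac, json, os
RP_ID, RP_ORIGIN = "login.example", "https://login.example"   # constructed relying party
def sha256(b): return hashlib.sha256(b).digest()

class Authenticator:
    """Toy authenticator: an HMAC key stands in for the per-credential signing key."""
    def __init__(self):
        self.keys = {}                                   # rp_id -> credential key
    def register(self, rp_id):
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]                          # toy: the RP holds the same key
    def sign(self, rp_id, client_data):
        auth_data = sha256(rp_id.encode())               # rpIdHash, as in authenticatorData
        mac = hmac.new(self.keys[rp_id], auth_data + sha256(client_data), "sha256")
        return auth_data, mac.digest()
def browser_get(auth, page_origin, rp_id, challenge):
    """Browser: a page may only claim an rpId matching its host; the browser writes the real origin."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id}")
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data = json.dumps(cd).encode()
    return (client_data,) + auth.sign(rp_id, client_data)
class RelyingParty:
    def __init__(self, cred_key):
        self.cred_key, self.pending = cred_key, set()
    def new_challenge(self):
        c = os.urandom(16).hex(); self.pending.add(c); return c
    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
            return False                                 # signed for some other site
        if cd.get("challenge") not in self.pending:
            return False                                 # unknown or already-used challenge
        self.pending.discard(cd["challenge"])            # single use: no replay
        if auth_data != sha256(RP_ID.encode()):
            return False                                 # wrong rpId
        expect = hmac.new(self.cred_key, auth_data + sha256(client_data), "sha256").digest()
        return hmac.compare_digest(expect, sig)
def run_scenarios():
    auth = Authenticator(); rp = RelyingParty(auth.register(RP_ID))
    legit = browser_get(auth, RP_ORIGIN, RP_ID, rp.new_challenge())
    out = {"legit": rp.verify(*legit), "replay": rp.verify(*legit)}
    try:                                                 # phishing page relays a real challenge
        browser_get(auth, "https://login-example.evil", RP_ID, rp.new_challenge()); out["phish"] = True
    except PermissionError:
        out["phish"] = False                             # browser refuses before anything is signed
    cd = json.loads(legit[0]); cd["challenge"] = rp.new_challenge()   # old signature, fresh challenge
    out["tamper"] = rp.verify(json.dumps(cd).encode(), legit[1], legit[2])
    return out
```

Only the first, honest assertion verifies; the other three outcomes are the "replay" cases the post says passkeys rule out.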
-
@morgan @glyph You can definitely make Google accounts with non Google email addresses. I and other family members have a number of them, some even made recently. The setup process for a new phone might not allow creation of new Google accounts that way, but you can sign in to them on new phones and in general you can make them.
-
@aburka If you "use passkeys" as a normal person, even with something like 1password, there's a recovery path, even if you have only a single device. For example, the way that this works with Apple is that you drop your phone in a toilet, then when you get a new phone, you enter the *device passphrase for the old phone* to decrypt your iCloud Keychain locally, and it syncs down from the cloud. This doesn't work with Advanced Data Protection, but that is very much opt-in.
@glyph I think we're agreeing on this point -- the passkeys have to be backed up off-device