Cybersecurity

8813 readers

66 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

Outlook login 2FA behavior (lemmy.world)

submitted 2 years ago by Endor@lemmy.world to c/cybersecurity@sh.itjust.works

5 comments fedilink hide all child comments

Just got a 2FA prompt on my phone, asking me to select one of three numbers to log in.

Seeing how every other 2FA thing like this doesn't send those prompts unless you have entered the correct password I got quite concerned.

However, it seems that is the first thing you get after correctly entering your email address, tried on a separate computer that I have never used my email on with a VPN to another country, and I instantly got the 2FA prompt without entering my password.

Imo it's a very shit way to do it. I can see some pensioner or similar accidentally just clicking a number and then it's 1 in 3 they get in (assuming they have 2FA to begin with, but still.).

Anyway, figured I'd post it just in case someone else got spooked the same way. I'd also like to know if someone thinks it is a good idea having it work this way and why?

you are viewing a single comment's thread
view the rest of the comments

[–] Endor@lemmy.world 1 points 2 years ago* (last edited 2 years ago)

Right, what is described in that link is reasonable, none of those seem to have a reasonable chance of accidental approval (Even so I wouldn't want for them to appear without me entering my password.), but that's not what I got, while I doubt I personally would accidentally approve the 3 number one I got I can easily imagine someone doing it.

This kind of thing is what I got. https://janbakker.tech/number-matching-with-microsoft-authenticator-app-in-azure-mfa/ in the picture on that site it's also one fat-finger from granting access to an attacker should it have been someone else. EDIT: To be fair this is 2 clicks on what I get, doesn't change much though.

Also about the far away IP thing. I get this everywhere I try to log in, I tried my main PC and a separate PC on VPN in 3 different locations, not once did I have to enter my password for the prompt to appear on my phone.

I was gonna say, contrast this to Steam where I have to enter my username and password and only then get prompted to enter a 6 digit code from the phone on the PC where I want to log in. But they seem to have done away with the code for convenience (I assume) as well, anyway it's still better because I have to enter my password for the prompt to appear so I know that if it does appear my password is compromised (What I assumed had happened for my email.). Add to this that steam also has a QR code you can scan with your phone for instant login without entering your pass or username so they win on convenience anyway.