Transcript
A wafrn woot (post) by @tinker@infosec.exchange saying "Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers" It has a screenshot showing the microsoft authenticator app.
This is why I hate passkeys and authenticators (as mandatory requirements). The moment I lose my phone I’m just completely fucked with no recourse, in actual use case.
Yeah I had a beautiful moment trying to use Google's find my phone feature in another country when it asked me to use MFA on...my fucking phone. Turned off Google MFA forever after that near nightmare. Luckily another kind tourist found and turned in my phone to the nearest worker at the place I was visiting
Yeah, I also had a beautiful moment trying to use Google's find my phone feature in another country when I didn't know my password. Used "password123" after that near nightmare.
Security works best when it's really easy to get into my account even though I don't remember my credentials.
Bit of a shit take there really, that's not the same thing at all.
No, it's not the same thing at all. It's an analogous thing. Reducing account security because you lost your credential isn't very smart and that's the common denominator in both examples.
The commenter above you had lost their phone and was supposed to log in using this same phone.
They only got access to the account again due to chance, i.e. someone else found their phone.
(There likely is some sort of backup mechanism, but apparently it's sufficiently well hidden.)
Yeah, I read the story, so I'm aware of the plot.
My comment was aimed at removing MFA completely because OP had a problem once. That is a bad idea and I expressed that by making a joke about using a very bad password because I couldn't remember my actual password which is also a bad idea.
Google (as any other provider) used the phone option for MFA first because that's what OP had been using multiple times before they lost their phone. OP wasn't "supposed to log in using the same phone", Google just offered the default way that had been used before. OP didn't see the other login options and went on the internet to tell everybody how stupid Google is and proceeded to smugly proclaim they removed MFA entirely due to Google's stupidity which inadvertantly revealed OP's less smart decision I made fun of.
The "Try another way" option is literally right below the input field and one of two links displayed at this point (try it out, go to google.com in a private window and enter your password. The other link is "Resend it".). It's not hidden at all and OP had more choices than a stranger finding their phone but they never realized it. But again, that's not my point. My point is that removing MFA because you had trouble logging in without your phone one time is a bad idea which is why I made a joke about that.
Yeah you know everything, asshole. Including when my story occurred and that nothing has changed about the UI since. You also know that panicking that your trip being ruined by a lost phone is no reason to have trouble using a shitty UI which is so densely created that it mirrors the post we are commenting on.
The way you said everything in this thread assures everyone you're a prick. I'm glad you feel so good about it though