Can't sign in with FIDO2 key on office.com (bugzilla.mozilla.org)
169 points by rettichschnidi on Dec 2, 2023 | hide | past | favorite | 80 comments



Meanwhile their TOTP uses a nonstandard "ms-msa" protocol, forcing you to use their authentication application.

https://1password.community/discussion/139501/one-time-passw...


Those ms-msa URLs are for bootstrapping the system formerly known as PhoneFactor. It's not a TOTP at all, it's a two-way random value challenge. Microsoft supports TOTP as well, but Authenticator push challenges are more resistant to several types of attacks than TOTP, so some Azure AD admins may make it the only option. There's also a convenience factor since manually entering numbers isn't necessarily required.


MFA via push notifications is vulnerable to the "keep spamming them until they tap allow" attack. You can make the user type a code (like Apple does), but that's it for convenience.


Microsoft allows the administrator to configure either "select one of three" or have the user enter a two-digit code. The default is "select one of three," but there is also some risk scoring to tune which mode a user gets.


Office 365 for Business now has 'enter 2 digits' whereas the personal one defaults to 1 out of 3.


They also don't work at all when there's a network outage and you have no mobile data on your phone. (Whereas TOTP would work). An issue I have run into before.


There's a "use different authenticator app" button, but it can be disabled by the domain admin and that might be the default depending on when your Azure AD domain was set up.

The fact that you can set a domain to MSA/TOTP or MSA-only, but not TOTP-only, is an incredibly scummy, but incredibly predictable move by MS.


Bill Gates would laugh in his grave


He's still alive


Hence the subjunctive?


I use FreeOTP with it just fine.


I use Keepass with it just fine.


Fortinet do the same, you need their own app to generate the codes. Infuriating.


Works fine with 1Password One Time password.


I use it with 1Password?


Are you sure you tried reading a URL with the ms-msa protocol? I'm on 1PW MacOS 8.10.20


Can someone from Microsoft share why the login flow on all things Office/O365 is such a disaster? No other major company is so bad about this. You get bounced between a half-dozen domains (which I assume is somehow the root cause of the issue here), the "keep me signed in" check box literally does nothing, and so on. And you can't even blame it on trying to integrate incompatible legacy systems, this is all on Microsoft's first-party services.


The latest madness is that logging on to Azure Portal with Firefox requires about ten clicks on the user name.

As in: I log in, jump through the MFA hoops, and then it goes back to the list of user names to make me re-select the account I just used to log in.

Mind you, it always did this, which meant that I couldn’t just open a Portal link in a new tab — I’d have to select my account (again) for each tab.

But now I have to click at least ten times!

It’s broken.

Authentication is broken and there’s no one at the wheels.


There are probably no actual wheels to begin with, knowing Microsoft.


My AAD account is permanently screwed up because I left and rejoined the company I’m at (intern conversion, so I got a new AAD account with the same email).

I get signed out constantly, especially on mobile where my coworkers do not. Trying to sign into ADO sends me to a screen prompting me to configure a new org because it gets confused by two accounts existing with the same email in the same org even though one of them was deleted along with the underlying AAD account. It also just 500s sometimes when trying to login saying there’s something weird happening during authentication, I have to restart the browser to make it work.

As far as I know there’s no way to fix any of it, so I’m stuck with half working SSO.


Why don't they just give you a new email? I mean obviously it's stupid such a solution would be required, but wouldn't that solve your problems?


I think the actual easiest thing would be to get on the horn with MS and have them internally nuke my old ADO account, I’ve just never bothered to figure out who out of IT org could do such a thing. I’ve just learned all the workarounds instead.


Ah, their famous Stochastic Sign-On.


Same with the Azure Portal, I can regularly DoS Microsoft by opening the portal from a bookmark in Edge, or by switching Azure tenants (via the official button, which has also seen three different locations in the past year). It signs in, loads the intended page, then redirects to the home page, which performs the sign-in again, then redirects to the Azure portal welcome screen, which redirects to the home page, which performs the sign-in again -- at which point Microsoft usually "solves" the redirect loop by informing me that I've tried to login too many times and I should try again in five minutes.

With the additional bonus that even after things miraculously stabilize, I'm not on the page I wanted to go to but on the welcome screen. Pasting the intended link again in the browser bar seems to have a 10% chance of triggering the redirect loop again. It's so comically bad, I'm glad my employer is paying me for my time and not my productivity.


And the domains look ancient or shady as well. Live.com, aka.ms, msn.com…if you didn’t already know they were genuine Microsoft accounts you’d be smart to assume you were being scammed.


> You get bounced between a half-dozen domains

At work one of the cdn domains they use fails to resolve until it suddenly works. Haven't bothered to look into it yet, but generally takes about 10-15 minutes to sign into anything related to Azure AD / Office365.

Can resolve it just fine on the command line, just in the browser where it doesn't work.


They also introduced 2F verification pop ups that don’t show up in the task bar and are therefore not selectable when they are behind another window.


Also some of that bouncing around involves passing your email into the URL (?account=you@outlook.com) which is just bizarre in current day (tm).


I have spent weeks just trying to log onto Teams to communicate with an MS contracting shop. I still have not managed to log in. It is infuriating beyond belief.


I have opened a ticket with them for a couple of months about this now. I am pissed. To be honest, the fix is to switch the user agent to Chrome on Linux, but still.

Even their Edge does not work, just Chromium. If possible, avoid MS login (or all their products in general)


Do these guys run integration tests of any kind? Makes it easy to assume malice in breaking fundamental features.


> integration tests of any kind

No!

Microsoft famously fired their entire QA team. Also… their technical writing team. And then they outsourced both support and the bulk of their development to India.

You get what you pay for, and right now Microsoft is variously paying either zero or very little.


I'd see Microsoft hiring contractors, but do they outsource product development to external companies?


Not sure about development, but Azure support is almost entirely outsourced.


It's double outsourced even. They outsource to Accenture who then outsources it to small companies.

It's really really annoying because these people get penalised for escalating and they don't know much more than what it says in the docs. I read those before contacting them and it's always a hassle to get my case through to real support. They'll stall forever asking for more logs and more tests. I feel like I'm on trial defending that I really have a problem. Not a valued customer.

And mind you, this is already meant to be the "premium" support tier.


At this point I think it's par for the course. There must be some support tiers where you'll get actual Microsoft employees dealing with your issues (I don't think Apple's devs get a random contractor reading a script when they report server issues), but short of that I would feel lucky to even get a human to look at the question.


Now that you mention malice, here's a smoking gun, from the linked bug report:

> (it's not an issue with Firefox's implementation. This can be demonstrated by spoofing the useragent as a Chromium-based browser and attempting the same login flow […]).


File an FTC complaint. This is potentially anti competitive behavior with a digital paper trail. Microsoft will ignore randos, so engage a regulator. Include the bugzilla post link in the complaint.

https://reportfraud.ftc.gov/


Microsoft and uncompetitive behavior? No way!


Same thing goes with your state's AG and Microsoft's AG.


I don't think this is a smoking gun at all, because we don't know the story of why the difference in behavior was implemented. What not-infrequently happens is that Firefox is late to add support for some new web standard, so sites gate their usage on the user agent (which indicates that they actually bothered to test on Firefox!), and then it takes time for them to get around to removing the check after Firefox adds support.

In fact it's not completely unlikely that that is what happened here. Firefox still has incomplete support for the web authentication API [1], and in particular FIDO2 devices did not work if a PIN is set until Firefox 114 - only a few months ago! I'm not sure if this could be related, but Firefox also still does not support passkeys [2], so I'm sure someone will get blamed for anti-competitive behavior for that at some point.

[1] https://caniuse.com/webauthn

[2] https://caniuse.com/passkeys


That's a plausible explanation.

If Microsoft solves the issue within the next 30 days, I will consider that you were right.

"30 days" is an arbitrary extension of the timeline for something that was reported 4 months ago to Microsoft, and should have been already fixed.


Smoking gun is a leaked memo indicating the behavior is meant to break Firefox in this specific way


How is that a smoking gun indicating malice?


Changing behavior based on user agent is necessarily intentional on the part of Microsoft.

That check lies somewhere along the line between "having the direct goal of breaking authentication flow (pure malice)" and "is a completely legitimate programming error (pure incompetence)."

I am not ready to assume pure incompetence (and here's where I might be wrong).


It means that the website doesn't work in Firefox intentionally. The website was programmed to not work with the Firefox user agent string.


Is firefox blacklisted or are chrome and edge whitelisted?


Ah I see, I thought the parent poster meant malice on the part of Mozilla, got confused by bouncing between comment threads. I could see malice, since it is Microsoft, but what's the "why" of it? I don't really see any motivation that M$ would have to block Mozilla, all it's going to do is piss off users. It's not like people are gonna get fed up and switch to Edge, they'll get fed up and switch to Chrome. If anything, M$ has a great incentive to improve Firefox adoption. The market that uses FF is the same market that is never going to choose Edge. FF and Edge both have a much better position if they can damage Chrome's market share.


The cynic in me says we will understand the motivation in some antitrust trial one of these years.


Because it is not a bug or mistake in the code but a deliberate loss in functionality based only on the name of the browser.


Random stuff breaking or things not working quite right is to be expected with Microsoft products.


Office 365 Calendar broke for me a few weeks back and is still unusable. It forcibly leaps me weeks ahead whenever I try to scroll to today’s date. I literally cannot view my work calendar on my phone anymore.

I often wonder if they’re even capable of knowing there’s an issue.


Microsoft devs have a reputation of being quite sub par.


It's Microsoft's typical passive-aggressive way of trying to drum up users for edge being a chrome clone now, since begging you to stay didn't work when the only thing you use edge for is to download another browser. What else is new?


Likely just 0 testing.

Today I switched Outlook to the new Outlook and then it couldn't access my email account because of some licensing issue? No other error or how to resolve.

Who allows things like this to be shipped without minimal QA is beyond my imagination...


So is it definitely not a Mozilla issue but there’s no sensible issue tracker for it as a Microsoft issue?

You seem understandably frustrated. :/


I have tried to use a fido2 key years ago and it did not work. I think you need some proprietary sort-of standard key.


It’s probably some sort of intrusion detection system saying Firefox + passkey has been seen 0.1% of the time … abort.


Humble Bundle seems to have started doing that to me at times with a Firefox on Linux user agent. Support just gaslights me about clearing cookies and checking I typed the password correctly, even though it will work if I use Chrome or just wait a few days.


Damn, I depend on this. I tried to use fido2 on my flipperzero, MS blocks that as well. Kind of a bummer when you think about it with companies picking and choosing what keys/clients to allow when it should be up to the user.


8 months old too


If you filter by status, there's nothing in that feedback channel that's had its status changed for several months, and none of the issues there are marked fixed, so there's probably some other way this sort of thing is meant to be reported. According to their help page in outlook.com:

"Microsoft 365 subscriptions include premium customer support, so if you need to contact Microsoft for help, you'll get our highest level of service."


Unpopular question: At what point should companies officially deprecate support for a minority browser?

Firefox is down to like 6% marketshare, barely above (what's left of) Opera. Even Edge has nearly twice the usage.

Is it reasonable to expect a company to go out of their way to spend resources fixing something that works fine for 94% of their users, using any of several alternate browsers?

And this is Microsoft after all, the same company that's been through multiple browser wars and finally caved and joined the Blink family. Why should they care about Firefox?


My personal opinion, as a foss developer who does more than 90% of the commits on a relatively complicated Web application, is: NEVER. I have committed myself to supporting every browser in every configuration, because anything less is non-inclusive and assumptive about the user's abilities and capabilities. I will always bend over backwards to accommodate every user, because I want the experience of visiting my websites to be like that of a luxury hotel that caters to every need, rather than project housing or a prison that forces them to conform. I also think it is rather rude to assume that the user can change anything about their setup. I think of this type of accommodation as wheelchair ramps, which serve only a small demographic, but are pretty much universally agreed upon as being necessary.

And yes, I support Internet Explorer, Lynx, and NetSurf.


I disagree. While I appreciate the thinking, it’s not at all like wheelchair ramps. Supporting IE actively made life worse for everyone else. Resources are limited, so dragging that junk heap along meant that developer time was wasted on it instead of adding new features people wanted. Wheelchair ramps are useful for everyone at some time, even if it’s just helping someone push a cart a little more easily.


If a user only has IE and no ability to upgrade it, should I make extra effort to provide them with accessibility, or should I just tell them to fuck off, blocking them from information that is critical for them to access?

I choose the former, because I think the extra effort is worth it. Resources are not unlimited, but it's also quite feasible, if you are creative and not lazy.

And if you cannot even support IE, I guess you think that textmode browsers, visually impaired support, slow network connections, and other accessibility modes are also not worth your time?


That’s so unfair of you not to support Mosaic. What about the people who can’t upgrade past HTML1 browsers?

My point being, it’s great to support all modern browsers (which excludes IE altogether, but definitely including screen readers). If you’re a library, go ahead and support dialup and Lynx, too, if you can afford the dev time. If you’re an e-commerce site, and spending more than hobby time supporting Lynx and 56k, I might think you’re nuts for doing it.


I actually do support Mosaic in the framework, although it is challenging to get working on a live server.


> Is it reasonable to expect a company to go out of their way to spend resources fixing something that works fine for 94% of their users, using any of several alternate browsers?

Out of their way implies they have to do anything more than implement the standard and not do browser sniffing, which has always been a bad practice and especially since feature testing has become more widespread. A sibling comment highlighted the part that it works if the user-agent is changed to Chrome.

So, here's my take to your original question: If a feature has a backing standard, companies, especially those above a certain size, should be forced to follow the standard for that feature and not include any kind of "only allow using this feature if we have tested it in the browser" code. If the company states they cannot do that (cause they have a policy to only allow features in browsers they've tested or whatever), they should be forced to support everyone.

Another good reason to force support for everyone should be if the company has their own browser.
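The contrast this comment draws, as an added example that is not code from the thread, from Microsoft or from Mozilla: a User-Agent allowlist beside a feature-detection gate for the WebAuthn API a security-key login actually calls. The helper names and the constructed Chrome UA are assumptions; the Firefox UA is the one quoted later in the thread.

```javascript
// Added example (not from the thread, Microsoft or Mozilla): gating a FIDO2
// login step on feature detection rather than on the User-Agent string.
// `env` stands in for the browser's global object (`window`), so the same
// functions can be exercised against constructed environments below.

// The pattern the thread criticises: allow the security-key flow only for
// browsers whose UA matches an allowlist. A Firefox UA never matches, so the
// flow is blocked even though its WebAuthn implementation is present.
function allowedByUserAgent(userAgent) {
  return /\bChrome\/\d+/.test(userAgent); // Chromium-based browsers only
}

// The standards-based alternative: probe for the WebAuthn API surface the
// login page actually calls (PublicKeyCredential, navigator.credentials.get).
function webauthnGate(env) {
  if (typeof env.PublicKeyCredential !== 'function') return 'unsupported';
  const creds = env.navigator && env.navigator.credentials;
  if (!creds || typeof creds.get !== 'function') return 'unsupported';
  return 'supported';
}

// Login-page decision: offer the security key when the API exists, otherwise
// fall back to TOTP. Feature detection cannot see every conformance gap (the
// thread notes PIN-protected keys only worked from Firefox 114), so the
// fallback should also stay reachable if the key ceremony itself fails.
function chooseSecondFactor(env) {
  return webauthnGate(env) === 'supported' ? 'fido2' : 'totp';
}

// Constructed environments for demonstration. The Firefox UA is the one quoted
// in the thread; the Chrome UA is a made-up but typical string.
const FIREFOX_UA =
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0';
const CHROME_UA =
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36';

function fakeBrowser(userAgent, webauthn) {
  const env = { navigator: { userAgent } };
  if (webauthn) {
    env.PublicKeyCredential = function PublicKeyCredential() {};
    env.navigator.credentials = { get: async () => null, create: async () => null };
  }
  return env;
}

// Running in a real browser, this reports what the page would offer.
if (typeof window !== 'undefined') {
  console.log('UA allowlist:', allowedByUserAgent(window.navigator.userAgent));
  console.log('second factor:', chooseSecondFactor(window));
}
```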


They actually went out of their way to block Firefox here. The authentication protocol is a standard supported by all browsers, and if you change the user-agent string to look like Chrome’s then magically it starts working again.


Exactly. Same here. It's ridiculous they deliberately mess things up for us.


> Why should they care about Firefox?

Maybe that's a question for them to answer since they actively block it with user agent checks

If they truly did not care about Firefox, it would have worked.


At what point are Firefox going to drop having a unique user-agent and just adopt Chrome's? There are so many support issues they could avoid if they just did this, I really don't see what the benefit is anymore.


I'm not against the idea personally, the user agent doesn't have a purpose anymore and probably is the number one cause of "bugs" only affecting Firefox.

It's the same issue on mobile as well, Google still serves the dumbed down search version to Firefox whereas the one they serve on Chrome fully works with a user agent change.


what's old is new again: https://webaim.org/blog/user-agent-string-history/

so, what I'm hearing is that FF should change its current U-A from `Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0` to just `Mozilla/5.0` and skip the pretense :-)

In all seriousness, Chrome/Chromium actually had a plan to do some U-A simplification <https://www.chromium.org/updates/ua-reduction/> but it doesn't appear they're going as far as evicting the Chrome branding from it, nor (confusingly enough) dropping the Safari misnomer (since they don't use WebKit anymore)


The funny thing is that changing the UA fixes most problems I had with Office 365 in Firefox. Like the basic view appearing sometimes, or the drag and drop of files not working.

So in other words: there's nothing wrong with the technical implementation of the browser engine, but Microsoft consciously degrades the experience for me if they know I run Firefox.


I would say that there's a moral imperative to support Firefox for as long as it remains the only major open source alternative implementation of HTML/CSS/JS to Blink. We've been there before, and monocultures are just bad all around, so it's important for something like this to exist and be supported for the eventual inevitable day it will be needed.


6% of 5 billion is disregarding about 300 million users.

Should MS care enough about 300 megausers to make sure their login flow works? Uh, yeah.


They care enough to make it specifically /not/ work on Firefox, because it works if Firefox lies about what it is.


So I guess Safari would go too?



