this post was submitted on 19 Feb 2024
256 points (97.4% liked)
Azure products ask you for your identity and sign-in a lot. Honestly, I'm asked to log in again at least once every 24 hours. That's assuming I don't traverse some sort of service wall where I'm now in a different system after clicking a link.
I do cloud engineering for a living, and I would probably fall for at least some phishing things around Azure, specifically because Azure identity management is so obtuse and constantly asking for things.
It's absolutely on the system that Microsoft designed, and the practices they encourage, and the mitigations that apparently don't exist.
MS products in general are a Rube Goldberg machine of domain redirects and authentication requests so you could easily(...?) slip another sneaky phishing site in the middle of the 14th ball drop and 18th cup-on-a-string-swinging-over-a-gap and I'd be one to fall for it. I use 1Pass and it's pretty much constantly popping up in MS website dialogue boxes demanding another password sacrifice before it will let me access some MS service that I was just on five minutes ago.
My school uses MS for a bunch of the logins. 2FA is set up through your phone, which isn't annoying or anything. So anytime I log in, I need my phone handy, and then I have to type in the stupid code into my phone and then a password to approve it and then maybe 25% of the time it decides me clicking "yes this is me" actually means "no, deny!" and boots me out and then I have to authenticate a different way. And if I sign into a different school website that uses the same damn MS login it kicks me from any other school websites I'm currently logged into so I have to log back into them even if they're still open in another tab and I'm actively working in them. So yeah, I'd like to think I'm smart, but I'd definitely just rush through another MS authentication request because I'm so damn sick of them.
bing bing bing bing!
"Sign into your Microsoft account" here...
"Link your Microsoft account to Edge/[Insert MS product here]"
"Let's get you signed in" there.
"Try our Windows Hello! A new method of accessing your Microsoft account!" over there.
"Sorry you can't use your organization account here, sign into your personal account"
This is the monster Microsoft unleashed upon itself.
Microsoft, and all the cybersecurity folks who blindly accept any recommendation from third party firms.
When we need to remote in to our work PCs we have to use our Microsoft account with MFA just to access the remote connections, then use the same credentials to access the pool, then if we want to RDP into our PC we use the same credentials.
Thank you. Security verification has become so cumbersome that people just try to push through without thinking.
Yeah, needing to sign back into multiple systems after doing something different for 15 minutes is just exhausting.
The amount of times I have had to do an MFA challenge for non-elevated access stuff while on company owned hardware connected to the company owned network is absurd.
I'm security minded and I absolutely hate using Microsoft because of this very reason.
I have a Microsoft account because stupid ass Windows needs it, I wanted PC Game Pass and I was sick of constantly doing workarounds for the past 15 years. And what do I get for it? I need to log in for so many things. Accidentally open up Microsoft Word? Login. Open Game Pass? Login. Play a game? Login. Game suddenly crashes? Oh because it failed to authenticate and I had to log in to Game Pass again.
I would absolutely fall for this if I had to use Microsoft products at work because of logging fatigue.