• Why *login.microosoft.com* in my MFA dialog?

    From bad sector@forgetski@_INVALID.net to alt.os.linux on Thu Sep 4 15:50:47 2025
    From Newsgroup: alt.os.linux



    My bank 'accepts' the use of a verification code sent to a smartphone
    as ONE of several optional ways to establish MFA, it also offers to
    prompt me instead for my response to a random one of many code prompts
    (stored on their server), etc. I think the second method is superior
    because its reliability rests on a large institutional security
    infrastructure and NOT something as vulnerable and as totally
unreliable as my phone or traffic moving through it.

    Now another outfit I deal with INSISTS that I accept the smartphone
method OR ELSE and will not accept that for all intents and purposes my
    phone is only for the use of my family and will NOT be made available
    to them and that even if they do get a hold of it they will much more
    likely be blacklisted instead of receiving any response.

    A surprise in this chain of events (surprise to me because it's my
    first involvement with the 'requirement or else' arrogance) is that
    while initially trying to set up the establishment of whatever MFA
dialog might await a few clicks later on their web-site I saw _my_
browser-traffic routed to 'login.microsoftonline.com', a red flag if I
ever saw one.

    Any wisdom out there that might either dissipate this stench or clarify
    how it might be handled? I don't think "I" need MFA but maybe there is
    a use for it; I certainly don't feel good about ever having microcancer
    in possession of any of my data be that a phone number or the time of
    day.

    TIA



    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.os.linux on Thu Sep 4 18:28:40 2025
    From Newsgroup: alt.os.linux

    On Thu, 9/4/2025 3:50 PM, bad sector wrote:


    My bank 'accepts' the use of a verification code sent to a smartphone
    as ONE of several optional ways to establish MFA, it also offers to
prompt me instead for my response to a random one of many code prompts
(stored on their server), etc. I think the second method is superior
because its reliability rests on a large institutional security
infrastructure and NOT something as vulnerable and as totally
unreliable as my phone or traffic moving through it.

    Now another outfit I deal with INSISTS that I accept the smartphone
method OR ELSE and will not accept that for all intents and purposes my
    phone is only for the use of my family and will NOT be made available
    to them and that even if they do get a hold of it they will much more
    likely be blacklisted instead of receiving any response.

    A surprise in this chain of events (surprise to me because it's my
    first involvement with the 'requirement or else' arrogance) is that
    while initially trying to set up the establishment of whatever MFA
dialog might await a few clicks later on their web-site I saw _my_
browser-traffic routed to 'login.microsoftonline.com', a red flag if I
ever saw one.

    Any wisdom out there that might either dissipate this stench or clarify
    how it might be handled? I don't think "I" need MFA but maybe there is
    a use for it; I certainly don't feel good about ever having microcancer
    in possession of any of my data be that a phone number or the time of
    day.

    TIA

    Could you use a FIDO stick ? Some of them have a push button,
    and the stick works off a USB port. You push the button and it
    generates a code locally (didn't read the article, maybe by PKI?)
    and that flows through the web session to your organization. There
    are other biometric methods available, but if you Google
    for a merchant to sell you one, the types offered could be
    limited. When you get a stick, buy a short USB extension cord,
    so the USB metal connector, does the plugging and unplugging,
    not the stick connector (which should stay affixed to the extension).
    The FIDO sticks do not have particularly robust construction.
    That's why you're using an extension cable.

    https://en.wikipedia.org/wiki/FIDO_Alliance

    Only a few organizations have mastered how to do this.
    The VA in the USA, use it, or have an option to use it.
    Google and Microsoft, also know FIDO sticks.

    It is supposed to be an alternative to 2FA, which your opponent
    seems to want. And it would allow a person without a phone,
    to authenticate. You buy two sticks, set up both sticks, and
    if one stick fails (you lose it), the second stick could
    be used to bootstrap the setup of a third stick or whatever.
    You keep the second stick in your sock drawer.

    Otherwise, your bank surprise domain of login.microsoftonline.com
    is no different than their "love of Internet Explorer" back in
    the day. And to demonstrate how "with it" the clever bank IT
    people are, when Microsoft has delivered Internet Explorer 11,
    you set up the banking web page so it only works with
    Internet Explorer 10 (the web page doesn't work for all IE,
    just the one specific version). Which of course, sends the customers
    into a tizzy.

    So really, tying a Microsoft/Bing/MSA type login, into the mix,
    that's "just another day at the bank" really. They consider
    their "Microsoft Love" to be a "normal" kind of kink. You would
    think they would check the UserAgent sent by your browser, and,
    um, not do that. Or maybe it is a subtle way of saying "heh,
    we only support Windows here at the ranch".

    Paul
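Paul's sketch of the FIDO stick ("generates a code locally ... maybe by PKI?") is close to how these keys actually work: a private key created on the device at enrolment never leaves it, and a button press signs a fresh challenge from the server, which checks the signature with the public key it stored. The Go program below is an added illustration written for this thread, not code from any FIDO implementation and not part of the original posts. It models enrolment, the button press and the server check with a P-256 key pair; the relying-party name bank.example, the layout of the signed bytes and the counter handling are assumptions made for the example (real FIDO2/WebAuthn defines its own message format). It also shows the two properties Paul's scheme gets that an SMS code does not: a response cannot be replayed, and a credential registered for one site refuses to sign for a look-alike site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is a toy model of a FIDO security key (assumed structure,
// not a real implementation). The private key is generated on the device at
// registration and never leaves it; pressing the button signs a fresh server
// challenge bound to the site (relying party) the key was registered with.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string // relying party the credential belongs to, e.g. "bank.example"
	counter uint32 // signature counter, advances on every press
}

// Server is the relying party. It stores only the public key and the last
// counter it accepted, so a leak of this record yields no usable secret.
type Server struct {
	rpID        string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Register runs enrolment: the stick creates a P-256 key pair and the server
// records the public half.
func Register(rpID string) (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID},
		&Server{rpID: rpID, pub: &priv.PublicKey}, nil
}

// signedData is the byte string both sides agree the stick signs
// (assumed layout): SHA-256(rpID) || counter || challenge, hashed for ECDSA.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append(append(append([]byte{}, rpHash[:]...), ctr[:]...), challenge...)
	digest := sha256.Sum256(buf)
	return digest[:]
}

// NewChallenge issues 32 random bytes that the server keeps to check the reply.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Press models the button press. The browser tells the stick which site is
// asking; a credential registered for one site refuses to sign for another,
// which is what protects the user from a look-alike login page.
func (a *Authenticator) Press(askingRP string, challenge []byte) ([]byte, uint32, error) {
	if askingRP != a.rpID {
		return nil, 0, errors.New("no credential registered for this relying party")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, a.counter, challenge))
	if err != nil {
		return nil, 0, err
	}
	return sig, a.counter, nil
}

// Verify checks the signature against the stored public key and rejects a
// counter that did not advance, which catches a replayed response.
func (s *Server) Verify(challenge, sig []byte, counter uint32) bool {
	if counter <= s.lastCounter {
		return false
	}
	if !ecdsa.VerifyASN1(s.pub, signedData(s.rpID, counter, challenge), sig) {
		return false
	}
	s.lastCounter = counter
	return true
}

func main() {
	stick, srv, err := Register("bank.example")
	if err != nil {
		panic(err)
	}
	ch, _ := srv.NewChallenge()
	sig, n, _ := stick.Press("bank.example", ch)
	fmt.Println("genuine login accepted:     ", srv.Verify(ch, sig, n))
	fmt.Println("replayed response accepted: ", srv.Verify(ch, sig, n))
	_, _, err = stick.Press("bank-example.login.test", ch)
	fmt.Println("look-alike site got signature:", err == nil)
}
```

Run it with `go run` and the three lines read true, false, false. The phone-based code Paul's correspondent is being pushed toward has neither property: a six-digit SMS code can be typed into whatever page asks for it, and nothing ties it to the site that issued it.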
  • From bad sector@forgetski@_INVALID.net to alt.os.linux on Sat Sep 6 07:53:19 2025
    From Newsgroup: alt.os.linux

    On 9/4/25 6:28 PM, Paul wrote:
    On Thu, 9/4/2025 3:50 PM, bad sector wrote:


    My bank 'accepts' the use of a verification code sent to a smartphone
    as ONE of several optional ways to establish MFA, it also offers to
prompt me instead for my response to a random one of many code prompts
(stored on their server), etc. I think the second method is superior
because its reliability rests on a large institutional security
infrastructure and NOT something as vulnerable and as totally
unreliable as my phone or traffic moving through it.

    Now another outfit I deal with INSISTS that I accept the smartphone
method OR ELSE and will not accept that for all intents and purposes my
    phone is only for the use of my family and will NOT be made available
    to them and that even if they do get a hold of it they will much more
    likely be blacklisted instead of receiving any response.

    A surprise in this chain of events (surprise to me because it's my
    first involvement with the 'requirement or else' arrogance) is that
    while initially trying to set up the establishment of whatever MFA
    dialog might await a few clicks later on their web-site I saw _my_
    browser-traffic routed to 'login.microsoftonline.com', a red flag if I
    ever saw one.

    Any wisdom out there that might either dissipate this stench or clarify
    how it might be handled? I don't think "I" need MFA but maybe there is
    a use for it; I certainly don't feel good about ever having microcancer
    in possession of any of my data be that a phone number or the time of
    day.

    TIA
    Could you use a FIDO stick ? Some of them have a push button,
    and the stick works off a USB port. You push the button and it
    generates a code locally (didn't read the article, maybe by PKI?)
    and that flows through the web session to your organization. There
    are other biometric methods available, but if you Google
    for a merchant to sell you one, the types offered could be
    limited. When you get a stick, buy a short USB extension cord,
    so the USB metal connector, does the plugging and unplugging,
    not the stick connector (which should stay affixed to the extension).
    The FIDO sticks do not have particularly robust construction.
    That's why you're using an extension cable.

    Given the cost and headaches bundled with my last motherboard I'm
    already using these extension cables for every single backpanel port
    including USB, audio, etc. Not only do they take extremely little
    'getting used to' they're actually easier to handle if they're about a
    foot long!


    https://en.wikipedia.org/wiki/FIDO_Alliance

    This particular pimple-on-a-brainstem organization supports ONLY their
    rig of running everything through login.microcancer.com (I suppose much
    like google is elsewhere though less arrogantly) AND one's smartphone.
The scumbags are herding people's available data augmented by their
    phone number to the techno gangsters (google isn't getting my phone
    number either).

    Only a few organizations have mastered how to do this.
    The VA in the USA, use it, or have an option to use it.
    Google and Microsoft, also know FIDO sticks.

    It is supposed to be an alternative to 2FA, which your opponent
    seems to want. And it would allow a person without a phone,
    to authenticate. You buy two sticks, set up both sticks, and
    if one stick fails (you lose it), the second stick could
    be used to bootstrap the setup of a third stick or whatever.
    You keep the second stick in your sock drawer.

    Otherwise, your bank surprise domain of login.microsoftonline.com
    is no different than their "love of Internet Explorer" back in
    the day. And to demonstrate how "with it" the clever bank IT
    people are


    I ran into one such birth-defect in my life, the guy was a supervisor
    and all he bragged about all day was how much of an IT guru he was
    because he could click his way through any dialog on winblows. What a
    genetic traffic-jam, I was also using Warp at the time but he had never
    heard of either Warp or Linux, much less UNIX :-))))

    , when Microsoft has delivered Internet Explorer 11,
    you set up the banking web page so it only works with
    Internet Explorer 10 (the web page doesn't work for all IE,
    just the one specific version). Which of course, sends the customers
    into a tizzy.

    So really, tying a Microsoft/Bing/MSA type login, into the mix,
    that's "just another day at the bank" really. They consider
    their "Microsoft Love" to be a "normal" kind of kink. You would
    think they would check the UserAgent sent by your browser, and,
    um, not do that. Or maybe it is a subtle way of saying "heh,
    we only support Windows here at the ranch".

    Paul



    Many ways to skin a cat, here the cat isn't the hacker but the user.

    The bank using the extra question has the right idea; you don't have to
    'buy' anything to get it done, you have total freedom since you can
    devise your own question/answer pairs, and as I said I think it's
    actually much more secure. For example I once composed "What school did
your second daughter go to"? The answer was 'International School of
Obedience for Women' (no sexism intended). When you think that I have no
daughters at all that kind of riddle would be pretty hard to hack. The
    future I think lies in dynamic (formula) question/answer pairs once
    enough customers learn to walk on two legs.

    With the formula being stored on the industrial and thus more secure
    server security would still be far better than a smartphone texto can
    provide. The real reason behind the phone-number MFA campaigns isn't
    security but getting your phone number into the snoop grinder.

    You could instead have innocent looking questions like "What is the
    current day of the month" and the stored answer formula would hold the
    key: 'twice the number of the month in zulu time plus or minus XY
    whichever first yields a positive answer'. Now THAT would be MFA.
    Another one could take the form of stored yard-and-a-half passwords
    permitting any character (something that far too many sites STILL can't
    handle while they nonetheless insist on getting your phone number!). The
    user would be shown a slightly and randomly edited version of this
    password and would remove from or add to it from recall, the recall not
    being stored ANYWHERE, only the encrypted real password.
    --
    "When the axe came into the forest, the trees said: 'the handle is one
    of us'"