Search - "mfa"
-
Yesterday,
I was a bit drunk.
But I wanted to improve the security of the company. So, I went into Azure and activated “Security defaults” which forces MFA for all users in the company. (Because RH always forgets to enable MFA for new employees, and I actually care about security)
Then I went into Office 365 management and instead of resetting MFA for all users (Forcing everyone to redo MFA setup), I (by mistake) clicked on reset all passwords.
I tested my own account, it was fine, and went to sleep.
Got a call from CEO at 7am, all 30 employees cannot log in, cannot work.
What a shit show I made…
I have a call with CEO in about 2 hours, I don’t even know how to justify myself…
So children: don’t activate company wide options while drunk. Ever.
-
Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).
This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go to a webpage, log in with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.
BUT TODAY I HAD ENOUGH.
I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.
-
Highlights from my week:
Prod access: Needed it for my last four tickets; just got it approved this week. No longer need it (urgently, anyway). During setup, sysops didn’t sync accounts, and didn’t know how. Left me to figure out the urls on my own. MFA not working.
Work phone: Discovered its MFA is tied to another coworker’s prod credentials. Security just made it work for both instead of fixing it.
My merchant communication ticket: I discovered sysops typo’d my cronjob so my feature hasn’t run since its release, and therefore never alerted merchants. They didn’t want to fix it outside of a standard release. Some yelling convinced them to do it anyway.
AWS ticket: wow I seriously don’t give a crap. Most boring ticket I have ever worked on. Also, the AWS guy said the project might not even be possible, so. Weee, great use of my time.
“Tiny, easy-peasy ticket”: Sounds easy (change a link based on record type). Impossible to test locally, or even view; requires environments I can’t access or deploy to. Specs don’t cover the record type, nor support creating them. Found and patched it anyway.
Completed work: Four of my tickets (two high-priority) have been sitting in code review for over a month now.
Prod release: Release team #2 didn’t release and didn’t bother telling anyone; Release team #1 tried releasing tickets that relied upon it. Good times were had.
QA: Begs for service status page; VP of engineering scoffs at it and says it’s practically impossible to build. I volunteered. QA cheered; VP ignored me.
Retro: Oops! Scrum master didn’t show up.
Coworker demo: dogshit code that works 1 out of 15 times; didn’t consider UX or user preferences. Today is code-freeze too, so it’s getting released like this. (Feature is using an AI service to rearrange menu options by usage and time of day…)
Micromanager response: “The UX doesn’t matter; our consumers want AI-driven models, and we can say we have delivered on that. It works, and that’s what matters. Good job on delivering!”
Yep.
So, how’s your week going?
-
MFA authentication setups that don't support standard authenticator apps, like 1Password or Google Authenticator, can burn.
Yes, Microsoft, I am looking at you.
-
NO FUCKING GOOD NIGHT FOR FLOYD.
THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.
So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.
But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.
Well, post reinstalling, the app does not detect the linked Org account.
I was cool, when I'll login, the system will throw a prompt to map the phone.
So I log in to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to log in.
But phone does not show the code because account is no longer linked and web does not have option to change/re-register the phone.
What the actual unholy fuck?????? Bloody retards. How am I supposed to get in now?
So after Googling for a bit, a thread mentioned that this is the most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.
Cool. Let's do that.
I opened the link to my IT portal and it asks me to log in via SSO which is what I need help with in the first place.
I can't log in to Slack because fuckers ask SSO every time the app is exited. So no contact there.
Thankfully bastards allow Outlook so was able to drop a note to one of my team members, whom I connected recently and is very nice, asking her to help me sort this IT team.
If this is the most common use case then why the fuck not add a feature to help people overcome this shit?
And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.
Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine.
-
Windows file system is a slow piece of shit.
The update regime on most applications for Windows desktop is an unmanageable piece of shit.
Windows Store is a broken piece of shit.
The login process on a Windows computer is a tedious piece of shit.
The Windows Hello authentication is a half-baked piece of shit.
Microsoft MFA is a hostile piece of shit.
Windows Update is a destructive piece of shit.
Windows Defender is a resource-hogging piece of shit.
Windows system fonts are ugly as a piece of shit.
-
Worst interview rejection.
I was just out of college and making the interview rounds set up through my college's job placement.
I wish I still had the letter (I would have attached a screenshot), which
started out nice enough with the usual 'It was a pleasure meeting you and thank you for your interest in the position..' blah blah blah.
Ending with "You will never be considered for a developer position here at MFA Oil."
I was like "What the hell happened?!" I thought the interview went great..I had no experience and she made it clear they were looking for experienced developers, but no weird questions+answers, nothing. If anything, I had to be the most vanilla of the 10+ other college-grad devs waiting in the waiting room. Interview was maybe 10 minutes with the standard script of questions like 'Where do you want to be in 5 years?' which we all knew and rehearsed.
My only guess was they had me confused with someone else.
-
Fucking hell the AWS IAM documentation is confusing as fuck. Trying to set up a fucking role is harder than cutting a rock with a fucking spoon.
And who the fuck thought it would be a good idea to allow a CLI user to run any command he's allowed to without any form of authentication??
Oh, set up MFA for the CLI you say? Good fucking luck with that, if you ever manage to figure out how to set that shit up!
Fuck this shit!
-
Friends, gather round for a story of "the user".
Two days ago I assisted a friend in reviving their scammed Instagram account with final confirmation it was back in their possession yesterday. I stated "make sure you clean out phone numbers, emails and change the password. WHATEVER YOU DO DON'T USE THE SAME PASSWORD"....I bet you know where this is going....
Cue 6:45am: "HELP! THEY DID IT AGAIN! THEY TOOK MY FACEBOOK THIS TIME TOO!" as a safety measure, I told her to link them for recoverability.....not thinking you just created a bridge to the facebook...
Now We're going through EVERY account BY HAND and changing EVERY password for EVERY service and enabling MFA. We've also learned the power that the forgot password button wields for everyone.
ProTip: If your friend was "hacked" be patient, friendly and soft to get every detail...sometimes you learn more and can position them better.
Now I'm upset with myself because I couldn't save their accounts and at this point we've lost the only footing we had to them. Social Media is a curse.
-
Am currently developing an app which uses an IaaS named Auth0. Great experience so far, reasonable docs, unlimited users, social login, sso and support for about $29/m.
After an inquiry from a customer to provide MFA, I contacted Auth0 to see what it would take to use this feature.
"We only offer this in our Enterprise plan which starts at $18k/yr."
Well, fuck me with a pitchfork and call me Bridget the midget. I'll code it my goddamn self.
-
I still find it very funny that Desktop Outlook (So Microsoft) doesn't support MFA from Office 365.
I'm kind of tired of telling users to go and generate an "app specific" pass which bypasses MFA.
Especially when even the default Windows 10/11 mail client supports MFA just fine and fucking faster than Outlook.
This is the part of my job I hate: Administrating users, searching how to make their PC/Mac work (Btw Mac client does support MFA, ironically).
Can I just get back to Infrastructure, redis caches, step in Q# ?
-
Due to my company's Microsoft AD team being amateurs, I have to MFA on my work-issued computer at least 4-6 times a day, for each individual work system I access.
Today I had to reset my password. It's double-prompts for me today 😂
-
rantHeader = "Merry Christmas to me!"
subHeader = "How a phone survived a three-story fall but dropping it from 1 meter high shattered its glass"
And it's Christmas with my direct manager on holiday till February the 33th 2085 meaning I will get a new phone in 1/2 years if all goes well...
Well at least I have a good excuse not to connect to work during my holidays as MFA app is on this phone...
-
I love MFA as much as the next guy, but I bet I spend close to 30 minutes each day waiting on it. Do I really need to go through MFA in a separate app every time I want to use sudo on my local machine...?