Two Factor Aggravation

Finish second cup of coffee. Check the clock. Time to join the workforce.

Pick up cellphone. Screen is black, even though it’s perpetually plugged into its charger. Cellphones just do that; they aren’t designed to even think about getting out of Energy Saver mode, they take naps to conserve battery even when there’s AC going into their adorable little innards. Swipe once, twice, thrice, get a screen of alerts with red “X” and green “>” symbols, none of which I care about. More swipes to get that chazzerai dismissed. Bring up the Microsoft Authenticator app.

Webmail first. That browser window is demanding I log in. Type work email, hit button. Type password. It asks me to authenticate on the phone app.

Phone screen went black while I did that. Swipe, swipe, swipe, swipe, swipe, curse, swipe, swipe. Oh, now Authenticator wants me to authenticate itself somehow here on the phone. Gimme a break. Yes that account. No, you already freaking have my password, stupid phone app. Swipe. Re-click Authenticator. Hit OK button, yes it’s really me.

Web browser dialog says I took too long and that I have to start over. Lather, rinse, repeat. Back to phone. Phone went black. Yeesh, maybe I should use the damn iPhone instead, I keep the Android around despite lack of a SIM card because it’s on my WiFi and I can just leave it here, whereas the iPhone gets toted around to where I might need mobile telephony. But yeesh.

Pick up iPhone. Swipe, swipe. Wants my six-digit authentication, yes it’s really me here. Bring up Microsoft Authenticator. Back in web-browser-land on the laptop, enter email for account, click “Next”, type in password, go to phone and hit “OK” button.

Web Mail stays stuck on “Approve sign in request”, with the instruction to “Open your Microsoft Authenticator app and approve the request to sign in”. Has link below that: “I can’t use my Microsoft Authenticator right now” which, if you click on it, gives you two options, neither of which make sense in the context of the link one just clicked: to use it anyway in exactly the same way, or to use it anyway except to type in the six digits that pop up on the cell phone screen. Oh, dammit, the iPhone is back to requiring its own six digits. But this time I get that done and read the other six digits (the ones in Authenticator) and type them in to the web browser’s dialog. Finally, it accepts that instead of saying I took too long.

Go to Calendar which is in a different web tab and also logged out. Click “Back” button, calendar conveniently refreshes because the browser is authenticated already.

But the VPN isn’t. Bring the Secure Access Client to the front and click the “Connect” button. Both phones buzz. The Android has the “OK” button available while the iPhone has gone back to its “enter your six digits” security screen, so I hit the ‘OK’ on Android. Secure Access doesn’t take it. I hit “I can’t use my Microsoft Authenticator” and then “Authenticate using Microsoft Authenticator on my Phone” and his the “OK” button again. It takes it, thinks about it, then the Secure Access status goes green.

It asks if I want to stay logged in and prevent having to redo this, and as usual I say “Yes” to “keep me logged in”.

It won’t.

I sure am glad we protect our digital workspaces this way with the secure power of our cellphones. Nobody could break in by, let’s say, picking up my cell phone if I laid it down and opening the email and calendar there, where the authenticator would pop up right there on the same device and the thief could hit the “OK” button. Or hacking it to make it spit out the stored password. Good thing nobody knows how to hack a cell phone, right? (My laptop has this place where one can press one’s finger or thumb and authenticate using one’s fingerprint. It also has a good video camera that could image my eyeball. But we don’t use that technology because we have cellphone-based two factor authentication, yay us).

I put both phones back on their respective chargers and remote in with MS Remote Desktop Connection and authenticate with the same damn password to get into my Windows account and begin my workday.

Reported for using a hacked account.

Never mind (humor-impaired OP reply deleted)

You’re not alone, AH – that’s in MPSIMS, though.

It’s not exactly aggravation, but why does a financial site where I appreciate two-factor authentication only require it some of the time?

“We trust that you’re who you say you are…whoops, not this time though.”

You mean it does it randomly? That’s not very smart, if true. In my experience 2FA is activated when there is a specific condition that requires extra security, otherwise most systems are content to leave you in peace.

Paypal constantly shifts me to a no-password state. No, I didn’t tell you to trust my device. I want the password to be required.

It’s authentications all the way down.