Published 2024-09-09
tag(s): #yell-at-cloud
I almost add the tag #overblown-minor-annoyances but, to be honest, I do care
about this sort of thing. It took quite a few years for me to care, but now I "get it".
Shout-out to my friend Diego who was an early influence. Even if I dismissed his warnings for a
long time, he was right.
Last week I changed my password at work (itself an outdated security recommendation), and turns out that domain policy was changed to allow only Microsoft Authenticator. I stopped using a separate Authenticator app some time ago, when I started paying for BitWarden.
Two things bother me about this change. The first one is that I don't want to install that
crap in my phone. The alternative is to have a separate work phone, which is a bigger
hassle.
And second, there's no real reason to favor that Authenticator over any other. The whole TOTP
thing is detailed in an RFC [1], anyone can write an authenticator.
Microsoft's one isn't open so there's no way of knowing if it has vulnerabilities, for example.
The reason for this title is that I am sure this is a recommendation by Microsoft to domain admins, and just like with other tools, they keep pushing their closed crap over existing, open stuff. For example, IMAP access in Exchange is disabled in most organizations, so you are forced to use (or rather, endure) Outlook.
For the record, I was a .NET developer for years, and used Microsoft tech more than your
average Free Software Advocate™️
I still think a lot of their tooling can be good, even great. But if you pay attention,
there's always these little things with Microsoft, that shows that they haven't really changed
their DNA, and will push for their own stuff to the detriment of user experience as soon as
they can. And even quicker if they can stomp over some perfectly serviceable standard with a
sub-par alternative.
Anyway, I just wanted to vent, and I happen to have a website, so here we are. It has been useful before, to get it off my chest. 🤷