Another password debacle thread lol

Absolutely. Particularly if so-called "passwordless" authentication becomes the only form. Even with all the issues I see with passwords, they're the thing that, ultimately, most users will remember if all else fails or else be able to go through the account recovery process even when they can't based on security questions and a couple of passwords they do remember.

I will always want something that I carry around in my head for accounts I have to access relatively frequently and might have to access when I'm not at my own computer.

Hotmail has been pushing the hell out of the passkey option lately. I think sooner or later Google, Microsoft, etc. will all go passkey...I'm fine with it as an option but yeah I feel like it's gonna create tons of issues for the non tech savvy person.
 
My trending issue is people getting new phones and their 365 business accounts are MFA'd on the old phones, or their app isn't working, or.....or...something else. 5 in the past few weeks, all have to go through the data protection team. None are locked out of email but can't get in the admin portal.

We deal with clients getting new phones all the time. A simple "reset MFA devices" on their user account launches the wizard. Or...can just manually go in (as the admin) ..remove their prior phone's Auth account, and set up a new one from scratch.

Of course yes that involves going in "behind the scenes" into the tenant with our global admin account...which we have for every single one of our clients. And an "in case of emergency break glass GA account" too. Granted "new incoming customers" may not have one of those, they may have sadly been set up all along as the primary user having the GA account..and they're using that account as their daily driver account for their email, etc etc. Ugh! But..it's an opportunity to put on the "IT Professional consulting hat" and get them set up properly...separate GA accounts.
 
That doesn't help those of us who support end users who muddle themselves into trouble and then hire us as a one-off to solve the problem. And yes, there is a good living to be had doing that - not everybody has to be an MSP supporting business clients. However, it's very discouraging when a hapless end user comes in seeking help solving a problem that is unsolvable because their "free" services (which approximately 99% of all end users take advantage of) have upped their security to the point where they are now unable to access their own accounts.
 
That doesn't help those of us who support end users who muddle themselves into trouble and then hire us as a one-off to solve the problem.
I realize that and already acknowledged that by stating "Granted 'new incoming customers' may not have one of those".
I know break/fix peeps run into this a lot. (35 years in the IT biz, not my first day on the job)
We recently took on a business client whose prior IT guy..a 1x man show...quickly passed away. Inherited quite a mess, including no unlicensed GA account, not provisioned through a CSP, and the primary user, who had the only GA account, did not know his password.

Luckily it's not too bad of a process going through Microsoft's recovery team branch.
 
I have been avoiding passkeys for my own accounts that push them even though, presumably, I would be conscientious about migrating them to a new device. I'm not concerned about that bit, but I AM absolutely concerned that something will go wrong with the migration process itself, or some other unavoidable problem will surface (I'm sorry, your new phone is running Android v18 and your old phone was on 15 which can't migrate directly because blah blah blah). I'm going to stick with passwords & 2FA for a while, thank you.
 