I can understand if a product has limitations, or odd edge cases, but Microsoft MFA is purposefully designed to be user-hostile.
Some examples that came up recently in "not corner case" scenarios:
1) For tenant-to-tenant guest access, each user must re-register MFA for each tenant they've been invited to. So if you already have the Authenticator app installed and configured, it doesn't matter. It'll prompt you to create a new entry each time. I have dozens already and clocking up.
2) When logging in to Azure, Microsoft has purposefully added "dark patterns" to hide options related to other, non-Microsoft-Authenticator technologies. They're available, but they're always tiny, tiny links squirrelled away so that you're inexorably lead towards using the Authenticator app. Someone at Redmond really wanted their KPIs met at Yubikey's expense.
3) If you get a new iPhone, unlike everything else on the phone, the Authenticator app will not transfer your MFA registrations. Apple IOS will securely transfer your accounts, passwords, etc... but Authenticator is special. You need to first configure a consumer account(!) to back up your enterprise MFA settings, and then restore them manually. At which point... none of them will work, and you get partial instructions that you can't follow. If you've wiped your old phone (e.g.: trade-in or repair), you are now locked out.
All of the above were designed, architected, and developed on purpose. None of these are oversights, bugs, or missing features.
Let me add one that I ran into, which doing a search a whole slew of people have. Their MFA simply does not work - not in edge cases - in very basic straight forward cases.
I sign up for an account. It wants a phone number. I enter the phone number. It sends a text to validate it. Except it never sends the text. I go into my profile and enter it there. It still wants me to enter it for validation, and wants to send a text. Which it again never sends. You can try the next day, you can try two weeks later - they just don't send a text. My carrier is sprint/tmobile, spam/phishing protection is disabled. And no, like most other places, they won't robocall you and voice-read you the code.
A month later, your account is blocked because you didn't validate it.
Now, this is for their free accounts. If you pay them, this issue does not exist. In online forums, their support staff make ridiculous claims: our mfa server is down (for 2 weeks?), reinstall your browser, here's some instructions on how to click the "send sms" button.
So I use free microsoft accounts as temp accounts for orders that are going to spam me, and when they die in a month - all good.
Here's the thing though - for all of microsoft's user hostile practices, google's products are fifty times worse.
funny thing though - if you look at smaller shops specializing in one or two products, you don't have to use microsoft or google stuff, and there is a better alternative for everything those two make.
> MFA simply does not work - not in edge cases - in very basic straight forward cases
I completely agree. At my workplace, attempting to add your account to the MFA app fails. If you click on the big obvious 'add account' button, it asks you to sign in to the account you're setting up MFA for. And when you enter your username and password, it then redirects to the MFA setup page and asks you to set up MFA. And if you follow those prompts, you end up back at the sign-in page. And so on.
Instead, you have to skip past the obvious 'add account' button, and click on a + symbol in the top right, and from there you can add the account by scanning a QR code generated on the MFA settings page.
google authenticator is not the same thing. that's an rsa soft token type thing, not a text to your phone. if you want issues with google texts on cell phones, pick a bad word, add "google fi" to it, and you'll get some hits. then repeat that for google voice.
now, what you can compare it to, is when google sends you an sms for authentication. and you don't get it, and they lock your account. customer service - sure, chat from your phone, as long as you have their app, and if you don't, then install their app - from google play, which is locked because you can't confirm your phone number. then figure out they locked your gmail, phone, and all google apps, while deleting all your data. why? because you worked with a dev on an app 3 years ago, and that dev was found by google to work with another dev 2 years ago, who is now a russian hacker. online chat? you need to log in first. phone number to call? they don't have a phone.
you are free to google for an hour to somehow contact them, and a big if/then loop they call AI will reply with an off-topic template, then delete your youtube channel. if you complain more, they'll trash your employer's production servers in GCP.
I've had trouble with all the services (MSFT and others) sending texts. I blame Verizon more than the big tech folks though, as their SMS is remarkably unreliable.
That said, my first pass through MSFT 2FA hell left me with the indelible impression that they really didn't understand 2FA. I only reluctantly use their products, and have been hit with various "Temporary problem" when attempting to login. Its worse with SSO, in case you are not sure.
More to the point, every scenario where I'm forced to use a MSFT product, another product exists which does a far better job, with far fewer bugs, far better performance, and far better UX/UI. Its as if MSFT hates users.
There is possibility that you configured your T-mobile account to block certain or even all SMS. It happened to me before. Especially if you are in a family account and someone else is the primary account holder, and they mistakenly configured your line.
which is the first thing I checked. which is why I also specifically stated it does this with spam filters and text blocking off. it's in two places: there's an option in you call plan (which is not in mine) and there's a toggle in the portal. You have to have both the service plan option, and the toggle on. I have neither.
The thing is, this was an issue with both sprint and tmobile (before the merger). if you google for it, you'll see people on att and verizon are having this issue as well.
I think the op was correct - they're purposely making it hostile for users of the free tier. which is hilarious, because they do show you ads on the webmail client. you'd figure they'd want people using their email..
which i do. for spam, with the bonus that I don't have to deactivate the account - they kill it for me after i can't validate in a month. it's finally a feature.
when I lived in france i had a second french phone#. amazon worked great. then I was in kiev for a year, and it worked alright with their local number too.
but amazon i never had an issue with, maybe because i've had an account with them from the days when they only sold books. but i actually completely stopped using amazon years ago - the fake crap and fake reviews make the experience not worth my time.
Considering their mfa is depended on by millions of people daily and is a critical part of many people's infrastructure, it would be near impossible for Microsoft to have any outages for more than a few minutes that aren't reported around the world.
I actually agree with design choice #3: the authentication app should be tied to the phone and not the cloud account. Having to re-register your MFA app when you switch phones is exactly how I would design it too.
There's a chicken-and-egg problem here when people don't have access to both the old and new phone at the same time (or, as you say, they do a factory wipe), but to me that only suggests they need a different recovery process, not leak the customer's MFA secrets to the cloud.
Maybe it's a poor example then, I wasn't aware of that.
Mobile BankID (Scandinavian Identity Service), my British Banking app and Okta verify definitely can't transfer to a new phone. I know because I checked recently.
My overall point is: they're not alone, this is a common issue for Apps.
My (Swedish) BankID definitely doesn't run from the sim card. :S I've had 4 phones in Sweden and I had to enroll it as a new device each time in Nordea.
This must be very recent - I changed my phone around June and this was not an option. So I moved all my accounts to Authy, and moved that instead, which brought everything to the new phone flawlessly.
The consumer "workaround" mentioned uses some sort of iCloud "Secure Enclave" Backup file of some sort and will restore data on a new phone if you use the "Recovery" option, which does transfer regular boring TOTP and the primary "consumer" MSA account and the recovery locks/bricks the same data on the previous phone in the process.
The additional issue mentioned is that while it works great for the MSA account and any boring TOTP you have setup it doesn't work at all for other Azure AD accounts of seemingly any stripe (Corporate Microsoft 365 accounts, B2B, B2C), which is surprising given it is Microsoft's Authenticator and they highly recommend using it, but it fails for Corporate MFA transfers. It just gives an error icon and not very useful error message.
Everything about Microsoft cloud and its ecosystem is broken. I recently signed up for onedrive (microsoft business basic, actually), and I didn't even know which domain to navigate to. They have a gazillion different URLs, and each of them is different from the other. Here's a (partial!) list:
Each one of those portals take you to SOME view of your account with a gazillion settings. Many of them are repeated, and changing it on one portal doesn't necessarily reflect in others. For example, I enabled 2FA somewhere (and it worked), but going to admin.microsoft.com showed 2FA disabled.
Even payments, which every other website seems to have figured out, is broken. There was a recent change in regulations in India for subscriptions on credit cards that allow the customer to control the period of subscription, enabling/disabling, etc. Microsoft of course, hasn't implemented the changes (despite the regulations being notified in August 2019), and because of that, transactions are being declined.
So can I go and make that payment online? Well, no. Your subscription shows up as "expired" because it couldn't charge your account, and the only option it gives is for you to "reactivate" the account. Great, so I'll just reactivate. But no, it doesn't allow you to pay when you reactivate - it's going to try and charge your credit card again, itself, as a subscription, sometime. And of course, that's going to fail again. Loop!
Addendum:
So somehow, with the help of Microsoft support, I manage to sign-up for another subscription with the same licenses for the same cost, and they disable the old one. Great. So this time, it tries to charge my card, fails, but then allows me to "settle" the "overdue" amount manually. I do that, and my account is "active" again!
Do they send me a mail saying they've received the amount? Nope. Does my Microsoft account billing page show that I've made any payment to Microsoft? Nope. The only indication that I've made a payment is that my account is active with an expiration date in the future.
I've run into the payment issues before, for some reason it said we were domiciled in the US (we're not) and then I wasn't able to add a new card to our account when the previous one expired. So somehow it doesn't alert me to the fact payments are failing, and just cuts off all access to our entire org. Then after several frantic support calls, the support rep somehow hacks together a configuration that doesn't immediately fail. Only to discover a year later that we're being pursued by a debt collection agency for the previous unpaid bills, which were not viewable on my account. It is truly amazing how held together with string the whole thing is.
Domains: Respectfully, you don't need to know all the permutations, just the ones that get you what you need. Office.com is an easy one to remember, from which you can get to everything else. Who cares about the redirects? If you're trying to default deny new outbound connections and build an allow-list for MS resources, you'll have your work cut out for you though. They have a downloadable cross-reference of subnet/service/apps somewhere that seems about 85-90% accurate at any given time.
MFA enable/disable: there are multiple places and methods to enforce MFA for users in a Microsoft tenant. So yeah, it can be disabled in one place, and enforced in another place. For example, conditional access policies may require it while the older deprecated interface for enforcing MFA may show it as disabled. For better or worse, this is common to many topics in Microsoft-land, a combination of there being three different ways to accomplish the same thing (which is probably most often a feature, honestly), and the relatively rapid pace of change (a double-edged sword) that deprecates terminology, branding, and tooling frequently. It does require you to actively work to stay informed about how the platform evolves over about a 18-24mo period.
Payment History/Billing: It honestly does benefit most business customers to work through a Microsoft partner rather than a direct relationship, oddly enough. A partner will often have far more flexible license commitment terms, more flexible payment methods, occasionally have better pricing, and always have better invoicing and reporting capabilities than are offered in direct relationships. Microsoft's cryptic payment history and invoice reporting is pretty offensive - it works great as long as you never have any questions.
All that said, direct relationships are for customers that just need the basic services without any special requirements; partner relationships are for businesses that have more mature requirements but don't want to be experts on the rabbit hole that is Microsoft-land. Many SMB Microsoft customers attempt to go it alone thinking it's easy (in no small part due to MS marketing) but the minute a business wants to get more than ankle-deep in any technical domain such as endpoint management, data loss prevention, compliance management, threat management, etc., they will quickly find themselves underwater - not because it's complex (it's all easy) but because it requires a lot of deep-quirk knowledge and ongoing maintenance and monitoring. This isn't necessarily particular to Microsoft, though I think a lot of marketing has gone into creating the impression that IT can be 'easy'. But just like a IDS/IPS, buying the tool is the easiest step - it's the care and feeding that really saps your labor force and makes most solutions fail. Policies need to stay relevant, state need to be monitored, deviation needs to be remediated, changes need to be incorporated. It (IT) takes constant work to do it right.
> Domains: Respectfully, you don't need to know all the permutations, just the ones that get you what you need.
That's a bit of a problem, because the sign-up mail they sent me, had a link to onmicrosoft.com, and the billing was on admin.microsoft.com. I had no idea that office.com was the place to go to, to have all the nice things in one place.
I wanted to create a form. So I google for "microsoft forms." First link takes me to forms.office.com, that redirects to a microsoft.com forms landing page that has a sign-in. Great. Click on the sign-in. Get redirected to login.live.com. Try to sign in with my microsoft business basic account.
"That Microsoft account doesn't exist. Enter a different account or get a new one."
Hmm... but I can see a forms license enabled on admin.microsoft.com... Turns out that live.com is only for personal accounts, not business accounts. The microsoft forms landing page says NOTHING about where business accounts should login to access forms.
Ok, so now I want outlook. So, outlook.com? Takes me to outlook.live.com - again same problem. So turns out you've to go to outlook.office365.com to get to the business sign-in. After sign-in, it redirects to outlook.office.com.
outlook.office.com redirects to login.microsoftonline.com (that allows business login), but forms.office.com takes you to login.live.com that doesn't allow business login.
Yeah, I get it, just saying stop worrying and learn to love the bomb - use office.com. If you want to get to outlook use outlook.office.com. If you want to use Forms (and have a license for it) use forms.office.com.
Like I said in my comment, forms.office.com doesn't work. Going to forms.office.com redirects you to login.live.com where you cannot login with a business account. But outlook.office.com works. That inconsistency is the problem.
The payment issue the original comment was talking about, is super basic. I've faced the same issue for months it's not even funny.
Nobody is doing anything complicated. We're just trying to manually pay an overdue bill. Super straightforward in AWS, GCP and DO. In Azure, you don't even know where the "Pay now" button is given that automatic charges are declined due to a new law.
I'm tired of the "It's not just Microsoft, other companies are equally worse" argument.
I'm a single person running a web app on Azure App Service. I don't need an MS Partner. The direct relationship sucks. MS sucks. Stop defending them.
There's a difference between defending them and explaining how to work with the ecosystem better given their limitations. Using a partner (or becoming one) would probably make your life easier given the problems you've described.
Also, you may want to consider switching to 'pay by invoice' rather than setting it up to pay by credit card, which is going to auto-bill by default to my knowledge. It sounds like you're trying to use an autobill payment method from a country that doesn't allow auto-billing. I predict problems. It's entirely fair to be upset that Microsoft's validation does not anticipate this, but there it is.
Lol, here we go again. You make too many assumptions. There are no limitations here. The very process that Microsoft wants us to do is broken. Do you understand the difference? It is like me selling you a coffee machine and asking you to do steps A, B and C and when you get to step C there is no button to press. That is not a "limitation"
Sorry but using a partner or becoming one for running a single fucking web app is absurd. End of the month, I'm moving everything over to DO - solved!
I submitted a request for pay by invoice last year to which I was told I can pay by Credit card. I told them I WANTED to switch again and a representative told they'll get back to me. Nothing ever happened again. I left it at that.
This time however, I got an email from MS stating due to a law that declines automatic payments I'd have to pay the bill by clicking the Pay Bill button on the billing console, which is simply not there. Trying to go through the documentation for it is bizarre since it never tells you where exactly the "Pay bill" button is.
I'm not even mad today cos Azure throws a random error when I go to the billing page. Fuck this.
Partners by structural design can be more flexible with billing and payment than MS direct. That’s just a fact. You can use that fact how you want, only trying to be helpful.
Becoming a partner gives you free Azure credit each month, as well as internal use licenses. That’s something many developers can benefit from relative to the minor annual cost. That you would also be able to set up a distributor relationship to get more flexible payment terms directly instead of through a different partner may be more palatable to your go-it-alone approach. I don’t care what you do one way or the other, again, just giving you more information.
DO is a great hosting option, often cheaper, though with trade offs that may or may not make sense. Anytime you’re on the phone with support, whether MS or DO, you’re already in a bad position. Been there. At some point, because of dependencies, you need to learn the constraints of the platform (whichever one) and work within them.
> Domains: Respectfully, you don't need to know all the permutations, just the ones that get you what you need
Sure but all of them should fit under a single microsoft.com. As it is, I won't be able to tell if some third party has maliciously created office366.com or if it's actually owned by Microsoft. What's the difference between office.com and office365.com? It doesn't matter: both aren't microsoft.com and therefore both are malicious. And microsoftonline.com? That also looks very suspicious. Wanna redirect from one site to another? Oh man all that you're really wanting to do is to train users to allow cross-site forgeries.
So, respectfully, you have no idea how to make a secure product.
As stated, "If you're trying to default deny new outbound connections and build an allow-list for MS resources, you'll have your work cut out for you".
If you're trying to secure your consumption of their product by explicitly allowing communication with only pre-authorized domains, they are still finite in number. The quantity is more than 1, but less than infinity. You can build such a list if you want to, which would exclude office366.ru. I'm not sure I understand the problem - that you must authorize thirty domains instead of one? Or are we arguing a principle here that one domain should be all that the entire Microsoft product catalogue ever uses?
I confess, I may fail to see how one domain vs two vs twenty-two known domains is going to matter, but I am curious to learn more. What are you attempting to do on that domain front?
> I confess, I may fail to see how one domain vs two vs twenty-two known domains is going to matter, but I am curious to learn more. What are you attempting to do on that domain front?
1. Use pihole
2. Use Firefox.
3. Install umatrix. Open its ruleset and add a rule:
* * * block
4. Install noscript
5. Then start adding domains as needed -- first on umatrix, then on the pihole, then on noscript
Nearly all sites will be readable with only their domain enabled (and all else including cookies, CSS, images, scripts, etc) blocked. Most sites work great with only CSS and images unblocked. This is literally the way that the internet is supposed to work. But a few bad actors, such as Microsoft, have made necessary the complications of cookieblocks, scriptblocks, adblocks, dnsblocks, and etc.
You can't log in without cookies. So those are the first things to enable on sites that you need to log in. Some sites work great with just cookies, CSS, and images.
Some sites use cross-site requests to do account lookups though. In those sites, you can't log in without XHR. So those are enabled next.
And in some few places, like Microsoft, you can't login without scripts and "other". Microsoft wants to fingerprint your device for "security". But that security is, at best, broken. I argue it's much more malicious.
Further, in most websites, you only need to enable these things for one or two domains to be able to log in. Google requires three or four depending on the login workflow. Stackoverflow requires two.
Microsoft? Hahaha, I gave up after six. Now I exclusively use Microshit's sites in its own dedicated virtual machine isolated from everything else with its own pihole and separate lookup rules because I can't trust that it won't add yet another domain that's "needed". I can't trust that a third party won't abuse a wide open system like that to sneak in some additional requirement while trying to figure out what works to get logged in.
What am I attempting to do on that domain front? I am attempting to demonstrate that a site doesn't talk willy-nilly to every fucking body else and provide fifty million avenues for:
* cross-site request forgeries
* cookie hijacks
* script injections
* encryption certificate expiration/hijack
* domain name expiration/hijack
* look-alike/typo names "office365.com" vs "0ffice365.com" vs "office-365.io" vs "office-365.azure.com" vs "ms-office-365.cloudfront.net" vs ...
* there's no way I can write an exhaustive list for you
Well, have fun with that. I guess I still don't understand why you're worried about office366-type domains if you're whitelisting allowable domains to begin with. Anyway, everyone's risk analysis is different, sounds like you're managing yours accordingly.
So this freaked me out! A week ago I went passwordless with my Microsoft account; which required setting up Microsoft Authenticator. While I was there, I re-evaluated my entire MFA setup:
* I had already setup Authy OTP codes, which I was actively using. So I left that alone.
* I had already setup an external email. So I left that alone.
* I setup Microsoft Authenticator for the first time.
* I added a pair of FIDO U2F YubiKeys.
* I generated and backed up an account recovery code.
* I REMOVED my cell phone number because SMS is not secure.
* I did NOT look at my aliases because I wasn't aware that was even a thing. It's not part of the Security Dashboard.
Here's what worked: I've been able to sign in with Microsoft Authenticator on my phone, the YubiKeys on supported browsers, and receive codes at my external email if neither of aforementioned devices are available. I have noticed that, even though the Authy OTP code is still listed on my Security Dashboard, I can't trigger a prompt for that code. This isn't a huge deal, since both Authy and Microsoft Authenticator are on my phone.
In reaction to your post, I went and checked out my aliases. My phone number was NOT in there. The only alias I have is my primary Microsoft email. I don't know if my phone number ever was in there. Perhaps it was, and when I deleted my number from the Security Dashboard it also deleted from the aliases? I don't know. I do know that there is no phone number listed under my Account Info or Security Dashboard.
Thanks for this post. It reminds me just how vested we are on certain accounts; accounts that can disappear in an instant. I hope you get your issues resolved!
You can always back up the secret ID on, for example, a piece of paper, if you don’t want to use a TOTP app with sync/backups (there are several, both proprietary and FLOSS)
if using normal TOTP apps, print the QR code and store it somehwere secure. It’s a risk, but it’s one part of the puzzle needed and it reduces a more likely risk of being locked out.
Microsoft Authenticator and Authy both backup to the cloud. I also have a non-Microsoft email linked to receive 2FA codes, as well as 2 hardware security keys, and an account recovery code. I think I'm covered.
> Will government IT systems have fewer glitches than FAANG digital identity systems?
Glitches? Most likely. However, with govt services one can talk to someone after a short predictible bureaucartic tango, unlike faceless cvasi nonexistent customer support that one needs to draw attention to their case on twitter or some other social media, and that if they are somewhat important and their case is being talked about a lot there. John Doe whose account got a random takedown for no reason can wait indefinitely...
What's the democratic process by which taxpayers consented to the exclusion of those same taxpayers from the cities and society funded by their taxes? There are many questions about the lack of science behind these policies of exclusion, even if we ignore the tragic history of previous ill-conceived attempts to segregate society based on identity, digital or otherwise. If we're going to partition society along "essential" lines, should the same be done to identify "essential" taxes?
A printed paper/card that is uniquely associated with a digital database is still a digital identity, and subject to a wide range of glitches, including proof of biometrics to access a portal where the card can be printed.
Do you know how much global business is conducted in restaurants? It's practically part of the workplace for sales professionals. Exclusion from restaurants means exclusion from work for some people. Zoom is not a replacement for business meetings that benefit from face-to-face negotiation.
Remember what history teaches about "people making lists" - it never stops with one list, or one group of list-makers. Today's list-maker can be tomorrow's list-member. There is a reason that most segregated societies have failed.
Basically, if a person chooses not to get the vaccine, they also choose to live under the same restrictions that were imposed on everyone half a year ago, before the vaccinations started rolling out.
Guess what, if you make choices that negatively affect the safety of others in society, society decides to impose negative consequences for you. Same as we have prisons, speeding tickets, fines for polluting, etc.
And as others have pointed out, none of those consequences depend on the digital identity, just on choice not to get vaccinated.
In Europe, this is not true, since recovered immunity is recognized for a pass.
Unlike half a year ago, we now know that Covid-recovered people are least likely to be infected or transmitted. We know that vaccinated people can be both infected (without symptoms even) and transmitting, depending on the time since their last injection.
If the goal is to prevent infection and transmission, we would be limiting public participation to those recovered or with a recent negative test. It's meaningless to speak about vax or unvax, what matters is immune or non-immune. Everyone vaccinated who has never had Covid can only gain immunity (note: not "protection" as defined by CDC) by being infected and recovering. The vaccine reduces the chance of severe illness from that infection.
The latest UK medical data for the week of 7th Oct reports possible reinfection on page 18 as less than one percent of 5.9 million, https://assets.publishing.service.gov.uk/government/uploads/.... That's the upper end of the estimate. The strictest, provable numbers for reinfection, based on genetic sequencing, are under 300 cases = 0.005%.
Intramuscular vaccines are explicitly stated by the CDC and manufacturers as not providing sterilizing immunity. They only provide protection via serum/blood antibodies, against serious illness. Recovery from Covid infection (of vax or unvax) provides nasal/mucosal immunity that can stop future infections in the upper respiratory tract. Future nasal vaccines may provide sterilizing immunity, but injections into the deltoid muscle do not.
Other data sources on reinfection would be appreciated.
I have had panic attacks due to office 365 becoming unlicensed on an RDP server in use. Friday I finally was able to turn off password expiration and get it to properly license. Every year it renews has been full of stress and issues since we buy through a partner program. Nothing like having the scariest issue at our company be a fucking license issue for a product we pay money for every year.
Microsoft VP Identity Division, Alex Simons, apologised on twitter and said they will release a fix overnight. I was actually able to log into my account today. But before you get too excited, what they've done is they've completely disabled the sign-in preferences menu and still have the bug - I cannot enable password-less login as it tries to send a notification to my phone, but that is no longer listed on my account. But the system clearly knows about it and wants to send a notification. Unfortunately, it cannot because it also requires it to be a sign-in option. It's a crazy loop of madness.
Question for folks who work at large technology companies:
In the peasant world, some of us use various combinations of software to go through our logs and monitor errors - 500 and others, as part of our day-to-day. There are products built around this like rollbar, sentry, logrocket etc. Typically we'd encounter these routinely and fix them, or reach out to the users independently if we're unsure of the specific use-case that's leading to the crash.
How does this kind of thing work at large corporations? I imagine there are hundreds of different web applications, and there's a separate devops team, possibly for each of them.
How do the developers in places like FAANG, Microsoft, etc. stay notified about these kinds of crashes? What is the average volume of 500/internal server errors at scale? Is it considered normal to have hundreds/thousands of these a day, thereby creating a needle in a haystack kind of problem?
I work at a big tech company (not MS, though). The short answer is it really all comes down to prioritization.
In my experience, we do have the same kinds of tools for surfacing those issues. Granted, they do tend to differ per function or even per org, although there are some standardized ones you can plug into to get e.g. issue aggregation, stack traces + metadata, etc. Granted... a lot of the time that requires a team to 1. actually plug into this infrastructure (otherwise it can either bubble up as an unknown exception or, worst case, get swallowed by a try/catch) and 2. actually pay attention to things once they do plug in.
The other problem is not just the high scale of traffic (or 5XXs or errors in general) but that high traffic is usually due to a myriad of products, features, etc. And there's just simply too much work for too few people. So, we prioritize based on severity of the inherent issue (e.g. privacy/security issues go to the top) or, if that's equivalent, number of affected users take priority. Which just means low-severity, low-impact bugs almost never get fixed. Especially if they have a workaround that can be surfaced e.g. when someone reports the issue to support.
Happy to elaborate further if that doesn't make sense. I also want to clarify that this explanation isn't meant to be some perfectly valid reason as to why this kind of work doesn't get prioritized. I agree a lot of times big companies fall short here, including where I work. This is just one of the many tradeoff that get made when there is more work than people.
Not even just that. Often we engineers know about the issues, but they are so rare the PMs aren't willing to let us work on them. PMs get bonuses for shipping features, not letting their engineers do KLO work and keep all the rare edge cases functioning.
My team once had a bug on a client app that caused the phone to vibrate randomly, and the PM still wanted us to spend a week to rewrite an Android demo to iOS so he could look better for a presentation to the CEO next week instead of fix it.
Sometimes the release team will put their foot down on a really bad error rate and force a team to fix it or not get into the next release. You pretty much need hundreds of crashes an hour for that, though.
One guy paranoid about people trying to login with his phone number and flipping a weird option would just get set to priority normal, backlog status in the issue tracker and never looked at.
We just launched a new product. It wasn’t really new, though. It’s a copy of a product that we used to buy but for some reason decided to build in house. It got rushed forward by a month (the announcement internally was “the new prod date is X is your team ready?”).
It’s been awful for users since the second it went live. I’ve personally had to spend dozens of hours on it so far and I’m sure some fresh hell will show up tomorrow.
But everyone is excited because it’s one more dot on the PowerPoint of stuff team X has achieved this quarter.
And tracking down errors? Logs? Ppfftttt…guess what got descoped as low priority when everyone had to scramble. So chasing down even seemingly simple bugs is a nightmare.
Remember Microsoft had an issue where a Windows upgrade deleted the contents of your Documents folder as part of the OneDrive migration. Users reported it but it was ignored.
Since then, they added a field on all feedback forms to fast track issues that result in data loss. However, they clearly didn't apply the same logic to login issues, perhaps fearing social engineering.
Honestly, at large companies things work similarly to what you're used to, just at a different scale. But that means that you're usually focusing on issues that are affecting thousands of users - something like what is described in the blog post probably doesn't happen very frequently, so it might not be noticed.
One thing that the author never mentioned is whether or not he used the "Enable Flagging" option that is in one of the screenshots - that would actually be one of the best options, especially if he could then provide the specific correlation IDs in support requests.
Speaking for my own experience, the sheer scale means that there are always errors in varying amounts and you are just dealing with the most important ones at any given time. Running with your needle in a haystack analogy: you will not go looking for a needle in a haystack, nor will that needle be relevant, if right next to it you have a whole bale of needles. And you often do.
Lots of alarms on metrics, with important ones connected to a pager. Issues prioritization comes down to someone forcing the team to fix an issue, whether that be customer support, another internal team, or a org wide mandate.
My team had pretty high thresholds for errors. We’d review dashboards weekly to see any trends or changes.
There is something about Microsoft specifically where they are just willing to leave absolutely broken systems in production and just refuse to acknowledge it or care in the slightest.
Each of the FAANG members seems to have their own signature failure mode and this is theirs, whereas it seems like apple google are more likely to make working software and then just block you out of it because they don't care. While I don't find Microsoft to be the most unlikable they do seem to be by a long margin the least competent.
In the middle of a pandemic with many people working from home, Microsoft flat refuses to acknowledge that all of their VPN products have throughputs limited to about 10-50 Mbps. This includes not just DirectAccess and AlwaysOn VPN, but also their Azure VPN stack as well. I've never seen any MS VPN protocol crack 100 Mbps, even when using 1 Gbps fibre connections on both ends. We have customers getting ~1.5 Mbps effective in typical scenarios.
There are thousands of forum posts about this, with many referencing support tickets, etc...
What surprises me more than the fact that these systems are buggy and can put you in impossible situations is that people continue to accept them. Because no matter how dire things get as soon as it works again it's all forgiven and forgotten until the next near (hopefully) disaster strikes.
They have been in this steady march to pull people in using tricks/dark patterns, then the services they for people into are almost always half-assed and break for no obvious reason, with catastrophic results.
People don't accept these broken ass systems unless they have to. Look at how iPhones, Macs and Chromebooks made inroads. MS is going to lose out on the next generation of computing, but instead of improving, they are doubling down on the BS.
That's incredibly biased. Apple's ecosystem is rife with dark patterns. Ever seen the screen that allows you to say ask me later with an update and then just prompts you to enter your passcode so it will update anyway? Facebook wants my driver's license even though I know the email and username to an account. If you have an issue with Google, good luck getting a response from a human. It goes on and on. Microsoft is easily not the only one with these issues.
Regarding macOS updates: there’s “Try in an Hour”/“Try Tonight” which does the thing you describe and “Remind Me Tomorrow” which only notifies you a day later. Wouldn’t describe that as a dark pattern.
There's a lot to dislike about some Apple software, but it mostly works, kind of.
In comparison MS are legendary for user-hostile experiences that fundamentally don't work and are time-wasting black holes of frustration and lost productivity.
You can even turn off automatic updates on Apple systems. Microsoft lets you pause them for 35 days, then requires you to update before you pause them again.
Because Microsoft is too big to fail. When implementing MFA for BigCorps, their internal infra teams often only know MS products and refuse to accept that there could be a better alternative (even when 100% compatible with their stack). It's the ultimate vendor lock-in.
No, it’s because it’s free with Exchange, and also because this can’t happen (even if you screw up and lose access to all of your global administrator accounts somehow, you can contact Microsoft and prove you own the domain name to get back in).
IIRC it's not free for a wider identity deployment, it has incremental pricing that makes it look free. It works out somewhat cheaper than a third party solution.
By the very nature of edge cases, most people don't experience them (in a given domain like "interacting with Microsoft products"). That said, this setup sounds broken af, maybe it's all so much worse than I realize...
What's the option? If I don't use a public cloud, my competitors will and they will outcompete me with a much smaller operation cost and a myriad of services (AI, etc) that are simple to use.
It's not only MFA, the whole authentication system is broken. And then small details like your skype password is now your microsoft password, so if you forget/change skype password on a separate linux machine or whatever ...
My kids learnt some new words when I had to setup microsoft accounts and family account or whatever it's called so I could buy minecraft bedrock edition for them to play with their friends (in addition to the java versions I already paid for).
Microsoft makes little children cry. In the endless stream of fuckups with their account management they managed to delete all of the Minecraft worlds my son had built. This was two years ago. He was 8 at the time. His passion for Minecraft has significantly waned after that.
Microsoft is the same shitty, incompetent, abusive, predatory company that I remember from the nineties and will likely never change.
Yes, but it got wrapped around an axle where he could neither log in nor in any way move his worlds to a different device. Their advice was to uninstall Minecraft and in the process lose all local data. No migration path was offered. And it all started when they started demanding that he logs in with a Microsoft account.
Microsoft authentication is the worst I’ve ever seen. I too have had to deal with this via Minecraft and it is so bad and confusing that I almost forbid my kid from playing Minecraft.
The confusion of having a Mojang account and Microsoft account is not the dumbest thing I’be encountered but it is one of the dumbest in my history.
The biggest stupidity was that I gave his real age, which made it impossible for him to connect to multiplayer servers until I selected an option but it was impossible to find.
The so-called security is way over-the-top and doesn’t increase security, it just makes it impossible to use. It’s the worst form of “security” I’ve ever seen in a supposedly high tech company
Similar here. The process made me want to donate to the Minetest team because every last one of our worlds is still available and lan parties are still fun. Same with Super TuxCart, so easy to get going.
The only reason I continue to run Windows as my desktop is for gaming, but it is reaching the point where I'm considering making Linux my primary and using a VM with GPU passthrough for any gaming I might want to do (and maybe passing through a hardware TPM as well - I understand Win11 doesn't require it for VMs, but to prevent anti-cheat from kicking in I'd want to impersonate real hardware as closely as possible).
I've been running GPU passthrough setups for years now. It's takes a bit longer when buying hardware and on first-time setup, but is working flawlessly since. I can't imagine going back to not having separate VMs for untrusted software (like mods) or snapshots. I'd highly recommend the switch.
As someone considering this setup, does this have any performance cost at all, even small ? Or is it totally identical, framerate and otherwise, to native ?
I've also been doing this and in 99% of cases the performance appears identical to me. You just need to have an extra keyboard/mouse available so that you can reduce latency.
There's one particular game lately, however, that I've been booting to Windows directly for. Assets seem to load extremely slowly even if I pass the entire hard drive directly to the VM. There might be a tweak for getting that to work but I don't really know what the source of the slowdown is.
It depends on how you set it up. If you don't isolate your CPU cores, you'll notice VM load on the host and the other way around. Other than that, the loss is negligible (unless you're going for benchmarks). I'd say in the sub-5% range, depending on the workload (GPU, for example, is usually not impacted at all). My old workstation with an i5-2500 could still play AAA games in good quality (with a somewhat modern GPU).
Surprisingly, the disk performance of HDDs and SATA SSDs is actually better in VMs for me. It seems that the caching and/or access strategy used by the Linux kernel helps a lot.
Of course there is always small cost; for one, you're running two OS at once, so not all resources are available. You'll also need to have a sound system (unless you have two sound cards or use scream, you might have latency) and if you pass-through USB via the VM subsystem instead of handing an USB controller to the VM, some high-speed devices might make problems (i.e. DJ controllers). But overall, I'd say the cost is negligible for nearly all use-cases.
> The only reason I continue to run Windows as my desktop is for gaming,
I decided to buy into the PlayStation ecosystem for gaming and I've been mostly happy with that. I understand it also gives me better anti-cheat than windows, until the PS4 is really cracked. (Rampant cheaters did eventually ruin my favorite PS3 game, but so far OK for PS4.)
Fortunately, in my case, I wasn't already invested in Windows gaming that I couldn't recoup (e.g., game licenses, in-game leveling and stuff accumulation, player teams). I realize that could be an painful move for some people.
I have ZERO regrets about making Linux my daily driver laptop, and keep all closed software off it (except for wifi firmware blobs). I'm also able to run the same Debian Stable for various home servers, etc.
Ugh playing CoD MW online on the PS4 was a constant stream of mandatory updates which the PS4 needed to install when I had an hour to spare, even though background updates were enabled, leaving just 30 minutes of play time. Frustrating times.
If that or Proton and co fail, there's also cloud gaming options. Depending on your internet the experience is pretty good, and even multiple services cost less in monthly fees than a comparable GPU at today's prices over 4-5 years.
Unless desktop linux makes huge strides that'll most likely be the case. The current LTSC is good until 2029, and it's rumored that the next LTSC won't be based on windows 11 but will be supported until 2031. Hopefully that's enough time for microsoft to get their shit together, or at least for linux desktop to make inroads.
Yeah they do. We just don't hear their complaints about not wanting to create a fucking Microsoft account because they just cave and make the account. Few people want a microsoft account, which is why they force you to get one.
Apple gets this right. You can have a local account on your machine separate from your iCloud account.
Microsoft products and the office suite are like Stockholm syndrome now. I never hear any good reasons for companies actually using them and it's always just breaking or in fear of being broken. It is so shocking to me how bad it is at this point or what value companies are actually getting at the end of the day when they're paying for something this broken and unusable.
That's really weird because I constantly hear about how great Excel (especially compared to gsheets) and OneNote are (on Windows anyway). Outlook has its lovers and haters though.
Google sheets is clearly terrible, but Excel's competition is older versions of Excel (and maybe Apache/Libre/OpenOffice.org(tm)). How many people are excited to upgrade to the latest Excel? Or do they dread to find how Microsoft has messed it up some more.
There is value in being in an Excel spreadsheet, sending a link to someone on Teams, everyone in the channel opens it and you're all collaboratively live-editing the same spreadsheet, some using desktop Excel and some using web Excel, and you add a comment to a cell and @coworker in it, and something inside Office Cloud emails them a notification.
Quietly, Microsoft have turned a world where EditPad was a hot new thing, to a world where a few people could open the same OneNote notebook if it was on a local fileshare, to a world where Office365 is all of your company sitting inside a collaborative cloud-based Microsoft Office environment where everything is connected to everything and you can embed any kind of Office program into Teams channels, access all of them over the web, notify coworkers through the Graph, sync files through OneDrive, search accross all your employer's data with AD based permissions, and do similar with other companies using Microsoft tools, and it's all pluggable with things from Adobe and Trello and whomever, and you hardly have to set anything up for it, no web servers, no database schemas, no daemons, etc.
And it's completely passed the Linux world by. Head-in-the-sand "nothing has changed in computing in decades I can edit text files any way I like" obliviousness that there's any other world out there.
Teams is horrible software, sluggish, buggy, RAM hungry, and yet it could be the greatest strategic success of Microsoft for the 2020-2030 decade. Much more impactful than Windows 11 or Windows Server 2022. It's more immediate than Outlook email, simpler than any VoIP phone system, easier to search than any network fileshare, simpler to setup than Exchange, and yeah you're doing the "no wifi less space than a Nomad, lame" response because "chat programs existed before", and you're wrong to do that, it's more easily remotely usable than any VPN client, pluggable, connectable, bot-scriptable - and right there in every company that uses Office365 unlike (Slack, Discord, Zoom, et al). It's what they tried for with Skype and Lync and LiveMesh and SharePoint 2007 all merged together and they've done it this time and that should make you pay attention. Any ordinary employee who can use Microsoft stuff can use it, it doesn't need an Org Mode tutorial or a `git init` or an email from IT telling you which server address to put in which settings dialog, or a signoff to buy from yet another SaaS vendor.
Outlook will let you make a new Teams meeting from the same place you make a new email. When you write the recipient's emails in the To field, LinkedIn profiles appear for the names you hover over. There were no Zoom plugins, no LinkedIn plugins to install. I don't like it, business people love it. Office quietly gained the ability to search text in pictures, and handwriting. And it is cheap with a lower case c, Office, all of it, desktop and web, and cloud file store, and integrated services, for the price you might pay for a Zoom or a Dropbox or a 3rd party single-purpose cloud service license.
It's not exciting, it's not going to convince anyone who hates Microsoft to switch, it's not great quality software, but Microsoft have not been resting on their laurels; they have been cementing their place in the heart of business IT, putting down roots, and building things people want. It used to be the case that if you wanted Microsoft Excel, other things were polished but nothing else was quite the same. Now it's more likely the case that if you buy from a competitor you get a pile of janky sluggish cloud awfulness just the same, but from another vendor and it's more expensive and less interoperable. Now to make a good all-purpose Excel competitor it needs Windows and Mac and iOS and Web versions and cloud file storage service and good integration and start from $0 for personal use.
"Microsoft doesn't know what they're doing" is not the right response.
Yeah, I can't stand the Teams client experience, in spite of them nailing the threading model--it's just horribly sluggish--but it nails the "it just works". And for large organizations where the majority of folks don't notice 500ms response times in the UI, it's everything they need. And at PAYGo rates, and at uptimes your IT department can only dream of achieving (yes, there's downtime, but at some point it's unavoidable).
"Productivity" is at Microsoft's core here, and for the large majority case, they're nailing it.
There is something about Microsoft specifically where they are just willing to leave absolutely broken systems in production and just refuse to acknowledge it or care in the slightest.
Each of the FAANG members seems to have their own signature failure mode and while I don't find Microsoft to be the most unlikable they do seem to be by a wide margin the least competent.
Please share. I'm in my 20s and vaguely remember hate for MS when I was a kid on PC gaming forums. Now though, Google and FB are the evil ones everyone talks about.
First they fucked over Netscape to the point where they went out of business by messing with Win32 APIs to the point of making it unusable. Then pimped and pushed Internet Explorer down everyone's throats. Then they tried to embrace and extended THE WHOLE INTERNET with their proprietary ActiveX components. We literally came within an inch of having the internet controlled by a single company.
GAFAM is the one usually used for Big Tech, replacing Netflix with Microsoft.
Netflix is not nearly as big as the rest of the group in terms of market cap, but the FAANG term was coined in 2013, in the Ballmer days, when Microsoft was far less cool. The stock hasn't seen considerable growth for over a decade and Microsoft was slowly bleeding away market share on every conceivable front. The company was far from dead, but it wasn't considered a tech leader anymore.
Microsoft's multi-factor authentication system is 100% broken. I'll just leave my anecdote that I mentioned on a previous occasion [0]: https://news.ycombinator.com/item?id=27447820
> I lost my Microsoft account years ago. I still get emails from Microsoft stating that there's suspicious activity on the account. I got two just yesterday.
> Despite that, despite still having access to the email the account is on, I cannot recover the Microsoft account. Despite Microsoft notifying me that the account is still, years later to this day, being abused, cannot use any form of recovery. I cannot access the account with help from support or even after visiting a brick-and-mortar store.
> It's one big reason that I've long since refused to purchase anything more from Microsoft and have ditched Windows.
Funny enough, after reading the article's tl;dr it sounds exactly like what might have happened to my account:
> TL, DR: If you have MFA enabled on your Microsoft account, this automatically adds your phone number as a sign-in alias, supplementing an attack surface to your account. Attempting to remedy this issue by limiting your phone number to only be used during MFA removes your phone number from the MFA backend instead while leaving it on your account. That prevents MFA from working altogether, but it does not disable it for the account. Thus, leaving your account completely inaccessible forever. Microsoft support will then blame their bug on you, the user, and refuse to acknowledge the issue clinging to an internal policy set up entirely incorrectly. If you think account recovery, MFA setup, password reset or account reinstatement forms will work, you would be wrong. All of these rely on the same system that has been allowed to enter an unsupported state and cannot recover independently.
My Microsoft account was hacked 2 years ago, and after spending 3 days with support trying to get my account back, I finally bit the bullet and switched to Linux. Being able to just make an account on my computer without being connected to the internet felt like I was transported to some fantasy realm. What's that, the software store lets me download things without an account? Feels like Cloud 9 to me.
Reaching the front page of HN / Reddit / etc is the only way to get support from Microsoft / Google / etc.
At some point during their growth, companies just flat out cut all ties between customers and people who actually work there. The only way for a customer to reach the people writing the code (and able to fix the error 500) is through external channels. Same for billing issues and similar problems too, there's people working in the billing department but customer service is utterly incapable of actually reaching them.
True. It's a sad state of affairs. I doubt many get lucky enough to get this far. I am hoping at least that this is one post nudging the status quo in a better direction even if only a little bit.
I have the cheapest Microsoft small business plan (forgotten what they renamed it to this time). I tried out a free trial of the next plan up. When that expired it didn't downgrade to the previous plan, and I found out while debugging why my email had turned into /dev/null.
No one ever got fired for buying Microsoft/IBM etc...
I always prefer Zoom but cringe when the other side insists on Microsoft Teams. I always seem to have a new problem with them or others on the call having problems with them. The never ending litany of new "edge" cases never ever seem to be resolved. It's the whack-a-mole software approach.
But companies continue to adopt Microsoft. We at saas pass have so many companies come to us for MFA after finding out different flaws in their MFA. But these flaws seem to be systemic with all their products.
I can't think of a single Microsoft product that is best of breed. Yet I also think Microsoft will continue to increase revenue regardless of how bad their products are architected.
Funny, I just posted on another thread a few days ago how kind of the same thing happened with an old Yahoo account I don't use much. I know the username and password, yet it's impossible to log in. For a while, every time I tried to log in, it tried to make me do something different for 2FA, which I don't want on that account. I refuse to supply a phone number or other email. I think I installed a Yahoo phone app at some point. Then one time, it basically started refusing to do anything, just gave me several options that don't work. I just tried again a few days ago, basically for laughs, and now it won't even let me enter a password at all. I guess that account is just forever inaccessible. Good thing there wasn't anything important on it.
Now I'm kind of afraid to do anything with my Microsoft account on the web. I've never used Microsoft anything on the web, and don't particularly care to, but it seems to be required to have an account to run a Windows computer, so I guess I have one, under my gmail address.
I'd recommend migrating all your important data and code out of that system ASAP. Make (at longest) monthly backups of your code/data, and keep them locally.
I know, this can be impracticable for those with huge infras/data collections. That is, until you assess the risk that with these types of systems, you can, and will, lose access to everything, on a moments notice. With absolutely no help from the vendor.
They really don't care. They rarely put a human in the loop to help solve your issue, as it costs them too much, for the value that provides them. Not you. That is, they don't care about small customer retention. Unless you are writing 1M USD/month or more, you likely don't even have a human you can reach to help you resolve issues.
Every {S,P,I}aaS account you have is a risk surface. If these accounts suddenly went away, what would be the impact upon you?
Microsoft's user UX is just plain terrible. I recently tried Xcloud gaming or whatever it's called now, and it literally took me ~30 minutes of jumping between the US and FR ( I'm physically in France but have English as my preferred language in my browser, and holy hell do they not anticipate such a thing) versions of Xcloud Gaminf, Xbox something, Gamepass etc. with random 404s from times to times on links. In the end I managed to get the trial version, and i put a card that was expiring soon. Well it did expire, and when i try to update it it gives me a popup with a (Backend unavailable) message. And it's been like this for days. I tried cancelling the subscription, but it just sent me to a non-existing page...
After digging a bit in Azure for the purpose of checking it out I left in despair and utterly confused how identity, policy and permission intertwine. Bonus points for enabling Azure DevOps on a Github account and finding out how that ties into your Azure account's identity management system.
A platform that's impossible to use with confidence. Like the US code allows for finding something you're doing wrong with every step you take, the Microsoft platform creates the opportunity more making serious mistakes.
MSFT insists on making itself irrelevant. Most people are sick of the jumping-through-hoops circus act that MSFT makes users do.
But many of them are absolutely too dumb to 'just walk away'.Tell them about all these shenanigans and they'll insist that "It's not a bug, it's a feature".
Organizations must place some people who can take the initiative, do some actions. Whole thing could be solved by a "normal" support employee who can understand that there is a logical issue, and act on it. People tend to follow the instructions 1:1, because it's never risky.
What happened is that MS support has a script they are not allowed to deviate from, and, in their infinite wisdom, it was never considered that their support scripts could be incomplete, that things like this could happen.
Back when I did IT, occasionally changing someone's name would work for everything but Office 365. Only, Office 365 would appear to have the correct name everywhere that we could see, and that MS support could see, but sign into Office on a fresh Windows install to activate it and the wrong name pops up every single time. Some system failed to update somewhere inside the underbelly of MS, which their support cannot acknowledge as a possibility - it must be one of our systems (though they never say what exactly, since then we could disprove their claims).
The only workaround we found was to change the affected users' accounts to something else, wait a couple days, then change it to the correct name, and it usually worked. Keyword: usually. Sometimes you had to repeat the process before whatever mystery system MS runs got fixed. All the while, their support would staunchly deny that this could ever be a problem with their systems. Not a "we'll look into it" form response, even, just a very toned-down version of "you're lying, it's all your fault, fuck off."
The best part is that they know that there's no way we could just stop using Office (or Windows, for that matter), so there's no incentive for them to fix these things. Instead, they can just have support give us the run around claiming their products are perfect.
This seems to happen with all of the big companies. Their customer-base is so unbelievably huge that even if you are a paying customer they just can't help you.
Sorry to hear about this shitty experience. I have a friend who works at MS so I sent them this article and hopefully they might be able to get it properly looked at. Thanks for all the debugging you did and sorry about what you went through.
Some examples that came up recently in "not corner case" scenarios:
1) For tenant-to-tenant guest access, each user must re-register MFA for each tenant they've been invited to. So if you already have the Authenticator app installed and configured, it doesn't matter. It'll prompt you to create a new entry each time. I have dozens already and clocking up.
2) When logging in to Azure, Microsoft has purposefully added "dark patterns" to hide options related to other, non-Microsoft-Authenticator technologies. They're available, but they're always tiny, tiny links squirrelled away so that you're inexorably lead towards using the Authenticator app. Someone at Redmond really wanted their KPIs met at Yubikey's expense.
3) If you get a new iPhone, unlike everything else on the phone, the Authenticator app will not transfer your MFA registrations. Apple IOS will securely transfer your accounts, passwords, etc... but Authenticator is special. You need to first configure a consumer account(!) to back up your enterprise MFA settings, and then restore them manually. At which point... none of them will work, and you get partial instructions that you can't follow. If you've wiped your old phone (e.g.: trade-in or repair), you are now locked out.
All of the above were designed, architected, and developed on purpose. None of these are oversights, bugs, or missing features.