robchandhok
Lesley Carhart 
One of my favorite modern cybersecurity design things is when something on the server side authentication fails instead of your actual credentials / MFA, but the failure error message is identical so you spend an hour doing resets and second guessing yourself only to have everything work perfectly a little later on.
Tim Panton@hacks4pancakes There is a _fantasticly_ annoying feature in Apple Music - where if you need to sign in on a rebuilt machine that isn't synced to iCloud 3 or 4 different service all popup the same login dialog in turn. I initially assumed I'd mistyped the credentials - but no. Super confusing to anyone who encounters it.
MostlyBlindGamer@hacks4pancakes I could understand this as a way to not reveal exploitable bugs, but… it’s a headache.
Peter H Coffin 🐀@MostlyBlindGamer @hacks4pancakes One doesn't have to give the EXPLANATION to the user. "Internal Error" is fine. Just ensure that anything that ISN'T the user's fault doesn't look like it is, and gets logged with enough severity to make someone pay attention to it.
@hellsop @hacks4pancakes yes, exactly. I could kind of excuse it, but won’t.
xtrat@hacks4pancakes homogeneous encryption??
Patrick Coyle@hacks4pancakes You know that old definition of crazy (repeating the same actions and expecting a different outcome), why doesn't it apply to all things cyber? (SIGH)
Tindra@hacks4pancakes I had a fun one a couple weeks ago where the network was complaining I needed a new password (we only do new passwords annually, also MFA).
Which was a great theory, except… the network wasn’t letting me on the network (because expired credentials), so it couldn’t pass my attempt to update password to a system that would then let me on the network.
(I eventually got it to work by hotspotting, logging onto my cloud account via web browser, and resetting password there, then I entered that into the network authentication and it let me in. But still frustrating to see the failure mode of ZT-ish architecture be something I could only fix by circumventing things)
Mike (no not that one)@hacks4pancakes It's kind of a frustrating piece of conflicting guidance you seem to get in application design. You're told not told divulge internal errors to external parties, but then UX becomes much worse in cases like this.
Skyler 
@hacks4pancakes
Something like this happens to the NHSN (part of the CDC) at least a few times a month. Sometimes their backend is not working correctly and won't let you log in with the correct credentials and sets a lockout flag for 3 hours, which only gets set if you log in three times with the wrong credentials, even if it's your first login attempt.
Something like this happens to the NHSN (part of the CDC) at least a few times a month. Sometimes their backend is not working correctly and won't let you log in with the correct credentials and sets a lockout flag for 3 hours, which only gets set if you log in three times with the wrong credentials, even if it's your first login attempt.
Sam Grubb@hacks4pancakes up there with having a BEC and signin show ‘MFA Successful’. Everyone freaks out thinking the attacker compromised MFA only to see it was ‘previously satisfied by token’ when you dig in to the actual log.
Chris@hacks4pancakes Yes! Just did this recently when there was a Duo SSO outage. We assumed it was a proxy failure and I scrambled to set up SAML to Azure AD instead, only to get an outage notice 5 minutes after I finished.
Dewey Ritten 
@hacks4pancakes it's like technical gaslighting
Az@hacks4pancakes my man this explains so much
MattPounsettI can sorta understand how they got there:
- every auth failure looks the same so there are no information leaks
- back-end auth method only returns success or failure
Annoying as hell if you're on the outside and can't see what's going on. :(
More internal methods with boolean results need a third possible return code to cover internal errors: `true | false | null` comes to mind.
SpaceLifeFormInformative error messages are worth their weight in gold, as long the user can see them. It does no good to just log them if the user does not have access to the logs.
Thomas Broyer@hacks4pancakes
```
try {
return doAuthenticationHandwaving(args);
} catch (Exception e) {
return ErrorState("Every error looks like a user error");
}
```
```
try {
return doAuthenticationHandwaving(args);
} catch (Exception e) {
return ErrorState("Every error looks like a user error");
}
```
JohnOCFII@hacks4pancakes IT NEVER believes it could be their back-end SSO infrastructure. Listen, I was there when SSO was new. It CAN be the backend. So frustrating.
Teixisomehow everyone are skipping to teach & allow users to read & check auth logs