How many developers does it take to create a login flow that works?
A Samsung login story
I needed to log in to my Samsung Account to keep it from being deleted for inactivity. Why not just let it be deleted if you're not using it, you ask? Because Samsung loves to shoehorn logging in into every product they create. I don’t plan on buying any future products from them, but I don’t want to be unable to use my wireless earphones one day because they’ve moved device pairing behind login in their Wearables app or something equally moronic.
This brings me to the first broader complaint, which I’ll direct at Samsung but really at all online accounts: don’t assume I’m a frequent user of your service! Don’t make me jump through 38 hoops to log in to your feature-free dashboard that only exists in order to try and trick me into agreeing to more and more invasive Terms of (Dis)Service.
So, 14 days ago, following the notification that my account will be deleted permanently if I don’t log in within the next 60 days, I try to log in, only to discover that Samsung at some point automatically enabled SMS-based 2FA using the number that was on my account at the time, a New Zealand number that I no longer have.
(If ever I’m setting up 2FA myself and SMS is the only option, I always use my UK number, which I’ve had for more than fifteen years and is my only stable number.)
Thankfully, there is a process for changing this number, and sensibly there is a 14-day cooldown period on this process to somewhat protect against hostile account takeovers. So I go through the form and submit my change request.
Two weeks later I get another email saying the phone number registered to my account has been successfully changed. Brilliant, and I still have 46 days to log in before my account is deleted. Thankfully no major life disaster befalls me around this time to distract me from the massively mundane procedure long enough for the account to be unceremoniously deleted anyway. So I log in again — again, tapping out my email in full because a 300 billion US dollar corporation can’t handle creating a proper login form that browsers can auto-fill — switch on my UK SIM on my phone (I’m in Georgia at the moment, having just crossed the border from Turkey, and I don’t keep my UK number switched on all the time), wait three minutes for the SMS to arrive, the web portal tells me that the code has expired before it even arrives, request another 2FA code (which thankfully arrives a bit quicker) and… I’m in!
But wait, now Samsung is trying to trick me into clicking an "accept all" button on an egregious list of permissions to mine all my data for any morsel of information they might be able to sell directly to the highest bidder. I accept the required Terms of Service, and reject the “optional” insults.
I go straight to the Security tab to configure an actually sane 2FA scheme (TOTP), and… it’s not there. I can click the tab, but it’s empty. I refresh, change tabs, try again — nothing. I log out, clear the browser cache, log back in (tapping out my email again), put in another 2FA SMS code (because I cleared the cache), and try the Security tab again. Hurrah, it works this time!
TOTP setup is done in the usual way using a QR code, but I need the plaintext of that because I’m on my laptop. Thankfully Samsung does show the TOTP secret beneath the QR code, but in order to back up the OTP I have to construct the URI myself, e.g.:
otpauth://totp/$EMAIL?secret=$SECRET&issuer=Samsung
Once I’ve done that and saved it into my vault, I scan the QR code with my phone to have it at hand in my mobile authenticator app too, input one of the codes to confirm, and Samsung cheerfully says everything is set up correctly! But it isn’t. I refresh the page, log out and log in. TOTP still shows as not set up on the account. I go through the entire flow again, guessing that there is perhaps a silent timeout on the setup that I went over, and sure enough, by going through the flow and replacing the OTP in my vault and phone a bit faster this time, I get the same cheerful confirmation, but this time thankfully it is actually set up.
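For anyone wondering what the portal is actually doing behind that QR code, here is an added example (my own illustration, not Samsung's code and not from the original post) that builds the otpauth URI from a base32 secret, computes RFC 6238 TOTP codes with the Python standard library, verifies a submitted code with a small clock-skew window, and reports a setup timeout as an explicit failure instead of claiming success. The secret below is the RFC 6238 reference test key (ASCII "12345678901234567890" in base32), the email address is a placeholder, and the setup deadline of 300 seconds is an assumption, since the post never learns what Samsung's real timeout is.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Constructed sample data: the RFC 6238 reference key (not a real account secret)
# and a placeholder account label.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_EMAIL = "user@example.com"


def build_otpauth_uri(secret_b32, label, issuer="Samsung"):
    """Build the otpauth:// URI the post constructs by hand for the vault.

    The label (the email) is percent-encoded in the path; secret and issuer go
    in the query string, matching otpauth://totp/$EMAIL?secret=...&issuer=...
    """
    query = urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{quote(label)}?{query}"


def _hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP code for the time step containing `at` (Unix seconds)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    if at is None:
        at = time.time()
    return _hotp(key, int(at) // period, digits)


def verify_totp(secret_b32, code, at=None, window=1, period=30, digits=6):
    """Accept the code for the current step or `window` steps either side.

    The window tolerates clock drift between phone and server; a wide window
    would erode the point of a 30-second code, so keep it small.
    """
    if at is None:
        at = time.time()
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, at + skew * period, period, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def confirm_setup(secret_b32, code, started_at, submitted_at, max_setup_seconds=300):
    """Server-side confirmation step for enrolling a new authenticator.

    Returns "enabled", "bad_code" or "expired". The important design point,
    given the silent failure in the post, is that a timed-out enrolment is
    reported as "expired" rather than answered with a success message while
    the account is left unchanged. max_setup_seconds is an assumed value.
    """
    if submitted_at - started_at > max_setup_seconds:
        return "expired"
    if verify_totp(secret_b32, code, at=submitted_at):
        return "enabled"
    return "bad_code"


if __name__ == "__main__":
    print(build_otpauth_uri(SAMPLE_SECRET_B32, SAMPLE_EMAIL))
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print("current code:", code, "->", confirm_setup(SAMPLE_SECRET_B32, code, now - 10, now))
```

Running the script prints the URI you would paste into a vault entry and confirms a freshly generated code. The reference key lets you check the implementation against the RFC 6238 test vectors (for example, at T=59 the 8-digit SHA-1 code is 94287082, so the 6-digit code is 287082).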
In summary:
- The login page doesn’t properly label the email input, so browsers can’t auto-fill it.
- Samsung may forcibly enable SMS-based 2FA on your account.
- Two-week delay on changing numbers (this is a good thing, but it was only necessary because of failure #2).
- The login page still doesn’t properly label the email input.
- The first 2FA SMS takes so long to arrive that it has already expired by the time it comes.
- The Security tab just loads a blank page the first time, forcing me to log out, clear the cache, and go through half the above steps again.
- Setting up TOTP 2FA fails silently the first time, probably due to some invisible timeout, but the page still tells me it has been set up just fine.
Samsung, you absolute clowns… Please. Do. Better.
Yours insincerely,
One of your several hundred million dissatisfied customers.