That, is only your problem if you make it your problem. Ideally, you wouldn't. But like I already said, it depends on if you're willing to sacrifice the security of all your users because, money I guess?
Eventually you have to choose doing what's right, and doing what's expedient. I can't draw your line for you. Thankfully for me I've always been able to always draw mine at protecting users from abuse.
Users care much more about convenience than security. If you made a phone that wiped itself after 3 incorrect pin attempts then you'd have a lot of very angry users wearing gloves. "It's for your own security!" wouldn't appease them.
It's more like if someone tried to delete/hack your account but you send a confirmation email to protect such a thing, and Microsoft clicked on the accept & delete account button in that email. So you deleted the user's account.
Do you know what users like less than inconvenient security? It's when "security" deletes all of their important data.
Again, still have to draw the line of what's acceptable somewhere. All I'm saying is you don't have to ruin your software because someone else is an idiot. Don't punish everyone because it makes the problem somebody else's to fix... That's what Microsoft is doing here, and it's obviously bad.
> It's more like if someone tried to delete/hack your account but you send a confirmation email to protect such a thing, and Microsoft clicked on the accept & delete account button in that email. So you deleted the user's account.
And then the user says "why did you delete my account?" and you say "well I chose not to support outlook but I didn't tell you that at the start" and the user says "that's stupid, everyone uses outlook" and leaves a bad review
It is not my job to tell Microsoft to correct their behavior and follow standards.
There are standards for a reason [1] and if you break them, no matter how good your intentions you are in the wrong because you've changed the expected behavior. Full stop.
The Internet works because everyone has agreed to follow standards. If Google woke up one day and decided that every IP address that ended in an odd number would receive a captcha every time they searched people would understandably get pissed off. Well ISPs have thousands of IP addresses so for the convenience of the user it's the ISPs that need to assign their users IP addresses ending in an even number so that they can search without captchas, right? No!
Same thing here. Just because Microsoft and Google benefit from economies of scale and have many users does not give them a pass to break standards whenever they see fit. There is a reason why we have RFCs and mailing lists to have these sorts of discussions.
I'm not arguing that it's good that MS is doing something insane, I'm arguing that you can't take the moral high ground and act as if they're not doing that insane thing.
There may be standards for the internet but people do not implement them correctly or consistently and the internet works because everyone adds workarounds for everyone else until things basically kinda work out.
> and Microsoft clicked on the accept & delete account button
If that happened, could one plausibly make a legal case that Microsoft is "hacking" the sites/users by stealing sensitive security info and making unauthorized actions?
But if we asked users "Choose one: the ideal convenience of being able to log in with just your username (but anyone who knows your username can login as you), or the inconvenience of having to enter username plus a secret password?" almost all users would choose the security over convenience, because they would understand the risk/reward. I think users care more about convenience than _theoretical_ security, and that we owe them education on how security impacts them directly.
Eventually you have to choose doing what's right, and doing what's expedient. I can't draw your line for you. Thankfully for me I've always been able to always draw mine at protecting users from abuse.