Microsoft IT Technology

Microsoft Account Goes Passwordless (thurrott.com) 148

Anyone with a Microsoft account can now remove their password from the account entirely to enable better security. From a report: "For the past couple of years we've been saying that the future is passwordless, and today I am excited to announce the next step in that vision," Microsoft corporate vice president Vasu Jakkal writes in the announcement post. "Beginning today, you can now completely remove the password from your Microsoft account." As for the "why" of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second. Before you can go passwordless, you'll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign in, depending on the location.
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Wednesday September 15, 2021 @10:54AM (#61798551) Homepage

    How many of those succeed ? That is the number that is important.

    • by AndyKron ( 937105 ) on Wednesday September 15, 2021 @11:34AM (#61798667)
      Pay no attention to numbers, the emotional impact that's important.
      • by michelcolman ( 1208008 ) on Wednesday September 15, 2021 @11:39AM (#61798685)

        So they went from 2FA to 1FA, great.

        And what happens if you lose your phone?

        Let me guess, they ask for a password? Or better yet, 2 secret questions?

        (Genuinely curious, not judging, my initial knee-jerk reaction might be wrong...)

        • by ceoyoyo ( 59147 ) on Wednesday September 15, 2021 @12:20PM (#61798753)

          Most people dislike multiple factors. It is kind of a pain in the ass for something that doesn't need to be super secure. One time passwords are a nice intermediate option between a classic password and a classic password plus an OTP.

          If you lose your phone you need to install the authenticator app on your new phone and enter the recovery codes, which you wrote down and put somewhere secure... right?

        • This is timely. The latest iOS upgrade wrecked my work phone, so I lost Authenticator, so I lost MFA, but Authenticator provides for alternative MFA. Phone which was busted and a personal email. But my personal email had MFA, through a text code, so I went to the AT&T store, swapped my SIM into a demo phone, with the manager's permission, got my email text, turned off MFA on my private email after I could log in, and now I get authorization codes to there. Now not all of my work tools allow for alternative cod
    • Sadly a lot. Like a lot a lot. You're on Slashdot, and you have a 4 digit UID. I suspect you're good enough at password management and have been in the industry long enough to be completely out of touch with just how stupid people are with their passwords.

      Password reuse, weak passwords, writing down passwords. It's all still there. It's 2020. We've been talking about this for 30 years, and yet the most common password based on the dumps from exploited servers last year *STILL IN 20FUCKING20* is 123456.

      I remind you Spaceballs made a joke about "idiots" doing that in 1987

      • And no it's not 2021. James Bond No Time To Die was set for release in 2020 and it's not out yet.

      • Years ago I had an ICQ account with a low number (5 digits). It got hijacked/stolen by someone in Russia. When you have account IDs that signify early adopters (Slashdot, Twitter, etc.), then those accounts will always be high-profile targets of theft.

        • by ebh ( 116526 )

          I'm still a little bummed that I was just a bit too late for a 5-digit UID.

      • The problem is that far too many things require accounts/passwords. I happily used Slashdot for over 15 years without having an account and occasionally posting AC. When they tightened things down making that harder, I acquiesced and made an account. If this account gets hacked, I could care less. There's no value to it. No need for a complex password. 90% of the accounts I have are in the same boat. There's no reason to add complexity to my life for securing things which would not impact me if hacke

        • All of my forums use the same password. Why would I need anything else? Anything with bank or account info gets something much harder to crack.

          • by teg ( 97890 )

            All of my forums use the same password. Why would I need anything else? Anything with bank or account info gets something much harder to crack.

            You could also do the sane thing and use a password manager - that way, you get unique, secure passwords everywhere. And encrypt that database with a really good passphrase...

            • Sure. Name one password manager that works

              On Android
              On Windows
              On Mac
              Independent, so I can use work computers
              Also on all of that again with my wife under the same account.

              KeePass comes close most of the time. But it struggles when you put the database file anywhere but a local drive. (i.e. GDrive, OneDrive, etc.)

      • by bjwest ( 14070 )

        Sadly a lot. Like a lot a lot. You're on Slashdot, and you have a 4 digit UID. I suspect you're good enough at password management and have been in the industry long enough to be completely out of touch with just how stupid people are with their passwords.

        Password reuse, weak passwords, writing down passwords. It's all still there. It's 2020. We've been talking about this for 30 years, and yet the most common password based on the dumps from exploited servers last year *STILL IN 20FUCKING20* is 123456.

        I remind you Spaceballs made a joke about "idiots" doing that in 1987

        I'm sorry, but password security has been an issue since the dawn of publicly available online services close to half a century ago. A good portion of the internet using public were born in the age of needing passwords for online services, and if you're still dumb enough to use 'password1234' or some other dumbass, easy to guess password, especially on an account linked to your finances, then you have no one to blame but yourself. Secure password managers, and I'm not talking about the cloud based ones, h

    • Depends on how easy to guess your password is, most likely.
  • Passwordless? (Score:5, Insightful)

    by Murdoch5 ( 1563847 ) on Wednesday September 15, 2021 @10:55AM (#61798553) Homepage
    "Microsoft Authenticator app" Why? Just use a standard TOTP app of your choice, pair it with a YubiKey, or another token-based authentication mechanism. Microsoft going "passwordless", but then forcing you to use their authenticator app doesn't instill trust or a meaningful attempt to make the move away from passwords.

    You're better off keeping the password, and then adding MFA steps, such as a TOTP token from an app, and a hardware token such as a YubiKey. If you have 3FA on an account, and the account is properly secured in a data center, then you have nothing to worry about, and you're far better off than going SFA with a "passwordless" token. It's also worth asking if Microsoft is going to force the use of encrypted / signed email communication, because if you send a token in plaintext, then you're mitigating any reasonable point to this entire shell game.
    • by TechyImmigrant ( 175943 ) on Wednesday September 15, 2021 @11:01AM (#61798579) Homepage Journal

      TOTP? Top Of The Pops? https://en.wikipedia.org/wiki/... [wikipedia.org]

    • Re:Passwordless? (Score:5, Informative)

      by peterww ( 6558522 ) on Wednesday September 15, 2021 @11:32AM (#61798663)

      Because it's push-based and integrates with enterprise security products. You can also require the device be locked down to prevent intrusions. The Authenticator app is basically TOTP but easier, as you don't have to enter the token manually into a screen and you can use biometrics to make it a one-push affair. It's very easy and still secure. I prefer it over TOTP or a physical YubiKey.

      • Re:Passwordless? (Score:4, Insightful)

        by smooth wombat ( 796938 ) on Wednesday September 15, 2021 @12:28PM (#61798775) Journal
        I prefer it over TOTP or a physical YubiKey.

        You know what I prefer? I give my password, you let me in. It's that simple.
        • by Jeremi ( 14640 )

          You know what I prefer? I give my password, you let me in. It's that simple.

          Ideally it is. In real life, however:

          - I give my password, you tell me it's wrong. Crap, I must have misremembered it somehow! Time for a password reset!
          - I give my password, you tell me it's wrong. Crap, I did a password reset yesterday and changed it to something else, and now I can't remember what I changed it to. Time for another password reset!
          - I give my password, it's the same password I used on another site which was subsequently compromised, now my account here is compromised also.
          - I give my

    • You can use for example Google Authenticator, but the advantage of the Microsoft App is you get a notification on your phone and you are presented with a list of three numbers to tap, the login screen on your computer will tell you which one of those you should tap to authenticate. That is a bit easier than opening the app to get a 6 digit number and typing it.

      • The last time I tried to set it up, I could only use the Microsoft app, and there was no provision to add a YubiKey. Regardless of that, it's still preferred to use MFA instead of SFA.
      • My bank does something similar already and I hate it because I then have to get my phone to login to a website.

        My main problem is that I can see having to install a different app for every website I need to login into. I'll then need to get my phone everytime I want to login to something. This is a major pita compared to the current setup where I don't even have to remember my passwords, never mind type them in. And what happens if I lose my phone? I have to reset a dozen app based logins. Will the reset be

    • "Microsoft Authenticator app" Why? Just use a standard TOTP App of your choice

      Okay. My choice is the Microsoft Authenticator app. It is, after all, a standard TOTP app that you can pair with a YubiKey.

    • You know, it's easier to just not get the Microsoft Account in the first place. Then put a lock on the door so that roving band hackers don't break in and deface your background image.

    • Re:Passwordless? (Score:4, Informative)

      by dargaud ( 518470 ) <[ten.duagradg] [ta] [2todhsals]> on Wednesday September 15, 2021 @03:27PM (#61799265) Homepage
      I'm not sure I understood even half of the words you've written, and I've been in IT for 40 years. How do you even imagine the average Joe will secure their account...?
    • by westlake ( 615356 ) on Wednesday September 15, 2021 @03:52PM (#61799363)
      "TOTP app paired with a YubiKey." In less than a single paragraph you've left 99.9% of your audience who want to ditch their passwords but are not hard-core geeks hopelessly lost about ten miles back.
    • Microsoft authenticator is treated differently from plain TOTP for their MFA service. It goes through a one-time registration process to collect device identifying bits, has some resistance to being backed up/restored to other devices, and so on. When used to approve/deny logins, they use the signal data from the device being logged into, the device with Authenticator, and past user behaviour for risk assessment. A failed assessment may prevent the "smooth" login process and demand more information before a
      • I'll check their process out again, but the last time it was horrible. If it's improved, and is as smooth as you claim, they might have a winner, although with most of the crap Microsoft releases, it's broken before it leaves the gate.
  • by Drethon ( 1445051 ) on Wednesday September 15, 2021 @10:55AM (#61798555)

    Not sure I trust Android/Apple to make my phone more secure than my password.

    • This.
    • I empathize. I'm not sure that I would trust a TOTP method alone, because I use strong unique passwords for everything that I give half a damn about. If I can use a password and TOTP, I do. But most users choose absolutely horrible passwords. For them, this is a huge win. It's also a huge win for Microsoft... If they can get the bulk of users to switch to it.

      • I'm not sure that I would trust a TOTP method alone

        You don't. It remains 2FA. You need to also sign in on your device using Hello (e.g. biometric or PIN). The authenticator app alone does nothing for you.

        • I'm not sure that I would trust a TOTP method alone

          You don't. It remains 2FA. You need to also sign in on your device using Hello (e.g. biometric or PIN). The authenticator app alone does nothing for you.

          That is an option... "Then, you can use Windows Hello, a security key, or a verification code that’s sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign-in, depending on the location."

          I wouldn't, but some people might, use this to push a verification code (or an I authorize pop up?) to their phone which might not even have a password on it. Maybe I'm misreading things, but it looks like there is the (unfortunate) optio

          • The app can require the phone to have various security measures enabled, i.e. lock screen password or fingerprint. But of course if you can use SMS or email, anything goes.

            We're using Azure instead of our infrastructure for a project for some stupid reason, and I have to use MFA to log in. But the app doesn't fucking work, no matter how many tickets I open, so I just have it send me an SMS with the passcode. Which pops up on the locked screen.

    • It's not so much that phone security is "better," but that requiring MFA is better than a password alone. It's harder to hack two devices simultaneously, than one, that is protected only with a password.

    • Exactly.

  • OT: Excited, eh? (Score:2, Insightful)

    by mi ( 197448 )

    and today I am excited to announce

    I wish, this cliché just died... Is he really — nipples hardened — excited? Probably, not...

    Can't the Public Relations "professionals" come up with some new expression to convey the same meaning — or were all the "Advanced English" and "Creative Writing" classes in vain?

    The only thing comparable in annoyance is the recruiters, who all want to "touch base"...

    • by GrumpySteen ( 1250194 ) on Wednesday September 15, 2021 @11:41AM (#61798687)

      You do realize that "excited" refers to mental states that don't involve sexual arousal, right?

      Like... a two year old can be excited to go to the playground and it doesn't mean the two year old wants to fuck a piece of playground equipment.

    • by EvilSS ( 557649 )
      I'm exited to announce that phrase isn't going anywhere anytime soon.
    • by ceoyoyo ( 59147 )

      "Can't the Public Relations "professionals" come up with some new expression to convey the same meaning"

      Don't tempt them. Everybody is currently "excited" about everything they post on the internet. I expect next they'll be "joyous" or something equally eye roll inspiring.

      • by gtall ( 79522 )

        There should be some sort of Internet Bingo game, over and above Buzzword Bingo, for listening or reading people who repeat catchy phrases. When Saddam was caught, "spider hole" was all the rage. During the Bush Admin (I forget which) Colin Powell uttered "blood and treasure". I can never forgive him for that seeing as every two-bit pol decided it was THE phrase to show they were clued into something. During the Gulf War II, it was "ordnance". Reporters would froth at the mouth to utter "ordnance" to show t

      • by Alumoi ( 1321661 )

        Orgasmic would be better.

    • I wish, this cliché just died... Is he really — nipples hardened — excited? Probably, not...

      How do you know? Some people fuck trees. Announcing boring things no one is interested in may be his kinky fetish.

      • Some people fuck trees. Announcing boring things

        Two semi-equivalent phrases. Unless you drill a pilot hole before boring right in.

    • "Today the Microsoft executive ejaculated the news"

    • and today I am excited to announce

      I wish, this cliché just died... Is he really — nipples hardened — excited? Probably, not...

      Well, it's a Microsoft press drone and this is about as close as he'll ever come to having an orgasm. So, maybe.

  • by queazocotal ( 915608 ) on Wednesday September 15, 2021 @10:58AM (#61798567)
    https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution Delete the authentication section of the login to not need a password.
    Oops.
  • by b0s0z0ku ( 752509 ) on Wednesday September 15, 2021 @10:58AM (#61798573)
    but I don't want to be even more dependent on a smartphone aka an electronic leash.
  • by b0s0z0ku ( 752509 ) on Wednesday September 15, 2021 @11:03AM (#61798581)

    It's just on your phone, not on your computer or browser. It's either your biometric data, which you can't change, and which can be used by cop filth to force you to unlock your phone, or it's the phone passcode itself. So anyone having access to your phone can access everything else.

    Thanks, Mr. Jackal, but I'll stick with a well-crafted, secure password.

    • The difference is, two separate devices now have to agree to authenticate you. Your long password is still distilled down to a fixed-length hash. Two-factor authentication is better than one-factor, regardless of your password security.

    • The other annoyance is that if you are in a location with bad cell service - and many buildings qualify depending on where the carrier's cell tower is at and your location in the building - you have to go outside to get the passcode and then hope you get back to your computer without being waylaid by someone so you can authenticate without it expiring. Sigh. Passwords aren't nearly as irritating.

  • This will now begin the next stage of the account-takeover arms race, where hackers will get better at other kinds of attacks like MITMing e-mails. Same thing happened when everyone went SMS 2FA and suddenly anyone with $10 for a VoIP provider could take over cell numbers.

  • Antiquated news (Score:4, Insightful)

    by WaffleMonster ( 969671 ) on Wednesday September 15, 2021 @11:43AM (#61798695)

    I already have no passwords on ANY of my Microsoft accounts.

  • by Bomarc ( 306716 ) on Wednesday September 15, 2021 @12:03PM (#61798735) Homepage
    MS: We are doing away with passwords; so we can send you a password.
    Me: Ya; right. I lost my phone.
    MS: You are f*ed. (This already happens with Google)

    I live in the US. Why can't I block access to my account from non-US locations (geo-blocking)? Why are IP addresses that attempt to log in to 20 different accounts in 30 seconds -- allowed to continue?

    I had a similar issue with eBay and my wife's phone. They (eBay, PP, MS and others) assume that your phone is tied to your account (I don't for several reasons). While away from home (taking my wife to a hospital) I had internet access (Wifi) using her phone. Attempted to place a bid on an item; and it/they wanted another level of verification. When I called to ask if there was something that I could do; the 'in person' verification got even stranger (such as: 20 years ago; what address did you live at?)

    Best example -- you left your phone at home (or was stolen) ... you need to log in. What you/they going to do? Send a text to a device that I don't have access to??
    • by lsllll ( 830002 )
      I use Linux except on my gaming/night-time machine, but this would still be a pain in the ass. My screensaver locks after 5 minutes. If I activate this, then rather than just quickly typing a password (12 characters and enter), I have to unlock my phone, fire up some app, take the number from there and hand enter it in the password box, hoping I transposed it right, before I'm presented with a desktop. Why don't they just say "we're gonna make things so cumbersome for you that you'll just decide not to h
      • Even better we have single sign-on at work! This means that I only have to open my phone and authenticate the logins 10 times each morning.

        • I wish we could see more adoption of U2F/FIDO. I have a nice little USB key that I only use on a few accounts. Wish I could use it to replace TOTP entirely.

        • by torkus ( 1133985 )

          I've got the same on my phone - with a daily auth to every MS app on there. So I faceID to unlock my phone then manually click 'send me to auth' then FaceID to authenticate then manually swap back to the app.

          Does anyone else see the stupidity of this 'security'? It doesn't even have any obscurity!!! /s

    • Why are IP addresses that attempt to log in to 20 different accounts in 30 seconds -- allowed to continue?

      Slow adoption of IPv6, carrier-grade NAT used all over satellite and cell networks.

  • more secure? By installing a Microsoft app on my devices? I think not! My life is more secure because, I don't use any Microsoft products! period!
    • I don't use any Microsoft products! period!

      So none of this applies to you. But thanks for virtue signaling your anti-M$ position. This story might be more pertinent for the millions and millions of corporate/enterprise users as opposed to neckbeards.

  • by smooth wombat ( 796938 ) on Wednesday September 15, 2021 @12:25PM (#61798769) Journal
    Before you can go passwordless, you'll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign-in, depending on the location.

    Let's make something more complicated and prone to failure while removing a known good, easy-to-use process. It's not like someone's phone can't be stolen, lost, damaged or simply stops working, not to mention the software itself not work. What a great way to get locked out of everything.
    • Before you can go passwordless, you'll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign-in, depending on the location.

      Let's make something more complicated and prone to failure while removing a known good, easy-to-use process. It's not like someone's phone can't be stolen, lost, damaged or simply stops working, not to mention the software itself not work. What a great way to get locked out of everything.

      Law enforcement will love you for having your phone be accessible with Hello and then your MS account accessible with an app on that phone ... I'll be sticking with a 5th and 14th Amendment protected password.

    • Before you can get the Microsoft Authenticator app, you only need to mail us one pint of your blood, obtained after two days of fasting.

  • by ianbnet ( 214952 ) on Wednesday September 15, 2021 @01:22PM (#61798923)

    I fundamentally believe in the passwordless future, BUT - and this is a big but - I get 2-3 notifications per day in my Microsoft Authenticator app asking me to authorize a login.

    It's not from me.

    And the authorization requires nothing but me to say "yes."

    This terrifies me. A slip of a thumb and they're in, without knowing my password.

    There are ways around this - for instance, some prompts (but not others? I have no idea why) require me to match a number on both devices. But some do not, and I don't know why, and I have no control over that. Honestly this feels about as secure as a bad password I repeat on multiple sites.

    • This is why my company doesn't enable the "tap yes" function in the authenticator app. Instead, it produces a six-digit code that you are required to provide as part of the login process. You can't accidentally just tap "yes" to an attack, with this method.

      Still, even with the tap function enabled, this is more secure than just a password.
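ianbnet's complaint and the reply above describe two kinds of push prompt: one that only asks for "yes", and one that makes the user match a number. As an added example, not code from Microsoft or the Authenticator app, the Python below models the server side of both modes with constructed data: the sign-in screen shows one number, the push prompt offers a short list of candidates (three, as described earlier in the thread), and the approval counts only if the tap matches the number on the screen that started the login, which a remote attacker who merely triggered the prompt never sees. A per-user cap on prompts addresses vux984's point below that knowing someone's email address is enough to flood their phone. Class and method names, the two-digit number range and the cap of five are assumptions of this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PendingLogin:
    login_id: str
    user: str
    expected: int      # shown on the sign-in screen only; never sent to the phone
    candidates: list   # shown in the push prompt; expected is one of them
    decided: bool = False
    approved: bool = False


class PushAuthenticator:
    """Server side of a push-approval second factor (constructed example).

    number_matching=False reproduces the "tap yes" prompt: approving any
    pending prompt completes the login, whoever started it.
    number_matching=True ties the approval to the session that started it:
    the phone must pick the number displayed on that session's screen.
    """

    def __init__(self, number_matching=True, candidates=3, max_prompts_per_user=5):
        self.number_matching = number_matching
        self.candidates = candidates
        self.max_prompts = max_prompts_per_user
        self.pending = {}       # login_id -> PendingLogin
        self.prompts_sent = {}  # user -> prompts issued (a real system resets this per window)

    def start_login(self, user):
        """Anyone who knows the username can call this, so it is the attacker's move.

        Returns None once the user has been sent too many prompts (push bombing)."""
        sent = self.prompts_sent.get(user, 0)
        if sent >= self.max_prompts:
            return None
        self.prompts_sent[user] = sent + 1
        nums = []
        while len(nums) < self.candidates:
            n = secrets.randbelow(90) + 10  # distinct two-digit numbers
            if n not in nums:
                nums.append(n)
        expected = nums[0]                  # first random draw; position carries no information
        shown = list(nums)
        secrets.SystemRandom().shuffle(shown)
        login = PendingLogin(secrets.token_hex(8), user, expected, shown)
        self.pending[login.login_id] = login
        return login

    def approve(self, login_id, tapped=None):
        """Called when the phone answers the prompt. A prompt is decided exactly once."""
        login = self.pending.get(login_id)
        if login is None or login.decided:
            return False
        login.decided = True
        if not self.number_matching:
            login.approved = True           # the slip of a thumb ianbnet describes
        else:
            login.approved = tapped == login.expected
        return login.approved


if __name__ == "__main__":
    srv = PushAuthenticator(number_matching=True)
    attempt = srv.start_login("alice")       # attacker triggers a prompt
    print("phone sees:", attempt.candidates, "screen shows:", attempt.expected)
    wrong = next(n for n in attempt.candidates if n != attempt.expected)
    print("blind tap approved:", srv.approve(attempt.login_id, tapped=wrong))
```

Number matching does not stop the prompt from arriving, which is why the cap on prompts is separate: matching turns an accidental approval from a certainty into a guess against a number the attacker cannot see, and the cap keeps the attacker from buying as many guesses as they like.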

    • by vux984 ( 928602 )

      2-3 notifications per day that aren't from you? Change your password. Of course that doesn't help if you've turned on passwordless. :p

      That DOES raise an interesting issue with passwordless. Now if they know your email address they can spam you with login alerts all day; interesting DDOS/harrassment scenario.

      Honestly this feels about as secure as a bad password I repeat on multiple sites.

      Everyone knows the strength of a chain is equal to its weakest link -- it doesn't matter how robust you make primary login.

      If your Microsoft or Google or Registrar or Bank or whatever account recovery em

  • We've already gotten the "critical security alert that all our systems will be compromised if we don't eliminate passwords before the end of the year".

    Microsoft said so. Presumably they did a "study" that found the authenticator oh-so-much-safer. This is the dumb shit that will drive users crazy and just pass around the security hot potato.

    Making someone MFA to unlock their computer every time they get up? That's a huge nuisance - even more so than 16 character, full complexity, 90-day expiring, etc. pas

  • "Anyone with a Microsoft account can now remove their password from the account entirely to enable better security."

    Is it April 1st again?

    Seriously, MS, please fuck off. You're removing one medium-level vulnerability and replacing it with something that has an attack surface 1000 times as large.

  • This is not "getting rid of the password". It is merely using a different type of password. The fuckwads that come up with this drivel should be shot in the head in order to stop them from breathlessly promulgating lies.

  • So to log into your Microsoft account a secure code will be sent to one of many Microsoft services, all of which are secured by ... wait for it, the Microsoft account you are trying to log into.

    Genius, what could possibly go wrong?

    All anyone needs now is social engineering attacks against the support line that will be dealing with all the requests.

    • Not quite, the code is sent to a Microsoft service (the MS phone app), but this is secured by the biometrics on your phone, i.e. a completely separate attack vector from your Microsoft account. On the other hand, if your phone is compromised then the presence of the app probably means your MS account is toast.

  • To use Microsoft products is one thing, but to believe they know anything about security is quite another. : P
  • I remove the Microsoft Account from my password!

  • I'm looking forward to his response on this idea. It'll certainly be more thought out than some MS press release.
