Microsoft Account Goes Passwordless (thurrott.com)
Anyone with a Microsoft account can now remove their password from the account entirely to enable better security. From a report: "For the past couple of years we've been saying that the future is passwordless, and today I am excited to announce the next step in that vision," Microsoft corporate vice president Vasu Jakkal writes in the announcement post. "Beginning today, you can now completely remove the password from your Microsoft account." As for the "why" of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second. Before you can go passwordless, you'll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign in, depending on the location.
"579 attacks every second." (Score:3, Insightful)
How many of those succeed ? That is the number that is important.
Re:"579 attacks every second." (Score:4, Insightful)
So they went from 2FA to 1FA, great.
And what happens if you lose your phone?
Let me guess, they ask for a password? Or better yet, 2 secret questions?
(Genuinely curious, not judging, my initial knee-jerk reaction might be wrong...)
Re:"579 attacks every second." (Score:5, Insightful)
Most people dislike multiple factors. It is kind of a pain in the ass for something that doesn't need to be super secure. One time passwords are a nice intermediate option between a classic password and a classic password plus an OTP.
If you lose your phone you need to install the authenticator app on your new phone and enter the recovery codes, which you wrote down and put somewhere secure... right?
Re: "579 attacks every second." (Score:2)
My personal favorite was 1. Enter user name and password 2. Enter code from MFA app to sms code 3. Now prove you're a human and solve a captcha. Just pure irritation.
Re: (Score:2)
for something that doesn't need to be super secure
Like voting?
Re: "579 attacks every second." (Score:2)
Get a new phone? I went for years with the Google Authenticator app. Getting a new phone took an extra hour at the store setting up with new and old phones side by side so I could log in, disable, and then reset all the 2FA stuff. All that typing sucks on a phone too.
Re: "579 attacks every second." (Score:2)
They use rectal probes as an emergency solution.
Re: (Score:3)
Sadly a lot. Like a lot a lot. You're on Slashdot, and you have a 4 digit UID. I suspect you're good enough at password management and have been in the industry long enough to be completely out of touch with just how stupid people are with their passwords.
Password reuse, weak passwords, writing down passwords. It's all still there. It's 2020. We've been talking about this for 30 years, and yet the most common password based on the dumps from exploited servers last year *STILL IN 20FUCKING20* is 123456.
I rem
Re: (Score:2)
And no it's not 2021. James Bond No Time To Die was set for release in 2020 and it's not out yet.
Re: (Score:3)
Years ago I had an ICQ account with a low number (5 digits). It got hijacked/stolen by someone in Russia. When you have account IDs that signify early adopters (Slashdot, Twitter, etc.), then those accounts will always be high profile targets of theft.
Re: (Score:2)
I'm still a little bummed that I was just a bit too late for a 5-digit UID.
Re: (Score:3)
The problem is that far too many things require accounts/passwords. I happily used Slashdot for over 15 years without having an account and occasionally posting AC. When they tightened things down making that harder, I acquiesced and made an account. If this account gets hacked, I could care less. There's no value to it. No need for a complex password. 90% of the accounts I have are in the same boat. There's no reason to add complexity to my life for securing things which would not impact me if hacke
Re: "579 attacks every second." (Score:2)
All of my forums use the same password. Why would I need anything else? Anything with bank or account info gets something much harder to crack.
Re: (Score:2)
All of my forums use the same password. Why would I need anything else? Anything with bank or account info gets something much harder to crack.
You could also do the sane thing and use a password manager - that way, you get unique, secure passwords everywhere. And encrypt that database with a really good passphrase...
Re: "579 attacks every second." (Score:2)
Sure. Name one password manager that works:
On Android
On Windows
On Mac
Independently, so I can use work computers
Also on all of that again with my wife under the same account.
KeePass comes close most of the time. But it struggles when you put the database file anywhere but a local drive (i.e. GDrive, OneDrive, etc.).
Re: (Score:2)
Sadly a lot. Like a lot a lot. You're on Slashdot, and you have a 4 digit UID. I suspect you're good enough at password management and have been in the industry long enough to be completely out of touch with just how stupid people are with their passwords.
Password reuse, weak passwords, writing down passwords. It's all still there. It's 2020. We've been talking about this for 30 years, and yet the most common password based on the dumps from exploited servers last year *STILL IN 20FUCKING20* is 123456.
I remind you Spaceballs made a joke about "idiots" doing that in 1987
I'm sorry, but password security has been an issue since the dawn of publicly available online services close to half a century ago. A good portion of the internet using public were born in the age of needing passwords for online services, and if you're still dumb enough to use 'password1234' or some other dumbass, easy to guess password, especially on an account linked to your finances, then you have no one to blame but yourself. Secure password managers, and I'm not talking about the cloud based ones, h
Passwordless? (Score:5, Insightful)
You're better off keeping the password, and then adding MFA steps, such as a TOTP token from an app, and a hardware token such as a YubiKey. If you have 3FA on an account, and the account is properly secured in the data center, then you have nothing to worry about, and you're far better off than going SFA with a "passwordless" token. It's also worth asking if Microsoft is going to force the use of encrypted / signed email communication, because if you send a token in plaintext, then you're mitigating any reasonable point to this entire shell game.
Re:Passwordless? (Score:4, Funny)
TOTP? Top Of The Pops? https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
both google and duckduckgo return that as the first result.
Strange . . . Google returned porn for me.
Google (Score:2)
Yup, G. personalises results... and when they only show the variety of material that you've been viewing on youpr0n, then start gettin' worried.
Re: (Score:2)
But my brain returned Top of the Pops because it's the longest running music show, ran for the entirety of my childhood and way predates the new fangled time based passwords. Kids these days...
TBOTP doesn't work so well. They (the people overloading the TOTP name) should have thought that one through.
Re:Passwordless? (Score:5, Informative)
Because it's push-based and integrates with enterprise security products. You can also require the device be locked down to prevent intrusions. The Authenticator app is basically TOTP but easier as you don't have to enter the token manually into a screen and you can use biometrics to make it a one-push affair. It's very easy and still secure. I prefer it over TOTP or a physical yubi key.
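Since this comment and several others measure the push flow against "basically TOTP", here is the TOTP mechanism itself as an added example (not Microsoft's, Google's or any authenticator app's code): RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation, RFC 6238 time steps of 30 seconds, the base32 secret format that apps read from a QR code, and a server-side verifier that allows one step of clock drift and refuses to accept the same step twice. The RFC's own test key is used for the printed values; the step width, digit count and replay policy are the usual defaults, stated here as assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step (assumption: the common setting)
DIGITS = 6          # what most authenticator apps display


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)


def new_secret_base32() -> str:
    """Provisioning helper (constructed here, not a vendor API): a 160-bit random
    secret, base32-encoded the way an otpauth:// URI carries it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret embedded in a QR code; apps often strip padding and spaces."""
    cleaned = secret.strip().upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: accept codes for the current step +/- `window` steps,
    and never accept a step at or below the last consumed one (a captured code is single-use)."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_counter = None  # highest time step already consumed

    def verify(self, code: str, at: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = at // STEP_SECONDS
        accepted = None
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # constant-time compare; every candidate is evaluated so timing does not reveal which step matched
            if hmac.compare_digest(hotp(self.key, counter), code):
                if self.last_counter is None or counter > self.last_counter:
                    accepted = counter
        if accepted is None:
            return False
        self.last_counter = accepted
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector: ASCII key "12345678901234567890", T=59 -> 94287082 (8 digits)
    rfc_key = b"12345678901234567890"
    print(totp(rfc_key, 59))          # 287082 (the 6-digit truncation of 94287082)
    v = TotpVerifier(rfc_key)
    print(v.verify("287082", 59))     # True
    print(v.verify("287082", 59))     # False: replay of an already-consumed step
```

The replay rule is the part worth copying: without `last_counter`, a code captured by a real-time phishing page (the scenario raised further down the thread) stays valid for the rest of the window.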
Re:Passwordless? (Score:4, Insightful)
You know what I prefer? I give my password, you let me in. It's that simple.
Re: (Score:2)
You know what I prefer? I give my password, you let me in. It's that simple.
Ideally it is. In real life, however:
- I give my password, you tell me it's wrong. Crap, I must have misremembered it somehow! Time for a password reset!
- I give my password, you tell me it's wrong. Crap, I did a password reset yesterday and changed it to something else, and now I can't remember what I changed it to. Time for another password reset!
- I give my password, it's the same password I used on another site which was subsequently compromised, now my account here is compromised also.
- I give my
Re: (Score:2)
Elastane. If you're going to be an ass at least get it right.
Re: (Score:2)
You can use for example Google Authenticator, but the advantage of the Microsoft App is you get a notification on your phone and you are presented with a list of three numbers to tap, the login screen on your computer will tell you which one of those you should tap to authenticate. That is a bit easier than opening the app to get a 6 digit number and typing it.
Re: Passwordless? (Score:2)
My bank does something similar already and I hate it because I then have to get my phone to log in to a website.
My main problem is that I can see having to install a different app for every website I need to log in to. I'll then need to get my phone every time I want to log in to something. This is a major pita compared to the current setup where I don't even have to remember my passwords, never mind type them in. And what happens if I lose my phone? I have to reset a dozen app based logins. Will the reset be
Re: (Score:2)
"Microsoft Authenticator app" Why? Just use a standard TOTP App of your choice
Okay. My choice is the Microsoft Authenticator app. It is after all a standard TOTP app that you can pair with a YubiKey.
Re: (Score:2)
You know, it's easier to just not get the Microsoft Account in the first place. Then put a lock on the door so that roving bands of hackers don't break in and deface your background image.
Next Time In English, Please. (Score:4, Insightful)
So phone security is better? (Score:5, Insightful)
Not sure I trust Android/Apple to make my phone more secure than my password.
Re: (Score:2)
I empathize. I'm not sure that I would trust a TOTP method alone, because I use strong unique passwords for everything that I give half a damn about. If I can use a password and TOTP, I do. But most users choose absolutely horrible passwords. For them, this is a huge win. It's also a huge win for Microsoft... If they can get the bulk of users to switch to it.
Re: (Score:2)
I'm not sure that I would trust a TOTP method alone
You don't. It remains 2FA. You need to also sign in on your device using Hello (e.g. biometric or PIN). The authenticator app alone does nothing for you.
Re: (Score:2)
I'm not sure that I would trust a TOTP method alone
You don't. It remains 2FA. You need to also sign in on your device using Hello (e.g. biometric or PIN). The authenticator app alone does nothing for you.
That is an option... "Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign in, depending on the location."
I wouldn't, but some people might, use this to push a verification code (or an I authorize pop up?) to their phone which might not even have a password on it. Maybe I'm misreading things, but it looks like there is the (unfortunate) optio
Re: (Score:2)
The app can require the phone to have various security measures enabled, i.e. lock screen password or fingerprint. But of course if you can use SMS or email, anything goes.
We're using Azure instead of our infrastructure for a project for some stupid reason, and I have to use MFA to log in. But the app doesn't fucking work, no matter how many tickets I open, so I just have it send me an SMS with the passcode. Which pops up on the locked screen.
Re: (Score:2)
It's not so much that phone security is "better," but that requiring MFA is better than a password alone. It's harder to hack two devices simultaneously, than one, that is protected only with a password.
Re: (Score:2)
Exactly.
OT: Excited, eh? (Score:2, Insightful)
I wish, this cliché just died... Is he really — nipples hardened — excited? Probably, not...
Can't the Public Relations "professionals" come up with some new expression to convey the same meaning — or were all the "Advanced English" and "Creative Writing" classes in vain?
The only thing comparable in annoyance is the recruiters, who all want to "touch base"...
Re:OT: Excited, eh? (Score:5, Funny)
You do realize that "excited" refers to mental states that don't involve sexual arousal, right?
Like... a two year old can be excited to go to the playground and it doesn't mean the two year old wants to fuck a piece of playground equipment.
Re: (Score:2)
How would you know? Do you ask them?
Re: (Score:2)
"Can't the Public Relations "professionals" come up with some new expression to convey the same meaning"
Don't tempt them. Everybody is currently "excited" about everything they post on the internet. I expect next they'll be "joyous" or something equally eye roll inspiring.
Re: (Score:2)
There should be some sort of Internet Bingo game, over and above Buzzword Bingo, for listening or reading people who repeat catchy phrases. When Saddam was caught, "spider hole" was all the rage. During the Bush Admin (I forget which) Colin Powell uttered "blood and treasure". I can never forgive him for that seeing as every two-bit pol decided it was THE phrase to show they were clued into something. During the Gulf War II, it was "ordnance". Reporters would froth at the mouth to utter "ordnance" to show t
Re: (Score:2)
Orgasmic would be better.
Re: (Score:2)
I wish, this cliché just died... Is he really — nipples hardened — excited? Probably, not...
How do you know? Some people fuck trees. Announcing boring things no one is interested in may be his kinky fetish.
Re: (Score:2)
Some people fuck trees. Announcing boring things
Two semi-equivalent phrases. Unless you drill a pilot hole before boring right in.
Perhaps you prefer (Score:2)
"Today the Microsoft executive ejaculated the news"
Re: (Score:2)
and today I am excited to announce
I wish, this cliché just died... Is he really — nipples hardened — excited? Probably, not...
Well, it's a Microsoft press drone and this is about as close as he'll ever come to having an orgasm. So, maybe.
Passwordless particularly amusing today. (Score:3)
Oops.
Sorry, Mr. JACKAL... (Score:5, Insightful)
Also, there is still a password... (Score:5, Insightful)
It's just on your phone, not on your computer or browser. It's either your biometric data, which you can't change, and which can be used by cop filth to force you to unlock your phone, or it's the phone passcode itself. So anyone having access to your phone can access everything else.
Thanks, Mr. Jackal, but I'll stick with a well-crafted, secure password.
Re: (Score:2)
The difference is, two separate devices now have to agree to authenticate you. Your long password is still distilled down to a fixed-length hash. Two-factor authentication is better than one-factor, regardless of your password security.
Re: (Score:2)
The other annoyance is that if you are in a location with bad cell service - and many buildings qualify depending on where the carrier's cell tower is at and your location in the building - you have to go outside to get the passcode and then hope you get back to your computer without being waylaid by someone so you can authenticate without it expiring. Sigh. Passwords aren't nearly as irritating.
Re: (Score:2)
If you have a problem with the enforcement of those laws, you really have a problem with the legislature that passed the laws, not the police who are sworn to uphold them.
Re: (Score:3)
If you have a problem with the enforcement of those laws, you really have a problem with the legislature that passed the laws, not the police who are sworn to uphold them.
If things were that simple, then police would enforce littering and vandalism with the same vigor and tenacity as vice crimes and murder.
Re: Also, there is still a password... (Score:4, Informative)
Lol. You antifa fucks would not last a day without the police protecting you from the animals.
Sure we would! That's the job of Animal Control, not the police.
Re: (Score:2)
I'm picturing the police trying to take down a rampaging bear now...thanks.
Re: (Score:3)
Note that this is NOT the real "rsilvergun", this is a troll with some extra letters masquerading as him.
Arms Race expands (Score:2)
This will now begin the next stage of the account-takeover arms race, where hackers will get better at other kinds of attacks like MITMing e-mails. Same thing happened when everyone went SMS 2FA and suddenly anyone with $10 for a VoIP provider could take over cell numbers.
Antiquated news (Score:4, Insightful)
I already have no passwords on ANY of my Microsoft accounts.
Doing away with PW - to send you a PW (Score:5, Insightful)
Me: Ya; right. I lost my phone.
MS: You are f*ed. (This already happens with Google)
I live in the US. Why can't I block access to my account from non-US locations (geo-blocking)? Why are IP addresses that attempt to log in to 20 different accounts in 30 seconds -- allowed to continue?
I had a similar issue with eBay and my wife's phone. They (eBay, PP, MS and others) assume that your phone is tied to your account (I don't for several reasons). While away from home (taking my wife to a hospital) I had internet access (Wifi) using her phone. Attempted to place a bid on an item; and it/they wanted another level of verification. When I called to ask if there was something that I could do; the 'in person' verification got even stranger (such as: 20 years ago; what address did you live at?)
Best example -- you left your phone at home (or was stolen)
Re: (Score:2)
Even better we have single sign-on at work! This means that I only have to open my phone and authenticate the logins 10 times each morning.
Re: (Score:2)
I wish we could see more adoption of U2F/FIDO. I have a nice little USB key that I only use on a few accounts. Wish I could use it to replace TOTP entirely.
Re: (Score:2)
I've got the same on my phone - with a daily auth to every MS app on there. So I FaceID to unlock my phone, then manually click 'send me to auth', then FaceID to authenticate, then manually swap back to the app.
Does anyone else see the stupidity of this 'security'? It doesn't even have any obscurity!!! /s
This! (Score:2)
+1
Re: (Score:2)
Why are IP addresses that attempt to log in to 20 different accounts in 30 seconds -- allowed to continue?
Slow adoption of IPv6, carrier-grade NAT used all over satellite and cell networks.
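The question quoted above (why a source that fails against 20 accounts in 30 seconds is still allowed to continue) is a detection rule, and the reply explains why it cannot be a blind one. The following is an added example, not code from Slashdot, Microsoft or any identity provider: a sliding-window detector that flags a source IP once it has failed against a threshold of distinct accounts within the window, run over a constructed log format and constructed sample lines (addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24). The thresholds are taken from the comment; the log format is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example; real identity-provider logs differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_line(line: str):
    """Return (unix_ts, ip, user, result) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return ts, m["ip"], m["user"], m["result"]


def detect_spray(lines, threshold: int = 20, window_seconds: float = 30.0):
    """Flag a source IP once it has failed against `threshold` distinct accounts
    inside any `window_seconds` span. Distinct accounts are counted, not raw attempts,
    so one user fat-fingering their own password 20 times does not trip it.
    Lines must be in chronological order. Returns {ip: (first_flag_ts, distinct_accounts)}."""
    recent = defaultdict(deque)   # ip -> (ts, user) failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, user, result = ev
        if result != "fail":
            continue
        dq = recent[ip]
        dq.append((ts, user))
        while dq and ts - dq[0][0] > window_seconds:
            dq.popleft()
        distinct = {u for _, u in dq}
        if len(distinct) >= threshold and ip not in flagged:
            flagged[ip] = (ts, len(distinct))
    return flagged


def _sample_log():
    """Constructed sample: one source trying 25 accounts in 25 seconds, one ordinary
    source with a couple of failures on its own accounts, interleaved."""
    lines = [f"2021-09-15T10:00:{i:02d}Z src=203.0.113.7 user=user{i:02d} result=fail" for i in range(25)]
    lines += [
        "2021-09-15T10:00:03Z src=198.51.100.4 user=alice result=fail",
        "2021-09-15T10:00:05Z src=198.51.100.4 user=alice result=fail",
        "2021-09-15T10:00:09Z src=198.51.100.4 user=alice result=success",
        "2021-09-15T10:00:12Z src=198.51.100.4 user=bob result=fail",
    ]
    return sorted(lines)   # same date prefix, so string order is time order


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, (ts, n) in detect_spray(SAMPLE_LOG).items():
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S")
        print(f"{ip}: {n} distinct accounts failed within 30s, first flagged at {when}")
```

The reply's point about carrier-grade NAT is why the hit should add friction (captcha, step-up verification, a temporary per-IP slowdown) rather than a hard block: one shared egress address can carry thousands of legitimate users, and a hard block turns the detector into a denial-of-service lever. Pairing it with a per-account failure counter, which is unaffected by shared addresses, covers the case where attempts are spread across many sources.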
OK, so I will be making my life (Score:2)
Re: (Score:2)
I don't use any Microsoft products! period!
So none of this applies to you. But thanks for virtue signaling your anti-M$ position. This story might be more pertinent for the millions and millions of corporate/enterprise users as opposed to neckbeards.
J.F.C.! (Score:3)
Let's make something more complicated and prone to failure while removing a known good, easy-to-use process. It's not like someone's phone can't be stolen, lost, damaged or simply stop working, not to mention the software itself not working. What a great way to get locked out of everything.
Re: (Score:2)
Before you can go passwordless, you'll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign in, depending on the location.
Let's make something more complicated and prone to failure while removing a known good, easy-to-use process. It's not like someone's phone can't be stolen, lost, damaged or simply stop working, not to mention the software itself not working. What a great way to get locked out of everything.
Law enforcement will love you for having your phone be accessible with Hello and then your MS account accessible with an app on that phone ... I'll be sticking with a 5th and 14th Amendment protected password.
Re: (Score:2)
Before you can get the Microsoft Authenticator app, you only need to mail us one pint of your blood, obtained after two days of fasting.
You can still accidentally say "yes" to an attack (Score:5, Interesting)
I fundamentally believe in the passwordless future, BUT - and this is a big but - I get 2-3 notifications per day in my Microsoft Authenticator app asking me to authorize a login.
It's not from me.
And the authorization requires nothing but me to say "yes."
This terrifies me. A slip of a thumb and they're in, without knowing my password.
There are ways around this - for instance, some prompts (but not others? I have no idea why) require me to match a number on both devices. But some do not, and I don't know why, and I have no control over that. Honestly this feels about as secure as a bad password I repeat on multiple sites.
Re: (Score:2)
This is why my company doesn't enable the "tap yes" function in the authenticator app. Instead, it produces a six-digit code that you are required to provide as part of the login process. You can't accidentally just tap "yes" to an attack, with this method.
Still, even with the tap function enabled, this is more secure than just a password.
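The two comments above, and the earlier one describing a login screen that tells you which number to tap, describe the difference between a bare "approve" push and number matching. The following is an added example, not Microsoft's or any vendor's code: a simulated push-MFA backend in which the login screen shows a two-digit number that the device must echo back, so a prompt you did not initiate gives you nothing to type and a guess both fails and burns the prompt. It also expires unanswered prompts and stops pushing after a few pending ones, the pattern behind the "2-3 notifications a day" complaint. The two-digit size, the 60-second lifetime and the limit of three pending prompts are assumptions, not documented product settings.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

PROMPT_TTL_SECONDS = 60       # assumption: an unanswered prompt dies after a minute
MAX_PENDING_PER_USER = 3      # assumption: beyond this, stop pushing and alert the user instead


@dataclass
class Prompt:
    prompt_id: str
    user: str
    number: str      # shown only on the login screen, never carried in the push itself
    created: float
    origin: str      # e.g. client address or location, so the user can judge the prompt


class PushMfaServer:
    """Simulated push-MFA backend. With number_matching=True the device must answer
    with the number displayed on the login screen; with it off, a bare 'yes' approves
    (the mode the comments above object to)."""

    def __init__(self, number_matching: bool = True, clock=time.time):
        self.number_matching = number_matching
        self.clock = clock
        self.pending: dict[str, Prompt] = {}

    def _expired(self, p: Prompt) -> bool:
        return self.clock() - p.created > PROMPT_TTL_SECONDS

    def start_login(self, user: str, origin: str) -> tuple[str, str]:
        """Called when a username is submitted. Returns (prompt_id, number): the number
        goes to the login screen, the prompt_id (plus origin) goes to the phone."""
        self.pending = {k: v for k, v in self.pending.items() if not self._expired(v)}
        active = [p for p in self.pending.values() if p.user == user]
        if len(active) >= MAX_PENDING_PER_USER:
            # a pile of unanswered prompts is the fatigue pattern: suppress push and raise an alert
            raise RuntimeError(f"too many pending prompts for {user}; suppress push and notify user")
        p = Prompt(secrets.token_hex(8), user, f"{secrets.randbelow(100):02d}", self.clock(), origin)
        self.pending[p.prompt_id] = p
        return p.prompt_id, p.number

    def approve(self, prompt_id: str, entered_number: str | None = None) -> bool:
        """Device response. Every prompt is single-use: a wrong number denies it outright."""
        p = self.pending.pop(prompt_id, None)
        if p is None or self._expired(p):
            return False
        if not self.number_matching:
            return True
        return entered_number is not None and hmac.compare_digest(entered_number, p.number)

    def deny(self, prompt_id: str) -> None:
        """Explicit 'this wasn't me' from the device; a real system would log and alert here."""
        self.pending.pop(prompt_id, None)


if __name__ == "__main__":
    server = PushMfaServer(number_matching=True)
    # legitimate sign-in: the user reads the number off their own login screen
    pid, shown = server.start_login("alice", origin="203.0.113.7")   # constructed address
    print(server.approve(pid, shown))   # True
    # prompt the user did not start: nothing to read, and a guess is wrong 99 times in 100
    pid, shown = server.start_login("alice", origin="198.51.100.4")
    guess = f"{(int(shown) + 1) % 100:02d}"
    print(server.approve(pid, guess))   # False, and the prompt is gone
```

The variant described earlier in the thread, where the phone offers three numbers and the screen says which to tap, is the same idea with a 1-in-3 rather than 1-in-100 guess; it trades a little entropy for not having to type on the phone. The company-policy comment above, a six-digit code entered into the login form, is stronger still because the device never sees an approve button at all.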
Re:You can still accidentally say "yes" to an atta (Score:4, Insightful)
This is not more secure than a password. The OTP string is the password.
All this shit is promulgated by completely and utterly stupid dumb fucks -- probably from the Great Unwashed.
They are like politicians -- you know they are lying because their lips are moving.
Re: (Score:3)
2-3 notifications per day that aren't from you? Change your password. Of course that doesn't help if you've turned on passwordless. :p
That DOES raise an interesting issue with passwordless. Now if they know your email address they can spam you with login alerts all day; interesting DDoS/harassment scenario.
Honestly this feels about as secure as a bad password I repeat on multiple sites.
Everyone knows the strength of a chain is equal to its weakest link -- it doesn't matter how robust you make primary login.
If your Microsoft or Google or Registrar or Bank or whatever account recovery em
Re: (Score:2)
Good point.
There are 2 MITM attacks -- the first where they phish you, you enter your email address, they capture it and pass it to MS themselves, tripping the passwordless prompt which you approve and they're in, and then they show you an error or something. This is the same real-time phishing which already works against passwords + 2FA so nothing new here.
But there is a 2nd MITM which you allude to... if they can discover when you are legitimately trying to login they can double up on it and try to login
This is why I hate my job (Score:2)
We've already gotten the "critical security alert that all our systems will be compromised if we don't eliminate passwords before the end of the year".
Microsoft said so. Presumably they did a "study" that found the authenticator oh-so-much-safer. This is the dumb shit that will drive users crazy and just pass around the security hot potato.
Making someone MFA to unlock their computer every time they get up? That's a huge nuisance - even more so than 16 character, full complexity, 90-day expiring, etc. pas
Is it.... (Score:2)
"Anyone with a Microsoft account can now remove their password from the account entirely to enable better security."
Is it April 1st again?
Seriously, MS, please fuck off. You're removing one medium-level vulnerability and replacing it with something that has an attack surface 1000 times as large.
Dorkus (Score:2)
This is not "getting rid of the password". It is merely using a different type of password. The fuckwads that come up with this drivel should be shot in the head in order to stop them from breathlessly promulgating lies.
What if you want to log in to... (Score:2)
So to log into your Microsoft account a secure code will be sent to one of many Microsoft services, all of which are secured by ... wait for it, the Microsoft account you are trying to log into.
Genius, what could possibly go wrong?
All anyone needs now is social engineering attacks against the support line that will be dealing with all the requests.
Re: (Score:2)
Not quite, the code is sent to a Microsoft service (the MS phone app), but this is secured by the biometrics on your phone. I.e. a completely separate attack vector from your Microsoft account. On the other hand, if your phone is compromised then the presence of the app probably means your MS account is toast.
MS is Cray-Cray (Score:2)
Cue Soviet Russia joke (Score:2)
I remove the Microsoft Account from my password!
What does Bruce Schneier have to say? (Score:2)
Re: (Score:2)
Well that's pretty much the definition of 2FA/MFA - something you have and something you know.
They're just adding an idiotic "use our app and the interwebs so there's more to break" approach.