Microsoft Security

Microsoft Hops On Two-Factor Authentication Bandwagon 132

Posted by Soulskill
from the not-last-and-not-least dept.
itwbennett writes "Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products. Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user's mobile phone, the number of which Microsoft will keep on file, each time the user logs on."
  • by Anonymous Coward on Wednesday April 17, 2013 @04:58PM (#43476745)

    Will I not be able to pirate Win8.1?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Who cares?

  • I'm not sure Microsoft actually understands two factor authentication. The description (could be wrong, didn't read the article) doesn't sound like two factor authentication to me.

    • by BradleyUffner (103496) on Wednesday April 17, 2013 @05:10PM (#43476869) Homepage

      It is 2 factor authentication.

      The 3 authentication factors are:
      Something you Know.
      Something you Have.
      Something you Are.

      This meets 2 of those factors, a password (know), and your phone (have).

      • by wonkey_monkey (2592601) on Wednesday April 17, 2013 @05:59PM (#43477479) Homepage

        It is 2 factor authentication.

        The 3 authentication factors are:
        Something you Know.
        Something you Have.
        Something you Are.
        And a fanatical devotion to the Pope- Four! Four authentication factors!

    • Re: (Score:3, Funny)

      Yes. Microsoft, who hires thousands of the best developers including elite Ph.D researchers and pays them large sums of money doesn't know what two factor authentication is.

      You cracked the case, Murder She Wrote.

    • I'm not sure Microsoft actually understands two factor authentication. The description (could be wrong, didn't read the article) doesn't sound like two factor authentication to me.

      I suspect they understand what two-factor authentication is quite well, and that is the reason that their label for what they are doing is "two-step authentication", which is only confusingly similar to "two-factor authentication". They very carefully do not actually call it "two-factor authentication".

  • by DragonWriter (970822) on Wednesday April 17, 2013 @05:24PM (#43476999)

    The new option Microsoft authentication approach, as they describe [technet.com] it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.

    Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating confirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password) plus "something else you know" (the password to the alternative email.)

    (Plus, since it's sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)

    I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.

    • Indeed. At best this is pseudo two factor. At work we have RSA tokens for the second factor. If someone stole a user's token, they still need to know the user's username/password to get in.
      • If you store your password on your phone then you aren't using this correctly. You say you use RSA tokens, and you consider that 2-factor. If some user chooses to write their user name and password on the back of the RSA token then THAT USER is using it incorrectly, NOT you. The same situation applies here for Microsoft: if you choose to store your password on the same token-generating device then you broke it, not Microsoft.

        • The system that MS describes requires you to know two static pieces of information. Yes the second piece was sent to your phone via an unsecured connection. It doesn't require that you actually have the phone. RSA tokens require you to have the token for two minutes or so. After that any information you have copied is useless.

          If some user chooses to write their user name and password on the back of the RSA token then THAT USER is using it incorrectly, NOT you. The same situation applies here for Microsoft: if you choose to store your password on the same token-generating device then you broke it, not Microsoft.

          A user choosing to be callous with the secret information that they know is a red herring. It doesn't change the fact that they were required to know it. Just like some two-facto

    • The new option Microsoft authentication approach, as they describe [technet.com] it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.

      Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating confirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password) plus "something else you know" (the password to the alternative email.)

      (Plus, since it's sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)

      I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.

      According to the article the message is sent to your phone via Text Message, NOT email. This means you have to physically have access to the phone to receive the message. Combine this with your password and that sure seems like 2 factors to me.

      • According to the article the message is sent to your phone via Text Message, NOT email.

        Both TFA [1] and, more importantly and more explicitly, the actual Microsoft announcement [technet.com] [2] linked in TFA on which TFA is based note that users have the option of using either a secondary email address (to which email is sent) instead of a mobile phone number (to which SMS is sent) for the "second step".

        [1]: "Microsoft is using additional verification methods such as a short code sent to the user's mobile phone, which

        • Just because the user doesn't opt to use the true 2 factor for authentication doesn't mean Microsoft doesn't allow it.
          In the past 2 factor authentication was not available; after this change it is. I'm not trying to address end user usability, just the fact that the post I originally responded to tried to claim that this solution doesn't really offer 2 factor authentication when it clearly does.

          • Just because the user doesn't opt to use the true 2 factor for authentication doesn't mean Microsoft doesn't allow it.

            Sure, but the fact that Microsoft calls it something confusingly similar and enables modes of operation for its "two step" system that aren't 2 factor auth, and doesn't do anything to draw attention to the security differences between the options that are two-factor auth and those that aren't, means that lots of people are going to be misled into bad choices.

            Its good for those who already un

          • by thoromyr (673646)

            two factor authentication requires two factors to authenticate. From the MS piece this reads like Apple's recent enhancement and it is *not* adding two factor authentication to your MS (or Apple) account. Rather it revises the account recovery process to, in principle, better protect an account from being "stolen" via social engineering. Great, that has some utility. But two factor authentication it is not.

            To be clear: two factor authentication for the account would be if two separate factors were required

            • Once again, it DOES use 2 factors. Your password, which should only be in your head, and physical access to the phone to receive the text message containing an access code. I don't understand why this is so hard for people to grasp.

        • by thoromyr (673646)

          It's fairly similar to Apple's new option which isn't two factor (and Apple doesn't call it that), but is widely *reported* as being "two factor". In the case of Apple, you can secure your account against normal password recovery attacks (e.g., a social engineering call to Apple support with a bit of personal information gleaned from Facebook). And while that may have some utility for some people it is definitely /not/ two factor authentication.

    • by tgd (2822)

      Two step and two factor are two terms used for the same thing. Virtually all two-factor authentication mechanisms work via two steps -- that includes hardware token, software token, biometric, etc ... In fact, it's *extremely* rare for a two factor authentication to be single-step.

      The differences you're talking about are not even being pedantic; they're also irrelevant to the fact that it's two factor/step.

      • Virtually all two-factor authentication mechanisms work via two steps

        Sure, two-factor necessarily is two-step (since providing each factor is a step), but not all things that use two steps are also two-factor (just as all humans are mammals, but not all mammals are humans.) And, while if you choose the authenticator option (and, with some substantial caveats, arguably also the SMS option), the Microsoft two-step process can be a two-factor system, it also includes one option (the email option) which is unm

  • "The chief form of secondary authentication will be a short code sent to the user's mobile phone"

    Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?

    • I just set it up. You can also receive the code via a phone call.
    • 30 buck Nokia with pre-paid SIM? Where do you live that you can't afford a basic cell phone?

      Besides, you can generate the required codes:

      http://en.wikipedia.org/wiki/Google_Authenticator [wikipedia.org] - available for nearly every modern computing device.

      • pre-paid SIM

        Each U.S. carrier that I've looked at will expire the balance on a prepaid mobile phone account if the user doesn't top up regularly. And in the United States, the receiver pays 20 cents to receive a text message unless the receiver is on a monthly unlimited texting plan. Having to pay the carrier a dollar every five times I log in to anything that uses a Microsoft account could add up quickly.

    • by node 3 (115640)

      "The chief form of secondary authentication will be a short code sent to the user's mobile phone"

      Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?

      So? If you don't have something, you can't use it. This is simple. You constantly seem to think that because something costs money, it's useless because there exists somewhere a person who can't afford it.

      How does that make any sense? What product in the world lives up to that criticism?

      Why constantly feel the need to knock things down that add value to the world? If you don't have a cell phone, you can't use this, but that it exists means that the billions of people that do have a cell phone can. The cell-

      • If you don't have a cell phone, you can't use this

        As of right now, "this" means the 2-factor authentication for a Microsoft account. Perhaps my paranoia comes from a fear that Microsoft might make 2-factor authentication mandatory.

        • by node 3 (115640)

          If you don't have a cell phone, you can't use this

          As of right now, "this" means the 2-factor authentication for a Microsoft account. Perhaps my paranoia comes from a fear that Microsoft might make 2-factor authentication mandatory.

          But they haven't. Quit hanging people for things they *can* do, but *haven't* done.

          Why live in fear of the infinite possible bad things that can happen? Very few of them ever actually come to pass. You're letting things that don't exist, and never will exist, limit your life. And what's worse, you constantly advocate against others using those things as well, asking them to make their lives worse too.

          For what? The non-existent? How dreadful!

  • by WaffleMonster (969671) on Wednesday April 17, 2013 @05:34PM (#43477129)

    If MS really cared that much about security they would offer the use of client certificates. Much more secure than SMS.

    Judging by what passes for acceptable practice today, my guess is this is all likely effectively a moot point, as convenience password recovery measures effectively curtail actual security gains.

    • by sfm (195458)

      What if "security" is not the main goal of the change? Knowing your phone number goes a long way to identifying who you really are. It is unlikely that you have an alias associated with your cellphone account.

  • by tgd (2822) on Wednesday April 17, 2013 @05:38PM (#43477179)

    Microsoft Accounts have supported two factor authentication for "sensitive" actions for quite a while -- adding trusted PCs, changing billing methods, resetting passwords, etc ...

    Two things new with this:
    - The ability to set the account to require it at login for normal authentications
    - The ability to use 3rd party token applications (like Google Authenticator) for the tokens, instead of SMS.

  • Microsoft is constantly hopping on bandwagons. It gets them free advertising. They don't care that a good chunk of the population points out that they do things poorly, mislabel things, intentionally name things wrong, break standards, break other products, etc... They care that you are talking about them.

    Every other week we read about MS hyping some other bullshit they think they invented. Most laugh at them, a few fanbois run out and buy what ever they are hawking, but most importantly we all see their

  • All of these authentication measures seem to want my cell phone.

    I don't have one, and you can phone me when Hades freezes over.

    • by lpq (583377)

      Ditto on the above. It's bothersome enough that they have the presumption that I have one BUT worse, once they have it, they can add automatic tracking of my location to their database if I have location services enabled on the phone. AFAIK, that's open all the time the phone is on -- unlike, 'theoretically', the emergency location transponder that is enabled when you use emergency services.

      Isn't such tracking considered a feature for those using the phone to take location-labeled pictures?

  • It's a trade-off between either the extra security of two-factor authentication, or the convenience of linking more than one account to be able to switch between them with ease. Why can't Microsoft follow Google's lead and give us the ability to both log in securely and stay logged in to multiple accounts at the same time? It's irritating enough to have to log out and then log back in with the other username/password, and the "stay logged in" check box is fucking useless when you have to log out every god
