Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Microsoft IT Technology

Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password (cnet.com) 60

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expands beyond that to let the company ditch the password altogether.

Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

This discussion has been archived. No new comments can be posted.

Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password

Comments Filter:
  • by Anonymous Coward

    Guaranteed

    • by ichthus ( 72442 ) on Tuesday November 20, 2018 @02:38PM (#57675562) Homepage
      Comeon! If anyone can pull this off, it's Microsoft -- MASTERS OF SECURITY!
      </sarcasm>
    • by Anonymous Coward

      What is so wrong with the FIDO spec? Passwordless, asymmetric authentication is absolutely the future and the right thing to do. Are you so blinded by Microsoft hate that you are unable to see this?

      • Looks like FIDOnet [fidonet.org] is still a thing after all these years.
      • What is so wrong with the FIDO spec?

        It's redundant, client certificates have been widely deployed for decades, achieve the same result, are standardized and cheaper (both in terms of software and hardware solutions).

        What is most wrong with it is that USB is used instead of a dedicated interface such as a smartcard reader. USB is a massive attack vector. For it to be required for basic authentication in my view is irresponsible at best. Someone replaces your USB key when you are not looking and when you plug it in next it's a HID that execu

    • But we do this all the time with SSH preshared keys.
      This isn't anything really new. The only thing that I don't expect Microsoft to realize is that still in 2018 There is still hardware that we share with other people.

      There is still often the Family PC, while the individuals may have a tablet or phone, for their small time computing.

      • I haven't looked into it but you should be able to register multiple keys. I have three yubikeys linked to LastPass, my google account and anything else that I can link them to. My wife keeps one, I keep one and my safety deposit box keeps one. Of coarse, these aren't meant to replace a password, just augment it.

  • >> hardware authentication keys...Microsoft accounts used for Outlook, Office 365

    That smells like an "Office dongle" to me. Thank God the world is moving on to Google Docs as their default office suite.
    • Re:Office Dongles (Score:5, Interesting)

      by Anonymous Coward on Tuesday November 20, 2018 @02:48PM (#57675628)

      The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).

      As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.

      This is what everyone should support. And as an added bonuses, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.

      (AC because of moderation)

      • A small, easily loseable device that is $50 isn't cheap.
        • by Darkk ( 1296127 )

          If you are referring to Yubikey then yes. There are plenty of FIDO2 keys that are under $20.

      • As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.

        No it doesn't. Smart cards have been widely used for approaching two decades.

        The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).

        Which ones are cheaper than a smart card?

        Hell I'll make it even easier. Which ones are cheaper than the cost of a smart card reader AND a smart card?

        This is what everyone should support.

        Can you support your position? Why should I support this system when I already support smart cards / client certs? What's the benefit?

        And as an added bonuses, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.

        There is already a standard. You have failed to offer a compelling reason why a new one is necessary or beneficial.

  • by PingSpike ( 947548 ) on Tuesday November 20, 2018 @02:47PM (#57675620)

    It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

    Now that they've finally sorted all the garbage into one convenient bag, all that is left to do is haul it out.

  • by BringsApples ( 3418089 ) on Tuesday November 20, 2018 @02:59PM (#57675688)

    Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app.

    So if I understand this, they've replaced the need for a password, with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better? Hell, they could have simply require any pair of the 3 other requirements and leave the hardware key out.

    • by Anonymous Coward

      The key bit would be the hardware key itself; you can spoof the password, fingerprints, or a pin, but without the hardware key it's not terribly useful. In theory it's also easier to detect if you loose a piece of hardware then it is if someone's gotten a password from you.

      There's plenty of other problems with the approach (what happens if you loose or damage the key?) but it has it's upsides.

      • If simply 'adding security items to login requirements' is the way to increase security, then maybe better bank security can be gotten from simply putting the bank's vault inside a slightly bigger vault. Ooo, better yet, put THAT vault inside a slightly bigger vault, too! Wait, I have a better idea, put THAT vault in a slightly....
        • Re: (Score:2, Informative)

          by Anonymous Coward

          I think you're misunderstanding.... The most common hack isn't a technological one but rather social based. For example:

          1) The person uses a weak password, either something like 'password' or their birthday.

          2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

          3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised.

          FIDO2 and ha

          • think you're misunderstanding.... The most common hack isn't a technological one but rather social based. For example:

            1) The person uses a weak password, either something like 'password' or their birthday.

            2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

            This is only possible because the Internet is addicted to insecure authentication protocols. Universally PLAINTEXT passwords transmitted via TLS. This is a ridiculous and insane practice that puts millions of users at unnecessary risk.

            If you use secure authentication protocols (e.g. PAKE) it doesn't matter who is on the other end. Not only will the attacker not get anything when you try and login to their system you will get an immediate indication they are not who they claim to be.

            3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised

            It doesn't have to be

    • by bdh ( 96224 )

      So if I understand this, they've replaced the need for a password, with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better?

      For the typical slashdotter, who already knows about 2FA, PGP, an IPSec, and has a password wallet, it won't be.

      For a more typical mundane user, whose current password for the phone, the PC, the bank, and every web site is her dog's name/his favourite sports bar and maybe his/her birth year after ("to make it secure"), having a piece of hardware and using a biometric or PIN is a lot more secure. It's not better because the hardware key and a 4-digit pin are more secure than a 64 character password. It's

  • Until the devices are free. I am not paying $50 for a device that only exists because people are complete fucking morons about their passwords.
    • by MrL0G1C ( 867445 )

      WTH? $50!! A USB key that does this shouldn't cost much more than a dollar, it does f*** all.

      But yes, this is not for people who don't know how to keep anything secure, this is security theatre for the morons who can't cope / are too lazy to set up good password management.

  • You and 800 million other people now can use hardware authentication keys .. Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon

    Yet more bleeding edge innovation from the worlds most smartest and respectable software company. I wonder who nobody else thought of this sooner.

An adequate bootstrap is a contradiction in terms.

Working...