Microsoft Security IT

Microsoft Authenticator Will Stop Supporting Passwords (cnet.com) 55

Avantare writes: Microsoft Authenticator houses your passwords and lets you sign into all of your Microsoft accounts using a PIN, facial recognition such as Windows Hello, or other biometric data, like a fingerprint. Authenticator can be used in other ways, such as verifying you're logging in if you forgot your password, or using two-factor authentication as an extra layer of security for your Microsoft accounts.
In June, Microsoft stopped letting users add passwords to Authenticator, but here's a timeline of other changes you can expect, according to Microsoft:

July 2025: You won't be able to use the autofill password function.
August 2025: You'll no longer be able to use saved passwords.

  • This is why (Score:1, Informative)

    I always tell people when setting up their 2FA not to use Authenticator. First, it does not reliably work. Second, it's from Microsoft which means they can stop it working or make changes to it at will.

    Instead, I tell people to select the Text or Phone option. Text is preferred as it will always go through unless they're in a cave.

    • As my company requires it, I use it only for work-related things.

    • Re:This is why (Score:5, Interesting)

      by Dan East ( 318230 ) on Monday June 30, 2025 @12:56PM (#65486304) Journal

      I recently started a contract for a company that provides their own windows machines that they manage. This is relatively new for me as I have always used my own hardware, however in this case I use the laptop they provide to access their system.

      Every time I would log into Outlook and other bits of Microsoft software with an authenticator (I'm using Google's) it would take me to a website pushing Microsoft Authenticator. It literally said "upsell" in the URL, and I could find no way to disable it. After a couple weeks and dozens of uses it finally seems to have gone away.

    • Re:This is why (Score:5, Informative)

      by jobslave ( 6255040 ) on Monday June 30, 2025 @01:01PM (#65486312)

      2FA over SMS is not the smart way to go here, it's less secure and subject to a number of attacks. Use an authenticator app, any of them, even Microsoft's would be worlds better than SMS.

      • by Viol8 ( 599362 )

        The argument against SMS is way overblown. For it to work an attacker would not only have to gain access to your account details but also spoof your phone on the phone network. Possible? Yes, likely? Unless a nation state is after you - no.

        And many people still don't use a smartphone - good luck getting an auth app running on a Nokia 6310, and having one running on the same machine as you're logging in to your account on isn't smart.

        • Re:This is why (Score:5, Informative)

          by dgatwood ( 11270 ) on Monday June 30, 2025 @02:28PM (#65486626) Homepage Journal

          The argument against SMS is way overblown. For it to work an attacker would not only have to gain access to your account details but also spoof your phone on the phone network. Possible? Yes, likely? Unless a nation state is after you - no.

          Actually, it's a pretty common strategy for breaking into the accounts of celebrities. It usually involves convincing someone who works for one of the phone companies that you've gotten a new phone, i.e. they already have enough personal info from you to impersonate you to the phone company. And then after that, all your accounts fall like a house of cards.

        • The argument against SMS is way overblown. For it to work an attacker would not only have to gain access to your account details but also spoof your phone on the phone network. Possible? Yes, likely? Unless a nation state is after you - no.

          Dude this has happened multiple times, and it is super trivial. This isn't some theoretical attack. This is actively exploited by common criminals. Shit man Veritas on Youtube did it to Linus Tech Tips only a few weeks ago to demonstrate how absolutely trivial this is. It's a very simple social engineering hack.

        • by N1AK ( 864906 )
          Your ignorance of the flaws and/or their scale doesn't make them overblown. Even putting aside other issues there's no way to protect against MITM style attacks with SMS/phone authentication which is by far one of the most effective and fastest growing ways attackers are compromising accounts.
      • Re:This is why (Score:4, Interesting)

        by whoever57 ( 658626 ) on Monday June 30, 2025 @02:30PM (#65486638) Journal

        Use an authenticator app, any of them, even Microsoft's would be worlds better than SMS.

        Until your phone dies and then you find that you don't have a backup, or if you did backup the authenticator app, it requires the same login, gated by the authenticator app that you just lost access to in order to recover from the backup.

        Yes, if you plan things carefully, you can work around these issues, but most people don't have the knowledge and skills to do this.

        While SMS may not be the most secure method, unless you think you are likely to be specifically targeted, it's probably secure enough.

        • Until your phone dies and then you find that you don't have a backup, or if you did backup the authenticator app, it requires the same login, gated by the authenticator app that you just lost access to in order to recover from the backup.

          Yes, if you plan things carefully, you can work around these issues, but most people don't have the knowledge and skills to do this.

          I had thought about this and was why I initially used Authy as they had a Windows app I could use as my backup/alternate - "had" being the operative word. I've since switched to 2FAS where I can export the data to JSON and manually copy the TOTP seeds into KeePassXC, which runs on Windows, Linux, ... I can also keep encrypted copies (via 2FAS directly or something like AxCrypt) of the 2FAS data where ever I want as well in the Google online backup. Another route would be to stand up a virtual phone/tabl

        • Bitwarden, done. No need for or reliance on your phone. I have OTP in my browser, phone, laptop, all from Bitwarden. Let's make this more simple for those that don't understand security.

          SMS should never be used for 2FA.
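The subthread above turns on one practical point: a TOTP secret is just a seed, so if you can export it (as the 2FAS-to-KeePassXC route describes) you can regenerate the same codes anywhere and verify the copy before you wipe the old app. The following is an added example, not code from the thread, from 2FAS, KeePassXC or Microsoft. It parses the standard otpauth:// Key URI format that most authenticator exports and imports use, computes RFC 6238 TOTP codes from the seed, and checks a code shown by the old app against the migrated seed. The sample URI is constructed and uses the RFC 6238 test seed, not a real account secret; any app-specific export wrapper (such as 2FAS's JSON) would have to be unwrapped to the otpauth URI first.

```python
"""Added example: parse otpauth:// Key URIs and compute RFC 6238 TOTP codes so a
migrated seed can be verified against the old authenticator before it is deleted."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample export (assumption: the otpauth:// Key URI format used by
# Google Authenticator, KeePassXC and most TOTP apps). The secret is the base32
# encoding of the RFC 6238 test seed "12345678901234567890", not a real secret.
SAMPLE_EXPORT = [
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30",
]

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Return the label, issuer, raw key bytes and TOTP parameters of a totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    # Exports usually drop the base32 '=' padding; restore it before decoding.
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def totp(entry, now=None):
    """RFC 6238: HOTP (RFC 4226) over the counter floor(now / period)."""
    now = time.time() if now is None else now
    counter = int(now) // entry["period"]
    digest = hmac.new(entry["key"], struct.pack(">Q", counter),
                      ALGORITHMS[entry["algorithm"]]).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** entry["digits"])).zfill(entry["digits"])


def verify_migration(uri, code_from_old_app, now=None, window=1):
    """True if the old app's current code matches the migrated seed within +/- window steps.

    The window tolerates clock skew between the two devices; keep it small."""
    entry = parse_otpauth(uri)
    now = time.time() if now is None else now
    return any(totp(entry, now + k * entry["period"]) == code_from_old_app
               for k in range(-window, window + 1))


if __name__ == "__main__":
    for uri in SAMPLE_EXPORT:
        entry = parse_otpauth(uri)
        print(entry["label"], totp(entry))
```

Run it next to the old phone: if the code it prints matches the one the old app shows for the same account, the seed survived the export intact and the old entry can be removed. The same property is why the plaintext export file is sensitive: anyone holding it can run this loop too, so encrypt it at rest and delete it once the import is confirmed.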

    • Making changes to it at will and making it stop working isn't just something that happens to Microsoft. Mozilla killed Lockwise years ago. Both Mozilla and Microsoft want you to use the browser password manager for passwords, but the problem (with Android) is that browser based password managers barely work for anything outside of the browser due to how poorly Android is designed to allow this to function. Authenticator worked pretty well, and other options are Google's built in password manager, perhaps
      • "the problem (with Android) is that browser based password managers barely work for anything outside of the browser due to how poorly Android is designed to allow this to function."

        This is one of the few parts of Firefox on Android that has been reliable for me...

        • I can't get it to work reliably at all since switching the password manager to firefox. 95% of the time, it doesn't show up if I use another app or another browser. And to make sure it's not some optimization, I've tried setting firefox to unrestricted battery optimizations and added it to the never sleeping app whitelist (samsung specific optimizations). It was my experience when Lockwise was killed, too, which is why I moved to Authenticator in the first place
    • SMS is trivial for a baddie to intercept.
    • Text is preferred as it will always go through unless they're in a cave.

      Or unless they live in a country where carriers charge their prepaid customers for incoming text messages (such as Slashdot's home country) and they're out of texts for the month.

      • I'm a VZ prepaid customer in the US and I get unlimited text.

        • by tepples ( 727027 )

          True, higher-priced prepaid mobile phone plans have unlimited text. Lower-priced plans do not. SMS-based 2-factor authentication is not cost effective for a subscriber making do with a lower-priced plan.

        • by kriston ( 7886 )

          I'm a VZ prepaid customer in the US

          Why not postpaid? I used prepaid for years just for fun trying out new phones but the text messaging fees were too much to keep doing it for serious things in life.

          • At the time I had no credit due to being a victim of identity theft.

            Now my credit is fixed but I just like not having a contract, and it's $35/mo. I only get I think about a dozen GB of internet, but that is fine for my purposes since I don't stream video.

    • by Z00L00K ( 682162 )

      I would prefer to have a Yubikey or other token.
      Physical item with a PIN code that can work even in a net not connected to the internet.

    • First, it does not reliably work.

      That sounds like a skill issue, and a sign that you shouldn't be giving people security advice

      Instead, I tell people to select the Text or Phone option.

      You tell people to use the methodology that can be attacked? [wikipedia.org]

      Yeah, you DEFINITELY shouldn't be giving people security advice.

    • by N1AK ( 864906 )
      Then I really hope you don't get to speak to many people and the people you do speak to are incredibly unimportant. It's been common knowledge for possibly more than 10 years now that SMS/phone based authentication has some real security flaws that can't really be engineered out by users or companies using it.
      • On one of our major cloud apps at work, I have been trying for many YEARS to get them to support TOTP. They have only SMS or Email (and I don't allow Email for this particular one because of several factors that are out of the scope of this posting, but Email is fine for many other less-important 2FA applications). And it isn't just the security issues, it is just too unreliable and slow. Most of the time it is fast and fine, but sometimes it takes a minute or more to get the code. Other times it never

    • unless they're in a cave.

      So if I fear being abducted, taken to a cave, and want to keep all my oglers and nose-pickers?

  • Don't use Microsoft at all. Let go of the heroin drip. The best option is to just use Linux. It's becoming mainstream and with Win 10 support gone, loaded on more computers than you can count. Leave em to die. Anyways their prices have gone insane and your data is not even yours anymore. If you're serious about computing just ditch MS. You will thank me later.

    • Heroin? Last I heard heroin was meant to feel good.

      It's more like that asshole friend you keep hanging out with who is a massive dick but always, and I mean always, up for a pint or 5, but you don't want to drink alone and you've got all this history and you feel it'll be effort to get other friends for a drink (they're further away and/or have kids and got boring) and you can just about stomach his company after the second beer hits.

      But you never really exactly enjoy hanging out.

  • by Tomahawk ( 1343 ) on Monday June 30, 2025 @12:51PM (#65486288) Homepage

    Google has all my passwords.

  • I swear I only saw that as an option after the announcement that they were discontinuing it. I think they added it as a feature and immediately announced the cancelation to see if people actually wanted it.

    • There's a reason you never saw it. There was never a password manager user interface. You had to manage your passwords in Edge's password manager.

  • by roc97007 ( 608802 ) on Monday June 30, 2025 @01:46PM (#65486460) Journal

    I don't house any password in any utility owned by Microsoft or use Microsoft --- anything --- for autofill. (And no, I don't use Edge at all.) Unless I'm not understanding something, this should pass me by.

    However, I strongly suspect that Fred and Ethyl Enduser may give up computers over this.

    If you need some side work, advertising helping regular users straighten out their credentials after this change might be profitable.

    • It appears Microsoft Authenticator allows people to export their data. Color me shocked!

      https://support.microsoft.com/... [microsoft.com]

      Bitwarden can be used for free, and it can import data (note that their paid plans are very reasonably priced - and they're definitely worth supporting).

      https://bitwarden.com/ [bitwarden.com]

      Obviously people need to be very careful with the process, since the exported data will be unencrypted and potentially right there for anyone to see / grab.

  • I'll trust the herd.

    Ordinarily I'm not interested in following the herd to the cliffs, but having multiple password/authentication tools is not as critical for me as it used to be.

    Then again, I'll be puking up the VPN/reverse proxy crap so I can host more of this at home behind CGNAT. No ftth or fttn for the foreseeable future, the original vendor STB and can't afford to do it and will never relinquish the easements for a reasonable fee. My local government knows they made the mistake, the next 2 vendors had

  • by BrendaEM ( 871664 ) on Monday June 30, 2025 @02:20PM (#65486592) Homepage
    Any online-only software or login is a single-point-of-failure, which makes businesses needlessly vulnerable.
    • Absolutely. The whole idea of multi-factor authentication evolved around the assumption that the factors are independent, need to be presented separately.

      With the push to unify anything auth-related these days in the name of convenience, with OTP secrets being stored in your password manager, the whole MFA concept is about go up in flames.

      • Not quite. The idea is still something you have vs something you know. Passwords, even if they are stored on your authenticator device, are secured and not automatically transmitted over the network, unlike passkeys / MFA.

        Even if both are stored on your device it still presents two very different attack surfaces that must be compromised.

    • Except that the passwords aren't "online". Authenticator runs locally on the device and is secured by whatever hardware security system is in place. There may be a sync function between devices, and an encrypted backup stored online, but what is being discussed is actively not "online only".

      In addition to that Microsoft Authenticator supports multiple fallback systems, including typing in an offline stored single use code.

  • But I don't have fingerprints or a recognizable face. Guess I'm not going to be able to work remotely anymore.

    • I always refuse to register my biometrics at any company-owned devices.

      Obviously, this didn't align well with the company security policies which started enforcing biometrics.

      Luckily, they found a workaround for me - YubiKey. Now, while everyone else is getting annoyed to death by repeated auth requests and having to scan their face several times every day, all I need is a dongle in USB port.

  • I never understood PINs being part of Windows Hello.

    First of all, PINs are often shorter than an average password.
    Second, the PIN length is fixed, making it even easier for an attacker.
    Third, the PIN address space is often fixed to digits, making it easier for an attacker.

    I know if I was an attacker, I'd prefer an 8 digit PIN to a variable length password, that may (not must) include uppercase, lower case, numerical, or special characters.

  • Just download and install my simple app from discord. You'll automatically get paid every time you login and save your password to the app. Victory!!!
  • As soon as a security mechanism becomes standard (passwords, biometrics, passkeys) Mr & Mrs Average want one-button authentication, thus making it easier for thieves to steal their identity. Passwords should be stored (and thus, accessed) separate from OTP.

    In the short term, Microsoft isn't ending auto-fill, they're disabling it for every browser except their own Edge. It forces Mr & Mrs Average onto Microsoft's browser.

    Microsoft is forcing everyone onto passkeys: At the moment, they do not o
