
Pin Bypass in Passwordless WebAuthn on Microsoft.com and Nextcloud - sufficient
https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
======
leif2
Looks like Microsoft doesn't understand the specification that they wrote down
themselves: It is a bug if an attacker can take over my entire Microsoft
account via NFC. I wonder if Microsoft can make amends for any damage it
causes. Credit card companies can do this and that's why some NFC payments are
only 1FA.

------
serjd
> We reported the issue to Microsoft. They did not consider it a
> vulnerability, but fixed it

Seems like Microsoft doesn't like to pay for a bug bounty

~~~
sufficient
I agree that it's weird that they fixed it and didn't consider it a security
issue.

For the user it looked like it would provide two-factor authentication since
the PIN is requested, while in reality it's not verified. Thus, they only
provided one-factor security.
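
The failure mode described in this thread (the client prompts for the PIN, but the relying party never confirms that the authenticator actually performed user verification) shows up in the flags byte of the WebAuthn authenticatorData. The following is an added example, not code from the linked article, from Microsoft or from Nextcloud: it parses the fixed 37-byte prefix of authenticatorData and compares a lax check that only looks at the User Present (UP) bit against the check the WebAuthn spec requires, which also demands the User Verified (UV) bit whenever the relying party asked for `userVerification: "required"`. The sample assertions are constructed with a helper (`make_authenticator_data`, hypothetical, mirroring the wire layout) rather than taken from a real security key, and the assumption that the Microsoft/Nextcloud bug was a missing UV-flag check is mine, inferred from the comment above; signature verification over authenticatorData and the client data hash is left out here because it is not the point.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present: someone touched the key
FLAG_UV = 0x04  # User Verified: PIN or biometric was checked by the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthData:
    """Parse the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Hypothetical helper that builds a constructed sample in the real wire layout."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def verify_flags_lax(auth_data: bytes, rp_id: str, require_uv: bool) -> bool:
    """Vulnerable pattern: the RP asked for UV but only ever checks the UP bit.

    A tap over NFC (UP set, UV clear) passes even though the user never
    entered a PIN, so the second factor exists only in the browser prompt.
    """
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False
    return bool(ad.flags & FLAG_UP)  # require_uv is silently ignored


def verify_flags_strict(auth_data: bytes, rp_id: str, require_uv: bool) -> bool:
    """Spec-conformant check (WebAuthn section 7.2): UP always, UV when required."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not ad.flags & FLAG_UP:
        return False
    if require_uv and not ad.flags & FLAG_UV:
        return False
    return True


# Constructed samples for the relying party "login.example" (not real responses).
RP_ID = "login.example"
TAP_ONLY = make_authenticator_data(RP_ID, FLAG_UP, 7)              # NFC tap, no PIN
PIN_VERIFIED = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7)  # PIN entered


if __name__ == "__main__":
    for name, sample in (("tap only", TAP_ONLY), ("PIN verified", PIN_VERIFIED)):
        print(f"{name:13} lax={verify_flags_lax(sample, RP_ID, True)} "
              f"strict={verify_flags_strict(sample, RP_ID, True)}")
```

The lax verifier accepts the tap-only assertion when user verification was required, which is exactly the one-factor outcome the comment describes; the strict one rejects it and only accepts the assertion whose UV bit the authenticator set after checking the PIN. A real relying party must additionally verify the signature over authenticatorData plus the SHA-256 of clientDataJSON, check the challenge and origin in clientDataJSON, and compare the sign counter against the stored value.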

