
Microsoft turns two-factor authentication into one-factor by ditching password - sndean
https://arstechnica.com/information-technology/2017/04/microsoft-turns-two-factor-authentication-into-one-factor-by-ditching-password/
======
AdmiralAsshat
This is _less_ secure. You're down from requiring Something You Have and
Something You Know to just Something You Have. Meaning, anyone who has your
phone and opens your browser history can find and access your Outlook account.

~~~
mikehall314
Clearly, moving from two-factor to single-factor is going to be less secure,
but that's not really the question for me. I want to know if this is more
secure than user-originated passwords?

User-originated passwords can be socially engineered, or just plain guessed.
They can be sniffed with a key-logger, or over a non-secure connection. You
can steal password databases and run them against rainbow tables, or
brute-force them with GPU farms. Password re-use also means that you don't
have to defeat Microsoft's security to get at the password, you just need to
defeat the security of the weakest vendor where that password is used. Some
people will even just straight-up tell you their password if you ask them.

Using an authenticator app to generate one-time passwords means there is no
database of password hashes to be stolen and leaked, nothing for the user to
remember, no password to re-use with a weaker vendor, and nothing for an
attacker to brute-force. Because the passwords are single-use, a key-logger is
of limited value too.

It also reduces the attack surface down from any script-kiddie who can break
the security of the weakest vendor, down to people who physically have access
to your phone (or can get malware on to it).

Yes, anyone with access to your phone has access to your Outlook, but chances
are anyone with access to your phone has that anyway, and your device is
probably locked with TouchID or similar.

So, I agree this is weaker than two-factor, but I don't think that's the
point.

~~~
tptacek
Empirically, it's more secure over the whole user population than user
passwords.

~~~
kej
Do you have a source for that? (not arguing, just want to read more about
this)

~~~
tptacek
No, just experience training organizations for this stuff. User passwords are
extremely bad.

~~~
derefr
How do you feel about reversed 2FA flows?

1. Install a client cert/pairing token/SSH key/etc. onto each client device;

2. ask the user to configure a password, with a recommendation that the
password be _short_ and _memorable_ rather than _long_ and _unwieldy_;

3. either encrypt the device-credential with the user-password, or send the
server the password to hash and store;

4. if the password challenge-response is on the server, have the server
validate the device credential "before" or "outside of" accepting password-
auth challenges (e.g. in the case of a client cert, validating the cert at the
TLS level before the auth request can even reach the backend.)

In other words, systems isomorphic to the financial chip-and-PIN system: the
chip is something you have, while the PIN—something you know—is _only_ there
to prevent robbers from using the chip, rather than to provide any
cryptographic security.
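
Added example (editor's code, not part of the thread): the server-side variant of the flow above, with a per-device HMAC key standing in for the client cert or pairing token, a salted PBKDF2 hash of a short PIN, and a chip-and-PIN style retry counter. The ordering is the point: the device credential is checked first, so a remote attacker who knows the PIN never reaches the PIN check, and a thief who holds the device gets only a few guesses. The retry limit, PBKDF2 cost and message strings are assumptions.

```python
import hashlib
import hmac
import os
import secrets

PIN_RETRY_LIMIT = 3          # chip-and-PIN style retry counter (assumed value)
PBKDF2_ROUNDS = 100_000      # PIN hashing cost (assumed value)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class Server:
    """Holds one HMAC key per enrolled device (standing in for the client cert
    or pairing token) plus a salted PIN hash and a per-device retry counter."""

    def __init__(self):
        self.devices = {}   # device_id -> dict(key, pin_salt, pin_hash, failures, blocked)
        self.pending = {}   # device_id -> nonce of the challenge currently outstanding

    def enroll(self, pin: str):
        device_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        self.devices[device_id] = {"key": key, "pin_salt": salt,
                                   "pin_hash": _pin_hash(pin, salt),
                                   "failures": 0, "blocked": False}
        return device_id, key

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def login(self, device_id: str, response: bytes, pin: str) -> str:
        dev = self.devices.get(device_id)
        nonce = self.pending.pop(device_id, None)
        if dev is None or nonce is None or dev["blocked"]:
            return "rejected: unknown or blocked device"
        # Gate 1: the device credential. If it fails, the PIN is never examined,
        # so a remote attacker gets no PIN oracle and burns no retry budget.
        expected = hmac.new(dev["key"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "rejected: device credential"
        # Gate 2: the PIN, reachable only with the device, with a retry counter
        # so a short PIN cannot be brute-forced by whoever holds the device.
        if hmac.compare_digest(dev["pin_hash"], _pin_hash(pin, dev["pin_salt"])):
            dev["failures"] = 0
            return "ok"
        dev["failures"] += 1
        if dev["failures"] >= PIN_RETRY_LIMIT:
            dev["blocked"] = True
            return "rejected: PIN, device blocked"
        return "rejected: PIN"


class Device:
    """The client side: proves possession of its key by HMAC-ing the server's nonce."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def demo():
    """Walk through the cases the flow is meant to distinguish."""
    server = Server()
    device_id, key = server.enroll("4921")
    device = Device(device_id, key)
    results = []
    # Legitimate user: right device, right PIN.
    results.append(server.login(device_id, device.respond(server.challenge(device_id)), "4921"))
    # Remote attacker who learned the PIN but has no device key: stopped at gate 1.
    server.challenge(device_id)
    results.append(server.login(device_id, os.urandom(32), "4921"))
    # Thief holding the device and guessing PINs: the retry counter blocks it.
    for guess in ("0000", "1234", "1111"):
        results.append(server.login(device_id, device.respond(server.challenge(device_id)), guess))
    # Once blocked, even the correct PIN no longer works on that device.
    results.append(server.login(device_id, device.respond(server.challenge(device_id)), "4921"))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

With a real client certificate the first gate moves into the TLS handshake, as the comment suggests, and the PIN endpoint is simply unreachable without it; the retry counter then protects a four-digit PIN the way a card's PIN try counter does.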

------
ghostly_s
>The Authenticator app is available for iOS, Android, and Windows 10 Mobile,
but regrettably, while the first two include the new feature, Microsoft has
not seen fit to add it to the version of the software that runs on its own
platform, citing low usage. The eternal chicken-and-egg situation of low usage
both causing weak app support and being caused by weak app support continues
to be something that Microsoft has little interest in fixing.

Is this really still surprising people? Hasn't the messaging that Windows
Phone is a dead platform been loud and clear for years now? They still haven't
released the current-gen Outlook client on it.

~~~
phalangion
I think that has been clear to most people for a long time. But one would
still hope that a software vendor would support their own software.

~~~
vezycash
Nadella inherited Windows Phone at 6-15% in most markets.

His actions, and inactions, sent its market share to 0.+%.

AFAIK this feels like intentional sabotage to please Wall Street and a few
vocal shareholders - the same people who wanted to kill/sell Bing, Xbox and
even Surface.

Outright canceling WP would have caused a massive protest but strangling it
and dropping it for "low usage?"...

------
benlower
Wow the comment thread on the original MSFT blog post (direct link:
https://blogs.technet.microsoft.com/enterprisemobility/2017/04/18/no-password-phone-sign-in-for-microsoft-accounts/)
is just painful. It's mostly a collection of people who use Windows on their
phone crying out about the lack of support for Windows.

Microsoft won't support their own platform (phone) with this. If that's the
case then why would any other developer write apps for Windows? Also, I
thought the big push was for Universal Windows Platform (UWP) apps that ran on
mobile, desktop/tablet, and Xbox. I can understand that you may not want to
write a custom app for a platform with tiny market share but "big" Windows
still has a lot of share.

This is a great example of how to erode trust.

~~~
enzanki_ars
"A few people have asked if this works with Windows Phone version Microsoft
Authenticator. Windows Phone makes up <5% of the active users of our
Authenticator Apps so we have prioritized getting this working with iOS and
Android for now. If/When it becomes a big success on those high scale
platforms, we will evaluate adding support for Windows Phone." [1] - Reasons
never to buy a Windows Phone #387.

[1]: https://blogs.technet.microsoft.com/enterprisemobility/2017/04/18/no-password-phone-sign-in-for-microsoft-accounts/

------
GordonS
I wonder if this might have anything to do with pushing legal liability for
breaches onto the user and/or reducing fallout from future hacks.

If Microsoft stores passwords (salted and hashed, of course) which are later
stolen and cracked (for example due to something wrong with the way they
handled hashing), then Microsoft could perhaps be on the hook for damages (I'm
thinking in the US, at least). It could also potentially be a _lot_ of users
affected, which means bad press.

If Microsoft only uses an OTP app that runs on the user's device, then the
responsibility to secure that device is on the user - it's up to them whether
they use a PIN, password, PIN pattern, fingerprint or indeed nothing at all.
Also, if a bad actor needs to gain access to a user's device to access their
account, the bad press of hackers stealing thousands or millions of
credentials is avoided.

------
benwen
This seems to be _less_ secure. I noticed yesterday that my iPhone's Microsoft
Authenticator app emitted at least three notifications to "Approve sign-in
request...ABCDE".

I almost never log into my Microsoft LiveID account, the only identity that
uses that app for 2-factor. I thought it was a little screwy, so largely
ignored the first request. By the time the second and third notifications came
in I had read the news about MSFT's move to go to a simple "Approve/Deny"
single-factor. An attacker could just go through a list of LiveIDs and try
to authenticate. With a large enough list, a few folks will just hit
"Approve", I'd wager. I doubt the app uses any other factors like GPS or IP
address. NB: There does seem to be a timeout.

Or am I missing something here?
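
Added example (editor's code, not part of the thread): a detection pass over authentication logs for the failure mode described above, run on constructed sample lines in a format assumed for the demo (not Microsoft's log format). It raises two alerts: a burst of sign-in pushes to one account inside a short window, whether or not anyone taps Approve, and an approval that arrives only after earlier pushes to the same account went unanswered, which is the "eventually hit Approve" outcome. Thresholds and the window are tunable assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from Microsoft or any real service) in the shape
# an auth backend could emit: one line per push sent, approved, or expired.
SAMPLE_LOG = """\
2017-04-19T09:12:01Z account=benwen event=push_sent ip=203.0.113.7
2017-04-19T09:12:31Z account=benwen event=push_expired ip=203.0.113.7
2017-04-19T09:13:02Z account=benwen event=push_sent ip=203.0.113.7
2017-04-19T09:13:32Z account=benwen event=push_expired ip=203.0.113.7
2017-04-19T09:14:05Z account=benwen event=push_sent ip=203.0.113.7
2017-04-19T09:14:20Z account=carol event=push_sent ip=198.51.100.9
2017-04-19T09:14:25Z account=carol event=push_approved ip=198.51.100.9
2017-04-19T09:14:35Z account=benwen event=push_expired ip=203.0.113.7
2017-04-19T09:20:00Z account=erin event=push_sent ip=203.0.113.7
2017-04-19T09:20:30Z account=erin event=push_expired ip=203.0.113.7
2017-04-19T09:21:00Z account=erin event=push_sent ip=203.0.113.7
2017-04-19T09:21:10Z account=erin event=push_approved ip=203.0.113.7
2017-04-19T11:30:00Z account=dave event=push_sent ip=192.0.2.44
2017-04-19T11:30:08Z account=dave event=push_approved ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")


def parse(log_text):
    """Yield (timestamp, account, event, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["account"], m["event"], m["ip"]


def find_push_abuse(log_text, threshold=3, window=timedelta(minutes=10),
                    ignored_before_approve=2):
    """Return alerts in log order as (account, kind, count):
    'burst': `threshold` pushes to one account inside `window`;
    'approved-after-ignoring': an approval preceded by at least
    `ignored_before_approve` pushes that the user never answered."""
    recent = defaultdict(deque)    # account -> send times inside the window
    unanswered = defaultdict(int)  # account -> sends since the last approval
    alerts = []
    for ts, account, event, _ip in parse(log_text):
        q = recent[account]
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            unanswered[account] += 1
            if len(q) == threshold:   # fire once per crossing, not on every extra push
                alerts.append((account, "burst", len(q)))
        elif event == "push_approved":
            if unanswered[account] >= ignored_before_approve:
                alerts.append((account, "approved-after-ignoring", unanswered[account]))
            unanswered[account] = 0
        # push_expired needs no handling: an expired push simply stays unanswered.
    return alerts


if __name__ == "__main__":
    for alert in find_push_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample, `benwen` trips the burst rule on the third unanswered push and `erin` trips the second rule by approving after ignoring one; `carol` and `dave`, who answered their only prompt, stay quiet. The second rule is the one worth routing to a human, since by the time it fires the account may already be compromised.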

------
Zekio
"Microsoft Account passwords also appear to still be restricted to a mere 16
characters."

I've used 26+ character passwords for at least 2 years

~~~
tdb7893
Are they meaningfully more secure than 16 character ones?

~~~
hdhzy
16 char passwords provide around 30 bits of entropy while 30 char passwords
give you 46 bits of entropy according to an old NIST pdf [0].

[0]: http://csrc.nist.gov/archive/pki-twg/y2003/presentations/twg-03-05.pdf
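
Added example (editor's code, not part of the thread): the NIST estimation rule behind those two figures, as written up in SP 800-63 Appendix A for user-chosen passwords over the 94-character keyboard (first character 4 bits, characters 2-8 two bits each, 9-20 1.5 bits each, 21 and beyond one bit each), next to the entropy of a uniformly random password of the same length for contrast. The appendix's optional composition-rule and dictionary bonuses are left out; the lengths compared are chosen for this demo.

```python
import math


def nist_user_chosen_bits(password: str) -> float:
    """Guessing-entropy estimate for a user-chosen password under the NIST
    SP 800-63 Appendix A rule: first character 4 bits, characters 2-8 two bits
    each, characters 9-20 1.5 bits each, characters 21+ one bit each.
    The appendix's bonuses for composition rules and dictionary checks are
    deliberately not included."""
    n = len(password)
    bits = 0.0
    if n >= 1:
        bits += 4.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    return bits


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random password over `alphabet_size` symbols
    (94 = printable ASCII without space): log2(94) is about 6.55 bits/char."""
    return length * math.log2(alphabet_size)


def compare(lengths=(8, 16, 26, 30)):
    """Rows of (length, user-chosen estimate, random estimate rounded to 0.1)."""
    return [(n, nist_user_chosen_bits("x" * n), round(random_password_bits(n), 1))
            for n in lengths]


if __name__ == "__main__":
    for n, chosen, rnd in compare():
        print(f"{n:>2} chars: user-chosen ~{chosen:>5.1f} bits, random ~{rnd:>6.1f} bits")
```

The rule reproduces the 30 and 46 bits quoted above and also shows why the 16-character cap matters less than it looks: past 20 characters a user-chosen password gains an estimated one bit per character, while a generated one gains about 6.5, so a 16-character random password (~105 bits) already dwarfs any length of chosen passphrase under this estimate.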

------
6d6b73
Not only that. I recently caught MS lying - when I bought an Xbox One I had to
create a Live Account. When I did that I was then asked to provide my cell
phone number because "Recent spam activity from your account" required me to
verify the account. The problem is that between creation of the account and
that supposed spam, there was only a 3-minute difference.

~~~
ghostly_s
...and this has what to do with the posted article?

~~~
6d6b73
Yeah I probably could be a little more clear on that .. Basically I think that
it shows that companies like Microsoft do stuff that makes us less secure and
violates our privacy, and they have no problem lying to us to get the
information they think they need.

