19 Responses to Microsoft looks like being next with two-factor authentication

  1. Josh · 373 days ago

    So it uses an app.

    What about those of us who don't have smart phones? I realize that this is in the minority, but still.....

    • Paul Ducklin · 373 days ago

      As suggested in the article, it sounds as though SMS-based 2FA will be supported.

      So you can buy a $10 non-smart-phone (a *telephone* phone :-) and $1 of airtime and have your very own portable 2FA token. (My non-smart-phone has about 2 weeks of battery life, too. I use it as a token that can make emergency calls in, well, an emergency.)

      • Ben · 372 days ago

        So if I'm understanding all of this (and there's a good possibility I'm not) I'd have to have another device tethered around my neck to receive another authentication code before I can log into an account.

        Gee, why not make things even more secure by having 4FA or even 6FA in place?

        I could use a laptop to make the initial login attempt, enter my traditional password, and then wait for the first authentication code to go to my non-smart-phone. I could input that code and wait for a second code to go to my mandated Android device. Then a third code to my non-Android tablet, a 4th code back to my non-smart-phone, etc.

        I'm reminded of a quote: "Those who would sacrifice freedom for security deserve neither." - Ben Franklin

        • Ben, you are completely missing the point. This has nothing to do with personal liberties or civil rights. It can be simply broken down into this one simple question.

          Why do you have a dead-bolt on your front door? Isn't the one lock in the handle good enough?

          This is simply an added layer of security to protect your digital information.

        • Paul Ducklin · 371 days ago

          It isn't compulsory. And you don't have to have the device round your neck...I carry my phone, which weighs about 60g [2oz] in my pocket, from where I use it as a clock, a 2FA token for various online services, and, when needs must, as a phone :-)

          I get your point about 4FA or even 6FA, but I usually carry around those 60 grams of non-smart-phone *anyway*, so being able to use it as a 2FA token as well is, if you like, a "free bonus."

          Not sure that the B. Franklin quote really fits in here, because [a] you don't have to use the 2FA feature and [b] there isn't really any loss of *freedom* here (at least in the sense in which I think Franklin used the word) even if you do use the 2FA.

  2. David · 373 days ago

    With Windows 8, the setup process encourages you to use your Microsoft Account as the login account to your computer.

    So if I did this, and enabled 2FA, and took my laptop somewhere where I have no phone signal, would 2FA lock me out of my computer?

  3. While I agree with the concept of "use 2-factor all the time, it is better that way" from a pure "stop others from hacking into my account" perspective, the remember my device feature is nice as well. Being able to ensure that anyone who tries to compromise my account at least has my phone/etc, will greatly reduce the "remote attacker" angle and thus has significant value on its own, IMO.

    • Scott · 372 days ago

      Agreed!

      I only access my email from a home desktop (Windows 7 Pro), so I'm hoping that, in the name of avoiding a bit of inconvenience, their 2FA set-up includes being able to make my computer a "trusted pc" for the purpose (as it already is for their password/account recovery feature). :-)
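The "trusted PC" or "remember my device" feature discussed in this thread is usually implemented as a server-issued, signed token that the browser presents alongside the password so the second step can be skipped on that device only. The following is an added illustration, not Microsoft's or any other vendor's code; the token layout, the field names and the 30-day lifetime are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side key for this example; a real deployment would load it
# from a secrets store rather than generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(user_id: str, device_id: str, now: int,
                       ttl_days: int = 30, key: bytes = SERVER_KEY) -> str:
    """Issue a 'remember this device' token after a full 2-step login.

    The token binds a user id, a device id and an expiry time, and is signed with
    HMAC-SHA256 so the client cannot forge or alter it.
    """
    payload = {"uid": user_id, "did": device_id, "exp": int(now) + ttl_days * 86400}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_device_token(token: str, user_id: str, now: int,
                        key: bytes = SERVER_KEY) -> bool:
    """Return True only if the token is authentic, unexpired and for this user.

    The signature is checked (in constant time) before the payload is parsed, so
    unauthenticated data is never interpreted.
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False
    payload = json.loads(_unb64(body))
    return payload.get("uid") == user_id and payload.get("exp", 0) > int(now)


if __name__ == "__main__":
    tok = issue_device_token("alice", "home-desktop", now=1_000_000)
    print("same user, next day:", verify_device_token(tok, "alice", 1_086_400))
    print("different user:     ", verify_device_token(tok, "bob", 1_086_400))
```

Because the token is bound to the user and expires, a stolen cookie only helps an attacker who also has the password, for that account, and only until it expires; revoking the server key (or storing a per-token id that can be invalidated) ends all trusted devices at once.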

  4. Are they trying to say it works with Google Authenticator without actually mentioning Google by name? I would certainly rather use Google Authenticator than need to download another authenticator, juggling between them and remembering what goes to what account would be a tremendous nuisance.

    • Paul Ducklin · 373 days ago

      I think they are suggesting that it ought to work with various other authenticators that follow the same standards...and Google's might very well be one of those :-)

      There are plenty of authenticator apps to choose from. I guess you have to try your favourite one and see.

      Perhaps if/when this actually launches a list of known-to-work apps will be provided?

    • I would not assume as much. They recently (last year) acquired Phone Factor, a 2FA company. I would expect them to be pushing their own technology.

      They're going to be doing it in the Enterprise, as they attempted to show at the MMS 2013 event - http://channel9.msdn.com/Events/MMS/2013/WS-B338

      • Paul Ducklin · 371 days ago

        Though if you accept the screenshots, and the wording on the already-public Windows Phone app page, it looks as though MS is not "going proprietary" here.

  5. daniellynet · 372 days ago

    Finally! Took their time.
    I've always been worried about my account since the maximum pass length is 16 characters, and this will help me sleep better at nights knowing I have another layer of protection.

  6. random guest · 372 days ago

    This is two-step authentication, not two-factor!

    There is a fundamental difference between them.
    It is a faux pas for a security-related site to mix different types of authentication.

    • Paul Ducklin · 371 days ago

      We hear you. Indeed, we've already discussed the differences and similarities between (amongst?) two step verification, two step authentication, and two-factor authentication in a number of previous articles, such as:
      http://nakedsecurity.sophos.com/sscc-106
      http://nakedsecurity.sophos.com/wordpress-boosts-...
      http://nakedsecurity.sophos.com/apple-introduces-...

      If you use two separate devices (e.g. a laptop to read webmail plus Windows Phone with the authenticator app, or an Android tablet to read webmail plus a non-smart-phone with SMS-based authentication), which is how I think most people will do it, then I think 2FA is unquestionably the right thing to call it.

      If you end up logging in on the same device that receives or generates the one-time code, then you might want to avoid calling it 2FA.

      But both approaches have two steps, and (if the truth be told) both involve two factors, albeit that the factors are a bit close for comfort in the second case.

      So I think we can live with 2FA, 2SV and 2SA being considered synonyms in everyday speech, just as we manage fine using the specific term "virus" for the more generic concept of "malware".

      (If you want to be fundamentally correct, you need to call it two-step verification, not authentication, because that's what Microsoft seems to call it. See the screen shots above.)

  7. David · 372 days ago

    If I understand it correctly, the Windows Phone app means I can use two factor authentication on a GMail account and use the phone app to sign in without receiving an SMS or whatever?

    Since Google themselves provide apps for Android, iOS and Blackberry but don't supply a Windows Phone app, this is a useful step forward for people with GMail accounts and Windows Phone, regardless of what happens with Microsoft accounts.

  8. Joep · 371 days ago

    I too don't own a smart phone as I work from home and there is no cell signal in the area where I live. I like the way my local bank solved it. They offer three options for the 2nd step that I can choose from after completing the first step: send me the code by email, by text message to my cell, or by voice message to my cell or land line. The email address (not the one tied to the account), mobile phone# and land line used have been set up beforehand in my account. This works great. But when providers only offer app or txt options as a 2nd step it simply doesn't work for me.

    • Paul Ducklin · 371 days ago

      Hmmm. Authentication codes via email don't sound great to me. Too little security. I'd rather use no 2FA, but that's just me.

      (And choosing a different second step after you've done the first step - but before you've authenticated - is *definitely* a bad idea. An unauthenticated, or partly authenticated, attacker shouldn't really be able to vary your security procedure to suit himself.)

      The authenticator apps, by the way, work offline, so you don't need a cellular signal, or even a WiFi connection. You do need a device that can run Android apps (or, if you hunt around a bit for a Java Mobile Edition authenticator, any Java-enabled non-smart phone, with or without a working SIM).

      If your bank were serious about security, of course, it would have issued you with a standalone authentication token, for example one of those that displays a new 6-digit secret code every 30 or 60 seconds.

      Microsoft can be excused for not offering a physical token to every freebie user...

  9. roy jones jr · 371 days ago

    They have started pushing it to different devices. The problem folks have told me about is the way in which they do it. All of a sudden it just shows up on whatever device you're using but it doesn't explain the situation. An end result is someone performing the process wrong, or folks ignoring it... They need to say "This is a new mandated process and this is how it will be!" Don't just drop it here and there.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog