We’ve written recently about Apple and Automattic starting to offer two-factor authentication (2FA) for online accounts.
Word on the street says that Microsoft will soon be doing the two-step, too.
The rumours all seem to stem from one source, Microsoft technogoss site liveside.net, whose allegedly-leaked screenshots of not-yet-public interface pages seem to bear out the story.
So, with appropriate caution given that all roads seem to emanate from the same place, here are some screenshots of liveside’s screenshots.
This one shows what purports to be a new option in the Security info tab of the Microsoft account configuration interface:
And here’s what is supposed to be the initialisation step for the newly-activated 2FA feature:
It’s not clear exactly what the “Don’t ask me for a code” tickbox is for, but it looks as though you will be able to exempt your most commonly-used device (say, your day-to-day laptop) from needing 2FA-protected logins.
I hope that’s not the case, because 2FA adds real value if you use it as a matter of routine, not if you use it only in special cases.
Sure, you can argue that an oft-used and cherished laptop is less likely to get you into trouble with a keylogger than, say, a PC in an internet cafe or a kiosk at the airport.
But if you care about security, you won’t read your email, personal or business, on kiosks or in internet cafes at all.
And if you genuinely cherish that oft-used laptop, and your oft-used accounts, you’ll want only the best levels of security every time you use them.
Adding further credibility to the liveside claims is the recent, quiet appearance of the Windows Phone Authenticator app in the Windows Phone Store:
Incidentally, Microsoft’s own Phone Store summary reassures you that the app “implements industry-standard security code generation,” and one of the screenshots from liveside’s stash advises you:
If you have an iOS, Android or BlackBerry device, search your app store for an authenticator app.
So it looks as though you’ll be able to buy into Microsoft’s 2FA without buying a Windows Phone on which to run Microsoft’s app.
Furthermore, a commenter on liveside claims that the “Use a different verification option” in the second screenshot above leads to a configuration page on which you can choose SMS-based verification codes if that’s what you prefer.
Are you convinced?
I must say that the word-on-the-street sounds pretty believable, and if it’s true, then it’s great news.
(On the other hand, the selfsame street blithely assured us that Microsoft’s most recent Patch Tuesday update for Internet Explorer would fix the vulnerabilities exposed at the 2013 PWN2OWN competition, but that turned out to be untrue.)
Anyway, even if everything here is spot-on, you can’t force horses to drink, albeit that you have led them to water.
So if (or when) this feature does go live, it will be interesting to see how quickly and widely Microsoft cloud users will adopt it…
So it uses an app.
What about those of us who don’t have smart phones? I realize that this is in the minority, but still…..
As suggested in the article, it sounds as though SMS-based 2FA will be supported.
So you can buy a $10 non-smart-phone (a *telephone* phone) :-) and $1 of airtime and have your very own portable 2FA token. (My non-smart-phone has about 2 weeks of battery life, too. I use it as a token that can make emergency calls in, well, an emergency.)
So if I'm understanding all of this (and there's a good possibility I'm not) I'd have to have another device tethered around my neck to receive another authentication code before I can log into an account.
Gee, why not make things even more secure by having 4FA or even 6FA in place?
I could use a laptop to make the initial login attempt, enter my traditional password, and then wait for the first authentication code to go to my non-smart-phone. I could input that code and wait for a second code to go to my mandated Android device. Then a third code to my non-Android tablet, a 4th code back to my non-smart-phone, etc.
I'm reminded of a quote: "Those who would sacrifice freedom for security deserve neither." – Ben Franklin
Ben, you are completely missing the point. This has nothing to do with personal liberties or civil rights. It can be simply broken down in to this one simple question.
Why do you have a dead-bolt on your front door? Isn't the one lock in the handle good enough?
This is simply an added layer of security to protect your digital information.
It isn't compulsory. And you don't have to have the device round your neck… I carry my phone, which weighs about 60g [2oz], in my pocket, from where I use it as a clock, a 2FA token for various online services, and, when needs must, as a phone :-)
I get your point about 4FA or even 6FA, but I usually carry around those 60 grams of non-smart-phone *anyway*, so being able to use it as a 2FA token as well is, if you like, a "free bonus."
Not sure that the B. Franklin quote really fits in here, because [a] you don't have to use the 2FA feature and [b] there isn't really any loss of *freedom* here (at least in the sense in which I think Franklin used the word) here even if you do use the 2FA.
With Windows 8, the setup process encourages you to use your Microsoft Account as the login account to your computer.
So if I did this, and enabled 2FA, and took my laptop somewhere where I have no phone signal, would 2FA lock me out of my computer?
While I agree with the concept of "use 2-factor all the time, it is better that way" from a pure "stop others from hacking into my account" perspective, the remember my device feature is nice as well. Being able to ensure that anyone who tries to compromise my account at least has my phone/etc, will greatly reduce the "remote attacker" angle and thus has significant value on its own, IMO.
Agreed!
I only access my email from a home desktop (Windows 7 Pro), so I’m hoping that, in the name of avoiding a bit of inconvenience, their 2FA set-up includes being able to make my computer a “trusted pc” for the purpose (as it already is for their password/account recovery feature). :-)
Are they trying to say it works with Google Authenticator without actually mentioning Google by name? I would certainly rather use Google Authenticator than need to download another authenticator, juggling between them and remembering what goes to what account would be a tremendous nuisance.
I think they are suggesting that it ought to work with various other authenticators that follow the same standards… and Google's might very well be one of those :-)
There are plenty of authenticator apps to choose from. I guess you have to try your favourite one and see.
Perhaps if/when this actually launches a list of known-to-work apps will be provided?
I would not assume as much. They recently (last year) acquired Phone Factor, a 2FA company. I would expect them to be pushing their own technology.
They're going to be doing it in the Enterprise, as they attempted to show at the MMS 2013 event – http://channel9.msdn.com/Events/MMS/2013/WS-B338
Though if you accept the screenshots, and the wording on the already-public Windows Phone app page, it looks as though MS is not "going proprietary" here.
Finally! Took their time.
I've always been worried about my account since the maximum pass length is 16 characters, and this will help me sleep better at nights knowing I have another layer of protection.
This is two-step authentication, not two-factor!
There is a fundamental difference between them.
It is a faux pas for a security-related site to mix up different types of authentication.
We hear you. Indeed, we've already discussed the differences and similarities between (amongst?) two-step verification, two-step authentication, and two-factor authentication in a number of previous articles, such as:
http://nakedsecurity.sophos.com/sscc-106
http://nakedsecurity.sophos.com/wordpress-boosts-…
http://nakedsecurity.sophos.com/apple-introduces-…
If you use two separate devices (e.g. a laptop to read webmail plus Windows Phone with the authenticator app, or an Android tablet to read webmail plus a non-smart-phone with SMS-based authentication), which is how I think most people will do it, then I think 2FA is unquestionably the right thing to call it.
If you end up logging in on the same device that receives or generates the one-time code, then you might want to avoid calling it 2FA.
But both approaches have two steps, and (if the truth be told) both involve two factors, albeit that the factors are a bit close for comfort in the second case.
So I think we can live with 2FA, 2SV and 2SA being considered synonyms in everyday speech, just as we manage fine using the specific term "virus" for the more generic concept of "malware".
(If you want to be fundamentally correct, you need to call it two-step verification, not authentication, because that's what Microsoft seems to call it. See the screen shots above.)
If I understand it correctly, the Windows Phone app means I can use two factor authentication on a GMail account and use the phone app to sign in without receiving an SMS or whatever?
Since Google themselves provide apps for Android, iOS and Blackberry but don't supply a Windows Phone app, this is a useful step forward for people with GMail accounts and Windows Phone, regardless of what happens with Microsoft accounts.
I too don’t own a smart phone, as I work from home and there is no cell signal in the area where I live. I like the way my local bank solved it. They offer three options for the 2nd step that I can choose from after completing the first step: send me the code by email, by text message to my cell, or by voice message to my cell or land line. The email address (not the one tied to the account), mobile phone number and land line used have been set up beforehand in my account. This works great. But when providers only offer app or text options as a 2nd step, it simply doesn’t work for me.
Hmmm. Authentication codes via email don't sound great to me. Too little security. I'd rather use no 2FA, but that's just me.
(And choosing a different second step after you've done the first step – but before you've authenticated – is *definitely* a bad idea. An unauthenticated, or partly authenticated, attacker shouldn't really be able to vary your security procedure to suit himself.)
The authenticator apps, by the way, work offline, so you don't need a cellular signal, or even a WiFi connection. You do need a device that can run Android apps (or, if you hunt around a bit for a Java Mobile Edition authenticator, any Java-enabled non-smart phone, with or without a working SIM).
If your bank were serious about security, of course, it would have issued you with a standalone authentication token, for example one of those that displays a new 6-digit secret code every 30 or 60 seconds.
Microsoft can be excused for not offering a physical token to every freebie user…
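As an added illustration, not code from the article or from Microsoft's app: the offline, time-based 6-digit codes described above are what the RFC 6238 TOTP scheme produces from a shared secret and the current 30-second interval, and the verifier side below also shows the two checks a service should make, a small clock-drift window and rejection of an already-used code. The seed is the RFC's published test value, not a real secret, and the replay-tracking design is the example's own assumption.

```python
import hmac
import hashlib
import struct

# Constructed test data: the ASCII seed used in the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits, then reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of whole time steps elapsed.
    This is why an authenticator app needs a clock, but no network."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                last_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Returns the accepted counter, or None.

    window: tolerate +/- this many steps of clock drift between token and server.
    last_counter: highest counter already accepted for this account (assumed to
    be stored by the service); anything at or below it is treated as a replay.
    """
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_counter:
            continue  # code already consumed (or older): reject replay
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    now = 59  # fixed timestamp so the output matches the RFC test vector
    code = totp(DEMO_SECRET, now)
    print("code at t=59:", code)                              # 287082
    accepted = verify_totp(DEMO_SECRET, code, now)
    print("first use accepted, counter", accepted)            # 1
    print("replay:", verify_totp(DEMO_SECRET, code, now, last_counter=accepted))  # None
```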
They have started pushing it to different devices. The problem folks have told me about is the way in which they do it. All of a sudden it just shows up on whatever device you're using but it doesn't explain the situation. An end result is someone performing the process wrong, or folks ignoring it… They need to say "This is a new mandated process and this is how it will be!" Don't just drop it here and there.