Microsoft Hops On Two-Factor Authentication Bandwagon
itwbennett writes "Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products. Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user's mobile phone, the number of which Microsoft will keep on file, each time the user logs on."
Will I not be able to pirate Win8.1?
I'm not sure Microsoft actually understands two factor authentication. The description (could be wrong, didn't read the article) doesn't sound like two factor authentication to me.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Given that cell phones are as much a part of your everyday carry as a wallet and keys, you would be screwed anyway if someone stole your phone.
This isn't really two-factor auth. If someone steals your phone, you are screwed.
Something you Know (password).
Something you Have (phone).
Something you Are (doesn't do this yet).
Sounds like it's meeting 2 different factors of authentication to me.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
windows live (PC gaming). Xbox gaming. Hotmail.
when I can have Bills, Balmers, Larry, Sergei and the rest of the executives
maybe someone should start a website with this information, if you have nothing to hide..........
Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
Unless the user doesn't store their password on the phone. Then it IS 2 factor. The user doing something by their choice doesn't negate the fact that this is 2 factor authentication if used "correctly".
I'm not sure that I want to give Microsoft my phone number. I switched to outlook.com from Google because of privacy concerns (if you know a better free solution then feel free to share the info, btw) and it's not to give away information like a real phone number.
This isn't really two-factor auth.
Leaving aside that people often aren't clear on what "authentication" is, there isn't any good, hard definition of what constitutes a factor. Invariably the standard waffle is trotted out: "something you know", "something you have", or "something you are". It's very deceptive when you're trying to evaluate an authentication scheme as it handwaves away all the messy details.
If someone steals your phone, you are screwed.
Most of these schemes (at least Apple and Google) have you print out some recovery codes in case you lose your phone.
The new Microsoft authentication option, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating confirmation codes). The options for the second step in authentication (a password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password) plus "something else you know" (the password to the alternative email).
(Plus, since it's sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
I have one for downloading apps onto my Windows Phone.
I don't respond to AC's.
"The chief form of secondary authentication will be a short code sent to the user's mobile phone"
Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?
Steam, Battle.net, Gmail.
No Microsoft in sight!
Get free satoshi (Bitcoin) and Dogecoins
Unless you're a [insert company name] developer, what would anyone want a "[insert company name] account" for?
I still wouldn't mind so much here - the number of people that can access the account is restricted to exactly 1 since only one person can possess the phone at any given time. Unless someone wants to sit there and field passcodes to everyone that wants to hack the account, but this would be painfully slow.
Besides the carrier would reissue the phone and disconnect the old one with good ID and it's fairly easy to prove that you're paying the phone bill anyway.
Maybe in your world but not in mine. Reception where I live sucks. Bandwidth is barely acceptable and a mobile is practically useless. I do not own one and while telcos continue to screw us and the governments charge exorbitant fees for what is essentially nothing (go on - define spectrum) I'm waiting for something that provides me with ACTUAL value.
If MS really cared that much about security they would offer the use of client certificates. Much more secure than SMS.
Judging by what passes for acceptable practice today, my guess is this is all likely effectively a moot point, as convenience password recovery measures effectively curtail actual security gains.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
Skype, Hotmail, Live properties, Xbox Live, Messenger, Windows 8 users with linked accounts, Skydrive ...
Microsoft has more individuals with accounts than anyone else, by far.
You may not have one (although, even if you were 100% Linux, unless you've never used Skype, you do have one), but virtually every other person with a computer does.
Authorized computers don't need extra verification and they'll probably have the printable one-time-code pads, like google. Nothing keeps you from using any RFC 6238 passcode generator, like those on this list, on a second device (as you can see there's plenty to choose from) - it's just a matter of inserting the same code in all your generators.
Microsoft Accounts have supported two factor authentication for "sensitive" actions for quite a while -- adding trusted PCs, changing billing methods, resetting passwords, etc ...
Two things new with this:
- The ability to set the account to require it at login for normal authentications
- The ability to use 3rd party token applications (like Google Authenticator) for the tokens, instead of SMS.
windows live (PC gaming). Xbox gaming. Hotmail.
Steam, Battle.net, Gmail.
Both Steam (for Valve and those who publish through Valve) and Battle.net (for Blizzard) are primarily for games in mouse and keyboard genres, as I understand it. Other than Xbox Live, what service caters to gamepad gamers?
Hotmail/Outlook webmail, Xbox Live, Windows 8 sync features, SkyDrive, Office 365, Messenger/Skype, MSDN/Technet, online Microsoft store, and I'm sure there's a few more obscure things.
Two-Factor has been free for ages. You can get an NPS module that does text message, google auth, and loads of stuff at www.wrightccs.com and have been able for a long time.
I desperately want Microsoft to have my phone number. They would never sell that.
Is this some sort of scam to get marketing data because Bing sucks?
Good for you.
windows live (PC gaming). Xbox gaming. Hotmail.
Steam, Battle.net, Gmail.
Both Steam (for Valve and those who publish through Valve) and Battle.net (for Blizzard) are primarily for games in mouse and keyboard genres, as I understand it. Other than Xbox Live, what service caters to gamepad gamers?
Time to upgrade to a real control scheme then.
Microsoft is using additional verification methods such as a short code sent to the user's mobile phone, which is then entered in addition to the password, or by asking the user to supply additional information, such as an alternative email address.
Let's keep reading:
As an alternative to security codes, Microsoft is providing a number of other forms of authentication as well. For smartphones, users can deploy an authenticator app. Microsoft has released an authenticator app for Windows Phones, and third-party authenticator apps can be used for other platforms. For those devices that do not directly support two-factor authentication, such as the Xbox, users can get a secondary password, one unique to each device.
So, either you didn't read the article, or have the reading comprehension of a 5 year old.
Microsoft is constantly hopping on bandwagons. It gets them free advertising. They don't care that a good chunk of the population points out that they do things poorly, mislabel things, intentionally name things wrong, break standards, break other products, etc... They care that you are talking about them.
Every other week we read about MS hyping some other bullshit they think they invented. Most laugh at them, a few fanbois run out and buy what ever they are hawking, but most importantly we all see their name enough where it's impossible to ignore it.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I wouldn't want to play Mega Man or Metroid with a keyboard and a mouse.
All of these authentication measures seem to want my cell phone.
I don't have one, and you can phone me when Hades freezes over.
-- Tigger warning: This post may contain tiggers! --
Mostly everything on the PC has controller support these days. Steam even lists "Full controller support" (when applicable) in a sidebar on the store page of every game along with things like "Single-Player, Multi-Player, Steam Achievements" etc.
I don't think very many genres benefit from having controller support but if the game supports a controller on the xbox/ps3 then it probably does on the PC as well.
but nobody does this
Time to upgrade to a real control scheme then.
Or, you know, not limit yourself out of silly fanboyism.
I don't think you understand the question. He means, why would anyone want to use a product that he doesn't use?
He doesn't use those things, ergo no one else should either. It's the Slashdot way.
2 -- something new,
3 -- something borrowed,
4 -- something blue,
Wait, isn't that what we were talking about?
Maybe in your world but not in mine. Reception where I live sucks. Bandwidth is barely acceptable and a mobile is practically useless. I do not own one and while telcos continue to screw us and the governments charge exorbitant fees for what is essentially nothing (go on - define spectrum) I'm waiting for something that provides me with ACTUAL value.
Yes, and the Amish don't watch porn on the internet.
There are always exceptions to any rule when it comes to human beings.
To have a right to do a thing is not at all the same as to be right in doing it
Yes, I think we know that there are alternatives to Microsoft. The original question was why would you want to use a Microsoft account. It's self evident that it would be for Microsoft services.
I have one for downloading apps onto my Windows Phone.
I'm pretty sure that's illegal in slashdot-world.
First of all, you merely just repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
True, the 8- and 16-bit titles in the Mega Man and Metroid series are probably better played with a gamepad than with a pointing device. But pointing device advocates would claim that the play style of these older games is a relic of the past, and series need to evolve to keep up with changing play styles implied by higher-resolution input devices. For example, a pointing device would have helped third-person shooters like Mega Man Legends and first-person shooters like Metroid Prime series. In fact, Nintendo made Metroid Prime 3 for its Wii Remote pointing device and remade several games for the Wii Remote for its "New Play Control" line, including a 3-pack of the Metroid Prime series. You can help keep your argument relevant by explaining how controller-friendly play styles aren't a relic.
I don't think very many genres benefit from having controller support
In light of someone's recent post about what he perceives to be the reality of the video game market, I've been doing a bit of research into what makes a game better with a controller than with a pointing device. Any game where the player controls one character on the screen that moves and jumps would benefit from a gamepad. Platformers and fighting games are the big ones, and I'm not sure how well the Zelda games for DS worked with pointing-device-only control.
if the game supports a controller on the xbox/ps3 then it probably does on the PC as well.
Mortal Kombat (2011) doesn't support a controller on the PC because it isn't made for PC. If a game is on Xbox 360 but the publisher has declined to port it to the PC, you need a Microsoft account and an Xbox Live Gold subscription to play online.
If you don't have a cell phone, you can't use this
As of right now, "this" means the 2-factor authentication for a Microsoft account. Perhaps my paranoia comes from a fear that Microsoft might make 2-factor authentication mandatory.
pre-paid SIM
Each U.S. carrier that I've looked at will expire the balance on a prepaid mobile phone account if the user doesn't top up regularly. And in the United States, the receiver pays 20 cents to receive a text message unless the receiver is on a monthly unlimited texting plan. Having to pay the carrier a dollar every five times I log in to anything that uses a Microsoft account could add up quickly.
wait, so only 100% linux users who never use skype don't have windows accounts? Are you sure about that? That would come as a shock to my wife... could you be so kind as to tell us what the account is? And the only reason *I* have a MS account is due to work (and there are still folks here who don't, I'm just in an unfortunate minority). And we are predominantly windows here. Just no reason to have MS accounts. No need for skype. No need for hotmail (why? corporate email not good enough?), live properties (never heard that one, or is this a new name for passport, or hotmail, or whatever?), no need for xbox live without xbox (there aren't as many of these as you seem to think), or messenger, Win8 "linked accounts" tacitly admits that even Win8 isn't a microsoft account by itself without a serious stretch, and skydrive is another wannabe to a google service.
I would be surprised if MS has more individual accounts by far than anyone else... say Google. More? Maybe. By far? That seems quite a stretch. Google has far more reach than MS as they don't limit themselves to windows users (yeah, after MS bought skype you can include those, but the rest of what you list is effectively "for windows users only" -- hotmail is a sad, sad joke.) But you can run Windows without ever creating a "microsoft" account.
OTOH, Apple has a pretty clear share (albeit smaller) due to the relative necessity for an apple account to use an ipad/iphone. And of course google owns those with an android device -- and that /is/ a large number of folks.
Why not? How is the Wii-mote any different than a mouse? And the keys on the Wii-mote are pretty much like a keyboard. The newer editions of Metroid have you aiming by pointing the Wii-mote, this is not much different than any other FPS on the computer. It would be much easier to use a keyboard/mouse than the Wii controllers.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Unless you don't have a phone lock password, in which case you are explicitly stating that you don't give a shit about security at all...
I guess you didn't read the GP post or the article summary. He wasn't talking about M$ providing one of the two factors and a third party offering the other, in which case it isn't Microsoft offering two factor auth now, is it? It is more like Microsoft relies on Google/Apple for second factor.
I was obviously referring to Metroid and Super Metroid. Trying to play Metroid Prime with a gamepad like the ones on the PS3 or the Xbox360 would be a nightmare.
Anyone who considers 2-D games "relic"
It's not that games with 2D graphics are "relics". It's that gamepads are allegedly "relics". The most popular mobile gaming platforms today are iOS and Android, and those ship with a capacitive multitouch screen. A lot of popular touch-oriented games, such as Angry Birds series, use 2D graphics. So do plenty of mouse-driven Flash games on Newgrounds. Other than 2D platformers and fighting games, whose popularity compared to other genres has waned, what genres really need a gamepad?
isn't worth arguing with.
Yet pointing device advocates keep arguing for pointing devices, and they occasionally get moderated up. So it's best to have a counterargument ready instead of just an ad hominem.
First of all, you merely just repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
The first rule of good password use is that you don't write it down or store it anywhere. If you store your password on your phone then YOU are sacrificing some security in exchange for convenience. The exact same thing happens if a user writes their password on the back of a physical SecurID token, yet those tokens are considered part of a 2 factor system. In any security system the users are the weakest part. Even 2-factor systems can be broken by the bad practices of the users.
It's a trade-off between either the extra security of two-factor authentication, or the convenience of linking more than one account to be able to switch between them with ease. Why can't Microsoft follow Google's lead and give us the ability to both log in securely and stay logged in to multiple accounts at the same time? It's irritating enough to have to log out and then log back in with the other username/password, and the "stay logged in" check box is fucking useless when you have to log out every god damn day anyway to check something on your other account.
Your post has nothing to do with the actual conversation.
Your post has nothing to do with the actual conversation.
Ok, please tell me which of the following statements are wrong and why.
1. This system requires the user to enter a password.
2. This system can be configured to require the user to enter a code sent via SMS to the user's phone.
3. A password is an authentication factor.
4. Physical access to an object is an authentication factor.
5. 1 + 1 = 2
#5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. #5 should read: 1 * 1 = 1
#5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. #5 should read: 1 * 1 = 1
No it isn't. I don't store my Microsoft password on my phone. My Microsoft password exists only in my head, as a properly used password should. Just because YOU CHOOSE to store your password on the same device as your token does not mean that it isn't 2-factor authentication. It sounds like you are using 2 factor authentication wrong, not Microsoft.
Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10 minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10 minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
I see the problem now. You are assuming that everyone who has a Microsoft account uses it for email and checks it from their phone. I only use my Microsoft account to access MSDN and MSN Messenger from my desktop; it isn't linked to any email or on my phone at all. In my case their solution works perfectly as 2 factor authentication as the phone is completely separate from the password.
You have the issue inverted. The fact that people use their phone for email means Microsoft has to address that (most common) use case. Your corner case is exactly that. Most people use their smartphone for email. A solution that breaks functionality, especially functionality used by the majority, is not a solution.
The fact that my case exists at all and counts as 2 factor authentication means that Microsoft has ACTUALLY created 2 factor authentication. How many people do you know who have Microsoft email addresses? I'm betting that my type of usage isn't all that uncommon.
"With this release you can choose to protect your entire account with two-step verification, regardless of what service, or device, you are using with your Microsoft account," says Eric Doerr, a Microsoft group program manager. "It's your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we've worked hard to make set-up really easy."
;-)
...
I didn't say they didn't implement it. It is merely that they have broken functionality. You get to choose between using it, and not having a partially broken system. It is a typical Microsoft "solution" in that regard, of course.
Now off you go