Microsoft Hops On Two-Factor Authentication Bandwagon
itwbennett writes "Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products. Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user's mobile phone, the number of which Microsoft will keep on file, each time the user logs on."
Will I not be able to pirate Win8.1?
This isn't really two-factor auth. If someone steals your phone, you are screwed.
Something you Know (password).
Something you Have (phone).
Something you Are (doesn't do this yet).
Sounds like it's meeting 2 different factors of authentication to me.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
Windows Live (PC gaming). Xbox gaming. Hotmail.
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
This meets 2 of those factors, a password (know), and your phone (have).
Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
Unless the user doesn't store their password on the phone. Then it IS 2 factor. The user doing something by their choice doesn't negate the fact that this is 2 factor authentication if used "correctly".
The new optional Microsoft authentication approach, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating confirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password) plus "something else you know" (the password to alternative email.)
(Plus, since it's sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
Yes. Microsoft, who hires thousands of the best developers including elite Ph.D researchers and pays them large sums of money doesn't know what two factor authentication is.
You cracked the case, Murder She Wrote.
I have one for downloading apps onto my Windows Phone.
I don't respond to AC's.
If MS really cared that much about security they would offer the use of client certificates. Much more secure than SMS.
Judging by what passes for acceptable practice today, my guess is this is likely all effectively a moot point, as convenience password recovery measures effectively curtail actual security gains.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
Skype, Hotmail, Live properties, Xbox Live, Messenger, Windows 8 users with linked accounts, Skydrive ...
Microsoft has more individuals with accounts than anyone else, by far.
You may not have one (although, even if you were 100% Linux, unless you've never used Skype, you do have one), but virtually every other person with a computer does.
The article refers to it as "two-step" not two factor. The title and summary say it is two factor.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Microsoft Accounts have supported two factor authentication for "sensitive" actions for quite a while -- adding trusted PCs, changing billing methods, resetting passwords, etc ...
Two things new with this:
- The ability to set the account to require it at login for normal authentications
- The ability to use 3rd party token applications (like Google Authenticator) for the tokens, instead of SMS.
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
And a fanatical devotion to the Pope- Four! Four authentication factors!
systemd is Roko's Basilisk.
I suspect they understand what two-factor authentication is quite well, and that is the reason that their label for what they are doing is "two-step authentication", which is only confusingly similar to "two-factor authentication". They very carefully do not actually call it "two-factor authentication".
I certainly didn't expect a Spanish Inquisition joke.
You're thinking of Google.
Microsoft is surprisingly good about privacy. I'm not sure if it's part of MS's culture, or a side-effect of their loss of market leadership. Either way, I find MS to be quite trustworthy with regards to privacy.
MS can be fairly competent when they aren't a monopoly and can't bully others around.
"The chief form of secondary authentication will be a short code sent to the user's mobile phone"
Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?
So? If you don't have something, you can't use it. This is simple. You constantly seem to think that because something costs money, it's useless because there exists somewhere a person who can't afford it.
How does that make any sense? What product in the world lives up to that criticism?
Why constantly feel the need to knock things down that add value to the world? If you don't have a cell phone, you can't use this, but that it exists means that the billions of people that do have a cell phone can. The cell-less lose nothing, and those with cells gain. What is wrong with that?
Such negativity, how horribly unnecessary and pointless!
Maybe in your world but not in mine. Reception where I live sucks. Bandwidth is barely acceptable and a mobile is practically useless. I do not own one and while telcos continue to screw us and the governments charge exorbitant fees for what is essentially nothing (go on - define spectrum) I'm waiting for something that provides me with ACTUAL value.
Yes, and the Amish don't watch porn on the internet.
There are always exceptions to any rule when it comes to human beings.
To have a right to do a thing is not at all the same as to be right in doing it