Slashdot Mirror
Microsoft Hops On Two-Factor Authentication Bandwagon
itwbennett writes "Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products. Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user's mobile phone, the number of which Microsoft will keep on file, each time the user logs on."
Will I not be able to pirate Win8.1?
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
windows live (PC gaming). Xbox gaming. Hotmail.
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
This meets 2 of those factors, a password (know), and your phone (have).
The new option Microsoft authentication approach, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating comfirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password" plus "something else you know" (the password to alternative email.)
(Plus, since its sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
Yes. Microsoft, who hires thousands of the best developers including elite Ph.D researchers and pays them large sums of money doesn't know what two factor authentication is.
You cracked the case, Murder She Wrote.
If MS really cared that much about security they would offer the use of client certificates. Much more secure than SMS.
Judging by what passes for acceptable practice today my guess this is all likely all effectivly a moot point as convenience password recovery measures effectivly curtail actual security gains.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
Skype, Hotmail, Live properties, Xbox Live, Messenger, Windows 8 users with linked accounts, Skydrive ...
Microsoft has more individuals with accounts than anyone else, by far.
You may not have one (although, even if you were 100% Linux, unless you've never used Skype, you do have one), but virtually every other person with a computer does.
The article refers to it as "two-step" not two factor. The title and summary says it is two factor.
Well, there's spam egg sausage and spam, that's not got much spam in it.
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
And a fanatical devotion to the Pope- Four! Four authentication factors!
systemd is Roko's Basilisk.
I certainly didn't expect a spanish inquisition joke.
You're thinking of Google.
Microsoft is surprisingly good about privacy. I'm not sure if it's part of MS's culture, or a side-effect of their loss of market leadership. Either way, I find MS to be quite trustworthy with regards to privacy.
MS can be fairly competent when they aren't a monopoly and can't bully others around.