Slashdot Mirror


Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password (cnet.com)

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expand beyond that to let the company ditch the password altogether.

Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

60 comments

  1. This will end badly by Anonymous Coward · · Score: 1

    Guaranteed

    1. Re:This will end badly by ichthus · · Score: 3, Funny

      Come on! If anyone can pull this off, it's Microsoft -- MASTERS OF SECURITY!
      </sarcasm>

      --
      sig: sauer
    2. Re: This will end badly by Anonymous Coward · · Score: 1

      What is so wrong with the FIDO spec? Passwordless, asymmetric authentication is absolutely the future and the right thing to do. Are you so blinded by Microsoft hate that you are unable to see this?

    3. Re: This will end badly by Anonymous Coward · · Score: 0

      Lul

    4. Re:This will end badly by jellomizer · · Score: 2

      But we do this all the time with SSH preshared keys.
      This isn't anything really new. The only thing that I don't expect Microsoft to realize is that, still in 2018, there is hardware that we share with other people.

      There is still often the Family PC, while the individuals may have a tablet or phone, for their small time computing.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re: This will end badly by Anonymous Coward · · Score: 0

      Are you some kind of moron-savant? Microsoft could fuck up toast.

    6. Re: This will end badly by Crash+Dummy+Redux · · Score: 2

      Looks like FIDOnet is still a thing after all these years.

    7. Re: This will end badly by Anonymous Coward · · Score: 0

      Mod this MOTHERFUCKING SHITMOTH

      DOWN!!!!

      It's just Chris Reimer with another sock puppet...

    8. Re: This will end badly by Aighearach · · Score: 2

      No, idiots who can't say something comprehensible should probably shut up, instead of adding notations.

      Stop asking reasonable people to add unreasonable notations so that they can impersonate the babbling of morons.

    9. Re:This will end badly by AlanBDee · · Score: 1

      I haven't looked into it but you should be able to register multiple keys. I have three YubiKeys linked to LastPass, my Google account and anything else that I can link them to. My wife keeps one, I keep one and my safety deposit box keeps one. Of course, these aren't meant to replace a password, just augment it.

    10. Re:This will end badly by JMJimmy · · Score: 2

      I'll keep my password thanks Microsoft

    11. Re: This will end badly by WaffleMonster · · Score: 2

      What is so wrong with the FIDO spec?

      It's redundant, client certificates have been widely deployed for decades, achieve the same result, are standardized and cheaper (both in terms of software and hardware solutions).

      What is most wrong with it is that USB is used instead of a dedicated interface such as a smartcard reader. USB is a massive attack vector. For it to be required for basic authentication in my view is irresponsible at best. Someone replaces your USB key when you are not looking and when you plug it in next it's a HID that executes shell commands to install a RAT or it's a class device that takes advantage of driver vulnerability to root your system. Attack surface of USB is gargantuan.

      Security sensitive environments explicitly restrict USB for a reason. Turning around and requiring it for access is brain-dead stupid.

      Passwordless, asymmetric authentication is absolutely the future and the right thing to do Are you so blinded by Microsoft hate that you are unable to see this?

      I don't view your assertions as valid on their face.

      The selection of any single factor (know, have, are) or chaining of one or more for authentication each have their strengths and weaknesses. It's generally a good thing that more methods are made available so people and organizations can choose options that best fit their needs based on careful consideration of requirements and tradeoffs.

      There is no panacea. There is no one solution. The idea the "future" is necessarily dominated by what you have or considered "the right thing to do" is not apparent to me at all.

  2. Office Dongles by xxxJonBoyxxx · · Score: 0

    >> hardware authentication keys...Microsoft accounts used for Outlook, Office 365

    That smells like an "Office dongle" to me. Thank God the world is moving on to Google Docs as their default office suite.

    1. Re:Office Dongles by Anonymous Coward · · Score: 5, Interesting

      The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).

      As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.

      This is what everyone should support. And as an added bonus, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.

      (AC because of moderation)

    2. Re:Office Dongles by Anonymous Coward · · Score: 0

      That's not what this is. It finds EXISTING keys in your EXISTING H/W. There's no removable dongle, it's hard baked - which is a problem once attackers snarf up your keys, you can't easily change them like dongles.

    3. Re: Office Dongles by Anonymous Coward · · Score: 0

      What the fuck is wrong with you? This is FIDO2, there is no existing key until you generate one.

    4. Re:Office Dongles by DarkRookie2 · · Score: 2

      A small, easily losable device that is $50 isn't cheap.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    5. Re:Office Dongles by Darkk · · Score: 2

      If you are referring to Yubikey then yes. There are plenty of FIDO2 keys that are under $20.

    6. Re:Office Dongles by DarkRookie2 · · Score: 0

      If they want to replace the passwords with this, they really should be free.
      M$ and the rest can certainly afford it.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    7. Re:Office Dongles by Anonymous Coward · · Score: 0

      Then shut up and type your password you cheap ass

    8. Re:Office Dongles by WaffleMonster · · Score: 1

      As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.

      No it doesn't. Smart cards have been widely used for approaching two decades.

      The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).

      Which ones are cheaper than a smart card?

      Hell I'll make it even easier. Which ones are cheaper than the cost of a smart card reader AND a smart card?

      This is what everyone should support.

      Can you support your position? Why should I support this system when I already support smart cards / client certs? What's the benefit?

      And as an added bonuses, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.

      There is already a standard. You have failed to offer a compelling reason why a new one is necessary or beneficial.

    9. Re:Office Dongles by Anonymous Coward · · Score: 0

      I'm just going to say it:

      "Here FIDO, Here FIDO! Ohhhhh, you brought me someone else's bank account? Who's a good boy, Who's a good boy? You are, yes you are." *Snuggles*

    10. Re:Office Dongles by Anonymous Coward · · Score: 0

      Yep. MS will surely make this a service with monthly fee, yet user must watch an advertisement while performing a login. And they still copy and sell the keys the devices contain and eventually of course delete the keys on some broken Windows 10 update. This is a new MS after all; greedier than ever and now without any QA department.

  3. And it turns out... by Anonymous Coward · · Score: 0

    ...that it only works with the Official Microsoft Authentication Key, which is a flash drive with a text file that says "ok i'm real now log me in plz kthx".

  4. Is This Why... by Anonymous Coward · · Score: 0

    Is this wonderful new feature the reason why the global MFA system was down yesterday?

    It's a bit ironic that on one day, no one can login and on the next day, you can login without a password. w00t!!!

    I'd be pretty happy if they held off on the new features and just improved the uptime/availability.

  5. Synergies of shit by PingSpike · · Score: 5, Funny

    It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

    Now that they've finally sorted all the garbage into one convenient bag, all that is left to do is haul it out.

  6. Oh Nice by Anonymous Coward · · Score: 0

    So here's where Chrome did that - https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html

    Here is each actual commit - https://chromium.googlesource.com/chromium/src/+log/66.0.3359.181..67.0.3396.62?pretty=fuller&n=10000

    And if you have a bug or problem, you just submit it here - https://bugs.chromium.org/p/chromium/issues/list

    So fantastic that these things are working because of people and processes like this. It's great that people who ARE PAID TO WORK THIS WAY can build companies like Google and Amazon and Microsoft.

  7. No password, but... by BringsApples · · Score: 3, Insightful

    Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app.

    So if I understand this, they've replaced the need for a password, with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better? Hell, they could have simply required any pair of the 3 other requirements and left the hardware key out.

    --
    Politics; n. : A religion whereby man is god.
    1. Re:No password, but... by Anonymous Coward · · Score: 1

      The key bit would be the hardware key itself; you can spoof the password, fingerprints, or a pin, but without the hardware key it's not terribly useful. In theory it's also easier to detect if you lose a piece of hardware than it is if someone's gotten a password from you.

      There's plenty of other problems with the approach (what happens if you lose or damage the key?) but it has its upsides.

    2. Re:No password, but... by BringsApples · · Score: 0

      If simply 'adding security items to login requirements' is the way to increase security, then maybe better bank security can be gotten from simply putting the bank's vault inside a slightly bigger vault. Ooo, better yet, put THAT vault inside a slightly bigger vault, too! Wait, I have a better idea, put THAT vault in a slightly....

      --
      Politics; n. : A religion whereby man is god.
    3. Re:No password, but... by Anonymous Coward · · Score: 0

      It's better because of how U2F works there's no way to grab the key from the hardware which makes it a lot harder to spoof authentication--you'd have to find a weakness in the challenge response system. Now if we could get rid of security questions and tech support password resets which are a massive backdoor for attack, we'd be in a much better situation. I honestly massively congratulate Microsoft for pushing this. I'd argue the "no password" variation is not great, but anything that moves towards U2F becoming more common is a massive improvement.

    4. Re:No password, but... by BringsApples · · Score: 1

      there's no way to grab the key

      Yes there is. Simply grab it while they're in the bathroom. Or, while. they're. doing. anything. else? The physical key is literally the EASIEST thing to grab.

      --
      Politics; n. : A religion whereby man is god.
    5. Re:No password, but... by Anonymous Coward · · Score: 1

      Even better, I can't wait to drop my hardware device, break it, and then be locked out of everything until I get a replacement.

      Hard pass on this.

    6. Re:No password, but... by Anonymous Coward · · Score: 2, Informative

      I think you're misunderstanding.... The most common hack isn't a technological one but rather social based. For example:

      1) The person uses a weak password, either something like 'password' or their birthday.

      2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

      3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised.

      FIDO2 and hardware keys get around the issue by not using passwords but instead by using public key infrastructure. In a PKI setup, there are two halves to the security, the public key and the private key. The public key you give out freely and it can live in the website's database you want to login to as plain text. It doesn't matter if it gets compromised, anyone can see it and it doesn't matter.

      The beauty of it is something called asymmetrical encryption; you can encrypt a message with the public key but only the private key can decrypt it. So to authenticate a user:

      1) The client says, "I'm user 'john'" to the server

      2) The server looks up john's public key, encrypts a nonsense random message with john's public key, and transmits that back to the client.

      3) The client gets the encrypted message, but it can only decrypt it with the private hardware key. The client then sends back the decrypted message to the server.

      4) The server looks at the response and if it's the message that it sent as encrypted, it can be reasonably certain that the client talking to it has the private key.

      This setup is a lot more secure because no passwords are stored on the server's database, meaning that a breach in the server side leaks considerably less. It also eliminates weak passwords as a potential breaching point.

      This doesn't negate the possibility of a Man in the Middle attack (you need mutual authentication, the server to the client and the client to the server, which gets really complicated for key distribution), but it does eliminate the major sources of lost credentials. Like I said, though, it introduces problems of its own.

    7. Re:No password, but... by bdh · · Score: 1

      So if I understand this, they've replaced the need for a password, with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better?

      For the typical slashdotter, who already knows about 2FA, PGP, and IPSec, and has a password wallet, it won't be.

      For a more typical mundane user, whose current password for the phone, the PC, the bank, and every web site is her dog's name/his favourite sports bar and maybe his/her birth year after ("to make it secure"), having a piece of hardware and using a biometric or PIN is a lot more secure. It's not better because the hardware key and a 4-digit pin are more secure than a 64 character password. It's better because it's more secure than the painfully poor security practices that most mundanes use in real life.

      There are more secure options out there for security. But the key for most end users is getting them to actually use the damned thing. Most people simply don't follow good security practices. This allows them to, without requiring them to make much effort, and they don't have to memorize anything.

    8. Re:No password, but... by WaffleMonster · · Score: 1

      think you're misunderstanding.... The most common hack isn't a technological one but rather social based. For example:

      1) The person uses a weak password, either something like 'password' or their birthday.

      2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

      This is only possible because the Internet is addicted to insecure authentication protocols. Universally PLAINTEXT passwords transmitted via TLS. This is a ridiculous and insane practice that puts millions of users at unnecessary risk.

      If you use secure authentication protocols (e.g. PAKE) it doesn't matter who is on the other end. Not only will the attacker not get anything when you try and login to their system you will get an immediate indication they are not who they claim to be.

      3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised

      It doesn't have to be this way if secure authentication protocols and associated interfaces are adopted. Stored augmented verifiers can be made site specific even if the user themselves use same ones everywhere.

      FIDO2 and hardware keys get around the issue by not using passwords but instead by using public key infrastructure. In a PKI setup, there are two halves to the security, the public key and the private key. The public key you give out freely and it can live in the website's database you want to login to as plain text. It doesn't matter if it gets compromised, anyone can see it and it doesn't matter.

      This setup is a lot more secure because no passwords are stored on the server's database, meaning that a breach in the server side leaks considerably less. It also eliminates weak passwords as a potential breaching point.

      So much of security is a shell game. People are constantly punting responsibility to this or that and come to believe the issue no longer exists. Most of the time the issue is still there it's just hidden, changed or the problem is defined away by scope or framing of competing system.

      In this case the server is still guarding its private key for server authentication and compromising it is game over same as compromising password database.

      It is fundamentally misguided to treat public keys as just another field in a database that doesn't matter if it gets compromised. It's critically important for authenticating the user. If an attacker can replace it then the attacker gains access as that user.

      In the end backend security isn't appreciably changed. Servers still guard secrets and the penalty for failure to keep them secure is mission failure.

      The security of end users WRT "know" vs "have" should not be compared to worst possible current practices involving plaintext passwords transmitted via adhoc TLS protected web forms when new alternatives are discussed. It is context dependent.

      Some people may benefit from a hardware key because they are forgetful and live with low risk of physical attack.

      Others may have excellent memory, live with people they don't trust or in an environment with higher physical risks. There may be legal concerns WRT government ability to compel production of physical things.

    9. Re:No password, but... by Anonymous Coward · · Score: 0

      That is essentially what a bank vault is. Even though there is a vault, boxes in the vault also have locks, and the building has doors that can also be locked.

    10. Re:No password, but... by Anonymous Coward · · Score: 0

      I meant by software, but yes it's possible to steal the physical key and then try to duplicate it that way, but it's made to be very non-trivial to actually retrieve the actual key on the hardware. If you take really long bathroom breaks, you should take the key with you (and it's one reason some models use NFC communication so you never have to take it off your person). The real risk is what the other AC stated, a DoS attack. So unless that's the aim, duplicating the key is useless without also knowing the password. Although at that point, I think the risk is really that someone has physical access to your machine and can do nefarious things after you log in.

      Btw, most (all?) services allow you to revert U2F through special passwords if necessary, so that mitigates the DoS risk. Clearly, that's not perfect if DoS was caused by theft/destruction by someone who has physical access to your system, but again it's nearly impossible to protect against physical attack. At least in principle for most sorts of physical attacks against the key itself, you'll become aware of the attack. If it's at the point that you're worried about physical attacks, I don't think there's any real solution.

    11. Re: No password, but... by Anonymous Coward · · Score: 0

      FYI, most bank vaults are already triple nested.
      There is a bank with doors that lock.
      In that bank there is a gated area.
      In that area, there is a vault.
      The vault room is usually made of multiple layers of steel reinforced concrete, and the vault is multiple layers of steel.

  8. Re:IMPERSONATING ME AGAIN? apk by Anonymous Coward · · Score: 0

    I tried installing, and Microsoft warns me that it is bad and unsafe software. I don't think I want bad software on my computer, do I?

    Also Microsoft technical support called, told me I have a virus and charged me money to remove it. Is this because I tried to install this bad file? Is my computer broken now? I would be lost without my AOL.

  9. Not using FIDO2 until by DarkRookie2 · · Score: 2

    Until the devices are free. I am not paying $50 for a device that only exists because people are complete fucking morons about their passwords.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:Not using FIDO2 until by Anonymous Coward · · Score: 0

      I am not paying $50 for a device that only exists because people are complete fucking morons about their passwords.

      One, you can find U2F keys for $10. Two, the actual reason for the devices is because the "people [who] are complete fucking morons" are the various companies that hold your password and authenticate it. User/password breaches are incredibly common. Having a U2F makes those breaches a lot less damaging, at least as far as taking over that account or other accounts even if they use the exact same user/password. Until security breaches of companies are not a thing, U2F is a rather important element to increasing security.

    2. Re:Not using FIDO2 until by MrL0G1C · · Score: 1

      WTH? $50!! A USB key that does this shouldn't cost much more than a dollar, it does f*** all.

      But yes, this is not for people who don't know how to keep anything secure, this is security theatre for the morons who can't cope / are too lazy to set up good password management.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  10. Also: FIDO2 = NSA backdoor by Anonymous Coward · · Score: 0

    I remember when, during the NSA leaks and OpenSSL debacle, when it came out which encryption schemes and security standards were insecure, that "FIDO" repeatedly topped the list, above RC4, anything RSA, and of course ye ancient MD5/SHA1 et al.

    Basically, FIDO can be taken as a synonym for "limit security to only things that we can break".

    I'm not using FIDO anything. Ever.

  11. Until FIDO2 BSODs by Anonymous Coward · · Score: 0

    Didn't read the TOS did you?

  12. One fingered salute by Anonymous Coward · · Score: 0

    I suspect the boys from Bangalore have been playing with the authentication code and have broken it multiple ways. My Windows 10 boxes will let me get a signon screen with 'press any key'... the three fingered salute is gone. One of my machines decided I should use a PIN and won't let me change it to the domain logon. And my main workstation STORE and FEEDBACK keeps losing my MS login so multiple signons just looking for something. But not to worry... STORE stopped downloading anything. Might almost be a nice OS if they stopped screwing with things and just made it work consistently. Windows 7 was the last version that just did its job. So I suspect that some PHB is trying to feature some problems they introduced by being more clever than their actual understanding. Another broken bit in an overly complicated mess.

  13. So Outlook.com, xbox & Skype just became insec by Anonymous Coward · · Score: 0

    Nice... I'll be closing my accounts. pronto

  14. Thank you Microsoft .. by najajomo · · Score: 1

    You and 800 million other people now can use hardware authentication keys .. Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon

    Yet more bleeding edge innovation from the world's most smartest and respectable software company. I wonder why nobody else thought of this sooner.

  15. IMPERSONATING ME AGAIN? apk by Anonymous Coward · · Score: 0

    I've no version 11.0++ & gweihir KNOWS u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... he forgot to SUBMIT as AC & using his registered 'lusrname' instead (because he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

    & NO WAY I'd "cry" like you "ne'er-do-wells" on /. (TROLL /.ers, not all) OR post on hosts offtopic.

    YOU HELPED ME https://science.slashdot.org/c... (& you quit trying to make me look bad trying to "tell lies" on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... as regards Intel speculative execution attack? Hosts PREVENT 'EM)

    APK

    P.S.=> I KNOW the 2nd to last link above's KILLING YOU - YOU ACTUALLY HELPED ME getting me to see if hosts stop more than portsmash (& Meltdown + Spectre too) & "lo & behold" - hosts WORK on 'em - U LOSE (& U STOPPED TRYING IT in your impersonations of me) .... apk

  16. No Password Required by Anonymous Coward · · Score: 0

    as long as you have
    your face,
    your fingerprint
    or
    your phone,
    ready to prove you are who you say you are.

    You're F'd all right.

  17. Because most people are too stupid... by Anonymous Coward · · Score: 0

    ... to remember a passphrase. (I won't use the word 'password' because it encourages people to think of using short and insecure 'passwords'.)
    Most people are literally so stupid that they can't even remember a simple phrase like "Nominate andeating snails" or something like that. And they can't even write down passwords in a password book and keep it on their desk at home - too much to ask for most people. Hence we have these stupid workarounds because the majority of the human population are unfeasibly stupid.

  18. FidoNet? by Anonymous Coward · · Score: 0

    Oh, so the FidoNet is back now...