Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password (cnet.com)

Posted by msmash on from the interesting-updates dept.

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expands beyond that to let the company ditch the password altogether.

Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

24 of 60 comments (clear)

  1. This will end badly by Anonymous Coward · · Score: 1

    Guaranteed

    1. Re:This will end badly by ichthus · · Score: 3, Funny

      Comeon! If anyone can pull this off, it's Microsoft -- MASTERS OF SECURITY!
      </sarcasm>

      --
      sig: sauer
    2. Re: This will end badly by Anonymous Coward · · Score: 1

      What is so wrong with the FIDO spec? Passwordless, asymmetric authentication is absolutely the future and the right thing to do. Are you so blinded by Microsoft hate that you are unable to see this?

    3. Re:This will end badly by jellomizer · · Score: 2

      But we do this all the time with SSH preshared keys.
      This isn't anything really new. The only thing that I don't expect Microsoft to realize is that still in 2018 There is still hardware that we share with other people.

      There is still often the Family PC, while the individuals may have a tablet or phone, for their small time computing.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re: This will end badly by Crash+Dummy+Redux · · Score: 2

      Looks like FIDOnet is still a thing after all these years.

    5. Re: This will end badly by Aighearach · · Score: 2

      No, Idiots who can't say something comprehensible should probably shut up, instead of adding notations.

      Stop asking reasonable people to add unreasonable notations so that they can impersonate the babbling of morons.

    6. Re:This will end badly by AlanBDee · · Score: 1

      I haven't looked into it but you should be able to register multiple keys. I have three yubikeys linked to LastPass, my google account and anything else that I can link them to. My wife keeps one, I keep one and my safety deposit box keeps one. Of coarse, these aren't meant to replace a password, just augment it.

    7. Re:This will end badly by JMJimmy · · Score: 2

      I'll keep my password thanks Microsoft

    8. Re: This will end badly by WaffleMonster · · Score: 2

      What is so wrong with the FIDO spec?

      It's redundant, client certificates have been widely deployed for decades, achieve the same result, are standardized and cheaper (both in terms of software and hardware solutions).

      What is most wrong with it is that USB is used instead of a dedicated interface such as a smartcard reader. USB is a massive attack vector. For it to be required for basic authentication in my view is irresponsible at best. Someone replaces your USB key when you are not looking and when you plug it in next it's a HID that executes shell commands to install a RAT or it's a class device that takes advantage of driver vulnerability to root your system. Attack surface of USB is gargantuan.

      Security sensitive environments explicitly restrict USB for a reason. Turning around and requiring it for access is brain-dead stupid.

      Passwordless, asymmetric authentication is absolutely the future and the right thing to do Are you so blinded by Microsoft hate that you are unable to see this?

      I don't view your assertions as valid on their face.

      The selection of any single factor (know, have, are) or chaining of one or more for authentication each have their strengths and weaknesses. It's generally a good thing that more methods are made available so people and organizations can chose options that best fits their needs based on careful consideration of requirements and tradeoffs.

      There is no panacea. There is no one solution. The idea the "future" is necessarily dominated by what you have or considered "the right thing to do" is not apparent to me at all.

  2. Synergies of shit by PingSpike · · Score: 5, Funny

    It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

    Now that they've finally sorted all the garbage into one convenient bag, all that is left to do is haul it out.

  3. Re:Office Dongles by Anonymous Coward · · Score: 5, Interesting

    The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).

    As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.

    This is what everyone should support. And as an added bonuses, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.

    (AC because of moderation)

  4. No password, but... by BringsApples · · Score: 3, Insightful

    Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app.

    So if I understand this, they've replaced the need for a password, with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better? Hell, they could have simply require any pair of the 3 other requirements and leave the hardware key out.

    --
    Politics; n. : A religion whereby man is god.
    1. Re:No password, but... by Anonymous Coward · · Score: 1

      The key bit would be the hardware key itself; you can spoof the password, fingerprints, or a pin, but without the hardware key it's not terribly useful. In theory it's also easier to detect if you loose a piece of hardware then it is if someone's gotten a password from you.

      There's plenty of other problems with the approach (what happens if you loose or damage the key?) but it has it's upsides.

    2. Re:No password, but... by BringsApples · · Score: 1

      there's no way to grab the key

      Yes there is. Simply grab it while they're in the bathroom. Or, while. they're. doing. anything. else? The physical key is literally the EASIEST thing to grab.

      --
      Politics; n. : A religion whereby man is god.
    3. Re:No password, but... by Anonymous Coward · · Score: 1

      Even better, I can't wait to drop my hardware device, break it, and then be locked out of everything until I get a replacement.

      Hard pass on this.

    4. Re:No password, but... by Anonymous Coward · · Score: 2, Informative

      I think you're misunderstanding.... The most common hack isn't a technological one but rather social based. For example:

      1) The person uses a weak password, either something like 'password' or their birthday.

      2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

      3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised.

      FIDO2 and hardware keys get around the issue by not using passwords but instead by using public key infrastructure. In a PKI setup, there are two halves to the security, the public key and the private key. The public key you give out freely and it can live in the website's database you want to login to as plain text. It doesn't matter if it gets compromised, anyone can see it and it doesn't matter.

      The beauty of it is something called asymmetrical encryption; you can encrypt a message with the public key but only the private key can decrypt it. So to authenticate a user:

      1) The client says, "I'm user 'john'" to the server

      2) The server looks up john public key, and encrypts a nonsense random message with the john's public key, and transmits that back to the client.

      3) The client gets the encrypted message, but it can only decrypt it with the private hardware key. The client then sends back the decrypted message to the server.

      4) The server looks at the response and if it's the message that it sent as encrypted, it can be reasonably certain that the client talking to it has the private key.

      This setup is a lot more secure because no passwords are stored on the server's database, meaning that a breach in the server side leaks considerably less. It also eliminates weak passwords as a potential breaching point.

      This doesn't negate the possibility of a Man in the Middle attack (you need mutual authentication, the server to the client and the client to the server, which gets really complicated for key distribution), but it does eliminate the major sources of lost credentials. Like I said though, it introduces problems of it's own though.

    5. Re:No password, but... by bdh · · Score: 1

      So if I understand this, they've replaced the need for a password, with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better?

      For the typical slashdotter, who already knows about 2FA, PGP, an IPSec, and has a password wallet, it won't be.

      For a more typical mundane user, whose current password for the phone, the PC, the bank, and every web site is her dog's name/his favourite sports bar and maybe his/her birth year after ("to make it secure"), having a piece of hardware and using a biometric or PIN is a lot more secure. It's not better because the hardware key and a 4-digit pin are more secure than a 64 character password. It's better because because it's more secure than the painfully poor security practices that most mundanes use in real life.

      There are more secure options out there for security. But the key for most end users is getting them to actually use the damned thing. Most people simply don't follow good security practices. This allows them to, without requiring them to make much effort, and they don't have to memorize anything.

    6. Re:No password, but... by WaffleMonster · · Score: 1

      think you're misunderstanding.... The most common hack isn't a technological one but rather social based. For example:

      1) The person uses a weak password, either something like 'password' or their birthday.

      2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

      This is only possible because the Internet is addicted to insecure authentication protocols. Universally PLAINTEXT passwords transmitted via TLS. This is a ridiculous and insane practice that puts millions of users at unnecessary risk.

      If you use secure authentication protocols (e.g. PAKE) it doesn't matter who is on the other end. Not only will the attacker not get anything when you try and login to their system you will get an immediate indication they are not who they claim to be.

      3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised

      It doesn't have to be this way if secure authentication protocols and associated interfaces are adopted. Stored augmented verifiers can be made site specific even if the user themselves use same ones everywhere.

      FIDO2 and hardware keys get around the issue by not using passwords but instead by using public key infrastructure. In a PKI setup, there are two halves to the security, the public key and the private key. The public key you give out freely and it can live in the website's database you want to login to as plain text. It doesn't matter if it gets compromised, anyone can see it and it doesn't matter.

      This setup is a lot more secure because no passwords are stored on the server's database, meaning that a breach in the server side leaks considerably less. It also eliminates weak passwords as a potential breaching point.

      So much of security is a shell game. People are constantly punting responsibility to this or that and come to believe the issue no longer exists. Most of the time the issue is still there it's just hidden, changed or the problem is defined away by scope or framing of competing system.

      In this case the server is still guarding it's private key for server authentication and compromising it is game over same as compromising password database.

      It is fundamentally misguided to treat public keys as just another field in a database that doesn't matter if it gets compromised. It's critically important for authenticating the user. If an attacker can replace it then the attacker gains access as that user.

      In the end backend security isn't appreciably changed. Servers still guard secrets and the penalty for failure to keep them secure is mission failure.

      The security of end users WRT "know" vs "have" should not be compared to worst possible current practices involving plaintext passwords transmitted via adhoc TLS protected web forms when new alternatives are discussed. It is context dependent.

      Some people may benefit from a hardware key because they are forgetful and live with low risk of physical attack.

      Others may have excellent memory, live with people they don't trust or in an environment with higher physical risks. There may be legal concerns WRT government ability to compel production of physical things.

  5. Re:Office Dongles by DarkRookie2 · · Score: 2

    A small, easily loseable device that is $50 isn't cheap.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
  6. Not using FIDO2 until by DarkRookie2 · · Score: 2

    Until the devices are free. I am not paying $50 for a device that only exists because people are complete fucking morons about their passwords.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:Not using FIDO2 until by MrL0G1C · · Score: 1

      WTH? $50!! A USB key that does this shouldn't cost much more than a dollar, it does f*** all.

      But yes, this is not for people who don't know how to keep anything secure, this is security theatre for the morons who can't cope / are too lazy to set up good password management.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  7. Re:Office Dongles by Darkk · · Score: 2

    If you are referring to Yubikey then yes. There are plenty of FIDO2 keys that are under $20.

  8. Re:Office Dongles by WaffleMonster · · Score: 1

    As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.

    No it doesn't. Smart cards have been widely used for approaching two decades.

    The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).

    Which ones are cheaper than a smart card?

    Hell I'll make it even easier. Which ones are cheaper than the cost of a smart card reader AND a smart card?

    This is what everyone should support.

    Can you support your position? Why should I support this system when I already support smart cards / client certs? What's the benefit?

    And as an added bonuses, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.

    There is already a standard. You have failed to offer a compelling reason why a new one is necessary or beneficial.

  9. Thank you Microsoft .. by najajomo · · Score: 1

    You and 800 million other people now can use hardware authentication keys .. Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon

    Yet more bleeding edge innovation from the worlds most smartest and respectable software company. I wonder who nobody else thought of this sooner.