Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password (cnet.com)
You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expand beyond that to let the company ditch the password altogether.
Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.
Come on! If anyone can pull this off, it's Microsoft -- MASTERS OF SECURITY!
</sarcasm>
sig: sauer
It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.
Now that they've finally sorted all the garbage into one convenient bag, all that is left to do is haul it out.
The FIDO2 standard is managed by the FIDO Alliance, and it has a number of cheap and popular dongles (including Yubikey).
As far as 2FA goes, FIDO has more universal support than Smart Cards---no kludgy 3rd-party middleware required for it to work.
This is what everyone should support. And as an added bonus, wider adoption will make it very difficult for Microsoft to hijack the standard. Not likely to happen at present anyway though.
(AC because of moderation)
But we do this all the time with SSH preshared keys.
This isn't anything really new. The only thing that I don't expect Microsoft to realize is that, still in 2018, there is still hardware that we share with other people.
There is still often the Family PC, while the individuals may have a tablet or phone for their small-time computing.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app.
So if I understand this, they've replaced the need for a password with the need for a piece of hardware mixed with 1 of 3 other requirements. How is this better? Hell, they could have simply required any pair of the 3 other requirements and left the hardware key out.
Politics; n. : A religion whereby man is god.
Looks like FIDOnet is still a thing after all these years.
A small, easily loseable device that is $50 isn't cheap.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
Until the devices are free. I am not paying $50 for a device that only exists because people are complete fucking morons about their passwords.
If you are referring to Yubikey then yes. There are plenty of FIDO2 keys that are under $20.
No, idiots who can't say something comprehensible should probably shut up, instead of adding notations.
Stop asking reasonable people to add unreasonable notations so that they can impersonate the babbling of morons.
I'll keep my password, thanks Microsoft.
What is so wrong with the FIDO spec?
It's redundant, client certificates have been widely deployed for decades, achieve the same result, are standardized and cheaper (both in terms of software and hardware solutions).
What is most wrong with it is that USB is used instead of a dedicated interface such as a smartcard reader. USB is a massive attack vector. For it to be required for basic authentication is, in my view, irresponsible at best. Someone replaces your USB key when you are not looking, and when you plug it in next it's a HID that executes shell commands to install a RAT, or it's a class device that takes advantage of a driver vulnerability to root your system. The attack surface of USB is gargantuan.
Security sensitive environments explicitly restrict USB for a reason. Turning around and requiring it for access is brain-dead stupid.
Passwordless, asymmetric authentication is absolutely the future and the right thing to do. Are you so blinded by Microsoft hate that you are unable to see this?
I don't view your assertions as valid on their face.
The selection of any single factor (know, have, are) or chaining of one or more for authentication each has its strengths and weaknesses. It's generally a good thing that more methods are made available so people and organizations can choose options that best fit their needs based on careful consideration of requirements and tradeoffs.
There is no panacea. There is no one solution. The idea that the "future" is necessarily dominated by what you have, or is considered "the right thing to do", is not apparent to me at all.