The fact that my case exists at all and counts as 2 factor authentication means that Microsoft has ACTUALLY created 2 factor authentication. How many people do you know who have Microsoft email addresses? I'm betting that my type of usage isn't all that uncommon.
You may have a point about the SMS code being intercepted, but it doesn't make sense at all that it's static. My understanding is that once you log in with your password you will be prompted along the lines of "We will now send a [random] code to your phone, please enter that code to continue." Other than the unlikely ability for this code to get intercepted it is the same as the pseudo-random code displayed on an RSA device. It would only give access for that one use and would in all likelihood be time limited. The next time you want to log in a new code is generated on Microsoft's end and sent to your phone for that one instance.
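As an added illustration, not code from the article, from the commenter, or from Microsoft's implementation: the behaviour described in the comment above (a fresh random code per login, usable once, expiring after a short time) sketched as a minimal server-side verifier. The code length, the lifetime, the guess limit, the SMS gateway stand-in and the user names are assumptions made here; the comment only says "random", "one use" and "time limited".

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumption: 6-digit numeric code
CODE_TTL_SECONDS = 300   # assumption: 5-minute lifetime ("time limited")
MAX_ATTEMPTS = 5         # assumption: guesses allowed before a new code is required


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondStep:
    """Server side of the SMS second step: issue a fresh code per login, accept it once."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, message); stand-in for an SMS gateway
        self._clock = clock         # injectable clock so expiry can be exercised offline
        self._pending = {}          # username -> PendingCode (at most one outstanding code)

    def issue(self, username, phone):
        # A new random code for every login attempt; an older unused code is discarded.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your sign-in code is {code}")

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                        # nothing outstanding: never issued or already used
        if self._clock() > entry.expires_at:
            del self._pending[username]
            return False                        # expired; the user must request a new code
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]
            return False                        # too many guesses; even the right code is now dead
        if not hmac.compare_digest(entry.code, submitted):
            return False                        # wrong code; the entry stays for remaining attempts
        del self._pending[username]             # single use: consumed on success
        return True


def demo():
    """Walk through the four cases a practitioner wants to see: use, replay, expiry, lockout."""
    sent = []                    # constructed stand-in for the user's phone
    now = [1_000_000.0]          # constructed clock, advanced by hand
    step = SecondStep(send_sms=lambda phone, msg: sent.append(msg), clock=lambda: now[0])
    results = {}

    # 1. Correct code works exactly once.
    step.issue("alice", "+15555550100")
    code = sent[-1].split()[-1]
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)
    results["wrong_code"] = step.verify("alice", wrong)     # False
    results["first_use"] = step.verify("alice", code)       # True
    results["replay"] = step.verify("alice", code)          # False: already consumed

    # 2. A code that sat in the inbox too long is rejected.
    step.issue("alice", "+15555550100")
    code = sent[-1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = step.verify("alice", code)         # False

    # 3. Guessing is bounded: after MAX_ATTEMPTS misses the code is dead.
    step.issue("alice", "+15555550100")
    code = sent[-1].split()[-1]
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)
    for _ in range(MAX_ATTEMPTS + 1):
        step.verify("alice", wrong)
    results["after_lockout"] = step.verify("alice", code)   # False

    results["messages_sent"] = len(sent)                    # 3
    return results


if __name__ == "__main__":
    print(demo())
```

The two details that make the code behave like the token the comment compares it to are the deletion on success (single use) and the expiry check before the comparison (time limit); the constant-time compare and the attempt cap are the usual extras for any short numeric code. None of this changes the point made elsewhere in the thread: if the phone also holds the password, both factors sit on one device.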
I do not understand how you can say this is not 2-factor authentication when used properly.
I have a Microsoft account. The password for this account is only in my head, it is not stored on my phone anywhere. I don't use the account for email so it isn't stored for later. If I want to log in to MSDN from my desktop under this new system I need to use my password from my head, and I need to have access to the phone to receive the code sent to it via SMS. If someone swipes my phone they cannot get in to my account because the password is not stored on it. If someone finds my password they can't get in without my phone. That sure sounds like 2 factor authentication to me.
"YOU CHOOSE to store your password on the same device as your token"
Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10-minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
I see the problem now. You are assuming that everyone who has a Microsoft account uses it for email and checks it from their phone. I only use my Microsoft account to access MSDN and MSN Messenger from my desktop, it isn't linked to any email or on my phone at all. In my case their solution works perfectly as 2 factor authentication as the phone is completely separate from the password.
If you store your password on your phone then you aren't using this correctly. You say you use RSA tokens, and you consider that 2-factor. If some user chooses to write their user name and password on the back of the RSA token then THAT USER is using it incorrectly, NOT you. The same situation applies here for Microsoft, if you choose to store your password on the same token generating device then you broke it, not Microsoft.
#5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. #5 should read: 1 * 1 = 1
No it isn't. I don't store my Microsoft password on my phone. My Microsoft password exists only in my head, as a properly used password should. Just because YOU CHOOSE to store your password on the same device as your token does not mean that it isn't 2-factor authentication. It sounds like you are using 2 factor authentication wrong, not Microsoft.
Your post has nothing to do with the actual conversation.
Ok, please tell me which of the following statements are wrong and why.
1. This system requires the user to enter a password.
2. This system can be configured to require the user to enter a code sent via SMS to the user's phone.
3. A password is an authentication factor.
4. Physical access to an object is an authentication factor.
5. 1 + 1 = 2
First of all, you merely repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
The first rule of good password use is that you don't write it down or store it anywhere. If you store your password on your phone then YOU are sacrificing some security in exchange for convenience. The exact same thing happens if a user writes their password on the back of a physical SecurID token, yet those tokens are considered part of a 2 factor system. In any security system the users are the weakest part. Even 2-factor systems can be broken by the bad practices of the users.
Once again, it DOES use 2 factors. Your password, which should only be in your head, and physical access to the phone to receive the text message containing an access code. I don't understand why this is so hard for people to grasp.
Just because the user doesn't opt to use the true 2 factor for authentication doesn't mean Microsoft doesn't allow it. In the past 2 factor authentication was not available, after this change it is. I'm not trying to address end user usability, just the fact that the post I originally responded to tried to claim that this solution doesn't really offer 2 factor authentication when it clearly does.
The new optional Microsoft authentication approach, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating confirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password) plus "something else you know" (the password to the alternative email.)
(Plus, since it's sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
According to the article the message is sent to your phone via Text Message, NOT email. This means you have to physically have access to the phone to receive the message. Combine this with your password and that sure seems like 2 factors to me.
Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
Unless the user doesn't store their password on the phone. Then it IS 2 factor. The user doing something by their choice doesn't negate the fact that this is 2 factor authentication if used "correctly".
Can't the choir director accommodate your disability by counting down the beginning of the song? Forcing you both to adapt some cumbersome technology seems silly.
The baton is used for more than just starting a song.
I think it's more for detecting genocide before it has officially been discovered. My guess is that it will key in on "Help, some guys just killed everyone in my village" posts from Twitter.
This is your worst April Fools joke ever. Not only isn't it funny, it has made Slashdot entirely unusable. In the past at least once you saw the joke there was a way to "turn it off" and get the normal site. I hope you enjoy all the reduced ad revenue and lost page views today. Was it worth it? This is almost enough to make me consider not returning.
They seriously need to add an "OK, haha, nice joke, I get it. Now let me use Slashdot like normal now please" button. As it stands now I just won't be using the site at all today.
These storage buckets are presumably meant to be private, not public. So the private houses analogy is much better than the public restaurant analogy here.
By default every bucket and file is marked as private. If something is marked as public then it has been explicitly marked that way by the user.
AmEx cards don't have a pre-set limit.
My AmEx card begs to differ.
Isn't this the entire point of XHTML? "X" as in extensible.
Amazon should pick up Futurama, now that Comedy Central has dropped it.
Let it die with what dignity it has left. The last season shows that the magic it once had is dead or dying.
Amazon's is on the internet.
As a man, I don't get why this is so threatening or unfair to some of you guys. Seriously.
I don't find it threatening or unfair... I find it to be not logical and dishonest. Don't call it "fair" if it isn't fair.
when I can have Bills, Balmers, Larry, Sergei and the rest of the executives
maybe someone should start a website with this information, if you have nothing to hide..........
Go get a free Google Voice number that you only use to receive the text messages on.
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
This meets 2 of those factors, a password (know), and your phone (have).
This isn't really two-factor auth. If someone steals your phone, you are screwed.
Something you Know (password).
Something you Have (phone).
Something you Are (doesn't do this yet).
Sounds like it's meeting 2 different factors of authentication to me.
Precrime!