Alot of people don't like Microsoft, but they're pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.
This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.
Passkeys are interesting and potentially quite strong but they're going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.
Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.
Yeah, good luck with that. You can tell someone "if you lose this token, all data are unrecoverable", they'll reply with "ok, got it!" and about two and a half second later call you saying "Hey I lost my token can you recover my data?".
Hence the "hard lesson" part. A lot of us tech-focused people learned the same lesson with our document backup systems. You lose some important documents, then you realize you really should backup your stuff. All I hope is these people learn the lesson earlier in life before the consequences become more and more severe.
Have they given up on their “Passwords are insecure, use this 4 digit pin instead” push?
Not entirely, but now MS, and a lot of other companies, are pushing passkeys. I still prefer password + hardware 2fa but it's safer than people reusing the same password everywhere.
I am a fan of passkeys. Particularly because they essentially function as hardware 2fa, except they’re the only factor, which isn’t as big of a problem because it’s not something you can steal in a service breach like passwords. I’ve also noticed that even when using passkeys, most sites let you force a TOTP code as well anyway.
Very true, the big issue with them is a lot of popular hardware keys, including the yubikeys that I have, are limited to the number passkeys they can store (yubikey is 25 unique). Luckily password managers are starting to support them, but now you're back to having a strong password + hardware 2FA to store those passkeys anyway.
I do like TOTP or just hardware 2FA as a backup for my passkeys. What I really can't stand is sties that only offer SMS as 2FA, it makes me more angry than it probably should.
iPhones natively support passkeys, so at the very least the iOS user base can easily use them. Not sure about Android though.
I just use their Authenticator app out of convenience, I get a notification when I login through it and it asks me to input the correct number given by the app, a 2 digit number.
How does Microsoft's implementation work?
Is it possible to log into windows without a Microsoft account using that method?
I don't know about windows specifically, but for outlook they're pushing their authenticator app (you can use any) and SMS or email one time links. I think it works really well, and almost all attempts to access my account have stopped tbh, they can't phish for my password if I don't have a password.
Yeah this is being standardized at the mobile hardware level now with
Alot of people don't like Microsoft, but they're pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.
This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.
Passkeys are interesting and potentially quite strong but they're going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.
Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.
Yeah, good luck with that. You can tell someone "if you lose this token, all data are unrecoverable", they'll reply with "ok, got it!" and about two and a half second later call you saying "Hey I lost my token can you recover my data?".
Hence the "hard lesson" part. A lot of us tech-focused people learned the same lesson with our document backup systems. You lose some important documents, then you realize you really should backup your stuff. All I hope is these people learn the lesson earlier in life before the consequences become more and more severe.
Have they given up on their “Passwords are insecure, use this 4 digit pin instead” push?
Not entirely, but now MS, and a lot of other companies, are pushing passkeys. I still prefer password + hardware 2fa but it's safer than people reusing the same password everywhere.
I am a fan of passkeys. Particularly because they essentially function as hardware 2fa, except they’re the only factor, which isn’t as big of a problem because it’s not something you can steal in a service breach like passwords. I’ve also noticed that even when using passkeys, most sites let you force a TOTP code as well anyway.
Very true, the big issue with them is a lot of popular hardware keys, including the yubikeys that I have, are limited to the number passkeys they can store (yubikey is 25 unique). Luckily password managers are starting to support them, but now you're back to having a strong password + hardware 2FA to store those passkeys anyway.
I do like TOTP or just hardware 2FA as a backup for my passkeys. What I really can't stand is sties that only offer SMS as 2FA, it makes me more angry than it probably should.
iPhones natively support passkeys, so at the very least the iOS user base can easily use them. Not sure about Android though.
I just use their Authenticator app out of convenience, I get a notification when I login through it and it asks me to input the correct number given by the app, a 2 digit number.
How does Microsoft's implementation work?
Is it possible to log into windows without a Microsoft account using that method?
I don't know about windows specifically, but for outlook they're pushing their authenticator app (you can use any) and SMS or email one time links. I think it works really well, and almost all attempts to access my account have stopped tbh, they can't phish for my password if I don't have a password.
Yeah this is being standardized at the mobile hardware level now with
https://fidoalliance.org/passkeys/
https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/
That reverse-code thing is super annoying. The next vector is through the shitty app itself.