A lot of people don’t like Microsoft, but they’re pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.
This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.
Passkeys are interesting and potentially quite strong but they’re going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.
Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.
Have they given up on their “Passwords are insecure, use this 4 digit pin instead” push?
I just use their Authenticator app out of convenience, I get a notification when I log in through it and it asks me to input the correct number given by the app, a 2 digit number.
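A minimal server-side model of the number-matching push flow the comment above describes, as an added example (not Microsoft’s implementation, whose internals the thread doesn’t cover): the session ids, the 60-second lifetime and the single-attempt policy are assumptions. The point it shows is that a push can only be approved by sending back the number shown at the login screen, so a blind “approve” tap on an unsolicited push can’t succeed.

```python
import hmac
import secrets
import time

# Hypothetical model of number-matching push approval (added example).
# The login page displays a random two-digit number; the authenticator app
# must send that same number back to approve the pending sign-in.

CHALLENGE_TTL = 60   # assumed: seconds a pending challenge stays valid
MAX_ATTEMPTS = 1     # assumed: one wrong number cancels the challenge


class PendingLogin:
    def __init__(self, now=time.time):
        self.number = f"{secrets.randbelow(100):02d}"  # shown to the user
        self.created = now()
        self.attempts = 0
        self.state = "pending"


_pending = {}  # session id -> PendingLogin (in-memory stand-in for a store)


def start_login(session_id, now=time.time):
    """Create a challenge for a login session; returns the number to display."""
    login = PendingLogin(now=now)
    _pending[session_id] = login
    return login.number


def approve(session_id, number_from_app, now=time.time):
    """App-side approval: succeeds only with the matching number, once, within TTL."""
    login = _pending.get(session_id)
    if login is None or login.state != "pending":
        return "no_pending_login"
    if now() - login.created > CHALLENGE_TTL:
        login.state = "expired"
        return "expired"
    login.attempts += 1
    # constant-time compare so timing doesn't leak how many digits matched
    if hmac.compare_digest(login.number, str(number_from_app).zfill(2)):
        login.state = "approved"
        return "approved"
    if login.attempts >= MAX_ATTEMPTS:
        login.state = "denied"  # wrong number ends this sign-in attempt
    return "wrong_number"
```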
How does Microsoft’s implementation work?
Is it possible to log into Windows without a Microsoft account using that method?
I don’t know about Windows specifically, but for Outlook they’re pushing their authenticator app (you can use any) and SMS or email one time links. I think it works really well, and almost all attempts to access my account have stopped tbh, they can’t phish for my password if I don’t have a password.
Yeah this is being standardized at the mobile hardware level now with
https://fidoalliance.org/passkeys/
https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/
That reverse-code thing is super annoying. The next vector is through the shitty app itself.