bit-tech.net

Microsoft enables passwordless logins


Microsoft is aiming to do away with passwords, enabling its Authenticator software to act as a single-factor verification for login intent.

Microsoft has announced that it is attempting to do away with passwords, turning its existing smartphone-based two-factor authentication (2FA) into a single-factor system and allowing users to sign in to their accounts directly from their phones.

Passwords are, to be fair, a pretty poor means of security. Passwords that are easy to remember are rarely secure, and the ones that are secure are difficult to remember. Even using passphrases, as in the infamous xkcd comic 'Correct Horse Battery Staple' example, the requirement that every site you use gets its own unique passphrase makes for mental clutter, and that's before you raise the thorny issue of sites which have their own unique requirements for length, character set, and so forth. The most common way of dealing with this issue is to use a password manager package which stores your passwords in an encrypted format and fills them in as and when you need them; Microsoft's approach, however, is to do away with passwords altogether.

'We’ve been hard at work creating a modern way to sign in that doesn’t require upper and lowercase letters, numbers, a special character, and your favourite emoji,' explained Microsoft's Alex Simons of his company's work in a blog post. 'And after a soft launch last month, we’re excited to announce the GA [general availability of] our newest sign-in feature: phone sign-in for Microsoft accounts! With phone sign-in, we’re shifting the security burden from your memory to your device. Just add your account to the Android or iOS Microsoft Authenticator app, then enter your username as usual when signing in somewhere new. Instead of entering your password, you’ll get a notification on your phone. Unlock your phone, tap “Approve”, and you’re in.'

Where previously Microsoft's Authenticator software would act as a second authentication factor after the password, the new system does away with the password altogether. When a user tries to log in, the system will send a notification to the Authenticator software and request approval: hit the button and the login request is approved, while if someone else is trying to sign in without your permission another tap will deny the request.

The system is live now for all Microsoft accounts which have a linked Microsoft Authenticator installation, on either Android or iOS. For times when your Authenticator device isn't available, Simons explains, a link is also provided to log in using your password instead.

9 Comments

proxess 20th April 2017, 12:41
I hope there's an option to "force sign out everywhere (and lock screen)" otherwise one little mistake and boom.
Corky42 20th April 2017, 12:44
So they've taken 2FA and made it 1FA, let's hope you don't lose your phone.
dstarr3 20th April 2017, 20:16
The problem is that computers still need to be accessed, even if not connected to the internet. So, how exactly do you log in when not connected? Probably with a password. So, until we come up with a password alternative that relies on nothing other than the user and their computer, we're probably never going to have a password alternative.
Xlog 20th April 2017, 20:32
Quote:
Originally Posted by dstarr3
The problem is that computers still need to be accessed, even if not connected to the internet. So, how exactly do you log in when not connected? Probably with a password. So, until we come up with a password alternative that relies on nothing other than the user and their computer, we're probably never going to have a password alternative.

<sarcasmon>With everything being in the "cloud" (files, software, music, etc) why would you need access to your computer if it does not have access to the internet?<sarcasmoff>
Gareth Halfacree 20th April 2017, 21:02
Quote:
Originally Posted by dstarr3
The problem is that computers still need to be accessed, even if not connected to the internet. So, how exactly do you log in when not connected? Probably with a password. So, until we come up with a password alternative that relies on nothing other than the user and their computer, we're probably never going to have a password alternative.
Let's swap that for cars: The problem is that I still need to get about while inside a building, even if not connected to a road. So, how exactly do I get about when not connected? Probably with my feet. So, until we come up with a feet alternative that relies on nothing more than the user and their destination, we're probably never going to have a feet alternative.

If you're wanting to log on to an offline computer, you'll still need a password; this is not an alternative to that, and considering it's only compatible with Microsoft Accounts - which are, by definition, online rather than offline - it's not being positioned as such. Having keyless entry and start on your car is not a replacement for your house keys, either, but that hasn't stopped it being a popular option for the last few years, has it?

TL;DR: "This system cannot be used for every possible scenario, ergo is useless" does not a cogent argument make.
dstarr3 21st April 2017, 17:19
"If you're wanting to log on to an offline computer, you'll still need a password; this is not an alternative to that."

"Microsoft has announced that it is attempting to do away with passwords"

Article sure reads like that's what they're trying to do. That's what I'm responding to.
Corky42 21st April 2017, 17:23
Wait, What? How dare a company be deliberately misleading like that. ;)
Gareth Halfacree 21st April 2017, 20:08
Quote:
Originally Posted by dstarr3
"If you're wanting to log on to an offline computer, you'll still need a password; this is not an alternative to that."
"Microsoft has announced that it is attempting to do away with passwords"
Article sure reads like that's what they're trying to do. That's what I'm responding to.
As the bit of the lede you didn't bother to quote should hopefully make clear, it's talking about Microsoft Accounts ("their accounts," "their" being Microsoft) which are online accounts - and about a 2FA system that doesn't work offline either. This is an alternative to passwords for online accounts.

Even if I failed to make that clear, you're still being either dashedly shortsighted or deliberately disingenuous.
Wwhat 25th April 2017, 18:15
I'm working on doing away with bankcards and money, simply transfer all your earnings to me and I'll get you some basic nourishment to keep you going. Free from all those pesky choices and decisions you will feel like you are in paradise(/North Korea).

Or in other words: Piss off big ugly US corporation that wants control of every human and all their privacy.
(Now they will probably just install a keylogger and sneak into their EULA that you are OK with them capturing typed passwords.. sigh.)