So few use Windows Phone, Microsoft can't be bothered: Security app is iOS, Android only Microsoft has introduced a new authentication method for logging into its online accounts: rather than remember and type in a complex password, use an app on your smartphone to confirm it's really you logging in and not some miscreant. That's great news because it should thwart the vast majority of attempts by hackers to …
This post has been deleted by its author
My WP authenticator got updated very recently and does have the 'accept' button in the sample images. I only use the authenticator to log into Lastpass usually because the PC never logs me out of the MS system.
I couldn't get a login attempt to prompt me to use the mobile Accept thing though although, since it is on the samples I presume it is an active feature.
As I said, I use it so never that it is kinda meaningless for me and typing the six digits is almost as fast anyway.
Now if Only I could easily buy one... MS really screwed the pooch on this... They made a decision to base the OS UI/UX on a platform with little share and few choices...
And they doubled down with Modern UI continuing though EVERYONE hated it and EVERY Adreno could do limited AERO, not to mention the latest Intel/AMD/nVidia GPUs for tablets and 2 in 1s...
I just got the Crapators Update on my laptop and the UI STILL looks like Win3.1... I RDP into and the side by side with my Win7 desktop is JUST UGLY...
With the WM version you still need to log in with your password before confirming with your phone. The iOS and Android versions just let you confirm with your phone without any need for a password.
The WM version is more secure... logging in requires something you have and know, versus the other two versions that just use something you have (don't get it stolen).
There's a lot of two factor authentication that isn't that, what they mean is they've just shifted authentication to your phone.
But the fact that MS couldn't be arsed to update the app means WM is still dead.
Please be specific, as every phone I have ever seen, HTC, Samsung, Nexus, Sony, until you unlock the bootloader (which doing so turns it into a untrusted device that will fail dmverify and prevent you using most banking apps, Android Pay and stuff like that), until you unlock the bootloader, you can't just root using adb... If you can, it's using some exploit and again, dmverify will have detected the chain of trust is broken.
This isn't even remotely similar to your claims. On Windows, you can swap out a hacked DLL, and Windows is oblivious to it unless you invoke a scan to check things. Read up and dmverify and you will seen it's not even remotely similar.
https://source.android.com/security/verifiedboot/
"Because the hash values are stored in a tree of pages, only the top-level "root" hash must be trusted to verify the rest of the tree. The ability to modify any of the blocks would be equivalent to breaking the cryptographic hash. "
Reflash recovery and then rooting a Xperia Z3 using Flashtool.
The latest Android and iOS versions don't require a password. From the Microsoft blog post:
'Here in the identity division at Microsoft, we don’t like passwords any more than you do! So we’ve been hard at work creating a modern way to sign in that doesn’t require upper and lowercase letters, numbers, a special character, and your favorite emoji. And after a soft launch last month, we’re excited to announce the GA our newest sign-in feature: phone sign-in for Microsoft accounts!
With phone sign-in, we’re shifting the security burden from your memory to your device. Just add your account to the Android or iOS Microsoft Authenticator app, then enter your username as usual when signing in somewhere new. Instead of entering your password, you’ll get a notification on your phone. Unlock your phone, tap “Approve”, and you’re in.'
C.
hmmm. Personally, I'd rather have 2FA actually consist of two factors. The way it sounds now, someone could steal my phone and login to my account without issue (assuming I don't have the phone protected with a pin/password). If I do have my phone protected with a pin or password, how is that different from entering the password to sign into my Microsoft account? It's not like I need my Microsoft account password to be 20 characters long if I have 2FA enabled.
This sounds like a solution without a problem.
Keep telling yourself it doesn't matter... The real news is new and shiney Microsoft apps aren't being released not even in development for Microsoft mobile platforms.
It that's not the tell tale sign , then nothing is. Do you want to buy some magic beans? I have some for sale....
This sounds like a solution without a problem.
Actually, it sounds more like a solution destined to become a problem.
I have about admin 15 accounts on systems which are 2FA enabled because that is so simple and cheap to do it is hard to argue not to, and all of these are IN ADDITION to a username/password combo. The logons for that are held in Google Authenticator, OTP Auth (a paid for and well worth app) as well as in a browser which gets used if I visit a site I set up using code from https://github.com/gbraad/gauth/ (that just processes the data, the secret is held in your browser).
Why? Well, that's why it is called TWO factor authentication. Just having a phone makes it ONE factor authentication again because most phones don't really have that great access control because typing in a proper passphrase for access is (a) tedious and (b) annoying like hell if you have to do that 20x in a day.
Granted, it is Microsoft so bad security is not exactly news. If there is one thing I have been consistently overwhelmed with when it comes to decades worth of Microsoft it's their approach to and knowledge of security. QED again, I'd say.
"If I do have my phone protected with a pin or password, how is that different from entering the password to sign into my Microsoft account?"
Most phones have fingerprint sensors. Few PCs do. This sounds like a way to leverage the phone's fingerprint sensor for PC logins.
Most phones have fingerprint sensors. Few PCs do. This sounds like a way to leverage the phone's fingerprint sensor for PC logins.
The problem is that approach is FAR weaker than a password because a PIN gives you a couple of tries and you're locked out for a bit (or you nuke the phone in the process), whereas you can probably find the fingerprint you need on the actual shiny phone itself. It means you're back to 1FA.
Or even ½ FA :)
So... the phone is a password or certificate vault.
Just how hard is it for MS' coders to develop a tiny app for Windows phone? This is a tiny ui to a cloud authentication service.
Forget revenue, this makes ms look fickle and incompetent. It is a disaster for MS, not just Windows phone.
"customer base" AKA those two guys that complained.
OUCH! Me very sorry. I actually use this app with my xbox365 [sic] and my not a windows phone device. TBH M$ forced me to during my futile attempt to use "Microsoft Brand X-Bucks (so much like real money you'd think we stole some from you)" as a form of payment to try Golden Live X-Live for one month for the low low price of $1. Somehow my "X-bucks" failed to meet their stringent currency requirements to test the goat herd feeder orifice for a month. Bah. I'll just do without their X-box Live Golden Shower. But the app does not seem to smell as bad as the Word for iOS one did. It looked like a crappy shell to O369 Word, the online only office orgy of business-like icons, featuring word, excel-123, and team, the ever-the-what-the-crap-do-we-do-with-this-thing app. Just don't try the desktop team app, or you will know the 4th circle of hell. (hint, at the 4th circle your computer has a team app, and that app keeps updating itself all day long, popping up to tell you how awesome a world we live in that you now have the latest updates to an app that is as useless as a the chat feature in skype. and it never stops!)
ATH+++
"At this rate, it could be cheaper to take out for dinner the customer base instead of the developer team."
Or perhaps gain some really good publicity by buying the remaining customers the Android or iPhone of their choice - like for like in spec terms obviously - and then closing down the operation. It might well work out cheaper.
There is no statement regarding Windows Phone because the Windows 10 Mobile version of the Authenticator app has had this, for like, forever.
Even when scanning QR codes and using it instead of Google Authenticator for things like Github, to authenticate it uses Windows Hello and scans my Iris with near infra-red.
Entering passwords? Since when *yawn*
You'll probably find this is more about pimping out the conveniences of using the Microsoft eco-system over app and Google services.
"the Windows 10 Mobile version of the Authenticator app has had this, for like, forever."
Hey mate - dunno if you noticed but this article is about Windows Phone and all the people who backed Microsoft by buying into WP and now getting their loyalty repaid by being screwed over.
To the apologists: you can argue that this is a minor feature but the message is loud and clear from Microsoft - thanks for believing in Windows Phone, we don't care about you. Don't expect any more support.
Why should anyone buy into Windows 10 Mobile after this shabby treatment.
C.
Why should anyone buy into Windows 10 Mobile after this shabby treatment.
To be fair, anyone who hasn't been pushed that way by golf course inspired manglement will not have even looked at Windows Mobile, but I wouldn't restrict the "shabby treatment" tag to just Windows Mobile.
It's a generic trait.
While disregarding the Windows Mobile market, remember
- 1% of the SmartPhone market is still ~ 10's of millions of users ~= the size of Apple's user base in the mid 1990's.
- The wealthier / corporate 1% end of the marketplace is more lucrative than the bottom (roughly) ~10% of the consumer marketplace.
- The SmartPhone market is really several different markets as users have different needs, so the best OS for one user is not necessarily the best for another.
- It's easier for an existing player in a market to re-invent itself than for a newcomer to overcome the barriers to entry and raised user expectations.
> - It's easier for an existing player in a market to re-invent itself
One of Microsoft's problem in mobile is because it _has_ continually re-invented itself and has dumped its previous products. Windows Mobile 6.x was completely dumped when MS re-invented itself as Windows Phone 7. This was dumped, including all the hardware and most of the software, when it re-invented itself as WP8. Most of the WP8 phones have now been dumped. But the real problem is that the complete development process has been re-invented at each stage so that developers have given up after having their development processes dumped several times
MS went as far as requiring you to switch to Windows 8 if you wanted to develop for Windows Phone 8 - you couldn't use 7 because the emulator wouldn't work (and IIRC there were stuff that you could install). It's quite silly when you have a platform in much need of applications to put more roadblocks to developers in a stupid attempt to push your other products that didn't sell well too.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
