Phones? Really?
I applaud the move away from passwords. Or I would, if I didn't think something relying on phones wasn't outright stupid.
Microsoft is beefing up the security in its cloud services lineup with a handful of unveilings today at this year's Ignite conference. The Redmond giant says the offerings are part of an aim to secure both its own web services and the partner ecosystems that have popped up around them. Passwords out to pasture Among the big …
This is not really a move away from passwords since you still have to remember a PIN alongside having the phone. So, what happens if your phone dies? You might as well keep a password as a backup for when the hardware dies.
"give users the option of using Authenticator to sign in via a PIN, fingerprint, or face scan on their iOS or Android device."
So instead of a secure password, now we are using a numeric-only password (a PIN - that will surely be easier to brute force than a password) or a fingerprint (a password you leave a few thousand copies of lying around everywhere you go every day)?
This sounds like something Microsoft would think is progress!!
Ahem. Did you forget the three-strikes-and-you're-out rule in this context? You get three bites of the cherry and then you are locked out if you did not guess correctly. The odds concerned are 1:333,33 recurring. I.e. unless the person concerned is very fucking lucky, trying to brute-force a PIN code suggests that our would-be perp's IQ is lower than his shoe size.
It would be great if MS actually enabled this technology on all their partner portals as well. You know, the ones that let us modify customers' products and subscriptions and get into their tenancies.
There have been a few cases of partners' credentials being hacked - to date mostly so people can spin up Azure for free crypto - however the fact that most of these portals still cannot enable 2FA is criminal.
Other than picky sysadmins (you lot!) :) this would work great for most of the clients I can think of. Most corporates issue phones like they're free (then make employees spend hours going through the bills line by line to eliminate all personal use, on company time, idiots). I can imagine this being rolled out for more sensitive applications or elevated access rights first.
Physical possession of the device counts as a Factor, hence it's MFA in my opinion. I can't think of any security issues I've come across that have involved physical theft of passcards or the like. (Maybe in the world of truly serious security and espionage? But not in your average corporate environment.)
Assuming this is aimed at generic public sector and enterprise customers, looks like a winner to me.
"...Physical possession of the device counts as a Factor, hence it's MFA in my opinion. .."
Yup. Something you know combined with something you have.
You're also right about the audience here at El Reg. I think sometimes (quite often) people forget that outside of places such as this forum, the vast majority of users are less technical, less cynical and just want a) an easier life and b) to be able to do their jobs.
All the new laptops being rolled out here have fingerprint login (to the domain) enabled. Most users quite like that. These are the same users who are used to unlocking their phones with a fingerprint, a PIN etc. so it's not a stretch for them to adopt this to log onto their work network.
"All the new laptops being rolled out here have fingerprint login (to the domain) enabled. Most users quite like that. These are the same users who are used to unlocking their phones with a fingerprint, a PIN etc. so it's not a stretch for them to adopt this to log onto their work network."
Fingerprint login is a very, very bad idea. For some reason, none of my fingers work with a fingerprint reader. And I've used them all - the one you swipe on a laptop, the ones you keep your finger over on a laptop and phone, the ones you mash down on - and none of them work with all 10 of my fingers. I can't be the only one.
But assuming my fingers did work, how hard is it to copy my fingerprint considering all the things I touch every day? For a professional or a government, it is not very secure.
Fingerprint readers used like that are not MFA at all. A fingerprint is not a suitable replacement for a password. It's a rather good part of authentication when used either as the user ID, with a password as well, or in addition to a user ID and a password, but not in place of a password.
I hold my hands up and accept that it was my mistake and I should have been clearer in what I was saying.
To clarify I wasn't suggesting that fingerprints are secure - though for most people I suggest that lifting a fingerprint and making a working copy isn't trivial. It's usually simpler to use other means anyway such as threats of violence - I suspect most people would give up a password under that kind of duress.
On top of this, we all know the problem with enforcing silly password policies and what happens to them and how they get written on a post it. Or it becomes the same password + an incrementing number/Shift+number (not to mention how convenient it is to have 12 such keys across the top of the keyboard, below the Fn keys).
All of my elevated accounts have an out-of-band secondary authentication method enabled, be that an RSA token or Google/Microsoft type authenticator. That being MFA.
However, it's also worth pointing out that in the roles I do these days, it's less and less of a requirement to require any kind of elevated access on a day-to-day basis if at all. I generally request such accounts are disabled until and unless I specifically require use of them.
What I was saying is that for most people doing everyday work, fingerprint authentication is sufficient and it's convenient, and yes, I am aware that it's not multi-factor authentication since it only fulfils the category of something you have, not combined with something you know.
I should also have pointed out that even here with the use of fingerprints, we have other layers of security such as BitLocker enabled.
All of which is summarily undone by the culture here of many people walking away and leaving their machines both unguarded (no one else around, necessarily) and unlocked.
I am impressed with Micro$oft's creeping changes:
2FA works with AD.
Domain Admins the world over assume this means their existing ACTIVE Directory
Oops, silly me, it is AZURE Directory (premium at that) so "just a few <currency of choice>"
"Just a few" per user per month suddenly becomes yet another budget drain, plus of course, your internal security directory is in the cloud "for your convenience"
What could possibly go wrong?
You used to be able to just buy Azure MFA as a standalone product and integrate an on-premise server.
And then from this: https://azure.microsoft.com/en-gb/pricing/details/multi-factor-authentication/
"...From 1 September 2018, new customers will no longer be able to purchase the stand-alone Azure Multi-Factor Authentication (MFA) services. Multi-Factor Authentication (MFA) is an important security mechanism and will continue to be available in Azure Active Directory. ..."
Nice one, Microsoft. Not.
People just save the password in (the cloud of) their phone, and so whenever it's unlocked, the entire farm is unlocked.
Given that most company phones have reasonably sensible forced auto-lock policies, the benefit I see is that Google and Apple no longer get to see the passwords.
On the other hand, if you don't trust Google and Apple not to look at stuff they shouldn't, there's no way to have a smartphone at all.
Right now the only options for MFA are OTP-SMS or TOTP with the Microsoft app, so either you hand over your phone number, or you install a Microsoft app on your phone. I would much prefer using FIDO U2F keys, where the key is generated and stored on the key and cannot be copied. It is as good as a physical key, without which the lock is nigh on impossible to pick. Unlike FIDO2/WebAuthn, the key is write-once and in my view more secure. For instance, if I generate a key on my computer and install it on the phone, it is possible for the key to be copied, which is "not possible" with a FIDO U2F key.
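The TOTP scheme the comment above contrasts with U2F is a shared-secret design: the authenticator app and the verifier both hold the same seed and run the same HMAC computation, so whoever holds a copy of the seed can produce valid codes. This added example (not from the article, Microsoft, or the commenter) implements RFC 6238 TOTP on top of RFC 4226 HOTP, with a verifier that accepts a one-step clock skew window; the seed is the constructed RFC test secret, not a real account's.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 reference secret (ASCII
# "12345678901234567890"). Anyone holding this value can compute the codes,
# which is exactly why a TOTP seed must be treated like a password.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Verifier side: accept the current step and +/- `window` neighbours for clock skew.

    Uses a constant-time comparison so a timing oracle cannot leak matching digits.
    A real deployment would also record the last accepted counter to stop replay.
    """
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


def same_seed_same_code(seed: bytes, at_time: int) -> bool:
    """Two holders of one seed (phone and a copy of it) produce identical codes."""
    phone_copy = bytes(seed)      # represents the seed exported or backed up elsewhere
    return totp(seed, at_time) == totp(phone_copy, at_time)


if __name__ == "__main__":
    # Expected per RFC 6238 test vectors: 287082 (6 digits) / 94287082 (8 digits) at T=59.
    print(totp(DEMO_SEED, 59), totp(DEMO_SEED, 59, digits=8))
```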
I would say whoever has the key. And they can share it with whoever they please. Including government agencies, other non-user persons or... just about anyone.
And so, assuming the private key is in the cloud, any fancy authentication schemes only protect the owner of the cloud server. Especially when the upgraded security means coughing up even more personal data from the user, including various body parts. (More data for the key owner to share.)
We are all being herded into the Cloud because that's where the money/profits are these days. I would think that's OK, because there are some benefits. However, we all understand what goes in the Cloud doesn't necessarily stay there.
Frankly, if I had a business I wouldn't leave mission critical data or high liability information in the Cloud at all. That's what reliable, home brewed servers and backups are for.
On a personal level, my collection of 4 million cat pictures would be an ideal data set to store in the cloud. But, after that...?
Meanwhile, why would I care who sees pictures of my... cats? And so, why would I need to provide triple-whammy authentication to store them?
The PIN is the weakest form of numbers-only password. If it can kill the password, a small sedan should be able to kill the automobile.
They allege that a PIN is stronger because it is linked to a device while the password is not linked to the device. Then we have to ask, "What if you made the password linked to the device?"