Microsoft: You looking at me funny? Oh, you just want to sign in

It's taken a while, but it has finally arrived. You can sign into your Microsoft account with a suitable dongle or Windows Hello, with passwords consigned to history. Well, that's the theory. There are, as ever, some caveats. Microsoft's corporate veep of all things identity, Alex Simons, trumpeted that the 800 million people …

  1. Roopee Bronze badge
    Paris Hilton

    I Don't Get It...

    I get that they know it's your device you're using to log on from, but if you aren't providing a password or biometric key then how do they know it's you, and not just the person who's stolen your device?

    1. Semtex451
      Joke

      Re: I Don't Get It...

      Simple, it's nonce-sense

    2. Pascal Monett Silver badge

      @ Roopee

      Apparently, someone finds your lack of faith disturbing.

      Personally, I'd also like an answer to that question, because a PIN can be beaten from you, and your fingers aren't all that solidly attached when a bolt cutter is lying around, or even just a cleaver.

    3. vtcodger Silver badge

      Re: I Don't Get It...

      then how do they know it's you

      They don't? The FIDO device is analogous to a door key that opens the door for whoever has it, not to a rent-a-guard who checks your face against the photo on your badge?

    4. Persona Silver badge

      Re: I Don't Get It...

      They need to access the "secure enclave" on your device to sign the nonce, and to unlock that enclave they will need your PIN or biometric etc. so be careful that when a person steals your phone they don't also take your finger.

      1. tim 13

        Re: I Don't Get It...

        I gather nonces like accessing secure enclaves

      2. JohnFen

        Re: I Don't Get It...

        "so be careful that when a person steals your phone they don't also take your finger."

        No need to take your finger. Anyone's fingerprints are easy to obtain (they're probably on the case of that stolen phone), and once you have them then it's pretty simple to fool the fingerprint reader and unlock the phone.

      3. really_adf

        Re: I Don't Get It...

        They need to access the "secure enclave" on your device to sign the nonce, and to unlock that enclave they will need your PIN or biometric etc.

        Based on how similar things work, I think it is much better than that: the nonce is passed to the device to be signed, so the private key never goes anywhere outside the device.

        So the PIN or whatever is used locally to authenticate requests to sign.

        Hopefully the nonce issuer is also authenticated, eg by signing it and having this verified by a public key added to the device.

    5. hellwig

      Re: I Don't Get It...

      how do they know it's you, and not just the person who's stolen your device?

      Easy, you obviously secure the private key with a password you enter each time Microsoft sends you a nonce.

      They've replaced passwords (plural) with a password. How novel.

      Now hackers only have to figure out one secret instead of many to control your whole life. Or, rather, the few sites that care to use Microsoft's new feature.

    6. DropBear

      Re: I Don't Get It...

      I find the apparently incredibly popular "auth sticks don't make you perfectly secure so they're worthless" argument rather disingenuous. Yes, it's obviously true - nothing can possibly authenticate you absolutely perfectly, duh. Anything can be either stolen, faked, divulged or guessed. And yes, depending on what local authentication (if any) a stick/token requires to work they can be worse at that job, locally, than a strong password would be.

      But they offer something no passphrase can - protection against remote attackers; yes your token may be vulnerable to people who are physically right next to you, but it should protect against anyone who isn't - and that may well be all that some of us need. Outside high-value targeted ops, almost all identity theft occurs remotely, via phished or stolen and decrypted credentials. Tokens do stop that, leaving you only having to secure a physical artefact - a task most of us have quite a bit of experience with.

      No, it's not perfect - it can be stolen or lost, and then you're down to PIN / fingerprint / whatever it uses for local auth to protect you hopefully just long enough until you notice it missing and invalidate it; yes, that _is_ a window of opportunity. And make no mistake, absolutely nothing, _nothing_ can protect you against duress. But auth tokens are a formidable protection against the type of threats 99.99% of people can expect to face day to day and it's still a heck of a lot better than any password alone...

      1. streaky
        WTF?

        Re: I Don't Get It...

        They're *supposed* to be a *second* factor. I don't know what it is Microsoft have implemented but it better be something more secure than plug it in and away you go.

      2. Paul 129

        Re: I Don't Get It...

        Having used a KEY-ID U2F device in Linux for a few weeks now, I can say they are the way to go. You can have more than one key linked to an account, so do this. Thus you have spare keys, or a master key if you're the admin for a host of services.

        The protection that these offer is protection from remote theft of credentials. Someone has to press the button on the device. MITM is greatly mitigated too. I would suggest that a password would be better protection than a PIN. That way, if you're unfortunate enough to lose your machine and key, you still have some protection. Each service that requests auth should also have some certificate chain to verify who they are, the port and service or namespace (forgive my manglement of the correct jargon).

        Just be aware that if you want them to authorise against Google services, you set your browser to forget cookies on close, or it will forever keep you logged in.

        These aren't perfect, but they sure raise the bar for stealing remote accounts.

        1. Ben Tasker

          Re: I Don't Get It...

          > You can have more than one key linked to an account, so do this

          Unless you're using some tiny, idiotic service no-one's heard of like.... Twitter.... who've decided you can have just one registered at any time.

          Most services are a bit more sane though, I've been using a set of KEY-ID devices for a little while too. My only complaint with them is how bright they decided to make the LED, so when you shift slightly you end up with a bright spot in your vision for a little while.

    7. CrazyOldCatMan Silver badge

      Re: I Don't Get It...

      how do they know it's you, and not just the person who's stolen your device

      They are relying on you keeping your PC and authentication device in separate places.

      In other words - they don't and will happily inform you that "it's your problem" if someone steals both devices.

  2. Jimmy2Cows Silver badge
    Facepalm

    Solution looking for a problem. Again.

    I can't change my face (cheaply and/or painlessly) and a PIN is essentially a weak password. Stupidity for the sake of a tiny convenience improvement, which locks you out the second the auth server goes down.

    But that could never happen, right...?

    1. Excused Boots Bronze badge

      A Microsoft cloud-based authentication system going down? Don't be ridiculous, although such a thing might theoretically happen, in practice such an event hasn't occurred within living memory.

      Well, living memory of a mayfly, but still......

      1. streaky
        Facepalm

        in practice such an event hasn't occurred within living memory.

        Well, except for that one time two days ago when all their second factor stuff died for a very extended period... But other than that! Oh yeah and that one time a few days before where the entirety of office365's outlook email service died for 4 hours.. But other than that!

        To be fair though presumably one can authenticate the old fashioned way still..

    2. phuzz Silver badge

      "locks you out the second the auth server goes down."

      That's a problem with every authentication server.

      It doesn't matter if you're using a password, some kind of two-factor dongle, a fingerprint scanner, or magical quantum entanglement, you still have to rely on something to authenticate your credentials.

      Of course, you could have your authentication on your local machine, but then you have bigger problems than not being able to authenticate, when it goes down.

  3. DJV Silver badge

    Fantastic!

    I can't wait to start using this!

    Hold on, you mean I have to use MS Edge? And a Microsoft account? And W10 AWOL 1809?

    Bye...

    1. Paul 129

      Re: Fantastic!

      No. Linux (use the yubi-key mods to /etc/pam.d/common-auth). Chrome or Firefox (after about:config security.webauth.u2f=True) and tell them to dump cookies on exit.

      Yubi key seems to have support for Windows logins pre the latest 10. I haven't yet dared to try the latest 10.

      It's good stuff!

  4. Pen-y-gors

    I'm confused

    I'm going to have to re-read the article. I didn't understand any of it apart from the nonce-signing, which I assume is what the "tough" lads in H.M.Privatised Prisons do with a sharp implement to any sex-offenders they manage to get alone in the shower block.

  5. JohnFen

    It effectively doesn't exist

    "Microsoft's implementation obviously requires Edge"

    In that case, the feature effectively doesn't exist, then.

  6. Wiltshire
    Joke

    FIDO2 dongles.

    It's the dog's bollocks.

    1. DontFeedTheTrolls
      Boffin

      Slightly less NSFW...

      Mutz Nutz

      Poodles Doodles

      And taking normal Rhyming slang dropping the rhyming word, you just say "It's the Poodles!"

  7. Voland's right hand Silver badge

    Excuse me for being thick

    Enterprises can expect to start dealing with employees losing their FIDO2 dongles in preview form from early next year.

    So why not TPM? It serves the same function and it is mandatory in order for the PC to be able to run Win10.

    1. DJV Silver badge

      TPM mandatory to run Win10?

      No, it isn't. My PC can* run W10 but doesn't have TPM. I think you are getting confused with the MS requirement for NEW devices to have TPM as stated here:

      "As of July 28, 2016, all new device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default from this effective date."

      The above is taken from: https://docs.microsoft.com/en-us/windows-hardware/design/minimum/minimum-hardware-requirements-overview

      Older devices can run W10 (if they must) even if they don't have TPM.

      *It doesn't actually have W10 on it at the moment - I am not that stupid! However, I do have an SSD in my desk drawer that has W10 installed (upgraded for free about 2 years ago from a clone of my W7 install) for when W7 goes end of life. Once every so often I put that SSD into my PC just so it can update itself to the latest horror-filled TITSUP version. Then I put it back in the drawer and carry on using W7.

    2. JohnFen

      Re: Excuse me for being thick

      This is a great point. TPM is not required for server deployments, though. Perhaps that's why?

    3. CrazyOldCatMan Silver badge

      Re: Excuse me for being thick

      So why not TPM? It serves the same function

      No - TPM is a secure enclave (mostly) on the PC itself. It can be used to store the certificates/credentials needed to validate an authentication, but an external input (password/PIN et al.) is still needed.

  8. Nolveys
    Windows

    Nifty!

    I've got Edge fired up and my FIDO2 dongle. Let's give this a try...

    (Azure Europe overloads)

    (Azure Europe goes down)

    (Azure Europe fails over to Azure North America)

    (Azure North America overloads)

    (Azure North America goes down)

    (Azure North America fails over to Azure Asia)

    (Azure Asia overloads)...

    Uh-oh.

  9. The Oncoming Scorn Silver badge
    Facepalm

    Tea Through The Nose

    Relatively speaking that's not too bad; it's the laughing hysterically (The Sunderland Car Factory Executive & Automated Mail Unit story), coughing up a mix of beer & recently eaten bit of strawberry cheesecake & snorting that out of your nostrils that really smarts (while still laughing) a lot.

    Icon - Holding a clean hanky to the affected area .

  10. J. Cook Silver badge
    FAIL

    That's going to fly well with corporates...

    ... who probably turned off Hello first thing during their rollout when they discovered that Batman (tm) was trying to log in to a laptop using it, because it locked onto the person's shirt instead of their face.

    Facial recognition is still in its infancy, and despite biometrics having been around for the better part of 30 years, it's still not in widespread use except as a second (or additional) authentication factor, and even then it's not infallible.

    And requiring internet access to unlock the machine locally? What happens if I'm trying to troubleshoot why the internet has gone down and I need to unlock the workstation? How does it fall back? What's the action if it fails?

    1. Anonymous Coward
      Anonymous Coward

      Re: That's going to fly well with corporates...

      Microsoft use it, so that's pretty widespread. Password change at least once a year or whenever you have to type it and realise you've no idea what your password is. Hello doesn't use the camera so not really what's been around for 30 years since laptops have not had the tech for 30 years. It falls back just fine; the device does know the credentials even when the user forgets. The difference here is that credentials aren't constantly being typed in front of strangers or sent over the Internet so the barrier to Pwning someone is higher than 8 year old kids with a script.

    2. phuzz Silver badge

      Re: That's going to fly well with corporates...

      Microsoft Hello doesn't just use face recognition, it can use fingerprint or iris scan instead (and is presumably extendable so if next years laptops come with a built in fart-smeller it can use that).

  11. Roq D. Kasba

    Disappointed

    Far too few NONCE gags here in the comments.

  12. Nick Ryan Silver badge

    /sigh. Face ID is not a suitable replacement for a password. It's a suitable replacement for a username.
