Microsoft doesn't require passwords anymore

Originally published at: Microsoft doesn't require passwords anymore | Boing Boing

…

microsoft’s main problem is identity. they feel responsible for identity and authorization, they’re even responsible for administering services and servers that deal with identity. Their problem is their identity is bastardized. Moving a way from passwords is good, but moving away from identity in general would be better. Security by obscurity, if there were less endpoints, it is so much harder to get hacked. MSFT should remove all “user account requirements” for noncommcerical accounts, instead of just going passwordless. No login at all. Just provide damn software you fools, you don’t have to control the software for personal noncommercial accounts. Let gramma, and other personal users, compute in peace. Give people options, not instructions.

So you are suggesting we go back to a default single-user model? Like in the 90’s?

I haven’t had a yahoo password for years. It has been a dream.

Microsoft on the other hand always seems to find some reason to lock me out of my account with overly strict security security policies. I am not looking forward to this.

I think I get what you’re saying: local programs that don’t use services don’t need identity. But that horse left the barn long ago and will never return. People really like being able to access their photos, music, documents, calendars, menus, recipes, news feeds, email, health insurance, social media, paystubs, home automation, streaming media, bank accounts, contacts, expense reports, fitbits, etc., etc., etc., from their mobile devices as well as their laptops. It’s a 100% done deal, you don’t get to choose how other people enjoy their tech. And each of those requires identity, meaning identity is important, whether or not you wish it wasn’t.

This is 100% not true. Attackers long ago moved away from hoodied teens in their mothers’ basements. Attackers are now a multi billion dollar industry, with salaried employees, quotas, sales people, customer support, everything. You can hire a service to spam a million people for a few dollars. Any who click on your phish end up handing you their compromised computer on a platter. From there they can abuse your computer to send more phish, harvest your contacts, steal identity info (such as the phone number you use for 2FA), log in to your bank and transfer your money, log in to your employer’s network, etc.

The people who create these exploits get paid big money to do so. There’s a huge profit motive in finding ways to poke holes in systems remotely. And that profit motive means that there’s a never ending supply of hackers trying to cash in on that bonanza.

And why not? Selling identity services is profitable. It also improves security. Whether you believe it or not, Microsoft knows far more about computer security than just about anyone in the industry. I would trust a Microsoft login prompt 100 times more than I would trust one from a random bank, or department store, or web blog devoted to happy mutants. Microsoft has invested billions in security; they have a cyber defense team second to none; and they are constantly improving. Can you say the same for another identity provider? The world used to trust RSA for this; that is until they were caught taking bribes from the NSA to install weak algorithms. Yahoo! was a huge identity provider until they got hacked, and their poor practices came to light. Microsoft’s identity services, on the other hand, have suffered no such breaches. Whatever they’re doing has stood up to constant attack from every nation state on the planet, even if not all of their clients are so smart.

I’m not trying to shill for Microsoft, but your arguments against them haven’t been valid for over a decade. It’s probably time to abandon them and pick up more current information.

I would agree with this. Only Google has the experience of trying to secure over a Billion active endpoints, and they have a couple decades less experience.

I will grudgingly admit that most of the phishing and spam that I see from Office 365 tenants came from compromised endpoints, which is the one thing that Microsoft can’t really lock down easily.

I don’t feel many of your arguments to be valid, but some of them are simple facts and you can’t be wrong about those. Don’t get me wrong, I am a customer of theirs at the highest level because there’s simply no better option - they are the best - and yet I see room for improvement. Their security policy lumps grandma together with me, and I feel a growing divide between the commercial identity (identity with purpose) and noncommercial identity (identity for profit), such that the profiteering method is wrong and/or bad. Identity is localized and decentralized whether the top security team in the world likes it or not. Identity, at it’s core, is nowhere near a computer. I moved grandma to a passwordless system ages ago with the yubikey, but if I could move her to one with no login whatsoever, she would be a happier user. It is overpresumptuous to assume that a majority of people really liking their photos, music, documents, calendars, etc. on the cloud, means that the product maker gets to choose how every user’s workflow goes and where data is stored and who owns it. Once you have so many users, you aren’t just a product manager anymore, ethics and error messages matter. Once you have so many users, it gets harder and harder to positively identify a person, let alone a user. Better not to for situations where it’s wholly unnecessary, or make disabled the default option for all nonessential, adver-torial settings. Putting profit before privacy has always been my problem with microsoft. If you want to sway that opinion, try harder.

I’m saying choice > no choice when it comes to software.

Windows is not as infinitely configurable as Linux, but more than you would think. If you want to set up grandma with a 0 login Windows box, Microsoft themselves provide a way.

I’ve been locked out of the Apple store for two years because I made one too many attempts to recall my password on a laptop. The account can’t be reset because my iPhone is still logged in – not that I ever used it to access the account, but I had “Find my phone” enabled. I can’t log the phone out because – ha! that would require a password. A very competent rep told me in all seriousness that the only option remaining was to stop using my phone for six weeks. Who cares, I never buy software from Apple anyway. But it does convince me that passwords can mess you up bigtime.

This seems like the logical conclusion for the uptick in multi-factor support across websites. I still remember those awful RSA SecurID dongles with the little keypads where you had to manually enter a code back before they had the newer rolling TOTP codes. We’ve come a long way.

great rec! Been using sysinternals tools since before russinovich was microsoft.

In this case, the Sysinternals tool just provides an easy way to configure autologon. The underlying feature has been around for ages. I have written scripts to configure it, as have many, many others. Weirdly, sysinternals was behind the times on this one.

There’s a lot of overlap with the built in msconfig but autoruns is much more comprehensive. My biggest problem with autoruns is it doesn’t handle shell extensions so I still need to use NirSoft’s shellexview to disable crap like OneDrive’s irritating sync status icon overlays.

think of the grandmas out there, with no clue how to turn off these (annoying to you–) disturbing/alarming/confusing notifications.

WE KNOW WHO YOU ARE REGARDLESS.

Yes, bot, that is a complete sentence.

Now imagine if, instead of a password, that was your fingerprint or other biometric thing that you can’t change.

Despite tech companies’ and most of the public’s love of biometrics, they are actually a pretty terrible security idea. However that’s another horse that has left the barn now, so no point in belaboring it too much at this point, I guess.

Back to the OP, for what it’s worth, what MSFT did here is actually common now. The big tech company that I work for also did this, and we use a hundred different 3rd party products in our work. All were unified under a single identity system called Okta (one brand, but there are others you can choose). Basically you sign in to Okta once a week (or day or whatever the security policy is) with the fingerprint reader on your laptop, and you’re automatically logged into all the tools you use as well. Everything from email to VPNs to marketing analysis tools.

Is it better than passwords? I honestly don’t know. We the employees all sorta hate the Okta system because it’s really intrusive and blocks a lot of basic functionality like clicking on a link to a ticket in a slack message, that sort of thing. But the security team assures us it is better so

Edit to clarify: the “can’t click on links” thing is not a security feature of Okta, but rather a side effect of the way it authenticates every session in a given tool by doing a double-bounce off a browser window in a way that doesn’t preserve the contents of the original link. It’s an annoying limitation of doing this stuff all web-based, instead of with local applications. I hate web applications, for the record, and this is one example of why.

“Microsoft doesn’t require passwords anymore”

Instead they require a few hundred dollar device to use their authenticator too bypass this “hassle”.

This is right up there with Apple’s inability to add a silent, 5¢ LED notification light, but rather sell you a several hundred dollar “smartwatch” that has a light to let you know a notification comes in. The camera flash notification is the ess than subtle alternative which is also very limited in its configuration options.

Like most technology related shortcomings, there are always alternatives, and KeePass handles all of my devices logins with aplomb.

You don’t have to use Authenticator on an expensive smartphone. You can use a $25 YubiKey, or various other alternative methods.