Microsoft 'kills' passwords, throws up threat manager, APIs Graph Security

Microsoft is beefing up the security in its cloud services lineup with a handful of unveilings today at this year's Ignite conference. The Redmond giant says the offerings are part of an aim to secure both its own web services and the partner ecosystems that have popped up around them. Passwords out to pasture Among the big …

  1. Adrian 4

    Phones ? really ?

    I applaud the move away from passwords. Or I would, if I didn't think something relying on phones wasn't outright stupid.

    1. usbac Silver badge

      Re: Phones ? really ?

      What if you don't have a cell phone? I guess you just don't exist anymore if you don't?

      What a fucked up world we live in now...

      1. JohnFen

        Re: Phones ? really ?

        That might be a blessing in disguise -- it would be a wonderful reason to personally avoid Microsoft's offerings. If a workplace requires it, then it's up to the employer to provide any equipment necessary to perform your duties.

      2. Sith Vicious
        Facepalm

        Re: Phones ? really ?

        "Any network that uses AD to authenticate people will now be able to give those users the option"

        Don't worry champ, I got this.

    2. Throatwarbler Mangrove Silver badge

      Re: Phones ? really ?

      I use the RSA Token app every time I log into work systems remotely. Works great!

    3. gnarlymarley

      Re: Phones ? really ?

      I applaud the move away from passwords. Or I would, if I didn't think something relying on phones wasn't outright stupid.

      This is not really a move away from passwords since you still have to remember a PIN alongside having the phone. So, what happens if your phone dies? You might as well keep a password as a backup for when the hardware dies.

  2. usbac Silver badge

    "give users the option of using Authenticator to sign in via a PIN, fingerprint, or face scan on their iOS or Android device."

    So instead of a secure password, now we are using a numeric only password (a PIN - that will surely be easier to brute force than a password) or fingerprint (a password you leave a few thousand copies of laying around everywhere you go every day)?

    This sounds like something Microsoft would think is progress!!

    1. MacroRodent

      Exactly. It is not multi-factor authentication unless you ALSO HAVE a secret password.

    2. Arctic fox
      Headmaster

      Re: "...a PIN - that will surely be easier to brute force than a password"

      Ahem. Did you forget the three strikes and you are out rule in this context? You get three bites of the cherry and then you are locked out if you did not guess correctly. The odds concerned are 1:333,33 recurring. I.e. Unless the person concerned is very fucking lucky trying to brute-force a PIN-code suggests that our would-be perp's IQ is lower than his shoe size.

  3. Griffo

    It would be great

    It would be great if MS actually enabled this technology on all their partner portals as well. You know, the ones that let us modify customers' products and subscriptions and get into their tenancies.

    There have been a few cases of partners' credentials being hacked - to date mostly so people can spin up Azure for free crypto, however the fact that most of these portals still cannot enable 2FA is criminal.

    1. Sith Vicious

      Re: It would be great

      Can't speak for all portals, but you can on Azure ....

  4. John Doe 6

    What's the backup plan ?

    Our CEO came back from the weekend with a crushed phone, he would be quite happy about this solution not being able to log in...

  5. Anonymous Coward

    Ahhhh

    NO

    - No phone

    - Not giving anyone (except for Passport purposes) my biometrics

    Back to the drawing board.

    1. Andy The Hat Silver badge

      Re: Ahhhh

      Now Mr Smith, as US Customs and self-appointed Police Force (World) we require access to all your data ... Forgotten your password you say? No problem, where's your phone Sir? Now look into the phone not around the phone ...

  6. Anonymous Coward

    Other than picky sys admins (you lot!) :) this would work great for most of the clients I can think of. Most corporates issue phones like they're free (then make employees spend hours going through the bills line by line to eliminate all personal use, on company time, idiots). I can imagine this being rolled out for more sensitive applications or elevated access rights first.

    Physical possession of the device counts as a Factor, hence it's MFA in my opinion. I can't think of any security issues I've come across that have involved physical theft of passcards or the like. (Maybe in the world of truly serious security and espionage? But not in your average corporate environment.)

    Assuming this is aimed at generic public sector and enterprise customers, looks like a winner to me.

    1. TonyJ

      "...Physical possession of the device counts as a Factor, hence it's MFA in my opinion. .."

      Yup. Something you know combined with something you have.

      You're also right about the audience here at El Reg. I think sometimes (quite often) people forget that outside of places such as this forum, the vast majority of users are less technical, less cynical and just want a) an easier life and b) to be able to do their jobs

      All the new laptops being rolled out here have fingerprint login (to the domain) enabled. Most users quite like that. These are the same users who are used to unlocking their phones with a fingerprint, a PIN etc. so it's not a stretch for them to adopt this to log onto their work network.

      1. Adrian 4

        And what is the 'something you know' if the password is gone ?

        Perhaps there's a password on the phone. But if you enable another device with both factors, is that still 2FA ? or does the phone become a single factor to the security system, since once it's unlocked it can be used alone ?

      2. Wade Burchette

        "All the new laptops being rolled out here have fingerprint login (to the domain) enabled. Most users quite like that. These are the same users who are used to unlocking their phones with a fingerprint, a PIN etc. so it's not a stretch for them to adopt this to log onto their work network."

        Fingerprint login is a very very bad idea. For some reason, none of my fingers work with a fingerprint reader. And I've used them all - the one you swipe on a laptop, the ones you keep your finger over on a laptop and phone, the ones you mash down with - and none of them work with all 10 of my fingers. I can't be the only one.

        But assuming my fingers did work, how hard is it to copy my fingerprint considering of all the things I touch every day? For a professional or a government, it is not very secure.

        1. JohnFen

          "Fingerprint login is a very very bad idea."

          This. Fingerprint login is not very secure. Its benefit is that it's convenient. It should not be used for situations where security is actually very important.

        2. Nick Ryan Silver badge

          Fingerprint readers used like that are not MFA at all. A fingerprint is not a suitable replacement for a password. It's a rather good part of authentication when used either as the user ID, with a password as well, or in addition to a user ID and a password, but not in place of a password.

          1. TonyJ

            I hold my hands up and accept that it was my mistake and I should have been clearer in what I was saying.

            To clarify I wasn't suggesting that fingerprints are secure - though for most people I suggest that lifting a fingerprint and making a working copy isn't trivial. It's usually simpler to use other means anyway such as threats of violence - I suspect most people would give up a password under that kind of duress.

            On top of this, we all know the problem with enforcing silly password policies and what happens to them and how they get written on a post it. Or it becomes the same password + an incrementing number/Shift+number (not to mention how convenient it is to have 12 such keys across the top of the keyboard, below the Fn keys).

            All of my elevated accounts have an out-of-band secondary authentication method enabled, be that an RSA token or Google/Microsoft type authenticator. That being MFA.

            However, it's also worth pointing out that in the roles I do these days, it's less and less of a requirement to require any kind of elevated access on a day-to-day basis if at all. I generally request such accounts are disabled until and unless I specifically require use of them.

            What I was saying is that for most people doing everyday work, fingerprint authentication is sufficient and it's convenient and yes, I am aware that it's not multi factor authentication since it only fulfils the category of something you have not combined with something you know.

            I should also have pointed out that even here with the use of fingerprints, we have other layers of security such as BitLocker enabled.

            All of which is summarily undone by the culture here of many people walking away and leaving their machines both unguarded (no one else around, necessarily) and unlocked.

      3. usbac Silver badge

        @TonyJ

        You want to see how fast I can lift one of your fingerprints off of any surface and be logged into your AD account?

        There should be no problem finding a copy of your "password" laying around everywhere you have been today...

  7. Anonymous Coward

    Sounds completely reasonable

    Especially from a company whose model in part has shifted to the data mining of its customers/users.

  8. OssianScotland

    AD != AD

    I am impressed with Micro$oft's creeping changes:

    2FA works with AD.

    Domain Admins the world over assume this means their existing ACTIVE Directory

    Oops, silly me, it is AZURE Directory (premium at that) so "just a few <currency of choice>"

    "Just a few" per user per month suddenly becomes yet another budget drain, plus of course, your internal security directory is in the cloud "for your convenience"

    What could possibly go wrong?

    1. TonyJ

      Re: AD != AD

      You used to be able to just buy Azure MFA as a standalone product and integrate an on-premises server.

      And then from this: https://azure.microsoft.com/en-gb/pricing/details/multi-factor-authentication/

      "...From 1 September 2018, new customers will no longer be able to purchase the stand-alone Azure Multi-Factor Authentication (MFA) services. Multi-Factor Authentication (MFA) is an important security mechanism and will continue to be available in Azure Active Directory. ..."

      Nice one, Microsoft. Not.

    2. -v(o.o)v-

      Re: AD != AD

      Indeed, since when has Azure Active Directory been called AD? AD = Active Directory.

      Very confusing and I hope it is only the clueless writer and not MS muddying the waters further.

      1. Trixr

        Re: AD != AD

        Indeed. It should be "AAD" for the Azure version.

  9. Richard 12 Silver badge

    Seems very similar to current practice

    People just save the password in (the cloud of) their phone, and so whenever it's unlocked, the entire farm is unlocked.

    Given that most company phones have reasonably sensible forced auto-lock policies, the benefit I see is that Google and Apple no longer get to see the passwords.

    On the other hand, if you don't trust Google and Apple not to look at stuff they shouldn't, there's no way to have a smartphone at all.

  10. Pascal Monett Silver badge
    Mushroom

    "This will let analysts save thousands of hours as they automate the more mundane security tasks,"

    You mean those hours that they need because managing security is done in a shitty and stupid way ?

    So you're congratulating yourself on having corrected a problem you created ? Well done.

  11. Chris Hills

    Personal Data

    Right now the only options for MFA are OTP-SMS or TOTP with the Microsoft app, so either you hand over your phone number, or you install a Microsoft app on your phone. I would much prefer using FIDO U2F keys where the key is generated and stored on the key, and cannot be copied. It is as good as a physical key, without which the lock is nigh on impossible to pick. Unlike FIDO2/WebAuthn the key is write-once and in my view more secure. For instance, if I generate a key on my computer and install it on the phone, it is possible for the key to be copied, which is "not possible" with a FIDO U2F key.

    1. DropBear

      Re: Personal Data

      TOTP should work using any of a range of authenticator apps you may choose from. Did MS do something to lock access to their own app...?

  12. Anonymous Coward

    Who Owns Data in the Cloud?

    I would say whoever has the key. And they can share it with whoever they please. Including government agencies, other non-user persons or ... just about anyone.

    And so, assuming the private key is in the cloud, any fancy authentication schemes only protect the owner of the cloud server. Especially when the upgraded security means coughing up even more personal data from the user, including various body parts.(More data for the key owner to share.)

    We are all being herded into the Cloud because that's where the money/profits are these days. I would think that's OK, because there are some benefits. However, we all understand what goes in the Cloud, doesn't necessarily stay there.

    Frankly, if I had a business I wouldn't leave mission critical data or high liability information in the Cloud at all. That's what reliable, home brewed servers and backups are for.

    On a personal level, my collection of 4 million cat pictures would be an ideal data set to store in the cloud. But, after that.......?

    Meanwhile, why would I care who sees pictures of my....cats? And so, why would I need to provide triple-whammy authentication to store them?

  13. Mahhn

    One device to rule them all!

    Since it is reliant on ONE device, I call it SFA.

    When a criminal gets your unlocked phone - They own "everything" you have access to.

    No doubt hardcore crims are very, very happy with this.

  14. Jin

    Logic and rationale defied

    The PIN is the weakest form of numbers-only password. If it can kill the password, a small sedan should be able to kill the automobile.

    They allege that a PIN is stronger because it is linked to a device while the password is not made linked to the device. Then we have to ask "What if you made the password linked to the device?"
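What "linked to a device" usually means in practice, as an added illustration that is not from the article, from anyone in this thread, or a description of Microsoft's actual Authenticator protocol (which this page does not detail): the device-bound key pattern that FIDO tokens use, as Chris Hills mentions. The server enrolls a public key; a login is a signature over a random challenge; the PIN is never transmitted and only unlocks the key locally. The `Device`, `Server` and `Login` names, the unsalted local PIN hash and the three-strike lockout are assumptions made for this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINFailures = 3 // assumption: three strikes and the device is locked

// Device models a phone holding a private key that never leaves it. The PIN
// is never sent anywhere; it only gates local use of the key. A real phone
// keeps the key and the retry counter in a secure element; a plain hash
// compare is enough for the model.
type Device struct {
	priv     ed25519.PrivateKey
	pinHash  [32]byte
	failures int
	locked   bool
}

func NewDevice(pin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// Sign releases one signature over the server's challenge, and only if the
// PIN is right; maxPINFailures wrong PINs lock the device permanently.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.locked {
		return nil, errors.New("device locked")
	}
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], d.pinHash[:]) != 1 {
		d.failures++
		if d.failures >= maxPINFailures {
			d.locked = true
		}
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	return ed25519.Sign(d.priv, challenge), nil
}

// Server stores only public keys and outstanding challenges: stealing this
// table gives nothing to replay or crack offline.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce for the user's device to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the outstanding challenge and retires
// the challenge, so a signature captured in transit cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, haveUser := s.users[user]
	c, haveChal := s.challenges[user]
	if !haveUser || !haveChal {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

// Login runs one full exchange: challenge, PIN-gated local signature, verify.
func Login(s *Server, d *Device, user, pin string) bool {
	c, err := s.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := d.Sign(pin, c)
	if err != nil {
		return false
	}
	return s.Verify(user, sig)
}

func main() {
	phone, pub, err := NewDevice("1234")
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", pub)
	fmt.Println("right PIN, enrolled phone:", Login(srv, phone, "alice", "1234"))
	other, _, _ := NewDevice("1234")
	fmt.Println("right PIN, other phone:   ", Login(srv, other, "alice", "1234"))
	for i := 0; i < maxPINFailures; i++ {
		Login(srv, phone, "alice", "0000")
	}
	fmt.Println("right PIN after lockout:  ", Login(srv, phone, "alice", "1234"))
}
```

Two things the model makes concrete. Jin's question is answered by where the PIN lives: it is checked on the device, so knowing it is useless without the enrolled private key, and an attacker guessing online gets `maxPINFailures` tries per device (3 in 10,000 for a four-digit PIN) rather than the unlimited offline guessing a leaked password hash allows. Adrian 4's question depends on a design choice: in this model `Sign` demands the PIN for every signature, so an unlocked phone is not enough by itself; whether a given real deployment caches that unlock is not something this page states.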
