Microsoft decides it will be the one to choose which secure login method you use

Microsoft wants to take the decision of which multi-factor authentication (MFA) method to use out of the users' hands and into its own. The software maker this week is rolling out what it calls system-preferred authentication for MFA, which will present individuals signing in with the most secure method and then alternatives …

  1. steviebuk Silver badge

    At it again

    Would be fine if their cocking MFA was stable which it isn't.

    1. Anonymous Coward

      Re: At it again

      It's only security theatre anyway. It would be better if they actually made their products more secure.

    2. 43300 Silver badge

      Re: At it again

      It wouldn't be OK even then! It's not up to them to decide.

      Agree that it's not stable - dealing with buggered Microsoft MFA is one of our top causes of support calls from users.

  2. stiine Silver badge

    biometrics?

    I can hear the conversation now. "Hello, Microsoft? Yes, my local city government has fallen victim to a ransomware attack and my personal information, including iris and fingerprints were exfiltrated. I need to change my biometrics because they were compromised. What is your procedure for this? Surgery? New eyes and hands? Are you that fucking stupid?"

    1. MOH

      Re: biometrics?

      -stupid +venal

  3. WorkShyEU

    And where does Microsoft store your biometric data.. Yeah in the US on their servers...Highest bidders get a peek

    1. NoneSuch Silver badge

      "And where does Microsoft store your biometric data.. Yeah in the US on their servers...Highest bidders get a peek"

      You assume they will only sell your info to a single company, once, do you?

    2. Boris the Cockroach Silver badge

      With the NSA/CIA/FBI getting a look in first..... which then finds a match and then some suitable spam.

      "Congratulations, as a valued m$ customer, we can give you a free trip to Disneyland, Florida from wherever you happen to be, with free limo from the airport to a hotel of our choosing, and then all cons accommodation, act now to claim your place"...

      1. Anonymous Coward

        is the hotel located somewhere on a bay in Cuba?

    3. Adam JC

      While I'm always quick to jump on the bandwagon, I have to chip in here.. Biometric data is stored on the local device, it's never broadcast off the device. This is why you can't reset biometric login methods using Azure/Entra but can clear the data and re-enroll if needs be.

      1. that one in the corner Silver badge

        > Biometric data is ... never broadcast off the device. This is why you can't ...

        They would tell you that, wouldn't they.

        Okay, who took away the black helicopter icon? Just have to make do:

        c(X)--x

        or going the other way, but without the cockpit:

        x--(X)

        1. Anonymous Coward

          I see you don't understand how biometric login methods work. You can't even reset the PIN via 365 never mind biometric data. It's not just Microsoft 'telling us', it's a fundamental way about how the function works (See also: TPM).

          I guess I (perhaps incorrectly) presume that people frequenting a tech news site may have a modicum of tech knowledge :-)

          1. that one in the corner Silver badge

            > it's a fundamental way about how the function works (See also: TPM)

            On the subject of TPM, you may want to have a little read (and consider, for example, why there is any need to have anything other than version 1.0 of such a technology):

            https://www.covertswarm.com/post/how-secure-are-tpm-chips

            > You can't even reset the PIN via 365

            What you can and can not do via a cloudy system like 365 really is not relevant to what could be done by an adversary, should they find a flaw in the implementation (and history shows us that anything complicated enough is going to have flaws).

            > I guess I (perhaps incorrectly) presume that people frequenting a tech news site may have a modicum of tech knowledge

            Which is why I worry that you are so completely trusting of the implementation as to ridicule even the idea that there may be flaws. You have been keeping up with all the news over the years where cryptographic mechanisms have been designed that are uncrackable but have been ruined by flaws in the implementation? Such as the use of unencrypted comms between the TPM and the CPU (see above URL)?

            1. Anonymous Coward

              > On the subject of TPM, you may want to have a little read (and consider, for example, why there is any need to have anything other than version 1.0 of such a technology):

              To expect a hardware-based piece of security technology first conceived in 2009 (the same year Windows 7 was first released, for perspective) to still be fit for purpose in 2023 is mind boggling. Would you expect people to be mooching around running Windows 7 with no security updates since 2009? There's only so many firmware updates that can attempt to un-fuck any shortcomings in the hardware itself, so of course there were evolutions in its technology and later revisions were inevitable.

              > What you can and can not do via a cloudy system like 365 really is not relevant to what could be done by an adversary, should they find a flaw in the implementation (and history shows us that anything complicated enough is going to have flaws).

              It's extremely relevant. If the biometric data was being spoon-fed into Microsoft's platform, then it completely subverts the security on your local device and opens up a completely different attack vector. And yeah, TPM *has* had flaws (much like Intel/AMD had their woes with Meltdown/Spectre). Thus the newer revisions of the technology.

              > Which is why I worry that you are so completely trusting of the implementation as to ridicule even the idea that there may be flaws. You have been keeping up with all the news over the years where cryptographic mechanisms have been designed that are uncrackable but have been ruined by flaws in the implementation? Such as the use of unencrypted comms between the TPM and the CPU (see above URL)?

              At no point did I say I'm completely trusting of the implementation. There have been several debacles and security problems with TPMs in the past (weak RSA keys and, very recently, AMD's faulTPM exploit).

              I said you don't understand how biometric login methods work, in so much as they do not store the data 'in the cloud', but rather in the TPM locally on the device. (Including non-biometric data, such as a PIN if you've set one).

      2. M.V. Lipvig Silver badge
        Holmes

        If you have to re-enroll, what happens to the data you had on the original enrollment? Any time I've had to re-enroll in something, the original account is lost.

        How would M$ prevent someone else from "reenrolling" as you and grabbing your data if M$ does not store that biometric data, if it was possible to grab the original account?

        I don't see how what you suggest would be possible.

        1. MarkMac

          Normally, you're re-enrolling your biometrics not creating a new account.

          To re-enroll biometrics, you need to prove your identity by some means first. So in principle it's not that easy to overwrite someone's biometrics.

          Of course, if your other auth methods are compromised then sure, someone can wipe your biometrics from the device and enroll new data.

          That's not unique to biometrics though. If your password is stolen, the perp could change your PIN, contact number for OTPs etc.

          All Your Base Are Belong to Them...

          On the topic of how biometric IDs work; the op is correct, the detailed information never leaves the device.

          It is stored in a one-way hash on the device. That means that even if the device is stolen, the biometric info can't be extracted, only compared to.

          Also, it's not like on the TV, when they have an actual scan of your fingerprint. That's a very old, insecure tech. Nowadays a capacitive map is created which is then reduced to the key features, and encrypted via a one-way process. Imagine taking an aerial photo of London from an angle, and writing down the coordinates of London Bridge, Big Ben, Buckingham Palace and a few more places. A set of numbers which you encrypt and store as your enrollment data. Does that matter? Yes, because even if you could break the one-way hash, you still wouldn't have a photograph of London, just a bunch of coordinates which you can't feed into a scanner.

    4. M.V. Lipvig Silver badge

      That would be, highest bidder gets FIRST peek, second highest gets to peek next week.

  4. navarac Bronze badge

    Who's PC?

    Again! Who's PC is it? Not Microsoft's, unless they are gifting me a new machine for Christmas!

    1. MOH

      Re: Who's PC?

      Hooze

    2. JamesTGrant

      Re: Who's PC?

      Hues

    3. yetanotheraoc Silver badge

      Re: Who's PC?

      Hughes' PC, is it?

    4. that one in the corner Silver badge

      Re: Who's PC?

      Hews

    5. Vincent van Gopher

      Re: Who's PC?

      Hugh's

  5. Grunchy Silver badge

    Reminds me of the convenience store down the block

    I started shopping at this one convenience store, the one down by the laundromat? I’d go walk the dog over there, then pop in for a slurpee & lotto ticket and then back home. Well, the guy had enough of that b/s, and said so. He said, “ you come around here and all you buy is slurpee and lotto, and it never fails, you pay all the time with credit card. Whatsa matter, you never heard of cash?” So I’m like, “that’s right, I don’t carry any cash whatsoever, in fact I never carry any cash.”

    So he says, “well that’s not the way it works anymore, you can’t buy anything here with credit anymore, from now on it’s cash only. You have been warned and now you have been told.”

    So that’s it! Now we have to swing by the circle k ever since, or, I guess I could go to the drugstore because they too have slurpee.

    I’m not saying the guy is gonna go bankrupt imminently, but it’s never good for business when you deliberately drive your customers toward your competitors.

    Ehhhh whatever, it’s not as if I’m any kind of Microsoft customer anyway. The only thing I bought off them in the last 10 years is flight sim 2020.

    1. Anonymous Coward

      Re: Reminds me of the convenience store down the block

      At small stores I generally ask if they would prefer cash, because often they're paying 2 or 3 percent of their sales to the credit cards companies. I am guessing higher volume stores and chains generally pay less.

      1. Anonymous Coward

        Re: Reminds me of the convenience store down the block

        I hope that all cash is going through the books… and not buying a 108" TV or MacBook in Costco when your C-Store owner slaps down a massive wad of bills. For C-Store owner replace with Plumber, HVAC, car salesman, pool guy as appropriate.

        Who needs crypto if you don’t ring it through the register or do a ‘price for cash’.

        1. Roland6 Silver badge

          Re: Reminds me of the convenience store down the block

          A plumber needs that 108”TV so they can watch the YouTube plumbing videos - legitimate business expense, provided they can put hand on heart and say primary purpose is for the business. Obviously, cash without paperwork generally means VAT fiddle.

          1. Anonymous Coward

            Re: Reminds me of the convenience store down the block

            As a YouTube Certified Professional, I can assure you that it is indeed a legit business expense

      2. Doctor Tarr
        Stop

        Re: Reminds me of the convenience store down the block

        You're being lied to about the cost of using cards. Check the PSR website for the facts. Interchange fee cap: 0.3% per transaction (credit cards), 0.2% per transaction (debit cards).

        There is a misperception that cash is free. It's actually higher cost, especially for small retailers, than cards. They can also choose to avoid putting cash through the books which pushes the tax burden onto others.

        I'm not advocating for the removal of cash though.

        1. Anonymous Coward

          Re: Reminds me of the convenience store down the block

          I am not so sure about the cost for the retailer.

          and then you have stores that won't accept your credit card, like for Paris' Olympic games official stores, because they are sponsored by one of the card issuers so reject all other cards... (but cash is OK)

        2. Anonymous Coward

          Re: Reminds me of the convenience store down the block

          No, if the small merchant (and I've been that guy) does all of his money counting over dinner, then the cost to handle the cash is $0. With the right type of account at the right bank, the cost to deposit $40k is $0, again because 5 minutes in a bank that's in the same shopping center as my local grocery store also costs basically $0.

          Also, with cash, there's zero percent chance that a fraudulent purchase will cause a transaction to be reversed.

          1. Anonymous Coward

            Re: Reminds me of the convenience store down the block

            I've worked with thousands of small retailers and the vast majority complained about managing cash (and to be transparent they also complained about cards).

            The main arguments were around the cost of time spent going to the bank every day, counting the cash, theft from staff or robbery (or dealing with the risk), reconciliation and counterfeit notes.

            This was about 10 years ago and since then card costs have come down and I don't know how much counterfeiting goes on with polymer notes.

            The main complaint on cards was the delay in getting the money into their accounts. A lot of the retailers had very marginal cash flow so waiting 3 working days was painful. That could be fixed today though.

        3. Sherrie Ludwig

          Re: Reminds me of the convenience store down the block

          "You're being lied to about the cost of using cards. Check the PSR website for the facts. Interchange fee cap: 0.3% per transaction (credit cards), 0.2% per transaction (debit cards)."

          I want to do business in whatever utopia you live in. Actual USA retailer here, small one-person operation. Yes, they are not burdensome, but they are present. Someone wanting to pay a $1 sale with a card costs me 12.6% of the sale through Square. https://squareup.com/us/en/payments/our-fees means that if they are buying some clearance item that I am getting rid of at cost ($1 costume jewelry) it is cheaper to me to just give them to her.

          1. Doctor Tarr

            Re: Reminds me of the convenience store down the block

            That utopia is the UK, although it's not often I'd ever consider it that way ;) It was originally an EU regulation.

            The fees you're paying are extortionate though. AFAIK there isn't a PSR equivalent in the US and it's not a role that any of the Fed banks fill. At least not to the same extent.

            1. X5-332960073452
              Headmaster

              Re: Reminds me of the convenience store down the block

              You may want to look at what those IFR (interchange fee regulations) are actually about.

              They are the fees the BANKS pay on card transactions (between banks), they are NOT the Merchant Fees paid by retailers to Payment Service Providers.

          2. Michael Wojcik Silver badge

            Re: Reminds me of the convenience store down the block

            Square is notoriously expensive. They've built a business on marketing and convenience, not on competitive pricing.

            I had an acquaintance who worked for a company that did credit-card payment arrangements for small businesses, including (if the business wanted) everything from hardware to managing the clearing services. Their packages were much, much lower than Square's for the same parameters. The main difference was they sold or leased standalone hardware, not gadgets to plug into iPhones and iPads.

        4. Anonymous Coward

          Re: Reminds me of the convenience store down the block

          My car mechanic, who is quite trustworthy, apologized that he had to start charging a fee to pay with credit. He prefers checks - even though he has to drive to the bank to deposit them, it's FAR cheaper than the fees charged by the credit card companies.

          1. Michael Wojcik Silver badge

            Re: Reminds me of the convenience store down the block

            Many of the small businesses here have a small percentage surcharge for using credit or debit. That's fine with me – covers their costs, is negligible for me, and lets me use the safer and more convenient option for paying. It may be a violation of their agreement with the card processors, but too bad for the latter, frankly.

        5. Claptrap314 Silver badge

          Re: Reminds me of the convenience store down the block

          When I am financially stable, I love to ask my small business owners "paper or plastic?" EVERYONE prefers paper (with my checkbook out) over plastic. In the US.

        6. X5-332960073452
          Headmaster

          Re: Reminds me of the convenience store down the block

          You may want to look at what those IFR (interchange fee regulations) are actually about.

          They are the fees the BANKS pay on card transactions (between banks), they are NOT the Merchant Fees paid by retailers to Payment Service Providers.

          Repeated later in the comments

      3. Marcelo Rodrigues
        Facepalm

        Re: Reminds me of the convenience store down the block

        " I generally ask if they would prefer cash, because often they're paying 2 or 3 percent of their sales to the credit cards companies."

        People act as if accepting money was free... It isn't.

        1) Open the cashier

        2) Close the cashier

        3) Take the money to the bank (who pays the risk cost?)

        4) Take insurance against robbery

        And so on.

        Credit? Don't even need to open the cashier: it's all accounted for - and you don't even have to think about fake bills. After visa/mastercard/whatever gives the ok, it's not your problem anymore.

        Sure, accepting plastic has its costs too. But money isn't as free as they say...

        1. M.V. Lipvig Silver badge

          Re: Reminds me of the convenience store down the block

          At least in the US, the shopkeeps simply raised prices by the percentage charged by the card companies, so they make more off a cash purchase than a card purchase. I pay with a card almost everywhere, and have a well established, predictable and routine purchasing record. When I wish to purchase something off the record, out comes the cash

  6. Anonymous Coward

    What is it actually?

    Re future biometrics: I don't think they will manage your biometric data - your device is supposed to do that and send them the confirmation only.

    The biometric confirmation only is combined with a device fingerprint and sent to MS encrypted.

    That device fingerprint is partly something builtin to the device, and partly what was installed by MS on the device later, when setting up your security.

    It's unthinkable that a device's firmware biometric interface could ever be hacked to generate confirmations surreptitiously.

    Not even in a raging big state sponsored hackers wildest dreams. So sleep easy!

    1. that one in the corner Silver badge

      Re: What is it actually?

      > you device is supposed to...

      My device is supposed to do many things it oft times fails at (and quite maliciously too)

      > It's unthinkable that a device's firmware biometric interface could ever be hacked

      You just thought of it, then I did, now the person reading this has as well!

      > to generate confirmations surreptitiously

      Don't underestimate the guys at DEFCON! We're just waiting for someone to find the correct sequence of brownout resets and I2C spoofing...

      Also, please don't use the word "hacked" when referring to biometrics - it conjures up some unpleasant images: https://www.theregister.com/2021/05/06/samsung_galaxy/

      1. M.V. Lipvig Silver badge

        Re: What is it actually?

        Dead people are performing at concerts now, dancing around the stage, so how hard would it be to replicate my face for the banker app? Not hard at all.

    2. JWLong

      Re: What is it actually?

      >>Not even in a raging big state sponsored hackers wildest dreams. So sleep easy.

      What do you think AI and ML are for?

      1. Anonymous Coward

        Re: What is it actually?

        you don't need AI nor ML.

        It seems that now it is possible to retrieve DNA from the air, so it is easy to clone you and get the required bio-metric data without your knowledge...

        1. Richard 12 Silver badge
          Facepalm

          Re: What is it actually?

          Much easier to get your fingerprints or iris by mechanical means.

    3. Michael Wojcik Silver badge

      Re: What is it actually?

      Many biometric systems use non-dedicated sensors such as a general-purpose camera (facial recognition) or microphone (voice recognition), or motion/touch sensors for user-distinguishing behavioral features (habitual-motion analysis, gait analysis, etc). Those sensors are all very much vulnerable to privacy-violating design and implementation flaws, as has been demonstrated in practical attacks.

      Dedicated sensors which use a TPM for image[1] storage are vulnerable to attacks on the sensor-TPM connection path, as others have pointed out.

      Dedicated sensors which store images in the sensor itself, as for example some Synaptics fingerprint sensors (are claimed to) do, are potentially vulnerable to implementation errors and physical attacks such as power and radiation attacks. The communication path between the sensor and the host system is vulnerable.

      In short, if you meant all of what you posted to be taken at face value, it's a load of rubbish. If some of the latter bits were meant to be sarcastic, you failed to make that clear.

      [1] "Image" here is an industry term of art referring to whatever data is retained to verify subsequent inputs.

  7. richdin

    Annoying as my bank (if not more)

    My bank (nameless, not blameless) has an annoying habit of "suddenly forgetting" my password every 60 days... forcing me to create a new one thru a torturous process of 2FA and thinking up something clever. They don't say it out loud, but no matter what you try, you can't get in unless you "decide" to request a new password.

    Needless to mention that forcing users to change their passwords often only makes them come up with easier ones - but only allowing English letters and numbers without symbols makes the process worse. Better to stick with a more difficult password created once.

    As they say - more security theatre.

  8. t245t Silver badge
    Terminator

    AiTM attacks are a widespread ..

    "AiTM attacks are a widespread and can pose a major risk to organizations"

    Whatever happened to end-to-end encryption? Isn't the primary cause of such security violations using browser protocols on one end of the connection? Sockets being primarily stateless requiring third-party utilities to authenticate that can be bypassed, as described in the above article.

    ref: AiTM BEC FIDO2 MFA SOCs
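The AiTM point the comment above quotes from the article is the reason "system-preferred" MFA ranks FIDO2 (and the hardware key mentioned in comment 10) above codes and push prompts. The toy model below is an added example, not code from the article or from Microsoft, and it is deliberately simplified: the origins, the fixed TOTP counter and the class names are all constructed for illustration, and the authenticator "signs" with an HMAC over a per-credential secret (which the relying party therefore also holds) instead of the asymmetric signature a real FIDO2 credential produces, so that it runs with the standard library alone. What it does reproduce faithfully is the part that matters: the browser, not the remote server, fills in the origin that gets signed, so an assertion produced while connected to the phishing proxy fails the real site's check, whereas a relayed six-digit code carries no information about where it was typed.

```python
"""Toy AiTM phishing proxy against two second factors (constructed example)."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"            # assumed relying-party origin
EVIL_ORIGIN = "https://login.example-com.evil.test"  # assumed AiTM proxy origin
FIXED_TIME_STEP = 55_000_000   # fixed TOTP counter so the flows are deterministic


def totp(seed: bytes, step: int) -> str:
    """RFC 6238 TOTP for one time step (6 digits, HMAC-SHA1)."""
    digest = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Authenticator:
    """Stand-in for a TPM-backed platform authenticator or a hardware key.
    HMAC replaces the real asymmetric signature (simplification, see lead-in).
    The PIN/biometric unlock happens locally and is not in anything sent."""

    def __init__(self):
        self._secrets = {}   # credential_id -> key material, never exported

    def make_credential(self):
        cred_id = secrets.token_hex(8)
        self._secrets[cred_id] = secrets.token_bytes(32)
        # Given to the relying party once at enrolment (role of the public key).
        return cred_id, self._secrets[cred_id]

    def get_assertion(self, cred_id, challenge, browser_origin):
        # Mirrors WebAuthn clientDataJSON: the browser reports the origin it is
        # actually connected to; the remote server cannot set this field.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True).encode()
        sig = hmac.new(self._secrets[cred_id], client_data, hashlib.sha256).hexdigest()
        return {"credential_id": cred_id, "client_data": client_data, "sig": sig}


class RelyingParty:
    """The genuine login service."""

    def __init__(self, origin):
        self.origin = origin
        self.totp_seed = secrets.token_bytes(20)   # provisioned to the user's OTP app
        self._fido_keys = {}
        self._pending = set()

    def register_fido(self, cred_id, key):
        self._fido_keys[cred_id] = key

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify_otp(self, code, step):
        # Nothing in a 6-digit code says *where* the user typed it.
        return hmac.compare_digest(totp(self.totp_seed, step), code)

    def verify_fido(self, assertion):
        data = json.loads(assertion["client_data"])
        key = self._fido_keys.get(assertion["credential_id"])
        if key is None or data["challenge"] not in self._pending:
            return False                  # unknown credential or replayed challenge
        self._pending.discard(data["challenge"])
        if data["origin"] != self.origin:
            return False                  # origin binding: this is what stops AiTM
        expected = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


def otp_under_aitm():
    """Victim types the code into the proxy; proxy relays it. True = attacker in."""
    rp = RelyingParty(REAL_ORIGIN)
    typed_into_evil_site = totp(rp.totp_seed, FIXED_TIME_STEP)   # from the phone app
    return rp.verify_otp(typed_into_evil_site, FIXED_TIME_STEP)


def fido2_under_aitm():
    """Proxy forwards a real challenge; the victim's browser is on EVIL_ORIGIN."""
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    cred_id, key = auth.make_credential()
    rp.register_fido(cred_id, key)
    assertion = auth.get_assertion(cred_id, rp.new_challenge(), EVIL_ORIGIN)
    return rp.verify_fido(assertion)      # relayed verbatim and rejected


def fido2_direct():
    """Control case: same credential, browser genuinely on REAL_ORIGIN."""
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    cred_id, key = auth.make_credential()
    rp.register_fido(cred_id, key)
    assertion = auth.get_assertion(cred_id, rp.new_challenge(), REAL_ORIGIN)
    return rp.verify_fido(assertion)


if __name__ == "__main__":
    print("OTP relayed by AiTM proxy accepted:  ", otp_under_aitm())    # True
    print("FIDO2 relayed by AiTM proxy accepted:", fido2_under_aitm())  # False
    print("FIDO2 direct to real origin accepted:", fido2_direct())      # True
```

In a real browser the relayed FIDO2 login usually fails one step earlier: the credential's RP ID (`login.example.com`) is not a registrable suffix of the proxy's domain, so the browser refuses to use the credential at all. The server-side origin check shown here is the second line of defence, and it is also why the same credential cannot be replayed: each challenge is single-use.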

    1. OhForF' Silver badge

      Re: AiTM attacks are a widespread ..

      "Whatever happened to end-to-end encryption?"

      In most corporate environments E2EE is broken on purpose as the company policy says they need to monitor your traffic for security reasons.

  9. M.V. Lipvig Silver badge
    Facepalm

    It just occurred to me -

    The sheer number of attacks going on even on new stuff implies that there are hundreds of millions of criminals out there who somehow find vulnerabilities in software about 5 minutes after its release. Criminals just don't tend to be that smart overall, and there just can't be that many intelligent criminals out there.

    The only way I see this is possible is if the software companies themselves are doing this, and using this to herd everyone into letting them handle security. This new push by M$ just made it seem obvious. What better way to convince the sheep to let you be their shepherd than to provide the wolf packs with intelligence? Call me a cynic (I do) but I just can't see any other explanation to how well organized criminal organizations are when it comes to hacking when criminals in all other areas of crime are fairly incompetent. What better way to sell data to advertisers than to do away with the possibility of multiple usernames than to get rid of them and replace them with a means to KNOW you have accurate identifying information?

    Thoughts?

    1. OhForF' Silver badge

      Hundreds of millions of criminals

      Take a handful of intelligent hackers and provide each of them with a few helpers that use computers and that will account for millions of attacks every day.

      I think you underestimate the power of automation.

  10. Antron Argaiv Silver badge
    Happy

    New laptop for work

    First, it wanted me to enroll in something called "Hello Windows". I managed to get them (work laptop, so locked down) to disable that. Then I was supposed to install some Microsoft 2FA app on my phone. No, thanks (and I have been proven correct here) and my coworkers are currently complaining about the new secondary verification which has recently been introduced.

    I purchased my own Yubikey and managed (after a not inconsiderable hassle) to get them to configure it and allow me to use it as my 2FA method instead of the iPhone app (I claimed my phone was too old). Works a treat. Simple, reliable, and all I need to do is remember to keep it with me. It's also much smaller than the iPhone, so easier to carry. Mostly, it just sits in my USB hub.
