Microsoft Wants to Kill Passwords, Starting with Windows 10

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,003
Back in May, Microsoft shared their vision of a world without passwords, and the company is already on its way to making that a reality in the next version of Windows 10: the latest Insider Build supports password-less accounts, which allows users to sign in using their phone and texted codes instead of a traditional passphrase. Users are only asked to re-enter a code if they sign in on a new PC.

You can now create a Microsoft account without a password. Instead, you just provide your phone number. When you sign into Windows 10 with that phone number, Microsoft will text you a code that you enter on the sign-in screen. After that, you can use Windows Hello to set up a PIN, fingerprint, or face login method. You never have to type a password—your account doesn’t even have one!
 

drescherjm

[H]F Junkie
Joined
Nov 19, 2008
Messages
14,918
For a remote connection to work I have to enter my username and password to get redirected to Microsoft. I enter my password again then I have to go to a two phase lookup that requires a phone call or a connection to an Android app. Then I enter my password again. And finally when connected to a site I need to yet again enter the same password for some of the links. If it was not for password utilities I would go nuts..
 

Raghar

Limp Gawd
Joined
Jun 23, 2012
Messages
209
This is scary, I don't have a cell phone. Anyway, giving someone your cellphone number is also an easy way to find your home address.

This stuff has serious privacy issues. (Well you can use phone of people you visit when you activate youtube upload...)
 

MrDeaf

Limp Gawd
Joined
Jun 9, 2017
Messages
428
Instead of trying to kill off the password, Microsoft should work towards passwords that are made up of a bunch of random words.

No one is going to guess my password is GoldTurnHorseAnvil
 

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
20,391
I've used the MS authenticator SMS system before. It works darn well. Well until that one time when the MS authentication servers went down and it all came crashing down... Yeah I remember that day..... You need to authenticate Windows....
 
Joined
Jan 27, 2015
Messages
520
Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with Office and the current ecosystem as well as trends within the company that we may be heading down that path.
 

velusip

[H]ard|Gawd
Joined
Jan 24, 2005
Messages
1,579
Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with Office and the current ecosystem as well as trends within the company that we may be heading down that path.
Not just scraping and selling consumer data, but also verifying and proving its authenticity is becoming big business. i.e. Ad revenue services provide real-time updates to vendors of which sites you are logged into. So it makes sense that Microsoft would want to corroborate identity and activity in real-time across multiple devices. It's potentially worth more than the software licence in the long term.
 
Joined
Jan 27, 2015
Messages
520
Not just scraping and selling consumer data, but also verifying and proving its authenticity is becoming big business. i.e. Ad revenue services provide real-time updates to vendors of which sites you are logged into. So it makes sense that Microsoft would want to corroborate identity and activity in real-time across multiple devices. It's potentially worth more than the software licence in the long term.

Agreed, but the law itself in many countries has yet to catch up with current technologies and business models, I have this great feeling like eventually that data must be anonymous and agnostic data that has zero PII will be regulated because at some point personal data laws will be constructed due to liability for breaches that is costing the country millions if not billions.
 

FlawleZ

[H]ard|Gawd
Joined
Oct 20, 2010
Messages
1,350
My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

The cell phone has changed our world exponentially. Not all of it for the better.
 

fairlane

Limp Gawd
Joined
Jun 18, 2004
Messages
297
OMG :shifty: SMS has been deprecated for use as a form of 2FA for a reason. Also, it's not clear in the article that this is for local accounts, only Microsoft Accounts, which to me is bad for those who are trying to log on while on public networks that have portal pages where you land first. I have a portal page set up that you have to agree to our terms first before you're allowed through but those who use Microsoft accounts to log into Windows can't log in because they can't get past the portal page to ACTUALLY LOG IN :confused: And their Authenticator app is trash. I don't see them allowing support for Google's anytime soon also.

Lastly, as far as I'm concerned SQRL is the way to go for passwordless site authentication


https://www.grc.com/sqrl/sqrl.htm
 
Joined
Oct 11, 2018
Messages
543
Well we all know how reliable cell phone numbers are at identifying people. It's not like you can just steal them out from under people or spoof them with cloned burners
 

Ranulfo

2[H]4U
Joined
Feb 9, 2006
Messages
2,311
After that, you can use Windows Hello to set up a PIN, fingerprint, or face login method. You never have to type a password—your account doesn’t even have one

How in the hell is a PIN not a password? It's just generally numbers and a smaller amount than many passwords. On top of that, it assumes one's cell phone is secure. Insert Bender "you're serious" gif here.
 

[Spectre]

[H] Admin
Staff member
Joined
Aug 29, 2004
Messages
17,331

mtrupi

Gawd
Joined
Mar 26, 2007
Messages
765
Didn't I just see two factor authentication is not secure either? A PC as a Christmas present insisted on Windows setting a PIN after sending a code to the cell phone. I am doubtful, but it seems everyone wants to go this way. Not just MS.
 

RogueKitsune

Weaksauce
Joined
Apr 5, 2011
Messages
110
Using just SMS for authentication seems like a terrible idea, as we have seen several times in the past year just how easy it is to execute a port out.
 

jfreund

[H]ard|Gawd
Joined
Sep 3, 2006
Messages
1,240
Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with Office and the current ecosystem as well as trends within the company that we may be heading down that path.

But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.
 

PenGunn

Limp Gawd
Joined
May 30, 2013
Messages
349
I've been like that on Google for several years now. They just send me a message with a check in click, on my phone. I like it..
 

Nenu

[H]ardened
Joined
Apr 28, 2007
Messages
19,616
This is a ploy to gather even more information about you, now from your mobile.
The world is their oyster.
 

DPI

[H]F Junkie
Joined
Apr 20, 2013
Messages
11,490
This is a ploy to gather even more information about you, now from your mobile.
The world is their oyster.

Ding ding ding!

MS doesn't actually care about security or making customers' lives better or really innovating anything - this is just more trying to ride Android and iPhone coattails and get their hooks into phones to siphon data any way they can, since they failed at their own so spectacularly.

No thanks.
 
Joined
Jan 27, 2015
Messages
520
But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.

Microsoft can try making it a sub, the problem is it will never fly with customers. Before, even I would have said that; the problem is now it's different: Microsoft barely has staff working in the OS division and is more working on information services and alternative projects for a revenue stream. They have 86% of the OS marketshare with no real competitors.

In reality I can see Microsoft offering the OS for a price or pay a sub for access, because I can 100% guarantee Enterprise will never go for this.
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,683
But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.

A few years ago, I would have agreed partially that it could go to a subscription model. But with their recent stuff, their adoption of open-source, and change of attitude towards Linux, it may just as easily go towards a "pay for support" model like a lot of Linux distributions do. I could see a "freemium" tier of the OS where it's free, but to get support, you have to pay and you can't turn off telemetry. They'd make up the license revenue with targeted ads, premium app placement, and other items.

What I don't like is locking a lot of features behind so many different SKUs with limitations. It's a nuisance. If I want Enterprise, let me buy Enterprise.
 

The Mad Atheist

[H]ard|Gawd
Joined
Mar 9, 2018
Messages
1,219
My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

The cell phone has changed our world exponentially. Not all of it for the better.
I don't use a phone service and hate when sites like Twitter or Facebook require a phone number to verify it's not a spam account.
 

Jim Kim

2[H]4U
Joined
May 24, 2012
Messages
3,787
Microsoft Wants to Kill Passwords, Starting with Windows 10

Well they've already killed the desktop os, killing passwords should be a cinch.

No one is going to guess my password is GoldTurnHorseAnvil
But they'd easily guess [^WdGxh&7wcm!kQ286r+ ???
 

likeman

Gawd
Joined
Aug 17, 2011
Messages
782
Wish Google would let us use 2FA keys but in normal mode (the higher hardened mode has too many limits, all I want is to be able to not use SMS and email as an account recovery method as both are insecure and bypass my 2FA yes/no login or 2FA codes)

Be nice if Google would follow MS with no password sign in (unlock phone to use MS authenticator to press yes/no) as I have to use email password then yes/no if 2FA is enabled (if yes/no is only enabled I can use yes/no)
 

mord

Limp Gawd
Joined
Mar 8, 2005
Messages
377
Why is a 4-digit PIN more secure than a 10+ character complex password?

Because it gives Microsoft more access to your personally identifiable information and location info for marketing purposes.
 

Flogger23m

[H]F Junkie
Joined
Jun 19, 2009
Messages
11,507
I don't get it. Getting to a phone just takes longer. Get up, find phone, get phone. Unlock phone. Wait for message. Sometimes it can take 3 minutes to 12 hours to get a message. At this point most people will just turn off any kind of protection making the entire point moot.
 

HAL_404

[H]ard|Gawd
Joined
Dec 16, 2018
Messages
1,069
Each person's DNA is unique to that person. What we need is a small device made by Microsoft and each time a password code is needed we just spit at the device.
 

cjcox

[H]ard|Gawd
Joined
Jun 7, 2004
Messages
1,925
Microsoft defines security!!!! If only they knew what it means.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Each person's DNA is unique to that person. What we need is a small device made by Microsoft and each time a password code is needed we just spit at the device.

Just don't kiss anyone goodbye before trying to sign in.

Seems like a lot of the alternatives to passwords involve extra steps that can go wrong. Instead try NOT forcing an email address as your account name? An account name of say AmberHorseKicksCat and a password of DeadBatterySucksBigtime will take a brute force approach a long time to crack.

When many database breaches provide lists of valid email addresses, it becomes fairly trivial to use that list matched with the top 10 list of passwords against sites that mandate account name = email address.
 

MaZa

2[H]4U
Joined
Sep 21, 2008
Messages
3,245
This is scary, I don't have a cell phone. Anyway, giving someone your cellphone number is also an easy way to find your home address.

This stuff has serious privacy issues. (Well you can use phone of people you visit when you activate youtube upload...)


I cannot help but ask, who in this day and age in a western world does not have a cellphone? And I mean ANY cellphone, even a dumb call and text phone which is all this system needs? And for what reason?
 

Spire3660

[H]ard|Gawd
Joined
Jan 5, 2005
Messages
1,032
It's incredibly frustrating that we continue to be tied to phone numbers. I don't want a phone number, period, I have no need for one other than these stupid authentication schemes.
 

Krenum

Fully [H]
Joined
Apr 29, 2005
Messages
17,741
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
14,257
My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

The cell phone has changed our world exponentially. Not all of it for the better.

Why aren't you using the MS authentication app? You just click "approve" and you don't even have to enter anything.
 