Microsoft Wants to Kill Passwords, Starting with Windows 10

Discussion in 'HardForum Tech News' started by Megalith, Jan 6, 2019.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Back in May, Microsoft shared their vision of a world without passwords, and the company is already on its way to making that a reality in the next version of Windows 10: the latest Insider Build supports password-less accounts, which allow users to sign in using their phone and texted codes instead of a traditional passphrase. Users are only asked to re-enter a code if they sign in on a new PC.

    You can now create a Microsoft account without a password. Instead, you just provide your phone number. When you sign into Windows 10 with that phone number, Microsoft will text you a code that you enter on the sign-in screen. After that, you can use Windows Hello to set up a PIN, fingerprint, or face login method. You never have to type a password—your account doesn’t even have one!
     
  2. Paul_Johnson

    Paul_Johnson [H] Admin Staff Member

    Oh, let me guess how long this takes to run into serious security issues as well............
     
  3. drescherjm

    drescherjm [H]ardForum Junkie

    For a remote connection to work I have to enter my username and password to get redirected to Microsoft. I enter my password again, then I have to go to a two phase lookup that requires a phone call or a connection to an Android app. Then I enter my password again. And finally when connected to a site I need to yet again enter the same password for some of the links. If it was not for password utilities I would go nuts.
     
  4. Raghar

    Raghar Limp Gawd

    This is scary, I don't have a cell phone. Anyway, giving someone your cellphone number is also an easy way to find your home address.

    This stuff has serious privacy issues. (Well, you can use the phone of people you visit when you activate YouTube upload...)
     
  5. EODetroit

    EODetroit [H]ard|Gawd

    If my internet goes out, or Microsoft's server malfunctions, I'm locked out of my own fucking computer. Sounds like a great idea!

    Not.
     
  6. pendragon1

    pendragon1 [H]ardForum Junkie

    You can still use a normal password, I am. This is optional.

    But isn't that a password? ;)
     
  7. The Mad Atheist

    The Mad Atheist Gawd

    No thanks, I'll keep my password.
     
  8. MrDeaf

    MrDeaf Limp Gawd

    Instead of trying to kill off the password, Microsoft should work towards passwords that are made up of a bunch of random words.

    No one is going to guess my password is GoldTurnHorseAnvil
     
  9. cageymaru

    cageymaru [H]ard as it Gets

    I've used the MS authenticator SMS system before. It works darn well. Well until that one time when the MS authentication servers went down and it all came crashing down... Yeah I remember that day..... You need to authenticate Windows....
     
  10. 1Nocturnal101

    1Nocturnal101 Gawd

    Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with office and the current ecosystem as well as trends within the company that we may be heading down that path.
     
  11. velusip

    velusip [H]ard|Gawd

    Not just scraping and selling consumer data, but also verifying and proving its authenticity is becoming big business. i.e. Ad revenue services provide real-time updates to vendors of which sites you are logged into. So it makes sense that Microsoft would want to corroborate identity and activity in real-time across multiple devices. It's potentially worth more than the software licence in the long term.
     
  12. MavericK

    MavericK Zero Cool

    Why is a 4-digit PIN more secure than a 10+ character complex password?
     
  13. 1Nocturnal101

    1Nocturnal101 Gawd

    Agreed, but the law itself in many countries has yet to catch up with current technologies and business models, I have this great feeling like eventually that data must be anonymous and agnostic data that has zero PII will be regulated because at some point personal data laws will be constructed due to liability for breaches that is costing the country millions if not billions.
     
  14. FlawleZ

    FlawleZ Gawd

    My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

    The cell phone has changed our world exponentially. Not all of it for the better.
     
  15. ir0nw0lf

    ir0nw0lf [H]ardness Supreme

    That's what I came in here to say.
     
  16. fightingfi

    fightingfi Look at Me! I need the attention.

    Sooooooooooooooooooo MS now spies on your phone and your PC?
     
  17. fairlane

    fairlane Limp Gawd

    OMG :shifty: SMS has been deprecated for use as a form of 2FA for a reason. Also, it's not clear in the article that this is for local accounts, only Microsoft Accounts, which to me is bad for those who are trying to log on while on public networks that have portal pages where you land first. I have a portal page set up that you have to agree to our terms first before you're allowed through but those who use Microsoft accounts to log into Windows can't log in because they can't get past the portal page to ACTUALLY LOG IN :confused: And their Authenticator app is trash. I don't see them allowing support for Google's anytime soon also.

    Lastly, as far as I'm concerned SQRL is the way to go for passwordless site authentication.


    https://www.grc.com/sqrl/sqrl.htm
     
  18. Darth Ender

    Darth Ender Limp Gawd

    Well, we all know how reliable cell phone numbers are at identifying people. It's not like you can just steal them out from under people or spoof them with cloned burners.
     
  19. Ranulfo

    Ranulfo [H]ard|Gawd

    How in the hell is a PIN not a password? It's just generally numbers and a smaller amount than many passwords. On top of that, it assumes one's cell phone is secure. Insert Bender "you're serious" gif here.
     
  20. Paul_Johnson

    Paul_Johnson [H] Admin Staff Member

    Well, because it says PIN not password in the name. It is sort of like if person A is a mortician and person B is a funeral director.
     
  21. mtrupi

    mtrupi Gawd

    Didn't I just see two factor authentication is not secure either? A PC as a Christmas present insisted on Windows setting a PIN after sending a code to the cell phone. I am doubtful, but it seems everyone wants to go this way. Not just MS.
     
  22. RogueKitsune

    RogueKitsune [H]Lite

    Using just SMS for authentication seems like a terrible idea. As we have seen several times in the past year just how easy it is to execute a port out.
     
  23. jfreund

    jfreund Gawd

    But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.
     
  24. PenGunn

    PenGunn Limp Gawd

    I've been like that on Google for several years now. They just send me a message with a check in click, on my phone. I like it.
     
  25. Nenu

    Nenu [H]ardened

    This is a ploy to gather even more information about you, now from your mobile.
    The world is their oyster.
     
  26. DPI

    DPI Nitpick Police

    Ding ding ding!

    MS doesn't actually care about security or making customers' lives better or really innovating anything - this is just more trying to ride Android and iPhone coattails and get their hooks into phones to siphon data any way they can, since they failed at their own so spectacularly.

    No thanks.
     
    Last edited: Jan 6, 2019
  27. 1Nocturnal101

    1Nocturnal101 Gawd

    Microsoft can try making it a sub, the problem is it will never fly with customers, before even I would have said that, the problem is now it's different Microsoft barely has staff working in the OS division and is more working on information services and alternative projects for a revenue stream they have 86% of the OS marketshare with no real competitors.

    In reality I can see Microsoft offering the OS for a price or pay a sub for access, because I can 100% guarantee Enterprise will never go for this.
     
  28. Spidey329

    Spidey329 [H]ardForum Junkie

    A few years ago, I would have agreed partially that it could go to a subscription model. But with their recent stuff, their adoption of open-source, and change of attitude towards Linux, it may just as easily go towards a "pay for support" model like a lot of Linux distributions do. I could see a "freemium" tier of the OS where it's free, but to get support, you have to pay and you can't turn off telemetry. They'd make up the license revenue with targeted ads, premium app placement, and other items.

    What I don't like is locking a lot of features behind so many different SKUs with limitations. It's a nuisance. If I want Enterprise, let me buy Enterprise.
     
  29. The Mad Atheist

    The Mad Atheist Gawd

    I don't use a phone service and hate when sites like Twitter or Facebook require a phone number to verify it's not a spam account.
     
  30. Jim Kim

    Jim Kim 2[H]4U

    Microsoft Wants to Kill Passwords, Starting with Windows 10

    Well they've already killed the desktop os, killing passwords should be a cinch.

    But they'd easily guess [^WdGxh&7wcm!kQ286r+ ???
     
  31. likeman

    likeman Gawd

    Wish Google would let us use 2FA keys but in normal mode (the higher hardened mode has too many limits, all I want is to be able to not use SMS and email as an account recovery method as both are insecure and bypass my 2FA yes/no login or 2FA codes).

    Be nice if Google would follow MS with no password sign in (unlock phone to use MS authenticator to press yes/no) as I have to use email password then yes/no if 2FA is enabled (if yes/no is only enabled I can use yes/no).
     
  32. mord

    mord Limp Gawd

    Because it gives Microsoft more access to your personally identifiable information and location info for marketing purposes.
     
  33. Flogger23m

    Flogger23m [H]ardForum Junkie

    I don't get it. Getting to a phone just takes longer. Get up, find phone, get phone. Unlock phone. Wait for message. Sometimes it can take 3 minutes to 12 hours to get a message. At this point most people will just turn off any kind of protection making the entire point moot.
     
  34. HAL_404

    HAL_404 Limp Gawd

    Each person's DNA is unique to that person. What we need is a small device made by Microsoft and each time a password code is needed we just spit at the device.
     
  35. cjcox

    cjcox [H]ard|Gawd

    Microsoft defines security!!!! If only they knew what it means.
     
  36. Dead Parrot

    Dead Parrot 2[H]4U

    Just don't kiss anyone goodbye before trying to sign in.

    Seems like a lot of the alternatives to passwords involve extra steps that can go wrong. Instead try NOT forcing an email address as your account name? An account name of say AmberHorseKicksCat and a password of DeadBatterySucksBigtime will take a brute force approach a long time to crack.

    When many database breaches provide lists of valid email addresses, it becomes fairly trivial to use that list matched with the top 10 list of passwords against sites that mandate account name = email address.
     
  37. MaZa

    MaZa 2[H]4U


    I cannot help but ask, who in this day and age in a western world does not have a cellphone? And I mean ANY cellphone, even a dumb call and text phone which is all this system needs? And for what reason?
     
  38. Spire3660

    Spire3660 [H]ard|Gawd

    It's incredibly frustrating that we continue to be tied to phone numbers. I don't want a phone number, period, I have no need for one other than these stupid authentication schemes.
     
  39. Krenum

    Krenum [H]ardForum Junkie

  40. cyclone3d

    cyclone3d [H]ardForum Junkie

    Why aren't you using the MS authentication app? You just click "approve" and you don't even have to enter anything.