Microsoft Moving to Two Factor Authentication For Their Accounts


Well, well, well: Microsoft is catching up to companies like Google when it comes to securing user accounts. Although many of the steps it has announced are still in development, we are at least hearing that it will roll out two-factor authentication (TFA) for Microsoft Account services. Google and a few others already do this, using either an app or a hardware token that generates a short code you must enter to prove it is really you. The move comes as many are criticizing Microsoft for making such a big push to the cloud.

According to the pictures over at LiveSide.net the authentication UI looks very similar to what Google uses for Gmail, Google+ and YouTube. We do not know the details of how Microsoft is implementing this, but the process itself is fairly straightforward. When you log in with your user name and password, a second challenge is sent to you. You enter a one-time password (OTP): a short code that is not actually random, but is computed from a secret shared with Microsoft when you enrolled, combined with either a counter or the current time (the open HOTP and TOTP standards are the usual choices; which one Microsoft uses we cannot say). The authentication servers compute the same code on their end and compare it with what you typed. If everything matches you are granted access and all is well. There are a few caveats though. This will not work on linked accounts, so you will need to break them, and you will also have to generate a special "App Password" for mobile apps like Microsoft Mail (the same arrangement Google uses). Treat those app passwords as carefully as your main password: they are long-lived and they let a client in without the second step.

This is a good move by Microsoft, although we have to remind everyone that there is no such thing as a fully secure service (or OS, email client, browser, etc.). One correction to a common worry: the algorithms behind these codes are published standards, so an attacker gains nothing by stealing "the algorithm". What matters is the per-account secret seed. In the past hackers have compromised token vendors' servers and walked off with seed data (the 2011 RSA SecurID breach is the best-known case), and with a user's seed in hand it is entirely possible to generate a valid code for that account. The good news is that the effort needed to get at a single account is usually not worth it to the hackers. They might publish proof that they broke in and obtained the data, but unless they really want what you have, you are pretty safe. It is also worth remembering that if a hacker has gotten in far enough to reach the servers that hold the OTP seeds, they probably have access to much more interesting things than your email or documents.

Still, we have to chuckle a little as we look over the images LiveSide has posted on their website. After working through Google's TFA setup, I was experiencing a nice case of deja vu; after all, their pages look almost identical to what you see when setting this up for a Google account, right down to the "App Password" feature. Now all we are waiting for is Apple to come along, try to patent this, and then sue everyone claiming they invented it first...

Image credit LiveSide.net
