According to the pictures over at LiveSide.net, the authentication UI looks very similar to what Google uses for Gmail, Google+ and YouTube. While we do not know the details of how Microsoft is implementing this, it is a fairly straightforward process. After you log in with your user name and password, you are prompted a second time. You then enter a one-time password that is randomly generated for you based on whatever algorithm Microsoft is using at the time (there are plenty). The authentication servers check this code to verify that it is indeed you. If everything passes, you are granted access and all is well. There are a few caveats, though: this will not work on linked accounts, so you will need to unlink them, and you will also have to generate a special “App Password” for mobile apps like Microsoft Mail (which is the same as the Google Service).
This is a good move by Microsoft, although we have to remind everyone that there is no such thing as a secure service (or OS, email client, browser, etc.). In the past, hackers have been able to compromise servers and gain access to the algorithm that is used to generate the codes. With this in hand, it is theoretically possible to create a password that would allow you to gain access to a user’s account. The good news here is that the effort needed to gain access to a single account is often not worth it to the hackers. They might release information showing that they were able to break in and gain the code, but from there, unless they really want what you have, you are pretty safe. It is also important to remember that if a hacker has gotten in so far that they have access to the servers that generate the OTP (One Time Password) algorithms, they probably have access to much more interesting things than your email or documents.
Still, we had to chuckle a little bit as we looked over the images that LiveSide has posted on its website. After working through Google’s TFA setup, I was experiencing a nice case of déjà vu; after all, their pages look almost identical to what you would see when setting this up for a Google account, including the “App Password” feature. Now what we are waiting for is Apple to come along and try to patent this and then sue everyone claiming they invented it first…
Image credit LiveSide.net