Is passwordless logins less secure?

Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Is passwordless logins less secure?

Post by squirm »

Microsoft seems to be pushing passwordless logins to their accounts (OneDrive, email, etc.). Usually when logging into my Microsoft account, I would enter my password then the 2FA code from the app. My Microsoft Authenticator app updated recently and I noticed when logging into my Microsoft account no password was required; instead the authenticator pushed a deny or approve popup. I tried logging on from several different computers, same thing. All you do is enter your email username, click enter and the authenticator app pushes a deny/approve popup.

This seems very, very insecure, is it???
All a hacker has to do is simply enter your username, your app asks to deny or approve, but at some point you're going to accidentally hit approve, boom, they're in. Am I missing something here?? Again, this was from any computer I tried, I've never logged in before, so it wasn't like a trusted device.

I found a way to switch it back to asking for a password and code, btw.
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

Passwordless (assuming they do it properly) usually requires a second factor, which is a PIN. For example, if you use passwordless login using a Yubikey, you are or should be required to enter a PIN in addition to the key. Entering the PIN too many times wipes out the key association, resetting the key. That particular method of passwordless has been available for a while for Microsoft accounts.

Recently Microsoft has done two things.
1. Previously you could log into your microsoft account using passwordless but you could not do so on a PC.
2. They updated Microsoft Authenticator to be used as passwordless.

To set up passwordless, you have to install Authenticator first and then set up the account for use with Authenticator. What happens is you get a QR code that you scan into Authenticator, establishing the relationship. Unfortunately, the process still requires you to have an SMS or email recovery. Both weaken your passwordless.

Once you set up your Authenticator, you can go into your Microsoft account and remove the password. Once removed, you cannot remove the Authenticator unless you disable the passwordless, at which point you will have to add a new password.

On Windows, you would set up Windows Hello, which requires you to set up a PIN. The PIN is needed because to log in you have to approve your login on the phone. If you don't have network connectivity, you will have to enter the PIN.

When someone logs in using a new device, the Authenticator prompt will be different. Instead of the usual approve, the screen will be presented with 3 numbers like

80 20 50

To get to the approve button, you have to click on the number that is displayed on your login screen. This screen is warning that something might be wrong, since it must match the number on your login screen.

You will also have additional issues
* You cannot remote to your computer using passwordless.
* If you have a policy that tells you to update the password every 90 days or something, you will need to turn it off or it will prompt you to change your password on a passwordless system.
Last edited by gavinsiu on Fri Jan 14, 2022 5:20 pm, edited 1 time in total.
Makefile
Posts: 1298
Joined: Fri Apr 22, 2016 11:03 pm

Re: Is passwordless logins less secure?

Post by Makefile »

squirm wrote: Fri Jan 14, 2022 1:39 pm This seems very, very insecure, is it???
All a hacker has to do is simply enter your username, your app asks to deny or approve, but at some point you're going to accidentally hit approve, boom, they're in. Am I missing something here?? Again, this was from any computer I tried, I've never logged in before, so it wasn't like a trusted device.
I like to call it one-factor authentication.

You have to keep in context how aggressive the "remember password" feature is in modern browsers, and the lengths people will go to in order to circumvent sites that try to block it (like TreasuryDirect). So whether the password is sitting on the system ripe for the taking, or the user is using a password manager with a master password, for many users the password provides little security anyway. It's just a consequence of how the web has evolved, I guess.

That, and if you think about it, this process is just the same as the "forget password" workflow except not resetting anything, so it's arguably no worse.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

gavinsiu wrote: Fri Jan 14, 2022 3:52 pm Passwordless (assuming they do it properly) usually requires a second factor, which is a PIN. For example, if you use passwordless login using a Yubikey, you are or should be required to enter a PIN in addition to the key. Entering the PIN too many times wipes out the key association, resetting the key. That particular method of passwordless has been available for a while for Microsoft accounts.

Recently Microsoft has done two things.
1. Previously you could log into your microsoft account using passwordless but you could not do so on a PC.
2. They updated Microsoft Authenticator to be used as passwordless.

To set up passwordless, you have to install Authenticator first and then set up the account for use with Authenticator. What happens is you get a QR code that you scan into Authenticator, establishing the relationship. Unfortunately, the process still requires you to have an SMS or email recovery. Both weaken your passwordless.

Once you set up your Authenticator, you can go into your Microsoft account and remove the password. Once removed, you cannot remove the Authenticator unless you disable the passwordless, at which point you will have to add a new password.

On Windows, you would set up Windows Hello, which requires you to set up a PIN. The PIN is needed because to log in you have to approve your login on the phone. If you don't have network connectivity, you will have to enter the PIN.

When someone logs in using a new device, the Authenticator prompt will be different. Instead of the usual approve, the screen will be presented with 3 numbers like

80 20 50

To get to the approve button, you have to click on the number that is displayed on your login screen. This screen is warning that something might be wrong.

You will also have additional issues
* You cannot remote to your computer using passwordless.
* If you have a policy that tells you to update the password every 90 days or something, you will need to turn it off or it will prompt you to change your password on a passwordless system.
In my case, the QR code is kept in my Microsoft account cloud.

The Authenticator updated itself; after that I noticed I could log into my Microsoft account using account verification with my phone, no password was required. All I had to do was enter my email on the login page and a notification was prompted on the Authenticator. I tested logging in on multiple computers, computers that I have never logged into before. Each time, all I had to do was enter my Microsoft email address on the computer, then the Authenticator would prompt me to approve or deny. I was so very concerned about this, I even set up my wife's Microsoft account with her Microsoft Authenticator, same thing. Again, 2FA was enabled.

So if everyone is going this way, basically just a push notification sent to your phone, all I have to do is enter any Outlook email address (valid or not) and see if someone eventually approves me into their account. Sounds pretty easy to hack into someone's account. They could easily accidentally touch the correct number when prompted too.

My MS authenticator also dings when it is prompting me, so in reality if a hacker enters my email address at 2AM my time, I get the pleasure to be woken up with a prompt to basically approve or deny or any other time.

This sounds like a colossal failure in security just waiting to happen.

I figured out a way to undo this mess and set it back to the old system of entering a password on the computer and then entering the TOTP from the authenticator.
UpperNwGuy
Posts: 7081
Joined: Sun Oct 08, 2017 7:16 pm

Re: Is passwordless logins less secure?

Post by UpperNwGuy »

Makefile wrote: Fri Jan 14, 2022 4:02 pm You have to keep in context how aggressive the "remember password" feature is in modern browsers, and the lengths people will go to in order to circumvent sites that try to block it (like TreasuryDirect). So whether the password is sitting on the system ripe for the taking, or the user is using a password manager with a master password, for many users the password provides little security anyway. It's just a consequence of how the web has evolved, I guess.
This paragraph confuses me. Can you explain this in layman's terms?
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

Makefile wrote: Fri Jan 14, 2022 4:02 pm
squirm wrote: Fri Jan 14, 2022 1:39 pm This seems very, very insecure, is it???
All a hacker has to do is simply enter your username, your app asks to deny or approve, but at some point you're going to accidentally hit approve, boom, they're in. Am I missing something here?? Again, this was from any computer I tried, I've never logged in before, so it wasn't like a trusted device.
I like to call it one-factor authentication.

You have to keep in context how aggressive the "remember password" feature is in modern browsers, and the lengths people will go to in order to circumvent sites that try to block it (like TreasuryDirect). So whether the password is sitting on the system ripe for the taking, or the user is using a password manager with a master password, for many users the password provides little security anyway. It's just a consequence of how the web has evolved, I guess.

That, and if you think about it, this process is just the same as the "forget password" workflow except not resetting anything, so it's arguably no worse.
This had nothing to do with any password manager or the browser saving the passwords.

As I said, I went to computers that I have never logged into before (not trusted), opened up the browser, went to the MS website and entered my email address. After that my authenticator app prompted me to approve or deny the login. That was it. Nothing else. If it was a hacker and I accidentally touched the approval or correct number, they're in.
Makefile
Posts: 1298
Joined: Fri Apr 22, 2016 11:03 pm

Re: Is passwordless logins less secure?

Post by Makefile »

UpperNwGuy wrote: Fri Jan 14, 2022 5:14 pm
Makefile wrote: Fri Jan 14, 2022 4:02 pm You have to keep in context how aggressive the "remember password" feature is in modern browsers, and the lengths people will go to in order to circumvent sites that try to block it (like TreasuryDirect). So whether the password is sitting on the system ripe for the taking, or the user is using a password manager with a master password, for many users the password provides little security anyway. It's just a consequence of how the web has evolved, I guess.
This paragraph confuses me. Can you explain this in layman's terms?
Two-factor is supposed to be something you know and something you have.

If your browser has a stash of remembered passwords inside it, this degrades to something that's stored on your computer, and something you have. Or, if you both use the "remember password" feature of your browser, and the "remember this device for 90 days or whatever" feature of the site to bypass 2FA on subsequent logins, it degrades to two things stored on your computer.

In theory it's ok if the remembered password is actually stored using encryption that requires a master password that you type into a password manager (and don't store anywhere). Then it's still indirectly something you know.

But in practice, the most popular password manager is your own browser, which stores the passwords locally on your computer encrypted, but in a way that malware can still access them. You can search online for utilities that extract them. That is, unless you go into your browser preferences and enable a master password, which basically no one does.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

In the Microsoft account settings, you can see how many attempts there were to get into your account, successful or not, throughout the world. It isn't unusual to see many unsuccessful attempts from various countries. Every time the hacker can't get through the first layer, you'll see "unsuccessful attempt, incorrect password". As this happens, you don't even realize it, and it's not a big deal. And if 2FA is turned on and the hacker somehow gets through the password stage, then the second layer will catch them.

However if Microsoft is pushing passwordless logins, and a push is sent to your phone, everyone will get a push notification at least several times a day from hackers and all it will take is that one time you mistakenly hit the accept or the correct number button.
Freefun
Posts: 941
Joined: Sun Jan 14, 2018 3:55 pm

Re: Is passwordless logins less secure?

Post by Freefun »

Google asks me to approve via a pop-up in the Gmail app on a different device since it knows I'm already logged in there.
Remember when you wanted what you currently have?
t_man
Posts: 24
Joined: Sun Oct 04, 2020 6:50 pm

Re: Is passwordless logins less secure?

Post by t_man »

Be very careful with the 'push' method of authentication. If all you do is 'approve' in the app, how do you know it's you or someone else with your credentials attempting the logon. If you have to enter a code from the authenticator app on your screen, then you know it is your computer asking for the code and only you can type it into the screen.

If you use the phone call (press 1 to approve) or the click 'approve' button, you have no way of knowing who is requesting the authentication. Typing in the code on the screen is the most secure when using this type of authentication.
t_man
Posts: 24
Joined: Sun Oct 04, 2020 6:50 pm

Re: Is passwordless logins less secure?

Post by t_man »

Do not use the browser itself for storing the passwords; use a 3rd party tool with a plugin if you want to have them in the browser. Don't use Chrome/Edge to store the passwords, that is far less secure than a 3rd party password manager.
t_man
Posts: 24
Joined: Sun Oct 04, 2020 6:50 pm

Re: Is passwordless logins less secure?

Post by t_man »

squirm wrote: Fri Jan 14, 2022 5:25 pm In the Microsoft account settings, you can see how many attempts there were to get into your account, successful or not, throughout the world. It isn't unusual to see many unsuccessful attempts from various countries. Every time the hacker can't get through the first layer, you'll see "unsuccessful attempt, incorrect password". As this happens, you don't even realize it, and it's not a big deal. And if 2FA is turned on and the hacker somehow gets through the password stage, then the second layer will catch them.

However if Microsoft is pushing passwordless logins, and a push is sent to your phone, everyone will get a push notification at least several times a day from hackers and all it will take is that one time you mistakenly hit the accept or the correct number button.
You have to have a correct user ID and password to get the prompt for MFA. If you ever get an unexpected prompt for MFA, your ID/password are compromised and should be changed immediately.
anon_investor
Posts: 10024
Joined: Mon Jun 03, 2019 1:43 pm

Re: Is passwordless logins less secure?

Post by anon_investor »

t_man wrote: Fri Jan 14, 2022 5:31 pm
squirm wrote: Fri Jan 14, 2022 5:25 pm In the Microsoft account settings, you can see how many attempts there were to get into your account, successful or not, throughout the world. It isn't unusual to see many unsuccessful attempts from various countries. Every time the hacker can't get through the first layer, you'll see "unsuccessful attempt, incorrect password". As this happens, you don't even realize it, and it's not a big deal. And if 2FA is turned on and the hacker somehow gets through the password stage, then the second layer will catch them.

However if Microsoft is pushing passwordless logins, and a push is sent to your phone, everyone will get a push notification at least several times a day from hackers and all it will take is that one time you mistakenly hit the accept or the correct number button.
You have to have a correct user ID and password to get the prompt for MFA. If you ever get an unexpected prompt for MFA, your ID/password are compromised and should be changed immediately.
I thought the OP was talking about the passwordless option.
runninginvestor
Posts: 979
Joined: Tue Sep 08, 2020 8:00 pm

Re: Is passwordless logins less secure?

Post by runninginvestor »

t_man wrote: Fri Jan 14, 2022 5:31 pm
squirm wrote: Fri Jan 14, 2022 5:25 pm In the Microsoft account settings, you can see how many attempts there were to get into your account, successful or not, throughout the world. It isn't unusual to see many unsuccessful attempts from various countries. Every time the hacker can't get through the first layer, you'll see "unsuccessful attempt, incorrect password". As this happens, you don't even realize it, and it's not a big deal. And if 2FA is turned on and the hacker somehow gets through the password stage, then the second layer will catch them.

However if Microsoft is pushing passwordless logins, and a push is sent to your phone, everyone will get a push notification at least several times a day from hackers and all it will take is that one time you mistakenly hit the accept or the correct number button.
You have to have a correct user ID and password to get the prompt for MFA. If you ever get an unexpected prompt for MFA, your ID/password are compromised and should be changed immediately.
it is definitely daunting seeing how many unsuccessful attempts there are when you log into the app and look. :(
lazydavid
Posts: 4065
Joined: Wed Apr 06, 2016 1:37 pm

Re: Is passwordless logins less secure?

Post by lazydavid »

squirm wrote: Fri Jan 14, 2022 5:17 pm This had nothing to do with any password manager or the browser saving the passwords.

As I said, I went to computers that I have never logged into before (not trusted), opened up the browser, went to the MS website and entered my email address. After that my authenticator app prompted me to approve or deny the login. That was it. Nothing else. If it was a hacker and I accidentally touched the approval or correct number, they're in.
So if I understand correctly, the concern is you will get an authentication request that you are not expecting, and instead of either outright ignoring it or rejecting it as fraudulent, you will accept it and grant the bad actor access to your account? It sounds pretty farfetched to me, but if this is a serious concern, then you definitely should add an extra factor.

There is a setting in the Microsoft Authenticator called "App Lock". Turn that on, and when you TRY to approve an authentication attempt or select one of the three validation numbers, you will be prompted for your screen lock. Workflow looks like this:

Push notification arrives
You select "Approve"
You are prompted for your fingerprint/PIN
Authentication proceeds

If you're still worried that you're going to "accidentally" let someone take over your account with this process, then yes you should definitely disable passwordless auth.
quantAndHold
Posts: 6998
Joined: Thu Sep 17, 2015 10:39 pm

Re: Is passwordless logins less secure?

Post by quantAndHold »

UpperNwGuy wrote: Fri Jan 14, 2022 5:14 pm
Makefile wrote: Fri Jan 14, 2022 4:02 pm You have to keep in context how aggressive the "remember password" feature is in modern browsers, and the lengths people will go to in order to circumvent sites that try to block it (like TreasuryDirect). So whether the password is sitting on the system ripe for the taking, or the user is using a password manager with a master password, for many users the password provides little security anyway. It's just a consequence of how the web has evolved, I guess.
This paragraph confuses me. Can you explain this in layman's terms?
Yeah. Of all the different authentication methods, passwords are the least secure. Mostly because people can’t handle the responsibility of setting and maintaining good passwords. It’s been that way for years, and things like Microsoft’s and Google’s authenticators, and Apple’s FaceID are attempts to get around the password problem.
Yes, I’m really that pedantic.
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

squirm wrote: Fri Jan 14, 2022 5:08 pm
In my case, the QR code is kept in my Microsoft account cloud.

The Authenticator updated itself; after that I noticed I could log into my Microsoft account using account verification with my phone, no password was required. All I had to do was enter my email on the login page and a notification was prompted on the Authenticator. I tested logging in on multiple computers, computers that I have never logged into before. Each time, all I had to do was enter my Microsoft email address on the computer, then the Authenticator would prompt me to approve or deny. I was so very concerned about this, I even set up my wife's Microsoft account with her Microsoft Authenticator, same thing. Again, 2FA was enabled.

So if everyone is going this way, basically just a push notification sent to your phone, all I have to do is enter any Outlook email address (valid or not) and see if someone eventually approves me into their account. Sounds pretty easy to hack into someone's account. They could easily accidentally touch the correct number when prompted too.

My MS authenticator also dings when it is prompting me, so in reality if a hacker enters my email address at 2AM my time, I get the pleasure to be woken up with a prompt to basically approve or deny or any other time.

This sounds like a colossal failure in security just waiting to happen.

I figured out a way to undo this mess and set it back to the old system of entering a password on the computer and then entering the TOTP from the authenticator.
The system does try to mitigate this, as I mentioned in my post. Let's say you log into a Microsoft account on a new device; it will display a number on the web page. At the same time, your Authenticator will pop up and present you with a multiple choice of numbers. You must now select from the multiple choice the number on the web page or you won't be able to approve. If you log into a known device, you won't get the multiple choice.

You can try this yourself. Go to your browser, open an InPrivate window and go to https://login.live.com/. Now sign in using your passwordless account. You should get a screen that says check your authenticator and underneath that a number. This number will not appear if you log into a known device.

If a hacker logs into the website on his or her computer, you will get a prompt that asks you to select the number displayed on screen. If you see this and you did not log into a new device, you should definitely not randomly select a number and approve it :-). If you don't approve it, the request will expire. I think the big issue is if your computer is stolen and someone triggers a login. I assume that on your phone, you will need to authenticate some non-Microsoft way to get in.

In my opinion, the passwordless is actually moving in the right direction. They need to work out some of the kinks.
Last edited by gavinsiu on Fri Jan 14, 2022 5:49 pm, edited 1 time in total.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

t_man wrote: Fri Jan 14, 2022 5:31 pm
squirm wrote: Fri Jan 14, 2022 5:25 pm In the Microsoft account settings, you can see how many attempts there were to get into your account, successful or not, throughout the world. It isn't unusual to see many unsuccessful attempts from various countries. Every time the hacker can't get through the first layer, you'll see "unsuccessful attempt, incorrect password". As this happens, you don't even realize it, and it's not a big deal. And if 2FA is turned on and the hacker somehow gets through the password stage, then the second layer will catch them.

However if Microsoft is pushing passwordless logins, and a push is sent to your phone, everyone will get a push notification at least several times a day from hackers and all it will take is that one time you mistakenly hit the accept or the correct number button.
You have to have a correct user ID and password to get the prompt for MFA. If you ever get an unexpected prompt for MFA, your ID/password are compromised and should be changed immediately.
You cannot enter the password. You enter your username and voilà, the Authenticator is asking approve or deny. I just did it on my wife's account with her phone. No numbers either. Just approve or deny.
MathWizard
Posts: 5183
Joined: Tue Jul 26, 2011 1:35 pm

Re: Is passwordless logins less secure?

Post by MathWizard »

I set up security for accounts, and do not set it up that way.
You need password and MFA code from an app. No push to verify.

I've seen the push get people in trouble, since it is so easy to just accept.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

lazydavid wrote: Fri Jan 14, 2022 5:44 pm
squirm wrote: Fri Jan 14, 2022 5:17 pm This had nothing to do with any password manager or the browser saving the passwords.

As I said, I went to computers that I have never logged into before (not trusted), opened up the browser, went to the MS website and entered my email address. After that my authenticator app prompted me to approve or deny the login. That was it. Nothing else. If it was a hacker and I accidentally touched the approval or correct number, they're in.
So if I understand correctly, the concern is you will get an authentication request that you are not expecting, and instead of either outright ignoring it or rejecting it as fraudulent, you will accept it and grant the bad actor access to your account? It sounds pretty farfetched to me, but if this is a serious concern, then you definitely should add an extra factor.

There is a setting in the Microsoft Authenticator called "App Lock". Turn that on, and when you TRY to approve an authentication attempt or select one of the three validation numbers, you will be prompted for your screen lock. Workflow looks like this:

Push notification arrives
You select "Approve"
You are prompted for your fingerprint/PIN
Authentication proceeds

If you're still worried that you're going to "accidentally" let someone take over your account with this process, then yes you should definitely disable passwordless auth.
I would know better and not to approve, although it would be annoying hearing the phone ding knowing someone is trying to get in. As you might know, the PIN entry is optional on the MS authenticator. As far as I know, no other authenticator offers it. I have plenty of family members that I could see going through the simple step of approving.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

This is how easy it is to accidentally hit approve, sorry about all the white space:

Image
quantAndHold
Posts: 6998
Joined: Thu Sep 17, 2015 10:39 pm

Re: Is passwordless logins less secure?

Post by quantAndHold »

I don’t have Microsoft Authenticator installed, but I think how it works is you authenticate with the authenticator. Then when you login to something on your computer or whatever, it uses the phone to authenticate.

There are 3 authentication factors:
  • Something you know (a password)
  • Something you have (in this case, a phone)
  • Something you are (biometrics, like fingerprint or faceid)
2FA is any two of those. Password doesn’t have to be one of the factors. Apple FaceID, for example uses the phone and your face. It sounds like Microsoft does basically the same thing, using your phone, and either a biometric or a password entered on the phone, in order to authenticate.

If Microsoft Authenticator pops up and asks you for approval and you aren’t in the middle of logging into something, wouldn’t you say no and investigate what’s going on?
Yes, I’m really that pedantic.
drk
Posts: 2784
Joined: Mon Jul 24, 2017 10:33 pm
Location: Overlooking Elliott Bay

Re: Is passwordless logins less secure?

Post by drk »

If you're concerned about accidentally approving, I would recommend disabling push notifications or at least enabling Do Not Disturb mode at night. A cursory search didn't turn up an article, but I remember hearing about an attack that involved spamming a company's employees with Duo notifications until they hit approve just to make it stop, assuming that something must have gone haywire.

That said, passwords are useless because people choose weak ones and enter them into any text field you put in front of them. At worst, this kind of MFA approach won't be less secure because at least you can verify that the user has access to a trusted device and (in theory) that the device is in the same approximate location, falling back to additional factors if something seems off.
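The push-spam attack drk remembers is the kind of thing a sign-in log can reveal on the provider's side, or in an organization's own SIEM. The following is an added example written for this thread, not code from Microsoft, Duo or any poster: a small detector run over constructed sign-in log lines. The line format, the event names (push_sent, push_approved, push_denied, push_expired), the 10-minute window and the threshold of 5 pushes are all assumptions chosen for the example.

```python
"""Added example: detect push-notification spam ("MFA fatigue") in sign-in logs.
Log format, event names and thresholds are assumptions, not any vendor's schema."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log (not real data). alice is being spammed with pushes and finally
# taps Approve; bob is a normal sign-in; carol's pushes are too spread out to matter;
# one line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2022-01-14T01:50:00Z user=carol@example.com event=push_sent src=198.51.100.5
2022-01-14T01:50:20Z user=carol@example.com event=push_approved src=198.51.100.5
2022-01-14T01:58:00Z user=carol@example.com event=push_sent src=198.51.100.5
2022-01-14T02:01:10Z user=alice@example.com event=push_sent src=203.0.113.7
2022-01-14T02:02:00Z user=alice@example.com event=push_expired src=203.0.113.7
2022-01-14T02:02:05Z user=alice@example.com event=push_sent src=203.0.113.7
2022-01-14T02:02:40Z user=alice@example.com event=push_denied src=203.0.113.7
2022-01-14T02:03:00Z user=bob@example.com event=push_sent src=192.0.2.10
2022-01-14T02:03:10Z user=alice@example.com event=push_sent src=203.0.113.7
2022-01-14T02:03:12Z user=bob@example.com event=push_approved src=192.0.2.10
this line is not a sign-in event
2022-01-14T02:03:50Z user=alice@example.com event=push_expired src=203.0.113.7
2022-01-14T02:04:20Z user=alice@example.com event=push_sent src=203.0.113.7
2022-01-14T02:05:00Z user=alice@example.com event=push_expired src=203.0.113.7
2022-01-14T02:05:15Z user=alice@example.com event=push_sent src=203.0.113.7
2022-01-14T02:05:55Z user=alice@example.com event=push_expired src=203.0.113.7
2022-01-14T02:06:30Z user=alice@example.com event=push_sent src=203.0.113.7
2022-01-14T02:06:41Z user=alice@example.com event=push_approved src=203.0.113.7
2022-01-14T02:09:00Z user=carol@example.com event=push_sent src=198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, user, event, source ip) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["event"], m["src"]


def detect_push_fatigue(lines, window: timedelta = timedelta(minutes=10), threshold: int = 5) -> List[dict]:
    """Sliding-window count of pushes per user. Two alert types:
    push_flood           - at least `threshold` pushes sent to one user inside `window`
    approval_after_flood - the user approved while a flood was still inside the window
                           (the case where fatigue actually handed over the account)."""
    sent: Dict[str, Deque[datetime]] = defaultdict(deque)  # per user: push times in the window
    flood_active = set()   # users already alerted for the current burst
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, event, src = rec
        q = sent[user]
        while q and ts - q[0] > window:      # drop pushes that fell out of the window
            q.popleft()
        if len(q) < threshold:
            flood_active.discard(user)       # re-arm once the burst has aged out
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flood_active:
                flood_active.add(user)
                alerts.append({"user": user, "type": "push_flood", "count": len(q), "at": ts, "src": src})
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append({"user": user, "type": "approval_after_flood", "count": len(q), "at": ts, "src": src})
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{a['at']:%H:%M:%S} {a['type']:22s} {a['user']} pushes_in_window={a['count']} src={a['src']}")
```

On the sample log this raises one push_flood alert for alice at the fifth push and one approval_after_flood alert when she approves the sixth; bob and carol stay quiet. The second alert type is the one worth paging on, since it means the attacker got in; the first is the cue to lock the account or rotate the push method before that happens.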
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

You are not getting the same thing I am seeing. Let's say I log into a new device, here's what I get:

Image https://postimg.cc/fS3qVfy0

On my android phone, I receive this popup

Image https://postimg.cc/SXvWnFMD

To approve, you must select the number matching the login. In this case, you must press 20. This prompt does not appear if you select an existing device, you get an approve or deny.

Note: I haven't used the image tag before and am not sure what I am doing wrong.
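To make the difference between the two prompts in this thread concrete (the plain Approve/Deny screen squirm gets, the three-number choice gavinsiu gets, and t_man's point about typing a number off the screen), here is an added example written for this thread; it is not Microsoft's code and does not reflect how Authenticator is implemented. It is a toy sign-in server with three prompt styles and a "blind tap" user who approves without looking at the sign-in page, so the odds of an attacker-triggered push getting approved can be compared. The class names, the 60-second expiry and the 0-99 number range are assumptions.

```python
"""Added example (not Microsoft's code): a toy passwordless push server in three prompt styles,
so the blind-tap risk discussed in the thread can be measured side by side.
Class names, the 60 s expiry and the 100 possible numbers are assumptions."""
import random
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUSH_TTL = 60.0  # seconds a pending push stays approvable (assumed)
MODES = ("approve", "match3", "typed")  # plain Approve/Deny; pick 1 of 3; type the 2-digit number


@dataclass
class PushRequest:
    request_id: str
    username: str
    number: Optional[int]       # number shown on the sign-in page; None for plain approve/deny
    choices: Tuple[int, ...]    # buttons offered in the app in "match3"; empty otherwise
    created_at: float
    state: str = "pending"      # pending -> approved | denied | expired


class SignInServer:
    """Hypothetical identity provider side of the exchange."""

    def __init__(self, mode: str, seed: Optional[int] = None, ttl: float = PUSH_TTL):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.ttl = mode, ttl
        # A seed makes runs reproducible; without one, use OS randomness as a real server would.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.requests: Dict[str, PushRequest] = {}

    def start_sign_in(self, username: str, now: float) -> PushRequest:
        """Browser -> server: the username alone is enough to fire a push; no password involved."""
        number = None if self.mode == "approve" else self.rng.randrange(100)
        choices: Tuple[int, ...] = ()
        if self.mode == "match3":
            decoys = self.rng.sample([n for n in range(100) if n != number], 2)
            buttons = [number] + decoys
            self.rng.shuffle(buttons)
            choices = tuple(buttons)
        req = PushRequest(secrets.token_hex(8), username, number, choices, now)
        self.requests[req.request_id] = req
        return req

    def respond(self, request_id: str, approve: bool, entered: Optional[int], now: float) -> str:
        """Phone -> server. Returns the request's final state."""
        req = self.requests[request_id]
        if req.state != "pending":
            return req.state                     # a decision is final; replays change nothing
        if now - req.created_at > self.ttl:
            req.state = "expired"                # an ignored push cannot be approved later
        elif not approve:
            req.state = "denied"
        elif req.number is not None and entered != req.number:
            req.state = "denied"                 # wrong number counts as a failed attempt
        else:
            req.state = "approved"
        return req.state


def blind_tap(server: SignInServer, req: PushRequest, now: float) -> str:
    """A user who taps through the prompt without reading the sign-in screen."""
    if server.mode == "approve":
        return server.respond(req.request_id, True, None, now)
    if server.mode == "match3":
        return server.respond(req.request_id, True, server.rng.choice(req.choices), now)
    return server.respond(req.request_id, True, server.rng.randrange(100), now)


def blind_approval_rate(mode: str, trials: int, seed: Optional[int] = None) -> float:
    """Fraction of attacker-triggered pushes that a blind tap approves in the given mode."""
    server = SignInServer(mode, seed)
    approved = 0
    for i in range(trials):
        req = server.start_sign_in("victim@example.com", now=float(i))
        approved += blind_tap(server, req, now=float(i)) == "approved"
    return approved / trials


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:8s} blind tap approves {blind_approval_rate(mode, 2000):.1%} of attacker pushes")
    srv = SignInServer("match3")
    req = srv.start_sign_in("victim@example.com", now=0.0)
    print("number on sign-in page:", req.number, " buttons in app:", req.choices)
    print("push ignored past expiry ->", srv.respond(req.request_id, True, req.number, PUSH_TTL + 1))
```

Run it and the plain prompt is approved by a blind tap every time, the three-button prompt about one time in three, and the typed number about one time in a hundred. The model also shows why gavinsiu's "just let it expire" advice works: once the TTL passes, even the correct number no longer approves the request. What none of the modes fixes is the part squirm objects to, which is that anyone who knows the email address can make the phone ding.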
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

drk wrote: Fri Jan 14, 2022 6:06 pm If you're concerned about accidentally approving, I would recommend disabling push notifications or at least enabling Do Not Disturb mode at night. A cursory search didn't turn up an article, but I remember hearing about an attack that involved spamming a company's employees with Duo notifications until they hit approve just to make it stop, assuming that something must have gone haywire.

That said, passwords are useless because people choose weak ones and enter them into any text field you put in front of them. At worst, this kind of MFA approach won't be less secure because at least you can verify that the user has access to a trusted device and (in theory) that the device is in the same approximate location, falling back to additional factors if something seems off.
How I was able to get around it was by going into the MS security account and installing an "other" authenticator. The QR picture is shown and you complete installing from there. That is the only way you can get out of using push.

Yes, I only use random character passwords and TOTP 2FA.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

gavinsiu wrote: Fri Jan 14, 2022 6:12 pm You are not getting the same thing I am seeing. Let's say I log into a new device, here's what I get:

Image https://postimg.cc/fS3qVfy0

On my android phone, I receive this popup

Image https://postimg.cc/SXvWnFMD

To approve, you must select the number matching the login. In this case, you must press 20. This prompt does not appear if you select an existing device; there you just get an approve or deny.

Note: I haven't used the image tag before and am not sure what I am doing wrong.

No, I don't get that. I get the deny or approve prompt that I posted above. Scary. Thanks for going through the effort of capturing and posting what you get.
drk
Posts: 2784
Joined: Mon Jul 24, 2017 10:33 pm
Location: Overlooking Elliott Bay

Re: Is passwordless logins less secure?

Post by drk »

squirm wrote: Fri Jan 14, 2022 6:19 pm How I was able to get around it was by going into the MS security account and installing an "other" authenticator. The QR picture is shown and you complete installing from there. That is the only way you can get out of using push.
It seems like you misunderstood my recommendation. On your phone, you can disable push notifications from the Authenticator app. That way you would have to intentionally unlock your phone and open the app to sign in, rather than getting noisy alerts at 2 am and interacting with the notification from the lock screen.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

drk wrote: Fri Jan 14, 2022 6:27 pm
squirm wrote: Fri Jan 14, 2022 6:19 pm How I was able to get around it was by going into the MS security account and installing an "other" authenticator. The QR picture is shown and you complete installing from there. That is the only way you can get out of using push.
It seems like you misunderstood my recommendation. On your phone, you can disable push notifications from the Authenticator app. That way you would have to intentionally unlock your phone and open the app to sign in, rather than getting noisy alerts at 2 am and interacting with the notification from the lock screen.
I see what you're saying; yup, that's an option, thanks! Fortunately, I reverted it back to the way it was, so it just displays the TOTP now.
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

squirm wrote: Fri Jan 14, 2022 6:21 pm
gavinsiu wrote: Fri Jan 14, 2022 6:12 pm You are not getting the same thing I am seeing. Let's say I log into a new device, here's what I get:

Image https://postimg.cc/fS3qVfy0

On my android phone, I receive this popup

Image https://postimg.cc/SXvWnFMD

To approve, you must select the number matching the login. In this case, you must press 20. This prompt does not appear if you select an existing device; there you just get an approve or deny.

Note: I haven't used the image tag before and am not sure what I am doing wrong.

No, I don't get that. I get the deny or approve prompt that I posted above. Scary. Thanks for going through the effort of capturing and posting what you get.
Where is your screenshot coming from? Mine is on an Android phone, version 6.2112.8250. This may be a bug or something, or maybe you have a different version of the app, though that may also be a security issue if you can bypass it using an older app.
SnowBog
Posts: 2615
Joined: Fri Dec 21, 2018 11:21 pm

Re: Is passwordless logins less secure?

Post by SnowBog »

For what it's worth, I'd argue passwordless - especially how Microsoft is doing it - is vastly more secure than any other alternative.

The caveat is for most people, this is done via their Authenticator app installed on their mobile phone. Obviously, you need to ensure that device is itself secure/protected, and as noted in my post below ensure Authenticator is set up for "screen lock". I think most people "know" when they don't have their phone (and maybe suffer withdrawals :wink:), so that part should be covered... Ideally their phone is locked with biometrics as well.

Combined, this means for someone to access your account they would need to:
  • Steal your mobile device
  • Have a way to bypass your biometric lock on your mobile device
  • And hide both of the above from you so that you don't go in and remove your - now lost/stolen - device
I'll take those odds!!!

And to add context, as most people "save passwords" to their browser - if they could get through the first 2 bullets above, they likely have access to your accounts regardless. But again, with the "passwordless" approach, the "saved password" is irrelevant. Once I update my device as lost - they can't access my account anymore.

And far more common are "phishing" attacks or other things attempting to steal my passwords - passwordless makes those forms of attacks obsolete! I'd be very, very happy - and far more secure - if/as more companies/sites support passwordless!
Last edited by SnowBog on Fri Jan 14, 2022 7:13 pm, edited 1 time in total.
SnowBog
Posts: 2615
Joined: Fri Dec 21, 2018 11:21 pm

Re: Is passwordless logins less secure?

Post by SnowBog »

drk wrote: Fri Jan 14, 2022 6:27 pm
squirm wrote: Fri Jan 14, 2022 6:19 pm How I was able to get around it was by going into the MS security account and installing an "other" authenticator. The QR picture is shown and you complete installing from there. That is the only way you can get out of using push.
It seems like you misunderstood my recommendation. On your phone, you can disable push notifications from the Authenticator app. That way you would have to intentionally unlock your phone and open the app to sign in, rather than getting noisy alerts at 2 am and interacting with the notification from the lock screen.
Personally, that's not what I'd recommend...

I think the push notifications are very helpful - both in making it easier to leverage the capability - as well as an "early warning system" if someone is trying to access your account without permissions.

That said, I'd offer an alternative that I think accomplishes the same thing you were recommending without removing the push notifications.

First, open the Authenticator app, go into settings, and turn on App Lock. This will require the phone to be unlocked - so a random person with physical access to your phone can't "allow" access - they'd need to be able to unlock your phone (as you suggested).

Second, I really don't want any random notices going off at 2 AM - from Authenticator or otherwise. So, I use the "do not disturb" setting on my phone to suppress (aka make silent) any alerts during my sleeping hours. That addresses your 2nd recommendation! (Admittedly you won't get the "early warning system" if a hacker is trying to access your account while you are asleep - but the reality is I wouldn't have heard the notice anyway... But when I get up, I'd see the alerts [since Push was left enabled] and know I need to check things out ASAP.)
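SnowBog's "early warning system" point, and drk's earlier mention of an attack that spams employees with prompts until someone approves, both come down to the same signal: a burst of pushes the user did not approve, sometimes followed by one that they did. The following is an added example, not code from the thread or from any vendor product. It scans constructed sign-in log lines (the `timestamp user ip outcome` layout is an assumption) with a per-user sliding window and flags users who accumulated at least `threshold` unapproved pushes inside `window`, marking separately the dangerous case where an approval came right after such a burst.

```python
"""Flag MFA push-bombing in sign-in logs.  Added example; not from the thread
or any product.  Log layout, thresholds and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log, one push prompt per line: timestamp user ip outcome.
# alice: six unapproved prompts in five minutes, then an approval (bombing).
# bob:   one mis-tap then an approval (ordinary user behaviour).
# carol: a single clean approval.
SAMPLE_LOG = """\
2022-01-14T02:01:10Z alice 203.0.113.7 denied
2022-01-14T02:01:41Z alice 203.0.113.7 denied
2022-01-14T02:02:15Z alice 203.0.113.7 timeout
2022-01-14T02:03:02Z alice 203.0.113.7 denied
2022-01-14T02:03:40Z alice 203.0.113.7 timeout
2022-01-14T02:04:22Z alice 203.0.113.7 denied
2022-01-14T02:05:05Z alice 203.0.113.7 approved
2022-01-14T09:15:00Z bob 198.51.100.20 denied
2022-01-14T09:15:30Z bob 198.51.100.20 approved
2022-01-14T09:20:00Z carol 192.0.2.44 approved
"""

Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Event:
    """Parse one `timestamp user ip outcome` line into a tuple."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome.lower()


def find_push_bombing(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return {user: alert} for users with >= threshold unapproved pushes
    (denied or timeout) inside any `window`.  An alert records the start of
    the burst, its peak size, the requesting IPs, and whether the user then
    approved a push while the burst was still inside the window."""
    events: List[Event] = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> unapproved times
    alerts: Dict[str, dict] = {}
    for ts, user, ip, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:      # drop entries that fell out of the window
            q.popleft()
        if outcome != "approved":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"first_seen": q[0], "unapproved": 0,
                                                 "ips": set(), "approved_after_burst": False})
                alert["unapproved"] = max(alert["unapproved"], len(q))
                alert["ips"].add(ip)
        elif user in alerts and q and ts - q[-1] <= window:
            # The worst case: the user finally tapped Approve on a bombed prompt.
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {alert['unapproved']} unapproved pushes from {sorted(alert['ips'])} "
              f"starting {alert['first_seen']:%H:%M:%S}; "
              f"approved afterwards: {alert['approved_after_burst']}")
```

On a real tenant this is the query you would run over the sign-in log rather than rely on the victim noticing the prompts at 2 AM; an `approved_after_burst` hit is the one that should page someone, because the account is already open.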
drk
Posts: 2784
Joined: Mon Jul 24, 2017 10:33 pm
Location: Overlooking Elliott Bay

Re: Is passwordless logins less secure?

Post by drk »

SnowBog wrote: Fri Jan 14, 2022 7:11 pm Second, I really don't want any random notices going off at 2 AM - from Authenticator or otherwise. So, I use the "do not disturb" setting on my phone to suppress (aka make silent) any alerts during my sleeping hours.
This is literally what I recommended above:
drk wrote: Fri Jan 14, 2022 6:06 pm If you're concerned about accidentally approving, I would recommend disabling push notifications or at least enabling Do Not Disturb mode at night.
Feel free to use push notifications if you like, but I prefer to own my attention, so I disable them.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

gavinsiu wrote: Fri Jan 14, 2022 6:58 pm
squirm wrote: Fri Jan 14, 2022 6:21 pm
gavinsiu wrote: Fri Jan 14, 2022 6:12 pm You are not getting the same thing I am seeing. Let's say I log into a new device, here's what I get:

Image https://postimg.cc/fS3qVfy0

On my android phone, I receive this popup

Image https://postimg.cc/SXvWnFMD

To approve, you must select the number matching the login. In this case, you must press 20. This prompt does not appear if you select an existing device; there you just get an approve or deny.

Note: I haven't used the image tag before and am not sure what I am doing wrong.

No, I don't get that. I get the deny or approve prompt that I posted above. Scary. Thanks for going through the effort of capturing and posting what you get.
Where is your screenshot coming from? Mine is on an Android phone, version 6.2112.8250. This may be a bug or something, or maybe you have a different version of the app, though that may also be a security issue if you can bypass it using an older app.
Same version 6.2112.8250, just checked. Screen shot was from my wife's phone, I clipped out everything else.
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

squirm wrote: Fri Jan 14, 2022 7:19 pm Same version 6.2112.8250, just checked. Screen shot was from my wife's phone, I clipped out everything else.
What type of phone is your wife using? Is it an Android phone or iOS? Just trying to track down the differences.
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

drk wrote: Fri Jan 14, 2022 7:15 pm Feel free to use push notifications if you like, but I prefer to own my attention, so I disable them.
I feel push notifications are pointless for an authenticator. You are the owner of the account, so you would know that you are logging in, so there is no need to notify you that you are logging in.
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

gavinsiu wrote: Fri Jan 14, 2022 7:33 pm
squirm wrote: Fri Jan 14, 2022 7:19 pm Same version 6.2112.8250, just checked. Screen shot was from my wife's phone, I clipped out everything else.
What type of phone is your wife using? Is it an Android phone or IOS? Just trying to track down the differences.
She has an Android.
Kenkat
Posts: 7848
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Is passwordless logins less secure?

Post by Kenkat »

In my instance, I have to unlock my phone using biometric and then a second biometric authentication when I go into MS Authenticator to respond to the request.
gavinsiu
Posts: 142
Joined: Sun Nov 14, 2021 12:42 pm

Re: Is passwordless logins less secure?

Post by gavinsiu »

squirm wrote: Fri Jan 14, 2022 7:35 pm She has an Android.
I installed the app on a totally different android device. The popup appears with the number, too. Did you notice a number when you log into an unknown device on the device's side?
Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

gavinsiu wrote: Fri Jan 14, 2022 9:15 pm
squirm wrote: Fri Jan 14, 2022 7:35 pm She has an Android.
I installed the app on a totally different android device. The popup appears with the number, too. Did you notice a number when you log into an unknown device on the device's side?
Thanks for going out of your way like this.
That's a toughie because I just don't remember. I can check later when my wife returns with her phone.
anon_investor
Posts: 10024
Joined: Mon Jun 03, 2019 1:43 pm

Re: Is passwordless logins less secure?

Post by anon_investor »

Kenkat wrote: Fri Jan 14, 2022 8:20 pm In my instance, I have to unlock my phone using biometric and then a second biometric authentication when I go into MS Authenticator to respond to the request.
That is how mine acts also when authenticating a session on the same device.
SnowBog
Posts: 2615
Joined: Fri Dec 21, 2018 11:21 pm

Re: Is passwordless logins less secure?

Post by SnowBog »

drk wrote: Fri Jan 14, 2022 7:15 pm
SnowBog wrote: Fri Jan 14, 2022 7:11 pm Second, I really don't want any random notices going off at 2 AM - from Authenticator or otherwise. So, I use the "do not disturb" setting on my phone to suppress (aka make silent) any alerts during my sleeping hours.
This is literally what I recommended above:
drk wrote: Fri Jan 14, 2022 6:06 pm If you're concerned about accidentally approving, I would recommend disabling push notifications or at least enabling Do Not Disturb mode at night.
Feel free to use push notifications if you like, but I prefer to own my attention, so I disable them.
My apologies!

I missed that post. I only saw the followup I quoted. My bad. :beer
SnowBog
Posts: 2615
Joined: Fri Dec 21, 2018 11:21 pm

Re: Is passwordless logins less secure?

Post by SnowBog »

gavinsiu wrote: Fri Jan 14, 2022 7:35 pm
drk wrote: Fri Jan 14, 2022 7:15 pm Feel free to use push notifications if you like, but I prefer to own my attention, so I disable them.
I feel push notifications are pointless for an authenticator. You are the owner of the account, so you would know that you are logging in, so there is no need to notify you that you are logging in.
Except for when someone who isn't you is attempting to log in to your account... And you might want to know about it so you can take action before damage is done...
donfairplay
Posts: 237
Joined: Mon Oct 06, 2008 8:16 pm

Re: Is passwordless logins less secure?

Post by donfairplay »

On your wife's phone, you need to disable passwordless login in your wife's Microsoft account page. (account home -> security -> security dashboard -> advanced security options, then toggle off "passwordless account")

You can still have your Microsoft account authenticated by authenticator without the passwordless login option.

Topic Author
squirm
Posts: 3968
Joined: Sat Mar 19, 2011 11:53 am

Re: Is passwordless logins less secure?

Post by squirm »

donfairplay wrote: Sat Jan 15, 2022 12:44 am On your wife's phone, you need to disable passwordless login in your wife's Microsoft account page. (account home -> security -> security dashboard -> advanced security options, then toggle off "passwordless account")

You can still have your Microsoft account authenticated by authenticator without the passwordless login option.

Thanks, however the passwordless option has always been turned off.
The *authenticator* displays passwordless under the account, but there is no way to change it.
I know this sounds confusing, but when I log into the MS account via the website, the passwordless option is turned off, and always has been off. But when I go to the phone and open the MS Authenticator and press on the MS account, it says passwordless, but there is no option to turn that off.

The fix was to remove the MS Authenticator login option on her MS website, then add an "other" authenticator. Now it reverts back to asking for the password and 6 digits.

I believe MS is trying to push more accounts onto passwordless; this is one of their ways of doing that.

IMO, email accounts need to be very very secured, I don't like the push notifications...
SnowBog
Posts: 2615
Joined: Fri Dec 21, 2018 11:21 pm

Re: Is passwordless logins less secure?

Post by SnowBog »

For clarification, the "passwordless" setting actually removes the password from your account. The only way to login would be through a trusted approach like Windows Hello or via the Authenticator app.