@cafeinux @GossiTheDog kind of but kind of not. Actually, if I remember it correctly, it displays a number on the screen of the device you log in and you have to enter the same number in the Authenticator app. But it has been a long time since I have used a Microsoft account, so it may have changed.
Thomas (geekiga@mastodon.social)'s status on Monday, 18-May-2026 19:12:26 JST
cafeinux (cafeinux@infosec.exchange)'s status on Monday, 18-May-2026 19:12:27 JST
@GossiTheDog
So... If I get this right, this "passwordless" feature that major websites advertise as being the most secure authentication method to date actually means, for Microsoft, "back to single-factor authentication"?
Thomas (geekiga@mastodon.social)'s status on Monday, 18-May-2026 19:37:49 JST
@GossiTheDog @cafeinux but doesn’t it change the numbers it shows every time? So you have independent random experiments and the probability of hitting at least one correct is 1-(2/3)^n. But yeah, at around trial number 10, you can hit it with high probability. I hope that Microsoft blocks requests after 3 trials though 😅.
shadowwwind (shadowwwind@fosstodon.org)'s status on Monday, 18-May-2026 21:24:12 JST
@GossiTheDog App-based passwordless. Passkeys don't have that problem.
fuzzyfuzzyfungus (fuzzyfuzzyfungus@cyberplace.social)'s status on Monday, 18-May-2026 21:35:12 JST
@GossiTheDog Is there any explanation for how heavily 'authenticator' features in MS sign-in flows beyond them wanting a beachhead on mobile?
It seems to be a surprisingly stubborn default even on accounts with registered passkeys, and surprisingly hard to remove from the MFA enrollment process even if you are twiddling all the knobs for a tenant and looking to control the situation for your users, not dealing with the random Microsoft consumer account behavior.
shadowwwind (shadowwwind@fosstodon.org)'s status on Monday, 18-May-2026 22:00:50 JST
@GossiTheDog you can disable the app sign in method.
Additionally, I don't have the app. I don't get notifications.
shadowwwind (shadowwwind@fosstodon.org)'s status on Monday, 18-May-2026 22:16:20 JST
@GossiTheDog Screenshot from my personal account showing the remove option.
The only issue I am having is that your original post makes it sound like passwordless is the issue, when the issue here is how Microsoft does it.
Phil (h0ru2@cyberplace.social)'s status on Monday, 18-May-2026 22:35:31 JST
@GossiTheDog Which is the first thing that came to my mind, when I read about it.
How can computer-security-trained people not expect this, when it's so obvious? Was some manager's agenda more important?
Phil (h0ru2@cyberplace.social)'s status on Monday, 18-May-2026 22:46:59 JST
@GossiTheDog @geekiga @cafeinux There are multiple variants of this. Both methods you described exist and are different.
For some reason I have seen more than one at seemingly random times.
An option is also to enter a classic six digit code (one account has eight digits, no idea why or how).
Then, there is also just confirmation without even entering a password.