Microsoft Account passwordless authentication

SpyderTracks

We love you Ukraine
Microsoft are heavily pushing passwordless authentication for Microsoft Accounts. I think all the big providers are heading this way; 2025 is the cut-off when they want to fully do away with passwords and head to biometric MFA completion over mobile devices.

Passwordless works very well, although almost as soon as I'd activated it, I got an attempt from an IP in China, so you have to be aware not to just click approve on your authenticator app.

BUT, if you're doing any kind of RDP connections, currently a passwordless Microsoft Account is not supported. There are workarounds, but they greatly compromise security. If you require an RDP connection to that PC, I'd suggest not using passwordless at the moment until Microsoft roll out a fix for it.
 

Martinr36

MOST VALUED CONTRIBUTOR
2025 is the cut-off when they want to fully do away with passwords and head to biometric MFA completion over mobile devices.
That's all well and good if the biometrics sensor on the mobile device works properly. I've got face recognition on my Samsung Galaxy Tab 7FE with a PIN as fallback; 99.9% of the time I have to use my PIN.
 

SpyderTracks

We love you Ukraine
That's all well and good if the biometrics sensor on the mobile device works properly. I've got face recognition on my Samsung Galaxy Tab 7FE with a PIN as fallback; 99.9% of the time I have to use my PIN.
More and more laptops now come with biometrics built in. I think Windows Hello face ID will become the norm for most devices over the next couple of years. Seems like Macs are sticking to fingerprint; not sure what Chromebooks are doing now, but I think it's fingerprint also.

I reckon, since Windows 11 requires TPM, they'll start shipping modular biometric readers at low cost for PCs within the next 6 months or so to prepare people with PCs. Or use Windows Hello certified webcams.
 

Tron1982

VALUED CONTRIBUTOR
Microsoft are heavily pushing passwordless authentication for Microsoft Accounts. I think all the big providers are heading this way; 2025 is the cut-off when they want to fully do away with passwords and head to biometric MFA completion over mobile devices.

Passwordless works very well, although almost as soon as I'd activated it, I got an attempt from an IP in China, so you have to be aware not to just click approve on your authenticator app.

BUT, if you're doing any kind of RDP connections, currently a passwordless Microsoft Account is not supported. There are workarounds, but they greatly compromise security. If you require an RDP connection to that PC, I'd suggest not using passwordless at the moment until Microsoft roll out a fix for it.

..........
Please, don't. Just, don't ...
Anyway, I know I'm old-fashioned sometimes for some things, but giving my biometrics to a Big Tech company is a big no-no for me ...
 

TonyCarter

VALUED CONTRIBUTOR
..........
Please, don't. Just, don't ...
Anyway, I know I'm old-fashioned sometimes for some things, but giving my biometrics to a Big Tech company is a big no-no for me ...
Isn't the point that the encrypted biometric data stays on the computer, in a secure chip (TPM / Secure Enclave / T2 chip), so that Microsoft/Apple/Google never actually get to see it?

So when the computer/website asks for identification, it simply asks if it's 'you'... the chip checks the stored biometric data against the live data it's requesting from the biometric sensor (finger, eye, face, etc.) and then says "Yes, it's me". It only sends the response in the form of a confirmation, but does not send the biometric data as proof.
 

SpyderTracks

We love you Ukraine
Isn't the point that the encrypted biometric data stays on the computer, in a secure chip (TPM / Secure Enclave / T2 chip), so that Microsoft/Apple/Google never actually get to see it?

So when the computer/website asks for identification, it simply asks if it's 'you'... the chip checks the stored biometric data against the live data it's requesting from the biometric sensor (finger, eye, face, etc.) and then says "Yes, it's me". It only sends the response in the form of a confirmation, but does not send the biometric data as proof.
Yep, that's what makes them so much more reliable: they're never shared outside of the local device.
 

SpyderTracks

We love you Ukraine
So what about logging into things such as OneDrive?

You're not actually logging onto OneDrive, or any other account, with biometrics.

All that's happening is the device you're on is sending you a prompt with a code to confirm it's you.

Your biometrics are used for the device to confirm it's you. The code is a randomly generated one-time code that changes each logon.

The PC recognises it's you from your biometric reading stored in the TPM chip. It simply sends a return acceptance, but no biometric info. The code is the security layer that pairs the online account with your personal account.

Biometric data never leaves the TPM encryption.
 

TonyCarter

VALUED CONTRIBUTOR
Two-factor authentication is pretty solid though, and doesn't need biometrics.
Yes, TFA is better than nothing, but it's still susceptible to man-in-the-middle attacks, or SIM-cloning, or gmail hacks, etc.

In theory - and until someone finds the backdoor manufacturers will have been forced to install by governments - even if someone stole your phone or computer, there is no way to bypass the TPM to log into your devices/accounts.

Unfortunately, until this becomes the norm, there will be websites/apps offering varying levels of security, as they can't guarantee everyone will have biometric access... and people are mostly lazy and will keep using the 'easiest' method until something 'bad' happens.

I use a mix of biometrics, 2FA, 3FA and basic password options (but only for those sites that don't offer the more secure options... or they don't work reliably - and I use a local password manager for those). I can use the Face ID on my iPhone or Touch ID on my iPad to verify my identity on a few websites/apps... I wish there were more, as I just get a ping on my phone when I go to log in, and simply look at or touch it to continue.
 

SpyderTracks

We love you Ukraine
Yes, TFA is better than nothing, but it's still susceptible to man-in-the-middle attacks, or SIM-cloning, or gmail hacks, etc.

In theory - and until someone finds the backdoor manufacturers will have been forced to install by governments - even if someone stole your phone or computer, there is no way to bypass the TPM to log into your devices/accounts.
Don't get me started on damn government protocol! Backdoor to encryption? VPNs illegal? As someone who's worked in many government systems, they don't have a scoobies about security! One of our clients' infrastructure is still on Server 2008 simply because they wanna save a buck!
 