19 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 19 August 2014 - 19:57

Is anyone else annoyed by the Microsoft's Account two-factor authentication?

[Photo 1: 14786142970_872e7b0656_b.jpg]

[Photo 2: 14972473422_41a38f403f_o.jpg]

I've had numerous customers almost get locked out of their accounts already. I understand that two-factor authentication is great and everything, but the following is the issue I have with the way Microsoft is doing it.

One day I got a call about a woman who all of a sudden started getting this message (the 1st photo). They wouldn't let her enter her account until she validated she was the owner of her own account and entered the code they would send her. The issue was she was at the lakes for the summer and the recovery email she had on the account was from her home ISP, which was currently disconnected while she was gone.

So the best we could do was create her a new Gmail address which she could use (on photo 2) just to authenticate her account and to change her security information. They say that it takes 30 days for this to take effect.

But what about this:

Hacker hacks an account which isn't used a lot. They tell Microsoft, "I can't authenticate with the email on file, use this one." So he enters his email address and they send the hacker a link which he clicks and resets the security information. Now normally it takes 30 days for this to take effect, but the person whose account he logged into doesn't use it once every 60 days.

It's just something about how they implemented their two-factor authentication which just annoys me.




#2 Nogib

Nogib

    Neowinian

  • Joined: 01-June 03
  • OS: Windows 8.1 Pro
  • Phone: LG Nexus 5

Posted 19 August 2014 - 20:09

I've run into this recently where the second account I had tied to it hadn't been used in years and being that it was also a hotmail account meant it got auto deleted long ago. No way for me to get full access to edit my account unless I jump through the 30 day hoop. -_-



#3 testman

testman

    Neowinian

  • Joined: 06-April 05

Posted 19 August 2014 - 20:15

Not sure what the problem is here. You're the one who 1. switched on two-factor authentication and 2. elected to use e-mail addresses for authentication. It's your job to make sure you keep those e-mail accounts alive. If you can't, don't use e-mail addresses and use another option (mobile, app, etc.).

#4 JaykeBird

JaykeBird

    Puck does not lie.

  • Joined: 21-March 10
  • Location: United States
  • OS: Windows 7
  • Phone: Android 4.1

Posted 19 August 2014 - 20:17

For me, I do the two-factor authentication by having it send me a text message. For me, I get logged out of my account a lot. Especially Skype. Skype likes to randomly log me out about every 3rd time I start it up on either my computer or my phone. So every single time I log in, even when I check the "Don't ask for codes while using this device" box, they still require me to go through the hoops and have it send me a text message.

It'd be more fine if after I log in, the webpage says "Okay, sent a text message to your phone (***)-***-**56" or something like that. But instead, they have to ask me how I'd like to verify my account (fortunately, the text message option is the default), and then they ask me to put in the last four digits of my phone number before sending the text message, which is just an annoying extra step.

On paper, it seems like a good idea, but... if someone else were to steal my phone, it'd be as simple as four taps from the home screen to get to my full phone number. Simply asking for the last four digits doesn't really seem to be a way to stop anybody. If they wanted me to verify some personal information, why not choose something that's not so easily accessible from my physical device?



#5 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 19 August 2014 - 20:23

Had a guy call me today using all sorts of profanity towards this. It started a month ago and he just got around to calling. It started saying "unless you validate we aren't letting you in"; well, the recovery address was his last name at hotmail.com, but he claims he doesn't have that address, so maybe he mistyped it.

So now he entered his friend's email address to send the email to and to change his security info ...blah blah.. the whole thing could be done better.



#6 +techbeck

techbeck

    It's not that I am lazy, it's that I just don't care

  • Tech Issues Solved: 14
  • Joined: 20-January 05

Posted 19 August 2014 - 20:25

Isn't there an option to not prompt again? I thought I remember there being an option like that.



#7 Ilys

Ilys

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 10-October 01

Posted 19 August 2014 - 20:32

There is an option to remember the device and add it to the trusted devices, but there is also the option to remove all trusted devices on the account. If a hacker gains access, they can simply revoke all of your devices before changing the details.



#8 Joe User

Joe User

    Lazy Joe's

  • Tech Issues Solved: 1
  • Joined: 29-May 07
  • Location: Somewhere in the US
  • OS: Windows 8.1 Update 1
  • Phone: Nexus 5

Posted 19 August 2014 - 20:35

You can always use a two factor authenticator program for Android, Windows Phone, iOS, Blackberry, Windows, Linux or OSX, and you're good.



#9 winrez

winrez

    Chronic Master Debater

  • Tech Issues Solved: 1
  • Joined: 07-March 07
  • Location: Manitowoc, WI
  • OS: Windows 7 Enterprise 64-Bit, Windows 8 64-Bit, Windows RT 8.1 (Surface)
  • Phone: Samsung Focus WP7.8/ Nokia Lumina 520

Posted 19 August 2014 - 20:40

Yes, I have had it not trust me for the 30-day waiting period, which affected my Surface Pro, Windows Phone and Xbox 360 along with the services OneDrive & Hotmail, after getting a new Windows Phone & # when my old one was the main verification.



#10 Ilys

Ilys

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 10-October 01

Posted 19 August 2014 - 20:40

> You can always use a two factor authenticator program for Android, Windows Phone, iOS, Blackberry, Windows, Linux or OSX, and you're good.

The exploit warwagon mentions would circumvent the 2-factor app, as you enter the code at the same point as you would enter the email security code.

This is actually pretty worrying for those who do not access their account often, or never keep it up to date with their newest email address or mobile number.



#11 -Razorfold

-Razorfold

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 19 August 2014 - 20:47

> Not sure what the problem is here. You're the one who 1. switched on two-factor authentication and 2. elected to use e-mail addresses for authentication. It's your job to make sure you keep those e-mail accounts alive. If you can't, don't use e-mail addresses and use another option (mobile, app, etc.).

Pretty much this.

> For me, I do the two-factor authentication by having it send me a text message. For me, I get logged out of my account a lot. Especially Skype. Skype likes to randomly log me out about every 3rd time I start it up on either my computer or my phone. So every single time I log in, even when I check the "Don't ask for codes while using this device" box, they still require me to go through the hoops and have it send me a text message.

I never get asked that, and I have two-factor turned on and I log in to Skype like once a month. I hate the program and try to avoid using it as much as humanly possible. The only time I've ever seen the "please enter the code to login" was when I logged into it using another computer.

Not sure why it asks you so often.

> On paper, it seems like a good idea, but... if someone else were to steal my phone, it'd be as simple as four taps from the home screen to get to my full phone number. Simply asking for the last four digits doesn't really seem to be a way to stop anybody. If they wanted me to verify some personal information, why not choose something that's not so easily accessible from my physical device?

If someone had your phone then the entire thing is worthless anyway, since they'll get the text message and be able to log in. The 4 digits thing is to verify that it's actually you and not someone else.

> There is an option to remember the device and add it to the trusted devices, but there is also the option to remove all trusted devices on the account. If a hacker gains access, they can simply revoke all of your devices before changing the details.

And? That's the way it is with every two-factor authentication. If someone gets access to your device and knows your password, well, nothing can really protect you anymore.

It's like if someone got access to your computer: then apart from encryption, nothing is going to protect you.

#12 Harrison H.

Harrison H.

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 21-August 04
  • Location: Florida
  • OS: Windows 8.1
  • Phone: Nokia Lumia 1520

Posted 19 August 2014 - 20:50

> The exploit warwagon mentions would circumvent the 2-factor app, as you enter the code at the same point as you would enter the email security code.
>
> This is actually pretty worrying for those who do not access their account often, or never keep it up to date with their newest email address or mobile number.

Yep. This is why most implementations of 2FA only allow you to use either a recovery code, or a code from the mobile authenticator app. Most will also add text-based codes as a backup. The idea is to require access to another device which only the true user should have access to. When implemented like this, if you lose access to recovery codes, your phone number, and the mobile authenticator app, you lose access to your account.

The images in the original post aren't from a 2FA-enabled account though. This is just something that Microsoft pops up on devices it doesn't recognize for accounts without 2FA enabled.
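
The second-factor model Harrison H. describes above, written out as a small Python check. This is an added example, not code from the thread or from Microsoft's account system: it implements RFC 4226 HOTP / RFC 6238 TOTP (the scheme authenticator apps use), single-use recovery codes that the server keeps only as hashes, and a `second_factor_ok` policy that accepts one or the other and deliberately has no "send a link to a new e-mail address" path. The function and class names, the clock-drift window of one step, and the demo secret (the RFC 6238 reference key) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift
    between phone and server; compare_digest keeps the check constant-time."""
    base = unix_time // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + skew), code):
            return True
    return False


class RecoveryCodes:
    """Backup codes shown to the user once; the server stores only hashes,
    and each code is burned on first successful use."""

    def __init__(self, codes=None, count: int = 8):
        # secrets.token_hex(5) is 40 random bits: enough entropy that a plain
        # SHA-256 (no salt) is adequate, since there is nothing to precompute.
        issued = list(codes) if codes is not None else [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {self._hash(c) for c in issued}
        self._issued = issued  # handed out exactly once by issue()

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def issue(self):
        """Return the plaintext codes once, then forget them server-side."""
        out, self._issued = self._issued, []
        return out

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.discard(h)  # single-use
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def second_factor_ok(totp_secret: bytes, recovery: RecoveryCodes,
                     submitted: str, unix_time: int) -> bool:
    """The policy from the post: a current authenticator code or an unused
    recovery code passes. Losing both means losing the account; there is
    no fallback that lets a caller substitute a fresh e-mail address."""
    if verify_totp(totp_secret, submitted, unix_time):
        return True
    return recovery.redeem(submitted)


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 reference secret, not a real account.
    secret = b"12345678901234567890"
    backup = RecoveryCodes()
    print("recovery codes (show to the user once):", backup.issue())
    print("authenticator code at t=59:", totp(secret, 59))
    print("login ok:", second_factor_ok(secret, backup, totp(secret, 59), 59))
```

The RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 1 / time 59 giving `287082`) are a quick way to confirm the HOTP truncation is right before trusting the check against a real authenticator app.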



#13 elenarie

elenarie

    Newbie .NET / game dev

  • Tech Issues Solved: 2
  • Joined: 23-March 14
  • OS: Windows 8.1 Pro x64
  • Phone: Lumia 920 Yellow

Posted 20 August 2014 - 10:21

Has worked fine here on multiple occasions. But I use the simple Authenticator app for WP.



#14 BajiRav

BajiRav

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 15-July 04
  • Location: Xbox, where am I?
  • OS: Windows 8.1, Windows 8
  • Phone: Lumia 920

Posted 20 August 2014 - 10:27

No. Because it's the user who is at fault here. I have it turned on and use a code generator for it. If that fails, I can always recover using a secondary email or phone/text.

These things work if you pay attention to what you are doing.

#15 InsaneNutter

InsaneNutter

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 15-March 03
  • Location: Yorkshire, England
  • OS: Win 8.1, OSX 10.10 & Ubuntu
  • Phone: OnePlus One

Posted 20 August 2014 - 10:40

In general I think it's a good thing; the customers complaining are the ones that likely need protection from themselves.

The only problem I have with Microsoft's two-factor authentication is devices / services that don't support codes generated by an authentication app and require a one-time-use password.

It's a right pain having to log in to account.live.com, create a one-time-use password, then enter it on a friend's Xbox 360, for example. It would be nice if Microsoft updated all their products and services to support codes generated by authentication apps.

Google Authenticator works fine for any Microsoft services that support authentication apps on Android and iOS.