Is anyone else annoyed by the Microsoft's Account two-factor authentication?

[Photo 1: 14786142970_872e7b0656_b.jpg]

[Photo 2: 14972473422_41a38f403f_o.jpg]

I've had numerous customers almost get locked out of their accounts already. I understand that two-factor authentication is great and everything, but the following is the issue I have with the way Microsoft is doing it.

 

One day I got a call about a woman who all of a sudden started getting this message (the first photo). They wouldn't let her into her account until she validated that she was the owner of her own account and entered the code they would send her. The issue was that she was at the lakes for the summer, and the recovery email she had on the account was from her home ISP, which was currently disconnected while she was gone.

 

So the best we could do was create her a new Gmail address which she could use (photo 2) just to authenticate her account and to change her security information. They say that it takes 30 days for this to take effect.

 

But what about this:

 

A hacker hacks an account which isn't used a lot. They tell Microsoft, "I can't authenticate with the email on file, use this one." So he enters his email address and they send the hacker a link, which he clicks and resets the security information. Now normally it takes 30 days for this to take effect, but the person whose account he logged into doesn't use it even once every 60 days.

 

It's just something about how they implemented their two-factor authentication which just annoys me.

I've run into this recently, where the second account I had tied to it hadn't been used in years, and being that it was also a Hotmail account meant it got auto-deleted long ago. No way for me to get full access to edit my account unless I jump through the 30-day hoop. -_-

Not sure what the problem is here. You're the one who 1. switched on two-factor authentication and 2. elected to use e-mail addresses for authentication. It's your job to make sure you keep those e-mail accounts alive. If you can't, don't use e-mail addresses and use another option (mobile, app, etc.).

For me, I do the two-factor authentication by having it send me a text message. For me, I get logged out of my account a lot. Especially Skype. Skype likes to randomly log me out about every 3rd time I start it up on either my computer or my phone. So every single time I log in, even when I check the "Don't ask for codes while using this device" box, they still require me to go through the hoops and have it send me a text message.

 

It'd be more fine if, after I log in, the webpage said "Okay, sent a text message to your phone (***)-***-**56" or something like that. But instead, they have to ask me how I'd like to verify my account (fortunately, the text message option is the default), and then they ask me to put in the last four digits of my phone number before sending the text message, which is just an annoying extra step.

 

On paper, it seems like a good idea, but... if someone else were to steal my phone, it'd be as simple as four taps from the home screen to get to my full phone number. Simply asking for the last four digits doesn't really seem to be a way to stop anybody. If they wanted me to verify some personal information, why not choose something that's not so easily accessible from my physical device?

Had a guy call me today using all sorts of profanity towards this. It started a month ago and he just got around to calling. It started saying "unless you validate, we aren't letting you in"; well, the recovery address was his last name at hotmail.com, but he claims he doesn't have that address, so maybe he mistyped it.

 

So now he entered his friend's email address to send the email to and to change his security info... blah blah... the whole thing could be done better.

There is an option to remember the device and add it to the trusted devices, but there is also the option to remove all trusted devices on the account. If a hacker gains access, they can simply revoke all of your devices before changing the details.

You can always use a two factor authenticator program for Android, Windows Phone, iOS, Blackberry, Windows, Linux or OSX, and you're good.

Yes, I have had it not trust me for the 30-day waiting period, which affected my Surface Pro, Windows Phone and Xbox 360 along with the services OneDrive & Hotmail, after getting a new Windows Phone & number when my old one was the main verification.

 

> You can always use a two factor authenticator program for Android, Windows Phone, iOS, Blackberry, Windows, Linux or OSX, and you're good.

 

 

The exploit warwagon mentions would circumvent the 2-factor app, as you enter the code at the same point as you would enter the email security code.

This is actually pretty worrying for those who do not access their account often, or never keep it up to date with their newest email address or mobile number.

> Not sure what the problem is here. You're the one who 1. switched on two-factor authentication and 2. elected to use e-mail addresses for authentication. It's your job to make sure you keep those e-mail accounts alive. If you can't, don't use e-mail addresses and use another option (mobile, app, etc.).

Pretty much this.

> For me, I do the two-factor authentication by having it send me a text message. For me, I get logged out of my account a lot. Especially Skype. Skype likes to randomly log me out about every 3rd time I start it up on either my computer or my phone. So every single time I log in, even when I check the "Don't ask for codes while using this device" box, they still require me to go through the hoops and have it send me a text message.

I never get asked that and I have two factor turned on and I login to skype like once a month. I hate the program and try to avoid using it as much as humanely possible. The only time I've ever seen the "please enter the code to login" was when I logged into it using another computer.

Not sure why it asks you so often.

> On paper, it seems like a good idea, but... if someone else were to steal my phone, it'd be as simple as four taps from the home screen to get to my full phone number. Simply asking for the last four digits doesn't really seem to be a way to stop anybody. If they wanted me to verify some personal information, why not choose something that's not so easily accessible from my physical device?

If someone had your phone then the entire thing is worthless anyways since they'll get the text message and be able to login. The 4 digits thing is to verify that it's actually you and not someone else.

> There is an option to remember the device and add it to the trusted devices, but there is also the option to remove all trusted devices on the account. If a hacker gains access, they can simply revoke all of your devices before changing the details.

And? That's the way it is with every two-factor authentication. If someone gets access to your device and knows your password, well, nothing can really protect you anymore.

It's like if someone got access to your computer: then, apart from, like, encryption, nothing is going to protect you.


> The exploit warwagon mentions would circumvent the 2-factor app, as you enter the code at the same point as you would enter the email security code.
>
> This is actually pretty worrying for those who do not access their account often, or never keep it up to date with their newest email address or mobile number.

 

 

Yep. This is why most implementations of 2FA only allow you to use either a recovery code, or a code from the mobile authenticator app. Most will also add text based codes as a backup. The idea is to require access to another device which only the true user should have access to. When implemented like this, if you lose access to recovery codes, your phone number, and the mobile authenticator app, you lose access to your account.

 

The images in the original post aren't from a 2FA enabled account though. This is just something that Microsoft pops up on devices it doesn't recognize for accounts without 2FA enabled.

No. Because it's the user who is at fault here. I have it turned on and use a code generator for it. If that fails, I can always recover using a secondary email or phone/text.

These things work if you pay attention to what you are doing.

In general I think it's a good thing; the customers complaining are the ones that likely need protection from themselves.

 

The only problem I have with Microsoft's two-factor authentication is devices / services that don't support codes generated by an authentication app and require a one-time-use password.

It's a right pain having to log in to account.live.com, create a one-time-use password, then enter it on a friend's Xbox 360, for example. It would be nice if Microsoft updated all their products and services to support codes generated by authentication apps.

 

Google Authenticator works fine for any Microsoft services that support authentication apps on Android and iOS.

It really isn't two-factor authentication per se. It's a way to have a current medium, like a phone or secondary email address, so they can contact you in the event you lose access (forgotten password, most likely) to the Microsoft account.

 

When you have your security info updated and verified, you can still log in using only your Microsoft ID and password. There is a separate option to enable true two-factor authentication.

 

InsaneNutter above is right. This is aimed towards people that will not have any means to recover an account once their password is lost or forgotten.

 

This security authentication is required when you sign in from a previously unknown (to Microsoft) device. On Windows 8-8.1 you don't need this when using IE, but the first time you try to log in from another browser, you will get prompted for a code. Once this is done, it's not required anymore.

 

I've had many clients in the past that couldn't remember the password and couldn't get a reset because of an outdated/missing secondary email address or phone number on the account.

 

The only downside of adding security info is the 30-day waiting period, but it works in the user's favor if they didn't trigger the request to change info or change the password.

> And? That's the way it is with every two-factor authentication. If someone gets access to your device and knows your password, well, nothing can really protect you anymore.
>
> It's like if someone got access to your computer: then, apart from, like, encryption, nothing is going to protect you.

 

However, you do not need access to any of their devices; you only need their password. Try it out for yourself. You'll see resetting the security info on an MS Live account is a lot easier (but more time-consuming) than other 2-factor authentications. At least with Google, and various MMO 2-factor authentications, you need to answer the security questions you would have been forced to enter when setting up the account.
 

 

> The images in the original post aren't from a 2FA enabled account though. This is just something that Microsoft pops up on devices it doesn't recognize for accounts without 2FA enabled.

 

Even with the 2-factor authentication app, you only have to click the "get a code in a different way" link to either try the email/text code or enter the recovery code. Once you say no to both, the security info can be replaced, and after 30 days you can log in using those details. Granted, this is not an issue for anyone who regularly uses their account or has set up email/text security alerts, but for those who don't, this could be a problem.
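The race described in the original post and in the reply above (a password-only attacker queues a replacement contact, and the 30-day wait only protects an owner who comes back in time to cancel it) is easier to reason about as a small state machine. The following is an added toy model, not Microsoft's implementation, and it encodes only the behaviour the posters describe: a replacement contact is queued behind a fixed wait, it becomes the only contact once the wait elapses, and the legitimate owner can cancel it while a contact on file is still reachable. The 30-day constant, the account, the addresses and the dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

# Assumption: the waiting period the thread reports, not a documented constant.
WAIT_PERIOD = timedelta(days=30)


@dataclass
class PendingReplacement:
    new_contact: str
    effective_at: datetime


@dataclass
class Account:
    password: str
    contacts: Set[str]                      # contacts that can receive codes now
    pending: Optional[PendingReplacement] = None


def sign_in(acct: Account, password: str, reachable: Set[str], now: datetime) -> str:
    """Toy sign-in from an unrecognised device.

    `reachable` is the set of addresses the person at the keyboard can read
    codes from. Returns "denied", "ok" or "replacement_pending".
    """
    if password != acct.password:
        return "denied"
    # A queued replacement whose wait has elapsed takes effect first.
    if acct.pending and now >= acct.pending.effective_at:
        acct.contacts = {acct.pending.new_contact}
        acct.pending = None
    if acct.contacts & reachable:
        return "ok"                          # code delivered to a contact on file
    # "Get a code a different way": nothing on file is reachable, so the caller
    # supplies a contact of their own and it is queued behind WAIT_PERIOD.
    if acct.pending is None:
        acct.pending = PendingReplacement(next(iter(reachable)), now + WAIT_PERIOD)
    return "replacement_pending"


def owner_cancels_pending(acct: Account, reachable: Set[str]) -> bool:
    """The owner, who can still read codes at a contact on file, notices the
    pending change (e.g. from an alert e-mail) and cancels it."""
    if acct.pending and (acct.contacts & reachable):
        acct.pending = None
        return True
    return False


def simulate(owner_returns_after_days: Optional[int]) -> bool:
    """Return True if the password-only attacker ends up with a working sign-in.

    owner_returns_after_days: day on which the owner checks the account and
    cancels anything pending, or None if the owner never comes back.
    """
    day0 = datetime(2014, 8, 1)                              # constructed date
    acct = Account("hunter2", {"owner@isp.example"})         # constructed account
    owner = {"owner@isp.example"}
    attacker = {"attacker@mail.example"}

    # Attacker has the password but no contact on file, so queues a replacement.
    assert sign_in(acct, "hunter2", attacker, day0) == "replacement_pending"

    if owner_returns_after_days is not None and \
            owner_returns_after_days < WAIT_PERIOD.days:
        owner_cancels_pending(acct, owner)

    # The account is next touched by the attacker 60 days later.
    return sign_in(acct, "hunter2", attacker, day0 + timedelta(days=60)) == "ok"


if __name__ == "__main__":
    print("owner never returns:      ", simulate(None))
    print("owner returns on day 10:  ", simulate(10))
    print("owner returns on day 45:  ", simulate(45))
```

The model makes the dependency explicit: the wait is a cancellation window, not a second factor, so its value is exactly the probability that the owner (or an alert to a still-working contact) observes the pending change before it takes effect.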

I've had it working perfectly with Microsoft, Google, Dropbox, and other services. I think it's just your approach to 2FA. 

 

I use Authy to sync/get my 2FA codes.
