Is anyone else annoyed by the Microsoft's Account two-factor authentication?


(photo 1)

(photo 2)

I've had numerous customers almost get locked out of their accounts already. I understand that two-factor authentication is great and everything, but the following is the issue I have with the way Microsoft is doing it.

 

One day I got a call about a woman who all of a sudden started getting this message (the 1st photo). They wouldn't let her into her account until she validated she was the owner of her own account and entered the code they would send her. The issue was she was at the lakes for the summer and the recovery email she had on the account was from her home ISP, which was currently disconnected while she was gone.

 

So the best we could do was create her a new Gmail address which she could use (photo 2) just to authenticate her account and to change her security information. They say that it takes 30 days for this to take effect.

 

But what about this

 

A hacker hacks an account which isn't used a lot. They tell Microsoft, "I can't authenticate with the email on file, use this one." So he enters his email address and they send the hacker a link which he clicks and resets the security information. Now normally it takes 30 days for this to take effect, but the person whose account he logged into doesn't use it even once every 60 days.

 

It's just something about how they implemented their two-factor authentication which annoys me.

I've run into this recently where the second account I had tied to it hadn't been used in years and being that it was also a hotmail account meant it got auto deleted long ago. No way for me to get full access to edit my account unless I jump through the 30 day hoop. -_-

Not sure what the problem is here. You're the one who 1. switched on two-factor authentication and 2. elected to use e-mail addresses for authentication. It's your job to make sure you keep those e-mail accounts alive. If you can't, don't use e-mail addresses and use another option (mobile, app, etc.).

For me, I do the two-factor authentication by having it send me a text message. For me, I get logged out of my account a lot. Especially Skype. Skype likes to randomly log me out about every 3rd time I start it up on either my computer or my phone. So every single time I log in, even when I check the "Don't ask for codes while using this device" box, they still require me to go through the hoops and have it send me a text message.

 

It'd be more fine if after I log in, the webpage said "Okay, sent a text message to your phone (***)-***-**56" or something like that. But instead, they have to ask me how I'd like to verify my account (fortunately, the text message option is the default), and then they ask me to put in the last four digits of my phone number before sending the text message, which is just an annoying extra step.

 

On paper, it seems like a good idea, but... if someone else were to steal my phone, it'd be as simple as four taps from the home screen to get to my full phone number. Simply asking for the last four digits doesn't really seem to be a way to stop anybody. If they wanted me to verify some personal information, why not choose something that's not so easily accessible from my physical device?

Had a guy call me today using all sorts of profanity towards this. It started a month ago and he just got around to calling. It started saying unless you validate we aren't letting you in, well the recovery address was his last name at hotmail.com but he claims he doesn't have that address so maybe he mistyped it.

 

So now he entered his friend's email address to send the email to and to change his security info ...blah blah.. the whole thing could be done better.

There is an option to remember the device and add it to the trusted devices, but there is also the option to remove all trusted devices on the account. If a hacker gains access, they can simply revoke all of your devices before changing the details.

You can always use a two factor authenticator program for Android, Windows Phone, iOS, Blackberry, Windows, Linux or OSX, and you're good.

Yes, I have had it not trust me for the 30 day waiting period, which affected my Surface Pro, Windows Phone, Xbox 360 along with the services OneDrive & Hotmail after getting a new Windows Phone & number when my old one was the main verification.

 

You can always use a two factor authenticator program for Android, Windows Phone, iOS, Blackberry, Windows, Linux or OSX, and you're good.

 

 

The exploit warwagon mentions would circumvent the 2-factor app, as you enter the code at the same point as you would enter the email security code.

This is actually pretty worrying for those who do not access their account often, or never keep it up to date with their newest email address or mobile number.

Not sure what the problem is here. You're the one who 1. switched on two-factor authentication and 2. elected to use e-mail addresses for authentication. It's your job to make sure you keep those e-mail accounts alive. If you can't, don't use e-mail addresses and use another option (mobile, app, etc.).

Pretty much this.

For me, I do the two-factor authentication by having it send me a text message. For me, I get logged out of my account a lot. Especially Skype. Skype likes to randomly log me out about every 3rd time I start it up on either my computer or my phone. So every single time I log in, even when I check the "Don't ask for codes while using this device" box, they still require me to go through the hoops and have it send me a text message.

I never get asked that and I have two factor turned on and I log in to Skype like once a month. I hate the program and try to avoid using it as much as humanly possible. The only time I've ever seen the "please enter the code to login" was when I logged into it using another computer.

Not sure why it asks you so often.

On paper, it seems like a good idea, but... if someone else were to steal my phone, it'd be as simple as four taps from the home screen to get to my full phone number. Simply asking for the last four digits doesn't really seem to be a way to stop anybody. If they wanted me to verify some personal information, why not choose something that's not so easily accessible from my physical device?

If someone had your phone then the entire thing is worthless anyways since they'll get the text message and be able to login. The 4 digits thing is to verify that it's actually you and not someone else.

There is an option to remember the device and add it to the trusted devices, but there is also the option to remove all trusted devices on the account. If a hacker gains access, they can simply revoke all of your devices before changing the details.

And? That's the way it is with every two-factor authentication. If someone gets access to your device and knows your password, well, nothing can really protect you anymore.

It's like if someone got access to your computer: then, apart from encryption, nothing is going to protect you.

The exploit warwagon mentions would circumvent the 2-factor app, as you enter the code at the same point as you would enter the email security code.

This is actually pretty worrying for those who do not access their account often, or never keep it up to date with their newest email address or mobile number.

 

 

Yep. This is why most implementations of 2FA only allow you to use either a recovery code, or a code from the mobile authenticator app. Most will also add text based codes as a backup. The idea is to require access to another device which only the true user should have access to. When implemented like this, if you lose access to recovery codes, your phone number, and the mobile authenticator app, you lose access to your account.

 

The images in the original post aren't from a 2FA enabled account though. This is just something that Microsoft pops up on devices it doesn't recognize for accounts without 2FA enabled.

No. Because it's the user who is at fault here. I have it turned on and use a code generator for it. If that fails, I can always recover using a secondary email or phone/text.

These things work if you pay attention to what you are doing.

In general I think it's a good thing; the customers complaining are the ones that likely need protection from themselves.

 

The only problem I have with Microsoft's two factor authentication is devices / services that don't support codes generated by an authentication app, and require a one time use password.

It's a right pain having to log in to account.live.com, create a one time use password, then enter it on a friend's Xbox 360, for example. It would be nice if Microsoft updated all their products and services to support codes generated by authentication apps.

 

Google Authenticator works fine for any Microsoft services that support authentication apps on Android and iOS.

It really isn't two factor authentication per se. It's a way to have a current medium like phone or secondary email address so they can contact you in the event you lose access (forgotten password most likely) to the Microsoft account.

 

When you have your security info updated and verified, you can still log in using only your Microsoft ID and password. There is a separate option to enable true two-factor authentication.

 

InsaneNutter above is right. This is aimed towards people that will not have any means to recover an account once their password is lost or forgotten.

 

This security authentication is required when you sign in from a previously unknown (to Microsoft) device. On Windows 8-8.1 you don't need this when using IE, but the first time you try to log in from another browser, you will get prompted for a code. Once this is done, it's not required anymore.

 

I've had many clients in the past that couldn't remember the password and they couldn't get a reset because of outdated/missing secondary email address or a phone number on the account.

 

The only downside of adding security info is the 30 day waiting period, but it works in the user's favor if they didn't trigger the request to change info or change password.

And? That's the way it is with every two-factor authentication. If someone gets access to your device and knows your password, well, nothing can really protect you anymore.

It's like if someone got access to your computer: then, apart from encryption, nothing is going to protect you.

 

However, you do not need access to any of their devices, you only need their password. Try it out for yourself. You'll see resetting the security info on a MS live account is a lot easier (but more time consuming) than other 2-factor authentications. At least with Google, and various MMO 2-factor authentications, you need to answer the security questions you would have been forced to enter when setting up the account.
 

 

The images in the original post aren't from a 2FA enabled account though. This is just something that Microsoft pops up on devices it doesn't recognize for accounts without 2FA enabled.

 

Even with the 2-factor authentication app, you only have to click the "get a code in a different way" link to either try the email/text code or enter the recovery code. Once you say no to both, the security info can be replaced and after 30 days you can login using those details. Granted, this is not an issue for anyone who regularly uses their account or have set up email/text security alerts, but for those who don't this could be a problem.
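The flow this post describes, modelled as an added example that is neither Microsoft's code nor the poster's: the password alone starts a security-email replacement, the change only takes effect after the 30-day hold, and the hold only protects an owner who actually signs in during it. All addresses, the password and the dates are constructed sample values.

```python
"""Constructed model of the recovery flow the thread describes (not Microsoft's
code): the password alone starts a security-email replacement, which takes effect
only after a 30-day hold that an owner sign-in during the hold can cancel."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
HOLD = timedelta(days=30)  # waiting period the thread describes

@dataclass
class Account:
    password: str
    security_email: str
    pending_email: str | None = None
    pending_since: datetime | None = None

    def request_replacement(self, password: str, new_email: str, now: datetime) -> bool:
        """Start a replacement; the thread's point is that only the password is needed."""
        if password != self.password:
            return False
        self.pending_email, self.pending_since = new_email, now
        return True

    def _apply_if_hold_over(self, now: datetime) -> None:
        """The new email becomes live once the hold has elapsed without a cancel."""
        if self.pending_since is not None and now - self.pending_since >= HOLD:
            self.security_email = self.pending_email
            self.pending_email = self.pending_since = None

    def sign_in(self, password: str, now: datetime, cancel_pending: bool = True) -> bool:
        """An owner signing in during the hold sees and cancels a change they did not make."""
        if password != self.password:
            return False
        self._apply_if_hold_over(now)
        if cancel_pending and self.pending_since is not None:
            self.pending_email = self.pending_since = None
        return True

    def effective_email(self, now: datetime) -> str:
        self._apply_if_hold_over(now)
        return self.security_email

def scenario(owner_signs_in_on_day: int | None) -> str:
    """Day 0: someone with the password points recovery at attacker@mail.example.
    Returns which address owns recovery on day 31 (all values constructed)."""
    day0 = datetime(2014, 8, 1)
    acct = Account("correct-horse", "owner@home-isp.example")
    acct.request_replacement("correct-horse", "attacker@mail.example", day0)
    if owner_signs_in_on_day is not None:
        acct.sign_in("correct-horse", day0 + timedelta(days=owner_signs_in_on_day))
    return acct.effective_email(day0 + timedelta(days=31))
```

`scenario(None)` is the inactive owner from the first post, for whom the hold changes nothing; `scenario(5)` is an owner who signs in inside the window and keeps the account.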

I've had it working perfectly with Microsoft, Google, Dropbox, and other services. I think it's just your approach to 2FA. 

 

I use Authy to sync/get my 2FA codes.
