News Microsoft makes passkeys the default authentication method for all new accounts

Passkeys look to me like a form of vendor lock-in.
Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).

It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.
 
Will this mean they are also going to do away with the ability to use a local user/password method?

I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC. About the time you change things to "let Windows decide" on your shares then connection issues abound.
 
Reactions: phenomiix6
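To make the "key pair between your login identity and a local device" concrete, here is an added illustration (not code from the thread or from Microsoft) of the registration and challenge-response flow that passkeys (WebAuthn) use. It assumes a hypothetical site `accounts.example.com` and uses a toy RSA pair built from fixed primes as a stand-in for the real per-site keys an authenticator generates; the site only ever holds the public half, the browser (not the user) reports the page origin, and a look-alike domain finds no matching credential on the device, which is why a stolen password database or a phishing page gets nothing useful.

```python
import hashlib
import json
import secrets
from urllib.parse import urlparse

# Toy RSA key pair from fixed Mersenne primes, standing in for the ECDSA or
# Ed25519 keys a real authenticator generates. Constructed for illustration
# only; far too small for real use.
_P = 2**31 - 1
_Q = 2**61 - 1
_E = 65537


def _new_keypair():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)  # (public, private)


def _sign(private_key, data: bytes) -> int:
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def _verify(public_key, data: bytes, sig: int) -> bool:
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


class Authenticator:
    """The user's device: holds private keys, each bound to one rp_id (site)."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, private_key)

    def make_credential(self, rp_id: str):
        public, private = _new_keypair()
        cred_id = secrets.token_hex(8)
        self._creds[rp_id] = (cred_id, private)
        return cred_id, public  # only the public key leaves the device

    def get_assertion(self, rp_id: str, client_data: bytes):
        # The browser derives rp_id from the real page origin; a look-alike
        # domain has no credential here, so nothing is ever signed for it.
        if rp_id not in self._creds:
            return None
        cred_id, private = self._creds[rp_id]
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return cred_id, _sign(private, signed)


class RelyingParty:
    """The website: stores public keys, checks challenge freshness and origin."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.origin = f"https://{rp_id}"
        self._pubkeys = {}   # credential_id -> public key
        self._pending = set()  # challenges issued but not yet consumed

    def register(self, authenticator: Authenticator) -> None:
        cred_id, public = authenticator.make_credential(self.rp_id)
        self._pubkeys[cred_id] = public

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, cred_id: str, client_data: bytes, sig: int) -> bool:
        data = json.loads(client_data)
        # Challenge must be one we issued and not already used (no replay).
        if data.get("challenge") not in self._pending:
            return False
        self._pending.discard(data["challenge"])
        # The origin the browser recorded must be our own site.
        if data.get("origin") != self.origin:
            return False
        public = self._pubkeys.get(cred_id)
        if public is None:
            return False
        rp_id_hash = hashlib.sha256(self.rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return _verify(public, signed, sig)


def browser_login(rp: RelyingParty, authenticator: Authenticator,
                  page_origin: str, challenge: str = None) -> bool:
    """Simulate the browser: it, not the user, reports the page origin."""
    challenge = challenge or rp.new_challenge()
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    rp_id = urlparse(page_origin).hostname
    assertion = authenticator.get_assertion(rp_id, client_data)
    if assertion is None:
        return False
    cred_id, sig = assertion
    return rp.verify(cred_id, client_data, sig)


if __name__ == "__main__":
    site, device = RelyingParty("accounts.example.com"), Authenticator()
    site.register(device)
    print("real site:", browser_login(site, device, "https://accounts.example.com"))
    print("look-alike:", browser_login(site, device, "https://accounts-example.com"))
```

Running it shows the genuine origin authenticating and the look-alike origin failing before any signature is produced; reusing a challenge also fails, which is the property that makes a captured login exchange worthless to a keylogger or network eavesdropper.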
Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).

It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.
So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?
 
I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC.
Same here. When I'm installing Windows in remote locations with no broadband or 4G/5G internet access, this might make things difficult. I'm discounting satellite internet because the end users may not be able to afford this option. Some folk don't need extra bells and whistles or Copilot. Maybe Linux would be a better choice?
 
Reactions: phenomiix6
If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
 
If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
Indeed.
This is recent activity on my MS acct:
[image: screenshot of recent sign-in activity on the poster's Microsoft account]
 
Reactions: dwd999
It's quite convenient; I've used a PIN for ages with Windows Hello and Microsoft Authenticator for when account access is required. While it is far more secure than a password, it's not exactly friendly to people who don't keep a phone near them, refuse to use an app authenticator, or don't have service.

Ideally people would use a FIDO key (I don't), but pin and app are good enough.
 
Biometrics are really just a password that you can never change. Once someone has a scan of your face/iris/finger, it'll never change and it really follows you between devices and platforms. I think using biometrics without a human doing the scan is a bad idea.

…also not a fan of apps or devices, especially because they do multiply with the different systems you deal with, you have to remember how each one works, and you get locked into having to do whatever lifecycle each platform requires. If you have one, single high security device that you use daily ( eg a work laptop), it can make sense, but using it widely would suck.

What _really_ sucks are systems that you use 1-2 times per year that add tons of steps if you haven’t logged in for 90 days.
 
Reactions: stonecarver
If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
Wouldn't this be an example of why you shouldn't use non-local accounts?
It will then send a verification code to confirm your identity, and once done, it will become your default credential for your new account.
This doesn't confirm identity, it just confirms your* access to something.
*or hackers', etc...
 
So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?
Yes that’s the gist of it. All those OSes support passkeys so you should be fine.

Ideally, if you have that many different devices, you’d use a usb key or an app on your phone for identification.
 
Call me dumb but I don't get it... What's more secure and harder to guess/hack? A 4-6 digit numerical only PIN code or a much longer password containing a mix of numbers, letters, special letters with case sensitive? :homer:
 
Reactions: palladin9479
Indeed.
This is recent activity on my MS acct:
[image: screenshot of recent sign-in activity on the poster's Microsoft account]

Also for @dwd999: there is an easy way to defeat those bots constantly trying to log into your account. In your Microsoft account settings, you can add e-mail aliases. Create a new one that you will only use for login and never to sign up anywhere, then make this new alias the primary one and disable your other addresses/aliases for login purposes (in Your Info > Sign-in preferences). This will make it impossible for anyone to log in with the e-mail address that was leaked.

And I really hope that no, they don't eventually remove password support; these other methods seem like they would be very inconvenient for me 🙁 My desktop PC doesn't have a camera or fingerprint reader (and fingerprint reading often fails for me), and I don't want to always have my phone with me and often can't even. I also don't really like the idea of Microsoft having pictures of my face for face recognition?
 
This sounds like it might make some heads explode at my support department. I'm "that guy" at work, the one who had for many years a custom rom on a phone but now a full Linux phone. I have told my IT department flat out, buy me a company phone or get me a yubikey.

I will not downgrade from my Linux phone to some Apple or Google device. As far as the world of spyware OSs is concerned, I am off grid.

I always get a yubikey sent to me. :)
 
Reactions: TheSecondPower
Call me dumb but I don't get it... What's more secure and harder to guess/hack? A 4-6 digit numerical only PIN code or a much longer password containing a mix of numbers, letters, special letters with case sensitive? :homer:
Not calling you dumb, but having a passkey on a device you physically have to have, like your laptop or phone or a USB key that you unlock biometrically (or with a PIN), is, in by far the most cases, way safer than a password that anyone in the world can use on any device in the world.
 
So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?
If you used Windows Hello to store your passkey, then no, not without using a fallback password. If you logged in on iOS or macOS and saved your passkeys to iCloud Keychain, same issue. The systems that make passkeys not work if stolen also prevent transfer between ecosystems, although this is a problem they're supposedly looking into. For now, though, you'll need to either override the OS's default to save passkeys in its own password manager and force it to use a cross-platform 3rd party option, or you'll need to create and enroll multiple passkeys per site.
 
If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity.
As luck would have it, I don't have any Windows PCs associated with a Microsoft Account. Does that mean I'm immune from this particular threat, if I don't have a Microsoft Account?


Wouldn't this be an example of why you shouldn't use non-local accounts?
I prefer Local Accounts, which is how I used to set up client machines to log on to Workgroups and Domains. Admittedly my most recent systems are still running Windows 10, apart from some legacy (offline) PCs on Windows 7 and XP.

I installed Windows 11 the day it came out as a VM under Hyper-V so I still have a collection of old Windows 11 ISOs that should allow Local Account installation from the outset. Whether or not they still work and can be updated remains to be seen.

Many of my systems do not have TPM 2.0 or "compatible" CPUs, so this October I'll consider using Rufus to install Windows 11, or look for an alternative "safe" OS with ongoing security updates.

I run two 10Gb/s LANs behind hardware firewalls and one of them is completely isolated from the Internet. Nothing is 100% secure, but I could move my older PCs over to the offline LAN.
 