2024-01-22 18:03:04

Matthew Miller :donor: on Nostr: I'm trying to manage my Microsoft Account protections, with an ultimate goal of ...

I'm trying to manage my Microsoft Account protections, with an ultimate goal of protecting it with a passkey and maybe dropping my password to make the account truly passwordless, but I'm running into some weird idiosyncrasies on https://account.live.com/proofs/manage/additional:

I couldn't actually see the WebAuthn option at all in the latest macOS Safari - I had to switch to macOS Chrome before the "Windows Hello" option appeared that let me then register an iCloud Keychain-synced passkey.

I removed my phone number as a second factor because SIM jacking is a thing. However the next time I tried to log in I was prompted to add my phone number to "never lose access to your Microsoft account"...but I have other BETTER second-factors configured, so why would I want to continue to allow use of weak SMS OTP? At least I could cancel out and continue on without giving them my phone number again...

Attempting to turn on "Passwordless account" forces you down a path that wants you to set up the Microsoft authenticator app. But I already have a synced passkey in the mix, so why are you bothering with app-based push? Push bombing is also an easy way to get past 2FA protections.

Another example of how the left hand doesn't know what the right hand is doing...

#microsoft #passkeys #passwordless
Author Public Key
npub1zdlexn6s8y58ezfz79yqzszjy3xwltuvr8uvfahrmwtzgnwqs4ps3fqsnl