• Setting up MFA properly

    #2673324

    ISSUE 21.21 • 2024-05-20 MICROSOFT 365 By Peter Deegan Is that multifactor authentication setup complete and truly ready to handle any situation? Two-
    [See the full post at: Setting up MFA properly]

    6 users thanked author for this post.
    • #2673423

      Looks like the bad guys now have 6 ways to prove they are you.  Seems like less security?

      Similar to my Microsoft account that uses a 6 digit pin instead of my old 25 random character password.  Also seems like less security to me?

      I do not have a cell phone, but I do not understand how having a cell phone that can be lost or stolen is a secure way to prove I am me?

      I only sign on to anything from my not portable heavy home computer.  I have a Yubikey that is not accepted by any site I use?

      And I am fed up with phone calls to make me write down a number so I can type it on my keyboard.

      1 user thanked author for this post.
    • #2673436

      I do not understand how having a cell phone that can be lost or stolen is a secure way to prove I am me

      If you lose the phone the finder has to also have your user/password. Having all of these is highly unlikely, unless it is you.

      If you are fed up writing things down, get a password manager that can also do TOTP. Then you can do everything from one place and will have a backup for the day your computer dies.

      cheers, Paul

    • #2673463

      Further to Paul’s comments ….

      Microsoft is trying to strike a balance between security and ease of access.

      A long password is more secure but it’s also a PITA.

      Features like PIN are optional. You don’t have to use them if you prefer to enter a longer password. The PIN, fingerprint and face recognition are there to provide easier access choices as a balance between complex access/passwords and fast login.

      Any smartphone should require a personal login (PIN, face ID etc.) and the option to lock the device if it’s lost/stolen.  See https://www.askwoody.com/forums/topic/what-to-do-before-your-phone-is-stolen/

      Text/SMS to a phone is one way to get the verification code but it’s not as secure as other options like an authentication app because there’s a risk of the phone number being hijacked or just SMS messages not being received (e.g when overseas).

      The important point of my article is NOT to assume that your usual way of logging in with verification will always work.   Always have alternative verification methods available as fall-back positions.

      Peter Deegan

      • #2673472

        Features like PIN are optional. You don’t have to use them if you prefer to enter a longer password. The PIN, fingerprint and face recognition are there to provide easier access choices as a balance between complex access/passwords and fast login.

        Aren’t they more secure because they’re local to a single device?

        • #2673567

          It’s more than just a single device though that’s part of it.

          Options like face recognition and fingerprint require special hardware configurations to be accepted as a secure login alternative. For example, not all laptop cameras are accepted by Windows for face recognition.

          Peter Deegan

          • #2673706

            It’s more than just a single device though that’s part of it.

            Options like face recognition and fingerprint require special hardware configurations to be accepted as a secure login alternative.

            But where available, PIN, face or fingerprint are also more secure, not just easier and faster?

    • #2673495

      Authy used to have a desktop app, but discontinued it in March 2024.

    • #2673500

      I’m all good with 2FA but my phone doesn’t make facial recognition easy. Dell, in their infinite wisdom, decided not to spend the extra 2 cents on a camera that does facial recognition in my laptop and fingerprint is unreliable. My phone has useless facial recognition and recognises my fingerprint about 1% of the time. It is easier to do it with OTP. The annoying part is being prompted to configure biometric sign in (laptop or phone). The best choice ‘Later’ does not stop the prompt happening again and doing.


      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #2673531

      I’m similar to MinnesotaVegans. I have no smartphone and no need for one. I won’t be buying some $xxx expensive phone and a cellular account just to run an authenticator app. It seems almost every single reputable authenticator app is only for Apple or Android smartphones.

      Last fall I installed Authy’s desktop Windows software and began setting up my accounts – only to have Authy pull the rug and drop support. I tried to find a desktop app to replace it. They seem like hen’s teeth apparently.

      I changed from Keepass to KeepassXC for my password manager because they added TOTP support. I set up my PayPal account for 2FA as a test. It worked for several months until just recently when it repeatedly failed and PayPal said they no longer support such software (or some such excuse). I had to have customer service set me back up with email 2FA. Not really that secure.

      I don’t want to roll the dice on some random desktop app on the Windows Store – or have a password manager that is cloud based just to get TOTP security.

      Is there some kind of technical security reason why authenticator apps aren’t generally available for the Windows desktop? I’m not going to misplace my desktop. My Windows sign-in is a very complex password. My password manager is protected by a very complex password. I have an external, always-updated copy of my password database file.

      Is buying a couple of Yubi keys my only effective choice as a non-smartphone person? Any recommendations?

      Edit: I forgot to mention, I don’t have a Microsoft Account.

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      • #2673563

        Part of the security process is that the MFA code comes from another device not just another source on the same computer.

        That’s not always the case, of course, but it’s generally the situation.

        In your situation, it seems the main MFA code option is text/SMS which isn’t ideal or necessarily always available.

        An alternative email address is another MFA option to consider.

        Strange that the Keepass codes stopped working.  Paypal, like most companies, will only support their preferred TOTP app. That doesn’t mean others won’t work, just that the sign-in organization won’t help.

        Peter Deegan


        1 user thanked author for this post.
    • #2673586

      until just recently when it repeatedly failed

      That is most likely a time issue – TOTP is time based and needs your clock to be accurate.

      Any app that does TOTP correctly (KeePass/XC) will work with whatever account you are using. (It is what I use.)

      Check your computer clock is correct by going to this site: https://time.is/

      Check your computer time sync: https://answers.microsoft.com/en-us/windows/forum/all/how-to-force-windows-10-time-to-synch-with-a-time/20f3b546-af38-42fb-a2d0-d4df13cc8f43

      cheers, Paul

      1 user thanked author for this post.
    • #2673623

      I changed from Keepass to KeepassXC for my password manager because they added TOTP support. I set up my PayPal account for 2FA as a test. It worked for several months until just recently when it repeatedly failed and PayPal said they no longer support such software (or some such excuse).

      Ditto to what Paul T said. Check your computer clock.

      I tested to confirm it still works, and I had no trouble logging into my PayPal acct just now using KeePass with the “KeeOtp2” TOTP plugin for KeePass.

      If you want some other non-cloud, Windows-based TOTP program for Windows, I have used and can recommend WinAuth.


      1 user thanked author for this post.
      • #2673723

        Yes, it’s important for MFA that all devices are time synchronized. That’s one reason for MFA not working, but it’s quite an unusual reason these days.

        Most devices time sync automatically and the user has to dig into settings to turn it off … assuming that it’s an option at all. Windows and Mac time sync by default. As far as I can tell, Apple mobile devices also time sync and it can’t be disabled. I don’t have an Android device handy but I’m pretty sure they do too.

        Just to be clear …

        Time synchronization is different from time zone settings which can be auto or manual.  Time zone settings do NOT affect authentication because MFA uses universal (UTC) time regardless of where you are.

        1 user thanked author for this post.
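      The two posts above make a concrete claim: a TOTP code depends on the device clock but not on the time zone, because the counter is derived from seconds since the Unix epoch (UTC). The following is an added example, not code from the article or from any of the posters, that implements RFC 6238 TOTP with Python's standard library and demonstrates both points: the same instant expressed in two time zones yields the same code, and a clock that has drifted by more than one 30-second step outside the server's tolerance window is rejected. The secret, the 35 s and 90 s drift values and the one-step tolerance window are constructed for the demonstration; real sites choose their own window. The test vectors are the published RFC 6238 SHA-1 ones (key "12345678901234567890"), truncated to six digits.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Published RFC 6238 test key (ASCII "12345678901234567890"); not a real secret.
RFC_KEY = b"12345678901234567890"


def decode_base32_secret(secret: str) -> bytes:
    """Decode a secret as shown by a site's QR/enrolment page.

    Sites often omit the '=' padding and mix case, which base64.b32decode
    rejects, so normalise first (constructed helper, not a library API).
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is floor(epoch_seconds / step).

    Only the epoch time matters; the time zone the clock is displayed in
    never enters the calculation.
    """
    return hotp(key, int(unix_time // step), digits)


def totp_at(key: bytes, when: datetime, step: int = 30, digits: int = 6) -> str:
    """TOTP for an aware datetime; .timestamp() converts any zone to UTC epoch."""
    if when.tzinfo is None:
        raise ValueError("use an aware datetime so the zone is unambiguous")
    return totp(key, when.timestamp(), step, digits)


def verify_totp(key: bytes, code: str, server_time: float,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check that tolerates `window` steps of clock drift in
    either direction (window=1 with a 30 s step accepts roughly +/-30..59 s).
    Uses compare_digest so the comparison does not leak timing information."""
    counter = int(server_time // step)
    return any(
        hmac.compare_digest(hotp(key, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def seconds_of_drift_tolerated(step: int = 30, window: int = 1) -> int:
    """Worst-case guaranteed drift tolerance: a code is always accepted if
    the two clocks differ by less than `window` full steps."""
    return window * step


if __name__ == "__main__":
    server_now = 1234567890  # 2009-02-13 23:31:30 UTC, an RFC 6238 vector
    code = totp(RFC_KEY, server_now)
    print("code at server time:", code)  # 005924 (RFC vector 89005924, 6 digits)

    # Same instant, two zones: identical code, so time zone is irrelevant.
    utc = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    est = datetime(2009, 2, 13, 18, 31, 30, tzinfo=timezone(timedelta(hours=-5)))
    print("UTC vs UTC-5 match:", totp_at(RFC_KEY, utc) == totp_at(RFC_KEY, est))

    # A client clock 35 s fast is still inside a one-step window; 90 s is not.
    print("accepted with 35 s drift:", verify_totp(RFC_KEY, code, server_now + 35))
    print("accepted with 90 s drift:", verify_totp(RFC_KEY, code, server_now + 90))
```

Running it shows why a drifted PC clock produces "wrong code" errors even though the secret is fine: with a 30 s step and a one-step window, a clock more than about a minute out is rejected, while the displayed time zone makes no difference at all.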
    • #2673725

      I use OTPAuth on my iOS devices. It syncs between them and automatically backs up into my iCloud. I also download a backup of the database to save on my local PC. It works great on my Apple Watch for the codes.

      The only thing not in it are my Microsoft account (I use MS Authenticator) and strictly 2FA codes for client sites.  I use Google Authenticator for those (mainly just to keep them separate from mine).  Recovery codes are in an encrypted folder on my hard drive and backed up in my iCloud folder.

      I also have 3 YubiKeys I use for all accounts that make use of them.  One goes with me, one is home in a safe and the 3rd offsite in a safe.

      Banking sites, for me, seem to be the ones lagging behind in 2FA support.

    • #2673955

      Thanks for all the pointers.

      I have my computer set to automatically sync with the time server at us.pool.ntp.org. I tried manually synchronizing but it failed. I normally run on a VPN server located in my time zone. I turned the VPN off and a second manual synch was successful. Not sure if that was just a coincidence. Time will tell (pun intended.)

      I’ll go back to square one and set up PayPal OTP again in KeepassXC and see how it goes. Also, will check out WinAuth.

      Thanks again!

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #2674072

      I have my computer set to automatically sync with the time server at us.pool.ntp.org.

      I’ve always used NIST’s global time.nist.gov address which “randomly” connects to one of the 24 NIST Internet Time Servers and have never had any problems with my PC clock being off more than maybe a second or so from the actual time.

    • #2674259

      In the Article Peter wrote

      Use a passkey — A passkey uses the device’s secure login (Windows Hello facial recognition, fingerprint, or PIN). Passkeys have been around for a few years but have only recently been released as an option for Microsoft personal accounts.

      Cool – but how? I have registered a passkey in Windows Hello, and nothing asks for it in the Windows 11 personal environment. It uses the Windows Hello PIN and doesn’t offer a way of defaulting to the key. That is, the key could just as well be a brick and it does not care whether it is plugged in or not. Is there a trick to forcing the passkey to be the first port of call? (Yubico Key NFC.)

      If I logout, the only option to logon is the PIN, or “Forgot Pin” (which just wants to send me an email message).

      • #2674273

        A Microsoft account passkey can’t be used to login to a Windows computer — if that was possible anyone could access the computer just by turning it on.

        Passkeys are used once you’ve logged into Windows (using Windows Hello, password etc) to authenticate you to other web sites.

        In other words, Windows Hello verifies your identity first.  Then the passkeys are a way to pass that secure login assurance to other sites/apps.

        What you’re describing sounds like Windows behaving correctly. Login with the Windows Hello PIN, then you can optionally set up passkeys to more easily login to sites like Microsoft’s.

        Peter Deegan

        1 user thanked author for this post.
        • #2674412

          A Microsoft account passkey can’t be used to login to a Windows computer — if that was possible anyone could access the computer just by turning it on.

          Every use of a passkey requires entry of a PIN, face, fingerprint or security key.

      • #2674406

        Is there a trick to forcing the passkey to be the first port of call. (Yubico Key NFC).

        To use that physical security key to sign into Windows instead of a PIN, register it at Settings, Accounts, Sign-in options, Security key.

        (It can also be used for a local account with Yubico Login for Windows 10/11.)

        2 users thanked author for this post.