ISSUE 21.21 • 2024-05-20 • MICROSOFT 365 • By Peter Deegan
Is that multifactor authentication setup complete and truly ready to handle any situation? Two-
[See the full post at: Setting up MFA properly]
Setting up MFA properly
- This topic has 21 replies, 11 voices, and was last updated 11 months, 3 weeks ago.
Tags: Authentication Apps, Authy, Legacy Contact, Multi-factor Authentication, Newsletters, Recovery Codes, Recovery Passwords, Two-Factor Authentication
Peter Deegan (AskWoody Plus), May 20, 2024 at 2:45 am, #2673324
MinnesotaVegans (AskWoody Plus), May 20, 2024 at 10:54 am, #2673423
Looks like the bad guys now have 6 ways to prove they are you. Seems like less security?
Similar to my Microsoft account that uses a 6 digit pin instead of my old 25 random character password. Also seems like less security to me?
I do not have a cell phone, but I do not understand how having a cell phone that can be lost or stolen is a secure way to prove I am me?
I only sign on to anything from my not portable heavy home computer. I have a Yubikey that is not accepted by any site I use?
And I am fed up with phone calls to make me write down a number so I can type it on my keyboard.
Paul T (AskWoody MVP), May 20, 2024 at 10:58 am, #2673436
I do not understand how having a cell phone that can be lost or stolen is a secure way to prove I am me
If you lose the phone the finder has to also have your user/password. Having all of these is highly unlikely, unless it is you.
If you are fed up writing things down, get a password manager that can also do TOTP. Then you can do everything from one place and will have a backup for the day your computer dies.
cheers, Paul
Peter Deegan (AskWoody Plus), May 20, 2024 at 1:54 pm, #2673463
Further to Paul’s comments …
Microsoft is trying to strike a balance between security and ease of access.
A long password is more secure but it’s also a PITA.
Features like PIN are optional. You don’t have to use them if you prefer to enter a longer password. The PIN, Fingerprint and face recognition are there to provide easier access choices as a balance between complex access/passwords and fast login.
Any smartphone should require a personal login (PIN, face ID etc.) and the option to lock the device if it’s lost/stolen. See https://www.askwoody.com/forums/topic/what-to-do-before-your-phone-is-stolen/
Text/SMS to a phone is one way to get the verification code but it’s not as secure as other options like an authentication app because there’s a risk of the phone number being hijacked or just SMS messages not being received (e.g when overseas).
The important point of my article is NOT to assume that your usual way of logging in with verification will always work. Always have alternative verification methods available as fall-back positions.
Peter Deegan
b (AskWoody_MVP), May 20, 2024 at 2:18 pm, #2673472
Features like PIN are optional. You don’t have to use them if you prefer to enter a longer password. The PIN, Fingerprint and face recognition are there to provide easier access choices as a balance between complex access/passwords and fast login.
Aren’t they more secure because they’re local to a single device?
Peter Deegan (AskWoody Plus), May 20, 2024 at 11:49 pm, #2673567
It’s more than just a single device, though that’s part of it.
Options like face recognition and fingerprint require special hardware configurations to be accepted as secure login alternative. For example, not all laptop cameras are accepted by Windows for face recognition.
Peter Deegan
b (AskWoody_MVP), May 21, 2024 at 8:20 am, #2673706
It’s more than just a single device, though that’s part of it.
Options like face recognition and fingerprint require special hardware configurations to be accepted as secure login alternative.
But where available, PIN, face or fingerprint are also more secure, not just easier and faster?
SteveTree (AskWoody Lounger), May 20, 2024 at 5:31 pm, #2673500
I’m all good with 2FA but my phone doesn’t make facial recognition easy. Dell, in their infinite wisdom, decided not to spend the extra 2 cents on a camera that does facial recognition in my laptop, and fingerprint is unreliable. My phone has useless facial recognition and recognises my fingerprint about 1% of the time. It is easier to do it with OTP. The annoying part is being prompted to configure biometric sign in (laptop or phone). The best choice ‘Later’ does not stop the prompt happening again and doing.
Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price) -
Steve S. (AskWoody Plus), May 20, 2024 at 8:57 pm, #2673531
I’m similar to MinnesotaVegans. I have no smartphone and no need for one. I won’t be buying some $xxx expensive phone and a cellular account just to run an authenticator app. It seems almost every single reputable authenticator app is only for Apple or Android smartphones.
Last fall I installed Authy’s desktop Windows software and began setting up my accounts – only to have Authy pull the rug and drop support. I tried to find a desktop app to replace it. They seem like hen’s teeth apparently.
I changed from Keepass to KeepassXC for my password manager because they added TOTP support. I set up my PayPal account for 2FA as a test. It worked for several months until just recently when it repeatedly failed and PayPal said they no longer support such software (or some such excuse). I had to have customer service set me back up with email 2FA. Not really that secure.
I don’t want to roll the dice on some random desktop app on the Windows Store – or have a password manager that is cloud based just to get TOTP security.
Is there some kind of technical security reason why authenticator apps aren’t generally available for the Windows desktop? I’m not going to misplace my desktop. My Windows sign-in is a very complex password. My password manager is protected by a very complex password. I have an external, always-updated copy of my password database file.
Is buying a couple of Yubi keys my only effective choice as a non-smartphone person? Any recommendations?
Edit: I forgot to mention, I don’t have a Microsoft Account.
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
Peter Deegan (AskWoody Plus), May 20, 2024 at 11:45 pm, #2673563
Part of the security process is that the MFA code comes from another device, not just another source on the same computer.
That’s not always the case, of course, but it’s generally the situation.
In your situation, it seems the main MFA code option is text/SMS which isn’t ideal or necessarily always available.
An alternative email address is another MFA option to consider.
Strange that the Keepass codes stopped working. Paypal, like most companies, will only support their preferred TOTP app. That doesn’t mean others won’t work, just that the sign-in organization won’t help.
Peter Deegan
Paul T (AskWoody MVP), May 21, 2024 at 12:30 am, #2673586
until just recently when it repeatedly failed
That is most likely a time issue – TOTP is time based and needs your clock to be accurate.
Any app that does TOTP correctly (KeePass/XC) will work with whatever account you are using. (It is what I use.)
Check your computer clock is correct by going to this site: https://time.is/
Check your computer time sync: https://answers.microsoft.com/en-us/windows/forum/all/how-to-force-windows-10-time-to-synch-with-a-time/20f3b546-af38-42fb-a2d0-d4df13cc8f43
cheers, Paul
dg1261 (AskWoody_MVP), May 21, 2024 at 4:48 am, #2673623
I changed from Keepass to KeepassXC for my password manager because they added TOTP support. I set up my PayPal account for 2FA as a test. It worked for several months until just recently when it repeatedly failed and PayPal said they no longer support such software (or some such excuse).
Ditto to what Paul T said. Check your computer clock.
I tested to confirm it still works, and I had no trouble logging into my PayPal acct just now using KeePass with the “KeeOtp2” TOTP plugin for KeePass.
If you want some other non-cloud, Windows-based TOTP program for Windows, I have used and can recommend WinAuth.
Peter Deegan (AskWoody Plus), May 21, 2024 at 9:53 am, #2673723
Yes, it’s important for MFA that all devices are time synchronized. That’s one reason for MFA not working, but it’s quite an unusual reason these days.
Most devices time sync automatically and the user has to dig into settings to turn it off … assuming that it’s an option at all. Windows, Mac time sync by default. As far as I can tell Apple mobile devices also time sync and it can’t be disabled. I don’t have an Android device handy but pretty sure they do too.
Just to be clear …
Time synchronization is different from time zone settings which can be auto or manual. Time zone settings do NOT affect authentication because MFA uses universal (UTC) time regardless of where you are.
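Paul T’s point that a drifting clock breaks TOTP and Peter Deegan’s point that the time zone setting is irrelevant both follow from how RFC 6238 derives the code. The Python below is an added illustration, not code from the article or from any poster; it uses the RFC 6238 test key as a constructed secret, and the ±1-step acceptance window and sample timestamps are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Constructed demo secret (the RFC 6238 test key), not a real account key.
# Authenticator apps and KeePassXC store this Base32 string from the setup page.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30  # the default TOTP time step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(Unix seconds / 30).
    Only the epoch timestamp is used, so the device's time zone never enters."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(unix_time // STEP_SECONDS), digits)


def verify(secret_b32: str, submitted: str, unix_time: float, window: int = 1) -> bool:
    """Server-side check (assumed window): accept the current step plus `window`
    steps either side. A clock drifting further than that rejects a correct code."""
    step = int(unix_time // STEP_SECONDS)
    key = base64.b32decode(secret_b32, casefold=True)
    return any(hmac.compare_digest(hotp(key, step + d), submitted)
               for d in range(-window, window + 1))


def same_instant_two_zones() -> tuple:
    """The same moment written in UTC and in UTC-5 gives one code: time zone
    settings do not affect MFA, only the accuracy of the underlying clock does."""
    utc = datetime(2024, 5, 21, 14, 53, 0, tzinfo=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=-5)))  # 09:53 local time
    return (totp(EXAMPLE_SECRET_B32, utc.timestamp()),
            totp(EXAMPLE_SECRET_B32, local.timestamp()))
```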
Zathras (AskWoody Plus), May 21, 2024 at 10:00 am, #2673725
I use OTPAuth on my iOS devices. It syncs between them and automatically backs up into my iCloud. I also download a backup of the database to save on my local PC. It works great on my Apple Watch for the codes.
The only thing not in it are my Microsoft account (I use MS Authenticator) and strictly 2FA codes for client sites. I use Google Authenticator for those (mainly just to keep them separate from mine). Recovery codes are in an encrypted folder on my hard drive and backed up in my iCloud folder.
I also have 3 YubiKeys I use for all accounts that make use of them. One goes with me, one is home in a safe and the 3rd offsite in a safe.
Banking sites, for me, seem to be the ones lagging behind in 2FA support.
Steve S. (AskWoody Plus), May 22, 2024 at 4:16 am, #2673955
Thanks for all the pointers.
I have my computer set to automatically sync with the time server at us.pool.ntp.org. I tried manually synchronizing but it failed. I normally run on a VPN server located in my time zone. I turned the VPN off and a second manual synch was successful. Not sure if that was just a coincidence. Time will tell (pun intended.)
I’ll go back to square one and set up PayPal OTP again in KeepassXC and see how it goes. Also, will check out WinAuth.
Thanks again!
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
n0ads (AskWoody Lounger), May 22, 2024 at 10:50 am, #2674072
I have my computer set to automatically sync with the time server at us.pool.ntp.org.
I’ve always used NIST’s global time.nist.gov address which “randomly” connects to one of the 24 NIST Internet Time Servers and have never had any problems with my PC clock being off more than maybe a second or so from the actual time.
WSkiwiandrewo (AskWoody Plus), May 22, 2024 at 11:55 pm, #2674259
In the Article Peter wrote
Use a passkey — A passkey uses the device’s secure login (Windows Hello facial recognition, fingerprint, or PIN). Passkeys have been around for a few years but have only recently been released as an option for Microsoft personal accounts.
Cool – but how? I have registered a passkey in Windows Hello, and nothing asks for it in the Windows 11 personal environment. It uses the Windows Hello PIN and doesn’t offer a way of defaulting to the key. That is, the key could just as well be a brick and it does not care whether it is plugged in or not. Is there a trick to forcing the passkey to be the first port of call? (Yubico Key NFC.)
If I logout, the only option to logon is the PIN, or “Forgot Pin” (which just wants to send me an email message).
Peter Deegan (AskWoody Plus), May 23, 2024 at 12:42 am, #2674273
A Microsoft account passkey can’t be used to login to a Windows computer. If that were possible, anyone could access the computer just by turning it on.
Passkeys are used once you’ve logged into Windows (using Windows Hello, password etc) to authenticate you to other web sites.
In other words, Windows Hello verifies your identity first. Then the passkeys are a way to pass that secure login assurance to other sites/apps.
What you’re describing sounds like Windows behaving correctly. Login with the Windows Hello PIN then you can optionally setup passkeys to more easily login to sites like Microsoft’s.
Peter Deegan
b (AskWoody_MVP), May 23, 2024 at 9:37 am, #2674406
Is there a trick to forcing the passkey to be the first port of call? (Yubico Key NFC.)
To use that physical security key to sign into Windows instead of a PIN, register it at Settings, Accounts, Sign-in options, Security key.
(It can also be used for a local account with Yubico Login for Windows 10/11.)
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.