-
It’s still a big No Thank You from me.
3 users thanked author for this post.
-
-
I figured this was coming eventually because it’s a terrible decision and Microsoft can’t help but make those.
I wonder when they’ll remove the option to create a local account entirely.
Personally I despise the idea that everything electronic must be identifiable and trackable. It’s a tool, it doesn’t need to know me and hold a conversation with me and report on me to a trillion-dollar master.
3 users thanked author for this post.
-
The C: drive does not have any lock icons or warning flags.
Thank you for the advice, b!
1 user thanked author for this post.
-
-
-
Hoping someone can help me here.
I recently set up a Windows 11 Home laptop for my mother. (Lenovo, if it matters). I set it up with a local account, as in, I connected to the internet, input a bogus Microsoft Account address, “flubbed” the password, and got redirected to local account creation. So no microsoft account ever touched this laptop. There is a local account with administrator privileges.
I checked Disk Management, and it says her C: drive is Bitlocker encrypted. The control panel has no dedicated bitlocker or disk encryption tools anymore as those have been redirected to Settings. I checked Settings > Privacy and Security > Device Encryption. Encryption is ON, but choosing to “Bitlocker Drive Encryption” redirects to the Microsoft Store, and “Find Your Bitlocker Recovery Key” redirects to a web page where the advice hinges on the key being in your Microsoft Account.
I tried the prompt mentioned earlier
(Command Prompt, manage-bde -protectors C: -get and PowerShell, Get-BitLockerVolume)
(How To Get Bitlocker Recovery Key Without Microsoft Account (process.st))But it said access was denied and to make sure I have administrator privileges, even though I was using Command Prompt and Powershell from a Local Administrator account.
Is there any other way to find the Bitlocker key without resorting to a Microsoft account? And if the key cannot be elucidated without involving a Microsoft Account, is it advisable to turn off Device Encryption in Settings?
-
-
I’m not sure if I’m not explaining clearly or if everyone is misunderstanding me. All those other options involve passwords or other devices and therefore there is some continuity of devices involved. I’m talking about starting from zero.
Example. The year is 2080, and for reasons called This Is A Hypothetical Situation, the world is exactly the same as in 2023 except the password-to-passkey conversion is complete across the entire world of computers and the internet and passwords no longer exist.
At 2am your house is consumed in a five-alarm fire. The only material you possessions you have are the clothes you ran out in. Every computer, laptop, phone, token-generating dongle, and FIDO/USB key you had that had been “synced” and ever had your passkeys for your accounts stored on them is a puddle of melted plastic and silicon. While you get back on your feet, you’ll be making ample use of your local library’s computers, even though you haven’t set foot in your local library in a decade and they’ve swapped out all their hardware in that time.
How do you log into your email, your bank, and AskWoody in this specific scenario?
-
So if you have *only* one device, and for some reason you lose access over it (lost, stolen, destroyed), you are, in fact, locked out of your accounts permanently because you don’t have the only device capable of authenticating you?
1 user thanked author for this post.
-
This follow-up article is not impressing me any more than the last. We should not be tethering ourselves to devices ever-more permanently. Biometrics is a fraught method of authentication, and I’m pretty sure Livingston would have addressed that at some point in his illustrious career as a security researcher. Biometrics are not legally protected from searches. Tying identity and authentication to a device with a unique IMEI is essentially the end of journalists being able to conduct research anonymously, without fear of execution. If the big problems with passwords are social engineering and database breaches, then improve education and database security. To say nothing of the excerpts below:
As the FIDO Alliance describes it, “When a user creates a passkey on any of their devices, it gets synced to all the user’s other devices running the same OS platform which are also signed into the same user’s platform account.”
Another problem involves losing your device. Smartphones and laptops are stolen all the time. If your passkey is in the device — which is now gone — how do you re-establish access to all the websites where you’ve enjoyed a passwordless sign-in? …Passkey recovery needs to be included in a company’s thinking. Google solved part of the problem when it released Android 14 for smartphones last month. The new version of the mobile OS allows users to select a third-party passkey credential provider, which is similar to an online password manager (but more secure). Credential providers enable passkeys to be synchronized across different ecosystems…
You know what both of the above sound like? Transmitting the information over the Internet.
-
It may be more secure, but… yeah, not digging it.
To beat a dead horse, authentication methods are something you either are, know, or have. Passkeys cleverly combine all three in a way – your phone, your fingerprint or face, your PIN, all on your side of the Internet.
Problem is almost that it’s too secure. Passwords are device-agnostic and as a concept cannot ever be tied to one proprietary set of hardware. Since the authentication information (theoretically) never leaves the device, passkeys enforce trusted devices – you HAVE to have a device on you at all times to access anything. So if you’re homeless, or your house burned down, or someone stole everything including your shirt and shoes, you are absolutely screwed now, not just almost-definitely screwed. And that’s catastrophes. Phones break all the time. If your one trusted device starts acting up and needs to be repaired for a few days, you are still SOL. It’s pretty classist to assume that someone can afford multiple devices when most Americans can’t cover a $500 emergency, of which this is one!
Ah, but in case of emergency, use a backup code, you say? How ingenious. Something that is basically a glorified password, only even worse because it’s usually just numeric, and you never use it so you are less likely to remember it than a password, and you probably kept it on your device, or on a slip of paper in your house which you are now locked out of because the phone that unlocks the house was stolen. Or it burned down. Or your safe was robbed. Why didn’t I think of that.
So yes, passkeys may be more secure. I also see them as a way to tie people to proprietary software and hardware systems, destroy truly “anonymous” accounts, and push all security responsibility onto the end-user in an era where the phrase “customer service” is its own punchline.
-
I believe the site owner let the domain expire. I’m not sure of the reason.
I also vaguely recall there being an archive link to the website. Will look around and see if I can find it.
EDIT: Here’s something relevant: What Happened to Linux Journey? | Hacker News (ycombinator.com)
1 user thanked author for this post.
-
I sincerely hope that this last workaround is left in place by Microsoft, one last crumb of sanity. If they did take it away, they’d probably replace it with infinite tries until you input an actual account and password. And then, after that, they’d remove the option to revert to local after you create the desired account.
Maybe I’m just old-fashioned for someone who’s not yet thirty, but forcing internet connection before the computer is fully set up seems very cart-before-horse.
4 users thanked author for this post.
Author
