• Specal@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    5
    ·
    11 months ago

    Alot of people don’t like Microsoft, but they’re pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.

    • andrew@lemmy.stuart.fun
      link
      fedilink
      English
      arrow-up
      26
      ·
      edit-2
      11 months ago

      This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.

      Passkeys are interesting and potentially quite strong but they’re going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.

      • hydration9806@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        2
        ·
        11 months ago

        Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.

        • cley_faye@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          Yeah, good luck with that. You can tell someone “if you lose this token, all data are unrecoverable”, they’ll reply with “ok, got it!” and about two and a half second later call you saying “Hey I lost my token can you recover my data?”.

      • Specal@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        I just use their Authenticator app out of convenience, I get a notification when I login through it and it asks me to input the correct number given by the app, a 2 digit number.

    • CubitOom@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      How does Microsoft’s implementation work?

      Is it possible to log into windows without a Microsoft account using that method?