New Windows 10 build silences Cortana, brings passwordless accounts

Though as ever, Home users are special.

New Windows 10 build silences Cortana, brings passwordless accounts

The latest Insider build of Windows 10, 18309, expands the use of a thing that Microsoft has recently introduced: passwordless Microsoft accounts. It's now possible to create a Microsoft account that uses a one-time code delivered over SMS as its primary authenticator, rather than a conventional password.

In the new Windows 10 build, these passwordless accounts can be used for logging into a machine locally. The initial sign-in will use SMS, and it will then prompt you to configure biometric or PIN authentication. Your face, fingerprint, or PIN will be used subsequently. This capability is in all the editions, from Home up to Enterprise. A few previous builds had constrained it to Home only.

While SMS-based authentication has security issues of its own, Microsoft seems to feel that it's a better bet for most home users than a likely insecure password. Removing the Windows login password is part of the company's broader efforts to switch to using a mix of one-time passwords, biometrics, and cryptographic keys.

Read 3 remaining paragraphs | Comments

Microsoft offers completely passwordless authentication for online apps

Phone-based authentication is the way forward instead.

Article intro image

Applications using Azure Active Directory (AD) to authenticate—a category that includes Office 365, among other things—will soon be able to stop using passwords entirely.

Azure AD accounts can already use the Microsoft Authenticator app for two factor authentication, combining a password with a one-time code. With the new passwordless support, authentication is handled entirely by the app; the app itself represents "something you have," and this is combined with either biometric authentication or a PIN. Passwords have a long, problematic history; while they can be very strong, if suitably long and suitably random, human passwords are often short, non-random, and reused across multiple sites. App-based authentication avoids this long-standing weakness.

Enabling two-factor authentication is just one of the things that organizations can do to improve their security. To that end, Microsoft has extended "Microsoft Security Score," a tool used to assess organizational policy and provide guidance on measures that can be taken to harden an organization against attack. Secure Score already spans Office 365 and Windows security features; to these, Microsoft has added Azure AD, Azure Security Center, and Enterprise Mobility Suite, covering a wider range of settings and options.

Read 2 remaining paragraphs | Comments

Practical passwordless authentication comes a step closer with WebAuthn

Enlarge (credit: Pablo Viojo / Flickr)
The World Wide Web Consortium (W3C) and FIDO Alliance today announced that a new spec, WebAuthn (“Web Authentication”) had been promoted to the Candidate Recommendation stage, the penultimate stage in the Web s…

Enlarge (credit: Pablo Viojo / Flickr)

The World Wide Web Consortium (W3C) and FIDO Alliance today announced that a new spec, WebAuthn ("Web Authentication") had been promoted to the Candidate Recommendation stage, the penultimate stage in the Web standards process.

WebAuthn is a specification to allow browsers to expose hardware authentication devices—USB, Bluetooth, or NFC—to sites on the Web. These hardware devices enable users to prove their identity to sites without requiring usernames and passwords. The spec has been developed as a joint effort between FIDO, an industry body that's developing secure authentication systems, and W3C, the industry group that oversees development of Web standards.

With WebAuthn-enabled browsers and sites, users can sign in using both integrated biometric hardware (such as the fingerprint and facial-recognition systems that are widely deployed) and external authentication systems such as the popular YubiKey USB hardware. With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks, and replay attacks.

Read 3 remaining paragraphs | Comments

security – Ars Technica 2017-08-25 15:40:03

Enlarge (credit: Michael Theis)
Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 “Internet of things” devices and make them part of a destructi…

Enlarge (credit: Michael Theis)

Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.

Read 10 remaining paragraphs | Comments