Microsoft preps two-factor account login: Twitter next?

Microsoft is getting ready to launch two-factor authentication for its Microsoft accounts, according to a report by Microsoft news site LiveSide. This is an optional feature designed to thwart hackers and prevent accounts from being hijacked.

Once enabled by the user, the feature will require a user to enter a code generated by their smartphone when logging into their Microsoft accounts on a computer or device not on their list of trusted PCs.

In other words, for people who enable the feature, there will hopefully be no more having to tell your contacts: “I’m sorry about those messages, my account has been hacked.”

Competing services including Google already offer two-factor authentication, but one site that has yet to roll it out is Twitter, which could clearly use this type of account protection, given some of the issues it has experienced.

Here’s what Del Harvey, Twitter’s director of trust and safety, said in response to my questions about the issue last year: “I think everything is a possibility in the future, certainly, but quite frankly, two-factor authentication is not the most practical use of resources. The folks who use two-factor authentication are a pretty small segment of the population as a whole. They’re usually the more savvy folks who are less likely to get phished in the first place.”

However, a job post that surfaced in February indicated that Twitter also has multifactor authentication in the works.

Microsoft hasn’t confirmed plans for two-factor authentication, but LiveSide has screenshots, and an Authenticator app is already available from Microsoft in the Windows Store (although there isn’t yet the option to link it with a Microsoft account). LiveSide reports that Microsoft’s two-factor account authentication will also work with authentication apps on Android, iOS and BlackBerry.

  • http://www.mainstreetchatham.com/ JimmyFal

    I see dozens of Yahoo accounts hacked, AOL. I haven’t seen an Outlook.com hacked message in my inbox yet, but this is good.

    What I really want to know is exactly how an account gets hacked. Do bots systematically guess passwords or are they getting around the passwords? Honest question that I have never received a satisfactory answer to.

    • http://www.christopherbudd.com Christopher Budd

      First, it’s good that they’re doing this finally. Though it is sad that it’s taken this long given that account hijacking has been a real problem since at least 2007 (http://www.zdnet.com/blog/security/xbox-live-hacked-accounts-stolen/131) up through March (http://www.theverge.com/2013/3/19/4125886/microsoft-confirms-high-profile-employee-xbox-live-accounts-hacked).

      And to be clear, this is (and has been) an industry-wide issue. Like Todd notes, Twitter takes the cake for account hijacking problems and they STILL don’t have a solution or the promise of one.

      How does it happen? There are a number of ways and often it’s never completely clear what caused it. Some possible causes:

      1. Phishing: someone inadvertently gives their account information away to a phishing site which then gets

      2. Malware: you get a keylogger or other malware on your system that records your credentials when you’re using your account.

      3. Cookie theft over unsecured WiFi: Generally less of an issue today because more sites secure their authentication cookies with SSL, but if you’re interacting with a site that doesn’t use SSL to protect the cookie over an open WiFi network, I can sniff your traffic, capture your cookie and pose as you.

      4. Hacking account recovery options: This is an angle that combines information gathering and social engineering (often against support people). Through a combination of means, you assemble enough information to be able to successfully use the account recovery mechanisms in place to take control of an account. This is labor intensive and so tends to be targeted (e.g. Sarah Palin, the recent rash of celebrities whose info got posted).

      5. Successful attacks against account repositories: This includes things like when Twitter had account info lost and forced a password reset. This is particularly bad when people are recycling usernames and passwords. If I get your email and password from some small, poorly secured site and that password is what you use for that email account, then I’ll have your email account under my control in no time.

      Two factor authentication is a good countermeasure because it’s effective across many scenarios so the specific how doesn’t matter so much.

      • http://www.facebook.com/people/Mike-Christensen/676694755 Mike Christensen

        I wonder if two-factor authentication would still be susceptible to cookie theft then. I’d guess they use a cookie to mark a “trusted computer”, so if that cookie were stolen, you’d have the same problem. Perhaps they could hash the cookie by IP address for some added security though.

        • http://www.christopherbudd.com Christopher Budd

          By itself 2FA wouldn’t protect against the cookie theft vector, you’re right. The second authentication token is used to verify and then you get the session cookie.
          But realistically, implementing SSL at least for the cookie if not the entire session is easier and cheaper than 2FA and so we’ve seen nearly all major vendors adopt SSL already.
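As an added illustration of the two points made in this thread (that a phone-generated code plus a “trusted computer” cookie stops the password-only and password-reuse cases, while a stolen session cookie still works because the second factor is only checked before the session is issued), here is a small model of that login flow. It is example code written for this page, not Microsoft’s implementation and not anything LiveSide reported; the server key, the 30-day trusted-device lifetime, the user “alice”, the device identifiers and the TOTP seed are all constructed values. The trusted-device token is bound to a device identifier rather than to an IP address, which is the workable form of the “hash the cookie by IP” idea (IPs change with NAT and mobile networks, so binding to them locks people out).

```python
"""Added example (not from the article, Microsoft or the commenters): password +
TOTP second factor, a signed trusted-device cookie that skips the code on a
known device, and a plain bearer session cookie. All secrets and names are
constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

SERVER_KEY = b"constructed-server-signing-key"   # assumption: kept server-side only
TOTP_STEP = 30                                   # seconds per code (RFC 6238 default)
TRUSTED_TTL = 30 * 24 * 3600                     # assumption: trusted-PC cookie lives 30 days


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 code for the step containing time `at` (what the phone app shows)."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked repository does not hand out reusable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self):
        self.users = {}     # name -> salt, password hash, TOTP seed, 2FA flag
        self.sessions = {}  # session cookie value -> user name

    def register(self, name, password, two_factor=True, totp_secret=None):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw_hash": hash_password(password, salt),
                            "totp_secret": totp_secret or secrets.token_bytes(20),
                            "two_factor": two_factor}
        return self.users[name]["totp_secret"]   # enrolled into the phone app (e.g. via QR code)

    # Trusted-device cookie: name|device|expiry|HMAC. The MAC covers every field, so the
    # cookie cannot be forged, pointed at another user/device, or have its expiry extended.
    def _trusted_token(self, name, device_id, expiry):
        msg = f"{name}|{device_id}|{expiry}"
        sig = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
        return f"{msg}|{sig}"

    def _trusted_ok(self, token, name, device_id, now):
        try:
            t_name, t_dev, t_exp, _sig = token.split("|")
            expected = self._trusted_token(t_name, t_dev, int(t_exp))
        except ValueError:
            return False
        return (hmac.compare_digest(token, expected) and t_name == name
                and t_dev == device_id and now < int(t_exp))

    def login(self, name, password, device_id, now, code=None, trusted_cookie=None, remember=False):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return {"status": "denied"}
        trusted = bool(trusted_cookie) and self._trusted_ok(trusted_cookie, name, device_id, now)
        if user["two_factor"] and not trusted:
            if code is None:
                return {"status": "need_second_factor"}
            if not verify_totp(user["totp_secret"], code, now):
                return {"status": "denied"}
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = name
        # Secure + HttpOnly: the cookie only travels over SSL and is hidden from page scripts.
        result = {"status": "ok", "session": {"value": sid, "secure": True, "httponly": True}}
        if remember and user["two_factor"]:
            result["trusted"] = self._trusted_token(name, device_id, now + TRUSTED_TTL)
        return result

    def resume(self, session_cookie):
        """A session cookie is a bearer token: whoever presents it is the user."""
        return self.sessions.get(session_cookie)


def walkthrough():
    """Runs the scenarios from the thread and returns each outcome."""
    svc = AccountService()
    now = 1_700_000_000                                     # constructed clock value
    seed = svc.register("alice", "correct horse", totp_secret=b"constructed-totp-seed")
    phone_code = totp(seed, now)
    out = {}
    out["password_only"] = svc.login("alice", "correct horse", "laptop", now)["status"]
    first = svc.login("alice", "correct horse", "laptop", now, code=phone_code, remember=True)
    out["password_and_code"] = first["status"]
    trusted = first["trusted"]
    later = now + 86400
    out["trusted_device_later"] = svc.login("alice", "correct horse", "laptop", later, trusted_cookie=trusted)["status"]
    out["trusted_cookie_wrong_password"] = svc.login("alice", "guess", "laptop", later, trusted_cookie=trusted)["status"]
    out["trusted_cookie_other_device"] = svc.login("alice", "correct horse", "cafe-pc", later, trusted_cookie=trusted)["status"]
    out["trusted_cookie_expired"] = svc.login("alice", "correct horse", "laptop", now + TRUSTED_TTL + 1, trusted_cookie=trusted)["status"]
    out["stale_code"] = svc.login("alice", "correct horse", "tablet", now + 300, code=phone_code)["status"]
    out["stolen_session_cookie"] = svc.resume(first["session"]["value"])   # still "alice"
    return out


if __name__ == "__main__":
    for scenario, outcome in walkthrough().items():
        print(f"{scenario:32} {outcome}")
```

The last scenario is Christopher Budd’s point: `resume()` accepts the session cookie from whoever holds it, because the code from the phone was only consulted when the session was created. The defence for that step is the one he names, sending the cookie only over SSL (the `secure` attribute above), not more factors at login.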