26

I have a Microsoft Account linked to a Microsoft Authenticator app for 2FA purposes. Every time I log in, it first sends me the Authenticator request, but I can always click "Other ways to sign in" and then choose "Use my password instead", which then prompts me for the good old password, and logs me in successfully.

[screenshot 1] [screenshot 2]

Lastly,

[screenshot 2a]

But doesn't that negate the point of having the 2FA at all?

I wouldn't expect this mix of a cargo cult meets security theater from a major corporation. Or did I misunderstand something?

schroeder
  • 123,438
  • 55
  • 284
  • 319
mehov
  • 421
  • 4
  • 9
  • 1
    Is this on a PC you've used this account on before? It might be different on entirely new PCs. – Vivelin Jun 23 '20 at 06:43
  • Paysera offers the same two options for their users. – elsadek Jun 23 '20 at 17:43
  • 5
    "I wouldn't expect this mix of a cargo cult meets security theater from a major corporation." Do you have much experience with major corporations? – Tashus Jun 24 '20 at 20:22

2 Answers

99

You didn't actually set up 2FA. You set up your authenticator as an alternative method of single-factor authentication. This is clear from the first screenshot: "... to sign in without a password". If it didn't ask you for a password in the first place, it's probably not 2FA; the password is one of the two factors. The way I read this question it seemed like you'd gotten that prompt after entering your password, because that's when any second-factor authentication prompt would appear, but it looks like that's not what happened.

Go to https://account.live.com/proofs/manage/additional and click "Set up two-step authentication" if you actually want 2FA. You will still be able to "remember" trusted devices after you've completed the two-step auth on them, but any time you try to sign in using a new device (or a private browser, etc.) it should ask for both factors.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
  • 4
    I just checked your link and have 2 step verification enabled on my Microsoft account and I see the same thing happening. I think this is more a matter of the device being trusted, and thus only requiring one step. – Luke Jun 23 '20 at 15:04
  • 9
    I have 2FA enabled, and am not able to log in without both entering my password and using the app. Note that I'm prompted to remember this device when using 2FA, which would likely cause me to only have to use a single other factor (first factor being trusted device). – Erik A Jun 23 '20 at 17:00
  • 3
    You're right, that page said I didn't have the 2FA at all. I take my claim back then. This could be Microsoft at its finest: they failed to communicate to me that this is *not really* 2FA, while they kinda-sorta advertised it as such. And surely, my bad for not double-checking. I enabled the 2FA on that page now, and hopefully it will work as expected. Thank you! – mehov Jun 24 '20 at 08:42
  • 12
    @aexl I wouldn't say they failed to communicate, the page doesn't say anything about 2FA. More like you failed to interpret the message – GammaGames Jun 24 '20 at 22:39
  • 1
    A remembered device is still 2FA: two factors with caching of one factor, or making it non-interactive. If a 2FA authentication method remembers your device, what I think that usually means is that it does some handshake with your device without prompting, and that's a second factor. The password is a secret you know, and the device you're using is a token you have. – Kaz Jun 25 '20 at 03:32
  • @Kaz the "handshake" is typically literally just a value in an HTTP cookie, created when the user clicked 'trust this device' and sent from the client to the server with every request, but yes. – CBHacking Jun 25 '20 at 05:47
  • @aexl The authenticator pages are pretty explicit about it - the application offers multiple options. 1) easier sign in, relying on your phone _instead_ of a password, _or_ 2) two-step verification for more security, _or_ 3) use time-based, one-time passwords. – Luaan Jun 25 '20 at 09:04
  • @GammaGames @Luaan I get it, but up to this point I've been reading about the importance of the 2FA so much, that when I've seen there's a separate authentication app involved, I by default expected that this is going to be a sort of 2FA. By *failed to communicate* I meant that they never explicitly said it wasn't, e.g. something like **This is for convenience and not security. This is not a 2FA; if that's what you want - click [here](https://account.live.com/proofs/manage/additional)**. Lastly, I am a user after all; I am likely to misread or misunderstand, and it's their job to improve the UX. – mehov Jun 25 '20 at 09:57
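Kaz's and CBHacking's comments above describe the "remembered device" as a cached possession factor carried in a cookie. The following is an added example, not code from Microsoft or from any poster here, that models the server-side decision the answer describes: a passwordless authenticator approval is one factor category, a password plus a valid "trust this device" cookie is two, and two proofs of the same category do not add up. The token format, key, lifetime and all names are assumptions made for the example.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass
from typing import Optional, Set

# Constructed demo key and lifetime; a real service loads its key from a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TRUST_TTL = 30 * 86400  # assumed "remember this device" lifetime, in seconds

def issue_trusted_device_token(user: str, device_id: str, now: int) -> str:
    """Mint the 'trust this device' cookie value: HMAC-signed claims bound to user and device."""
    claims = json.dumps({"u": user, "d": device_id, "exp": now + TRUST_TTL}).encode()
    sig = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(claims).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_trusted_device_token(token: str, user: str, device_id: str, now: int) -> bool:
    """Count the cookie as a possession factor only if signature, binding and expiry all hold."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(sig, hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()):
        return False
    c = json.loads(claims)
    return c["u"] == user and c["d"] == device_id and c["exp"] > now

@dataclass
class SignInAttempt:
    user: str
    device_id: str
    password_ok: bool = False             # something you know
    authenticator_approved: bool = False  # something you have: approval on the phone
    trusted_device_token: Optional[str] = None  # cached proof of something you have

def factor_categories(a: SignInAttempt, now: int) -> Set[str]:
    """Distinct categories proven; two possession proofs still count as one category."""
    cats = set()
    if a.password_ok:
        cats.add("knowledge")
    if a.authenticator_approved:
        cats.add("possession")
    if a.trusted_device_token and verify_trusted_device_token(a.trusted_device_token, a.user, a.device_id, now):
        cats.add("possession")
    return cats

def decide(a: SignInAttempt, now: int, two_step_required: bool) -> bool:
    """Passwordless sign-in accepts one category; two-step verification needs two."""
    return len(factor_categories(a, now)) >= (2 if two_step_required else 1)
```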
11

I can't be sure this is what is happening, but some implementations have the concept of a "trusted device" from where they only ask for 2FA once, then consider (at your request) that the device is fully under your control and you don't want to be bothered having to 2FA all the time.

Failing that, you're absolutely right, it completely negates the purpose of having 2FA.

Maybe it's configurable?

Pedro
  • 3,911
  • 11
  • 25
  • 2
    I checked my MS account, and you're right. On trusted machines I can log in with a password. – Anemoia Jun 23 '20 at 19:02
  • One of the authenticator's functions is to allow 2FA - but it's not the only way to use it. It's easy to see on https://www.microsoft.com/en-us/account/authenticator that the primary use is meant to be to make logging in _easier_ - 2FA is optional. If you go into "learn more", it also notes you can use the authenticator for one-time passwords. Again, can be used for 2FA, but doesn't have to be. – Luaan Jun 25 '20 at 09:08