Asking AgileBits: OTP with Microsoft -- is it wonky for anybody else?
Hi everybody, so I ran into something strange and hallelujah, the strangeness is not happening with 1Password. So I started listening to the 1PW podcast, and realized I should implement OTP in the 1Password app for those services using Google Authenticator. Did all the service updates and got OTP running in 1PW, everything went smoothly with the exception of Microsoft.
I realized after a day or two, that despite disabling OTP, and then immediately reenabling OTP with Microsoft, that I was no longer prompted to provide a OTP, only ID and password.
I actually raised a security alert with MSFT's security team. They said, yeah, that looks like a bug but because [reasons] we are closing the ticket and try customer support. So I did that and got the strangest response from customer support. They said that because I made a security change, that change would not be implemented for 30 days. This sounds like total BS to me, but whatever.
30 days has elapsed, and not surprisingly, two factor authentication is still not working correctly with MS.
Has anybody else encountered this?
Edit: Ah! I forgot an important wrinkle. So if I surf directly to onedrive.live.com, I am not prompted for the OTP. BUT if I try to open the MS account security page, then I'm asked to provide the OTP. Screwed up, isn't it?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
You did say Microsoft, right? 8-) ;)
0 -
@AlwaysSortaCurious can't blame me for asking here ;-) I reckon I can't be the first 1Password & MS user to have disabled OTP (using only Google Authenticator on my phone and MS OTP worked perfectly) only to reenable OTP immediately (for 1PW and Google Authenticator and now OTP is screwed up). I wonder if anybody else might have found themselves with the same MS situation, and if so, what they did to fix it.
Half tempted to ping Krebs on Security.
0 -
I suspect it's got something to do with all the various separate authentication systems Microsoft has merged over time. I used to have separate accounts for Skype, Live, Office, and probably some others I'm forgetting. They're mostly all covered by one now, but it can still be confusing for me. I wonder if I signed up from scratch now I'd have a more seamless, unified experience. I can't say I've encountered the specific issue you describe, but something similar used to happen to me with HockeyApp...
HockeyApp! Yeah, that's another one. :lol:
Regarding OneDrive versus account settings, that does make some sense to me, because the latter would allow someone to steal your account completely, while the former would "only" allow them to get files you stored there. But do you maybe see different results when signing in using a new browser? It may be that they're just not requiring full authentication where you've already signed in. I guess if nothing else it just isn't obvious as a user.
Anyway, I agree that Google's authentication systems seem to work more like I'd expect them too, which in comparison is kind of impressive since they too use to have separate systems for YouTube, Gmail, etc. But then Microsoft probably still has stuff behind the scenes from before Google even existed. Not nearly as bad as financial institutions, which often seem to have infrastructure dating back to the Cold War (when your bank only allows an 8-12 character password -- true story, though this changed for me recently). I find this stuff fascinating. :)
0 -
@brenty Thank you for your observations Brenty. From a cleared-cache no-addons browser, I have also tried logging into outlook.com, same issue with the missing OTP prompt. On a daily basis, I use onedrive.live.com most so used that service as a primary example. I haven't gone to the trouble of testing all the various MS services yet. I suppose I ought more thoroughly document the issue and resubmit to the MS security center, and see if I can get them to reconsider their initial closure of the bug report. In addition to pinging Krebs on Security :-)
Thank you again!
0 -
@Superfandominatrix lol.. I wasn’t poking fun at your choice of posting location I was poking fun a a desire for consistency and Microsoft!
0 -
You're welcome! I'd be curious what they said the first time, and what you hear back with any followup you end up doing. :)
0 -
@brenty My first attempt was to contact Microsoft Security Response Center secure@microsoft.com. This was their first response. I am not a security researcher, so fulfilling their list of reporting requirements, particularly the 3rd bullet point, is outside my wheelhouse. Honestly, I shouldn't have to explain to security professionals why a bad implementation of 2fa can lead to their user base having increased security risks.
Thank you for contacting the Microsoft Security Response Center (MSRC). What you're reporting appears to be a bug, but would not meet the bar for security servicing. If you can consistently produce this,
please send in a new report and it may potentially meet
the bar for servicing. Please make sure to include the follow information when sending in vulnerability reports:* Description of the vulnerability
* Detailed steps required to consistently reproduce the issue
* Short explanation on how an attacker could use the information to exploit another user remotely
* Proof-of-concept (POC), such as relevant code samples, a video recording, crash reports, or screenshotsEdit: splitting to see if formatting improved
0 -
Part 2: The security center guys suggested I escalate through normal support channels. This is my communication with the CS robot.
Kenneth B
Well as you have mentioned earlier you have removed the 2 step verification yesterday.Me
i removed two factor authentication on Oct 27, then added back immediately the same day.Kenneth B
So if you added it back you will need to wait for about 30 days before it will reflect on your account.Kenneth B
That means that you must wait until Nov. 27Me
that's crazy.Me
if i change a password, do i have to wait 30 days?Kenneth B
Changing passwords is not included there.Me
is there a support page that says two factor authentication does not reflect on an account for 30 days?Me
because I have a hard time believing that is the way Microsoft implemented two factor authentication.Me
2fa does not work like that *anywhere* else for any other cloud computing platform.Kenneth B
There is, here's the only page that will answer to that question
https://support.microsoft.com/en-us/help/12428/microsoft-account-security-info-security-codes
Microsoft has a different way of making their security.Kenneth B
Same as the othersMe
okay. I see that note. I did not, however "remove all my security information". The recovery email address
and mobile telephone number did not change.Me
the only thing that changed was the removal and return of two-factor authentication.Me
so the case of "removing all security information" does not apply in this case.Kenneth B
_Okay let me give you this link _
https://support.microsoft.com/en-us/help/12408/microsoft-account-how-to-use-two-step-verificationKenneth B
As this will also prompt you to the link which I also provided earlierMe
i have full control over my account, i never lost control. so the 30 day period still does not apply.Kenneth B
That's why I told you that making any changes on your security info's will have to wait for about 30 daysKenneth B
before it reflects on your account.Me
listen, what i will do is wait until Nov 28 and see if this clears up. i will be in touch if this does not clear up. To be clear, this
security implementation is substandard.0 -
Part 3: In parallel to whining here, I spoke to MS support over the phone this morning. The poor fellow tried to tell me that this new behavior was normal because MS was smart enough to know my home IP address, therefore would only prompt me for a OTP when I tried to log in away from home.
I told him I would believe him for now, but the next time I take a device to Starbucks, I was going to test his theory.
I am guessing that his explanation is incorrect. I just went on a trip over the Thanksgiving holiday, and while I can't remember if I logged into https://onedrive.live.com while away from home, I 99.9% remember logging into notebooks.azure.com and the faulty behavior occurred on that service while away from my home IP address.
0 -
@prime I ran across that news too, while googling. MS's 2fa implementation sure looks dubious. Here's to keeping close track on recovery keys!
0 -
@prime I ran across that news too, while googling. MS's 2fa implementation sure looks dubious. Here's to keeping close track on recovery keys!
You’re not kidding! Microsoft can screw up a 1 car funeral.
0 -
@Superfandominatrix: Just in case you're at all worried that you're losing your mind, I use a few different VPNs frequently and haven't (yet) triggered additional authentication requirements from Microsoft -- though some other services definitely do make me go through extra steps as a result.
Honestly, I wouldn't be too worried about getting locked out. Microsoft (and, frankly, most vendors) err on the side of "fail safe" as opposed to "fail secure" -- e.g. we've got multiple recovery options at our disposal. That sounds not-good-for-security, but as long as we use fake security answers (e.g. not your mother's actual maiden name) then an attacker couldn't either.
I get why they're more lax in this regard, and while "lax" sounds bad, I don't hold it against them since I think it is a reasonable tradeoff given their business. We've taken a different approach with 1Password.com security though, certainly because our entire focus is security, but also, related, because we're cowards and don't want there to be any way for an attacker to socially engineer us to get to user data; we're just not in a position to grant access to it.
I really appreciate you sharing this though. First, it never hurts to bring something like this up here because we're nerds and may have some insight (though not so much in this particular case). But also I think it's important for us to look at what others are doing to consider if we've made the right decisions or not, and what we might do better. I think we've made the right call in the context of 1Password, but one thing we do struggle with equally with Microsoft in this area is it's not always obvious to the user what they should expect. For example, a common point of confusion is that some people expect that having two-factor authentication enabled on their account will require them to enter a one-time password any time they unlock 1Password. That isn't how it works, since that would mean not being able to access our data offline. But I do hope we can do better with making 1Password intuitive. There are a lot of different perspectives to consider. Cheers! :)
0 -
@brenty have a solution for this, if anybody else runs across any difficulty. In the account security page, head to "Additional Security Options". Apparently, in addition to having set up the "Identity Verification Apps" section (something I had already done), the end user has to know to also enable the "Two step verification" section right above. I did not do this last step thinking that two step and identity verification app set up would be different pathways to establishing different types of controls over the account. I had thought two step verification set up SMS / email code delivery or some such. This apparently is not the case, and two separate set up steps were required to fully secure the account using an external code generation service like Google Authenticator / 1Password.
0 -
@Superfandominatrix: Ohhhhhhhhhhhhh. Okay. That helps, though I agree it's confusing and not quite what I'd expected either. Probably doesn't make it any easier that no two sites seem to do this the same way. Thank you for sharing that! :)
0