Microsoft Passwordless Code Support

j9ac9k
Community Member

Hello 1Password community,

Today Microsoft rolled out their "passwordless" account service to all accounts. From a glance, it appears that using the Microsoft Authenticator, you can get a 1-time password whenever you log in. Here is an Ars Technica article about it.

In the article, it explicitly states:

> Other authenticator apps like Authy or Google Authenticator won't work with the QR code format that Microsoft uses to enable passwordless accounts.

When I went to my Microsoft account site and attempted to enable it, 1Password would not accept/read in the QR code that was provided (not unexpected).

My question here is, would this be something that 1Password would try and support?

Thanks!
Love the product btw.


1Password Version: 7.8.7
Extension Version: Not Provided
OS Version: macOS 11.6

Comments

  • Hey @j9ac9k

    Thanks for sharing. :) I'm not sure what technology Microsoft is using under the hood here, or if it is available to 3rd parties such as ourselves. I will definitely file this feedback with our development team so they can investigate further, though. :+1:

    Ben

    ref: dev/projects/customer-feature-requests#909

  • [Deleted User]
    Community Member

    @j9ac9k Microsoft is using a proprietary format for the QR code which links the Microsoft Authenticator app to your Microsoft account. However, they also support industry standard authenticator apps, like 1Password. Starting from:
    https://account.live.com/proofs/manage/additional
    Click on Add a new way to sign in or verify -> Use an app -> set up a different authenticator app

  • @rootzero

    I know that is true with their TOTP implementation, but is it true of this new passwordless feature as well? Are they just using standard TOTP on the backend to support that too?

    Ben

  • [Deleted User]
    Community Member

    @Ben You're right that the passwordless feature relies on using Microsoft Authenticator and/or Windows Hello, so this cannot be added to 1Password. I don't think they've added new verification options to support this; they're just allowing people to rely on Microsoft Authenticator push notifications and delete their password entries. I just wanted to make sure that @j9ac9k was aware that they could continue to use 1Password to log in to their Microsoft account.

  • Tertius3
    Community Member
    edited September 2021

    @j9ac9k You might not fully understand how the Microsoft Authenticator works. It's not simply a TOTP app. It is a TOTP app for every 3rd party account except the Microsoft account. If a login to your Microsoft account is pending, a push notification appears on the Microsoft Authenticator app that presents you with 3 different numbers. You need to touch the number that matches the number displayed on the login page. If you touch the wrong number, the login is denied. This is much more convenient than the common behavior of authenticator apps, where you need to enter the 6-digit code for login.
    This special push functionality is proprietary, probably not possible to add by 3rd party authenticators like 1Password. It also doesn't work offline.

    If you want the common behavior (enter 6 digits for authentication), don't choose the "send sign-in notification" login option in the Microsoft account security (that's for the Microsoft authenticator with push) but instead add a login option described as "Enter a code from an authenticator app". Here you get the conventional QR code you can scan with every standard authenticator app including 1Password.

    However, I don't recommend you go passwordless for the Microsoft account. Instead act as if it were passwordless by using only one of the other authentication methods. Change your password to some generated one and store it with 1Password, but never use it after you changed it successfully. If you used your account for half a year without you using your password, you might go passwordless. But I don't see a benefit from it: it's an easy way for recovering your account in case one of the regular methods fails, for example if your smartphone gets lost or broken.

  • j9ac9k
    Community Member

    @rootzero

    > I just wanted to make sure that @j9ac9k was aware that they could continue to use 1Password to login to their Microsoft account.

    Yeah, I'm aware, I use it as such right now. I didn't mean to suggest I thought 1Password was removing that functionality.

    @Tertius3

    > You might not fully understand how the Microsoft Authenticator works. It's not simply a TOTP app. It is a TOTP app for every 3rd party account except the Microsoft account.

    Yeah, I admit I've never used it. I figured it must do something different for Microsoft accounts after 1Password would not read in the QR code.

    > If you want the common behavior (enter 6 digits for authentication), don't choose the "send sign-in notification" login option in the Microsoft account security (that's for the Microsoft authenticator with push) but instead add a login option described as "Enter a code from an authenticator app". Here you get the conventional QR code you can scan with every standard authenticator app including 1Password.
    >
    > However, I don't recommend you go passwordless for the Microsoft account. Instead act as if it were passwordless by using only one of the other authentication methods. Change your password to some generated one and store it with 1Password, but never use it after you changed it successfully. If you used your account for half a year without you using your password, you might go passwordless. But I don't see a benefit from it: it's an easy way for recovering your account in case one of the regular methods fail, for example if your smartphone gets lost or broken.

    This is indeed what I use right now, and it works well. There are some instances (first-time logins with Microsoft accounts on newly formatted Windows PCs) where I think Microsoft's "passwordless" feature would come in handy if 1Password were to support it (which I recognize would require more than just 1Password's desire to support it, but Microsoft exposing the capability to do so).

  • nguyenthuyen
    Community Member

    Hello, cybersecurity experts!

    I think this is a useful topic.

    According to experts, for Microsoft accounts, should we use YubiKey FIPS, Windows Hello to authenticate and log in passwordless? Or still the traditional way: set a hundred-character password (so powerful), save it to 1Password, and forget about it?

    What will be the benefits and advantages of passwordless?

    I have a question: if I only have 1 laptop and 1 phone, and use Microsoft Authenticator to log in without a password, how do I access my account in case the phone breaks down and I cannot access Microsoft Authenticator?

This discussion has been closed.