How not to 2-factor

I've had a nasty surprise on a Sunday morning: someone accessed my supposedly 2-factor protected Microsoft account, elegantly sidestepping the whole 2-factor authentication. How? And Why would Microsoft do this?

I registered a Microsoft account to have a "portable" profile for Windows 8 and to be able to use the app store. I've never used the mailing or calendar parts of it. Then I realized Windows 8 wasn't really my cup of tea, so now I don't use any function of it other than logging in to my Surface Pro 2.

The answer is: Microsoft STILL hasn't fixed their IMAP. As apparent from this now-year-old ZDnet article, you don't have to use a separate app password for IMAP logins. You can use your oh-its-2-factor-so-I-can-use-something-I-can-actually-remember. Also, don't forget that there is still a 16 characters limit to Microsoft passwords.

The official answer is that it would annoy customers. But just look at Google, who managed to actually use app passwords for the IMAP/POP3 access. So it can be done, and done well enough for companies using Google's service.

Official Fix? You won't get any!
As this compromise happened to an unused email account, I tried disabling IMAP, as I knew I could in GMail. You cannot. Great going, Microsoft! Why would I ever want to disable an attack vector?

The Solution
Your only choice is to have a limited length, 16-character password that you hope is secure enough and you remember every damn time you have to log in. If you find one, you might as well just turn the bloody 2-factor authentication off. As you can see from the story above, it doesn't help you mitigate attacks as well as a real 2-factor would. Or just transition to GMail, as Google has actually done a good job in implementing 2-factor authentication.

No comments: