

With all the hype surrounding Authenticator Apps, I decided to enable the Microsoft Authenticator on my personal Microsoft account. Microsoft describes the Authenticator as “More secure. Passwords can be forgotten, stolen, or compromised. With Authenticator, your phone provides an extra layer of security on top of your PIN or fingerprint.” As a naturally curious security professional, I am constantly trying out new security services and decided to test Microsoft’s claims. I downloaded the Authenticator app and added my personal Microsoft account to it. The app asked for my Microsoft password and email verification code. Note that both of these are vulnerable to a simple phishing attack. I completed the registration process and logged into my account several times using the Authenticator app to verify that it worked. I could log into my account without a password. My assumption, after enabling the app, was that no one else could log into my account without me approving it first through the Authenticator app. It goes without saying that no one should be able to register another Authenticator app on my behalf without me approving it first with the Authenticator app that I already have. So I asked a friend to try to add my personal Microsoft account to his Microsoft Authenticator app.

After he entered my email address I got a push notification on my mobile device. I opened the push notification on my device and selected “Deny” to prevent him from continuing. But my friend was faster and selected “use password instead” on his phone moments before I selected “Deny”. My friend was then able to enter my password and email verification code and successfully register his Microsoft Authenticator using my account.

Microsoft completely ignored me pushing the Deny button and didn’t provide any feedback that a new Authenticator app was registered on my behalf. After this experiment we were both able to log into my account, each with our own phones.

But what happens if one of us chooses Allow and the other chooses Deny? Apparently first to click wins. If the attacker tries to log in and clicks Approve first, the victim can click Deny but it won’t matter – the attacker will get in and once again – no indication is sent to the victim that someone got in. Microsoft Authenticator would not prevent a criminal from accessing an account once they have obtained a username and password.
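The behaviour the experiment above exposes (first click wins, Deny silently ignored, a password fallback that sidesteps the push prompt, and a second authenticator registered without the owner hearing about it) can be contrasted with a challenge design where Deny is authoritative. The following is an added illustration written for this post, not Microsoft's code; the `Account`, `LoginChallenge` and `register_authenticator` names are hypothetical and model only the checks discussed here.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    authenticators: set = field(default_factory=set)   # device ids enrolled by the owner
    notifications: list = field(default_factory=list)  # messages the owner must see

@dataclass
class LoginChallenge:
    """One push-approval prompt for one sign-in attempt."""
    account: Account
    responses: list = field(default_factory=list)      # (device, decision) in arrival order

    def respond(self, device, decision):
        # Only an enrolled authenticator may answer; any other phone is ignored.
        if device not in self.account.authenticators:
            return
        self.responses.append((device, decision))
        if decision == "deny":
            # The owner always learns that a sign-in was refused on their behalf.
            self.account.notifications.append(f"sign-in denied from {device}")

    def result(self):
        decisions = {d for _, d in self.responses}
        if "deny" in decisions:            # a Deny is final regardless of click order
            return "denied"
        return "approved" if "approve" in decisions else "pending"

    def complete_with_password(self, password_ok):
        # The password is an extra factor, never a substitute for push approval,
        # so "use password instead" cannot skip a pending or denied prompt.
        if self.result() != "approved":
            return "denied"
        return "approved" if password_ok else "denied"

def register_authenticator(account, new_device, approval):
    """Enrol a new device only after an existing authenticator approved it."""
    if account.authenticators and approval.result() != "approved":
        account.notifications.append(f"blocked enrolment of {new_device}")
        return False
    account.authenticators.add(new_device)
    account.notifications.append(f"authenticator {new_device} enrolled")
    return True
```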
