  1.    19 Jan 2017 #31
    Join Date : Oct 2013
    A Finnish expat in Germany
    Posts : 12,979
    Windows 10 Pro

    Quote Originally Posted by AndreTen View Post
    As the word stupid became so popular with you and dencal...
    I use the S word to stress the fact that not using Two-Step Authentication is just that.

    I have some difficulty understanding your apparent and pointless need to undermine that fact. Somewhat tired of your "yes, but...", I am unsubscribing from this thread after posting this; feel free to post the next "yes, but..." for other members to read, I will not see it.


    Quote Originally Posted by DavidY View Post
    My understanding was that Microsoft's own Authenticator app uses the same algorithm as Google Authenticator.
    I only have the Windows Phone 7.5 version (so it's possible this compatibility has been removed now), but my old phone still let me log in to my Google account when I tested it just now with the Microsoft Authenticator I have.
    As far as I know you can't get Google verifications to work in the latest Microsoft Authenticator app in Windows Phone 8 or Windows 10 Mobile, but in all honesty I have to say I haven't even tried it.

    Kari
  2.    19 Jan 2017 #32
    Join Date : Jan 2014
    Posts : 1,393
    Windows 10 Pro (32-bit) 16299.15

    Quote Originally Posted by Kari View Post
    As far as I know you can't get Google verifications to work in the latest Microsoft Authenticator app in Windows Phone 8 or Windows 10 Mobile, but in all honesty I have to say I haven't even tried it.
    I think the one I use is probably this Authenticator
    For my phone, the Azure authenticator and this app are separate - I understand Microsoft has merged the two into one with the latest app.

    I don't know if this means they've changed the algorithm for non-Azure accounts, but given the Microsoft accounts can also use both the old and presumably the new app, one would imagine it's the same algorithm as before, which would suggest it might work with Google?

    Edit: This suggests the new MS Authenticator should still work with Google, Facebook etc.
    Big Changes Coming to Microsoft Authenticator Apps - Thurrott.com
    UPDATE: It's great news. Microsoft tells me that its new Authenticator apps will in fact work with any online account that supports MFA.

    @Alex_A_Simons: @thurrott Just read your article. Microsoft Authenticators will support OATH at GA! I use with Facebook & Google all the time now.
  3.    19 Jan 2017 #33
    Join Date : Apr 2015
    Posts : 12,848
    W10Prox64

    I think this is a good discussion/topic, and sorry to see Kari has unsubscribed....

    Just thinking out loud:
    If someone were a victim of a MIM (man-in-the-middle) attack, stealing the active cookie session, I think it's then possible to spoof the session, and access an account (even one that's protected with 2FA), at least long enough to do some major damage. I'm not sure exactly how it's done, but it appears to be possible (in my mind).

    Just food for thought...
  4.    20 Jan 2017 #34
    Join Date : Oct 2014
    Posts : 2,467
    W10 Pro + W10 Preview

    Quote Originally Posted by simrick View Post
    I think this is a good discussion/topic, and sorry to see Kari has unsubscribed....

    Just thinking out loud:
    If someone were a victim of a MIM (man-in-the-middle) attack, stealing the active cookie session, I think it's then possible to spoof the session, and access an account (even one that's protected with 2FA), at least long enough to do some major damage. I'm not sure exactly how it's done, but it appears to be possible (in my mind).
    Just food for thought...
    If it's done from an unrecognised computer....it would require phone code authentication.
  5.    20 Jan 2017 #35
    Join Date : Oct 2014
    Trnava
    Posts : 2,871
    Windows 10.4 Home 1709 x64

    Quote Originally Posted by Kari View Post
    authentication when set up correctly never means you lose access to your emails and / or account.
    I did and consequences were severe for me. 2FA is great, in theory, just like relying on AV to detect malware.

    Quote Originally Posted by Kari View Post
    One personal recommendation to you, polite and in all friendliness: It is never a good idea to post anything that could be taken as advice on subjects you know nothing about.
    That is exactly why I have posted it, people should know about the risks. I have seen too many people lose access to their emails, even business, because they have followed the common advice and decided to use it. The only advice I could have offered them was to think twice about using it again. Nothing is perfect.

    It is called 2FA for a reason, you need to provide 2 authentications to access your email, if you lose either, you are damned. If you could gain access with just one, then it would be pointless, it is fairly simple to understand.

    Quote Originally Posted by Kari View Post
    Not using Two-Step Authentication (also known as Two Factor Authentication, TSA, 2FA) to protect your online accounts is not only dangerous but also extremely stupid in today's online world full of scammers trying to get in to your accounts.
    Do you realize, that in many countries, you can get a replaced phone number without providing ID? Not to mention, that faking a phone number to get SMS has been POC way too many times.

    Quote Originally Posted by AndreTen View Post
    Picture is in the first post..
    Quote Originally Posted by AndreTen View Post

    That does not show the important part, since some browsers show the certificate on the right side.
    Last edited by TairikuOkami; 20 Jan 2017 at 08:24.
  6.    20 Jan 2017 #36
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,984
    Windows 10 (Pro and Insider Pro)
    Thread Starter

    Quote Originally Posted by TairikuOkami View Post
    I did and consequences were severe for me. 2FA is great, in theory, just like relying on AV to detect malware.


    That is exactly why I have posted it, people should know about the risks. I have seen too many people lose access to their emails, even business, because they have followed the common advice and decided to use it. The only advice I could have offered them was to think twice about using it again. Nothing is perfect.

    It is called 2FA for a reason, you need to provide 2 authentications to access your email, if you lose either, you are damned. If you could gain access with just one, then it would be pointless, it is fairly simple to understand.


    Do you realize, that in many countries, you can get a replaced phone number without providing ID? Not to mention, that faking a phone number to get SMS has been POC way too many times.


    That does not show the important part, since some browsers show the certificate on the right side.
    You didn't check the link I posted in the first post. Here is part of it:

    This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

    There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.
    As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘https://accounts.google.com….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.
    You are probably thinking you’re too smart to fall for this. It turns out that this attack has caught, or almost caught several technical users who have either tweeted, blogged or commented about it. There is a specific reason why this is so effective that has to do with human perception. I describe that in the next section.
    How to protect yourself

    When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

    Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
    Enable two factor authentication if it is available on every service that you use. GMail calls this “2-step verification” and you can find out how to enable it on this page.
    Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However I have not seen a proof of concept, so I can not confirm this.
    There is also news on ghaks.net
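
The check the quoted article describes (verify the protocol, then the hostname), written out as an added example; it is not part of any post in this thread or of the quoted article. The function name `checkSignInUrl` and all sample strings are constructed for illustration.

```javascript
// Added example (not from the thread or the quoted article).
// Hostname the quoted article names for the Google sign-in page.
const EXPECTED_HOST = 'accounts.google.com';

// Classify a location-bar string: protocol first, then hostname.
function checkSignInUrl(raw, expectedHost = EXPECTED_HOST) {
  const text = raw.trim();
  let url;
  try {
    url = new URL(text);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol === 'data:') {
    // The whole "address" is file content; a familiar URL inside it proves nothing.
    const embeds = text.includes(expectedHost);
    return { ok: false, reason: embeds ? 'data-uri-embedding-expected-host' : 'data-uri' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not-https' };
  // Anything between "https://" and the hostname (userinfo) fails the check.
  if (url.username || url.password) return { ok: false, reason: 'userinfo-before-host' };
  if (url.hostname !== expectedHost) return { ok: false, reason: 'wrong-host' };
  return { ok: true, reason: 'https-and-expected-host' };
}

// Constructed sample inputs; the data: one carries a placeholder, not a real page.
const SAMPLES = [
  'https://accounts.google.com/ServiceLogin?service=mail',
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail' +
    ' '.repeat(40) + 'PLACEHOLDER-FOR-EMBEDDED-FILE',
  'http://accounts.google.com/ServiceLogin',
  'https://accounts.google.com.example.net/ServiceLogin',
  'https://accounts.google.com@example.net/ServiceLogin',
];

function classifySamples() {
  return SAMPLES.map((s) => checkSignInUrl(s).reason);
}

console.log(classifySamples());
```

Only the first sample passes; the `data:` string is rejected on its scheme alone, before the familiar hostname inside it is ever considered.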
  7.    20 Jan 2017 #37
    Join Date : Oct 2014
    Trnava
    Posts : 2,871
    Windows 10.4 Home 1709 x64

    Quote Originally Posted by AndreTen View Post
    There is also news on ghaks.net
    That is what I was looking for, thanks.

 