Spot on!
and, I see that you agree with me about a ton of hay wintering a cow.
But, when used as a login to Windows on a computer (which is all a local account can do) neither can a Microsoft Account!
With the exception that the very first time you log in you need to provide a 2-step code, but the problem is it never seems to ask again for a 2-step code.
In the scenario that an attacker has access to my laptop and knows my password, then assuming I've logged in once, the 2-step verification provides no more security, except that the attacker might have access to more things with a Microsoft Account, such as easy access to email.
Sadly the 2-step verification doesn't seem to protect in this scenario.
You'll note who asked the first question on that tutorial.
Here's the thing - I'm actually quite a fan of 2-step verification, and if it asked me for a 2-step password when I logged into Windows (at least sometimes, or gave me a checkbox to not remember the device) then there would be an advantage over a local account. Hence my question on that tutorial. But as it is, 2-step verification is a bit pointless as far as logging into a computer is concerned, because it remembers the device, seemingly for ever, and an old-fashioned 1-step password is all you need to log in.
Incidentally this page says: "If you don't sign in to a particular trusted device at least once every two months, we'll automatically remove it from your Microsoft account. This helps keep your account secure in the event that a trusted device is lost or stolen without you realising it. You can always trust a device again later." ... but I just tried logging back in to the test account I set up in Feb 2014 in Windows 8 when I was working through that tutorial. I haven't logged into that account on that computer for ages (certainly more than 2 months) but it still didn't ask me for an authenticator code.
Fair point - you can see who's logged in - although it's unhelpful that the MS Account suggests you logged into Internet Explorer when all you've done is log into a PC - that log could be clearer.
In general, my suspicion is that MS accounts have more ways to go wrong than a local one. I'm still not convinced that I should change my policy of keeping an admin-level local account on each device for maintenance and recovery purposes.
Sure and I said this from the perspective that someone who uses MS Account needs to be more careful by setting up a two-step verification. I didn't mean that local accounts are more secure than MS accounts. It's exactly the opposite as you said. But if someone uses MS account he/she needs to enable the two-step verification or set up a very strong password because an MS account includes all of your MS ...Account. :) It's not just an unvalued account like a local is.
So today I tried to log into my Windows 8.1 tablet using an MS Account which I'd previously set up.
But it wouldn't let me.
It said it was offline (true enough, but that shouldn't be a show-stopper on a mobile device which only connects via WiFi that might not be there) and that I should enter the last password used to log into my PC. But even entering the correct password for that account (which I'm pretty sure hasn't changed since I set up the account on the tablet) it still wouldn't let me in. The only way I could get in was with my local account. A little later, and after I'd connected to WiFi and logged in and out again on the MS Account, it was happy to connect when offline (using the same password), but this sort of flakiness is not what you want in a user login.
I know it's Windows 8.1 rather than Windows 10, but this just adds to my belief that Microsoft Accounts are more likely to fail and can't be relied on as the sole login method.
I don't know how I did it but my MS account password and my Gmail password are different. I think it was in February I changed my password for my Gmail. I still log in to my MS account with the old Gmail password. I wonder if that's why MS won't send my security code to my Gmail address any more. I have to have it sent to my cellphone.
The standard rule applies; if you want something to be secure, don't send it over a network.
There is a downside with a local account. If you want applications like Calendar to work, you need an MS account.