Friday, 2 September 2016

Do people still not understand "safe by default"?

So I've been on another Microsoft journey today. Journies that should be SOOOOO much quicker than they are due to ill thought-out documentation and unlayered documentation which means reading pages of stuff looking for things that might not be there because it's unclear what is going on.

I'm talking about multi-factor authentication (MFA), something that is a no-brainer for any admin accounts for cloud accounts.

Do this in AWS and its REALLY easy to find, setup and it works with Google Authenticator. On Azure? Nowhere near as useful.

Why? Because Microsoft do 3 sorts of MFA that are different but really similar: Office 365, Azure Administrators and a general systems for Azure AD users.

The first two are free - included in your subscription and the 3rd isn't. I wanted the second one only, to secure access to the portal.

Eventually after seeing a number of MS people confusingly pointing to links for the 3rd option which is much more involved I found a useful clue that if you use a Windows Live ID to access Azure (like I do) then you CAN'T set up the MFA that is part of Azure - wherever that is supposed to be done - and for reasons that are not really very clear. You have to set it up instead under

So off to there, download the Microsoft Authenticator app and enter my password on that (which actually enables 2-step implicitly, which I found slightly confusing). If you then go to "enable 2-step verification" on the web site, it doesn't seem to do anything, just takes you through some screens asking if you do certain things (which I don't).

Anyway, the main moan is about the screen that comes up when you try and login with your account:

You see the line that very helpfully says, "I sign in frequently on this device. Don't ask me to approve requests here". It is ALWAYS ticked by default. If you untick it, next time you login, it will be ticked.

Of course, the first time it happened, I wasn't reading this screen, I was clicking the approve button on the device, only to look up and see this checkbox just as the screen automatically navigated to the page I was going to. Too late to untick it.

Of course, I could not find any way to "un-remember" this selection anywhere, the only option seemed to be disabling 2-step and then enabling it again but the next time, I unticked the box, since I always want to use it with this email address but next time you login, it shows it ticked again.

Microsoft, and other companies, why do you KEEP getting these basics so wrong? Don't tick the box by default. If I want to tick it, I can and I'll not see the message again. If I forget to tick it, the next time it comes up, I can easily tick it and we're all good - this is just wrong - as if no-one thinks about these things in an objective way.

Which means that the award for the most recent example I have found of "unsafe by default" is Microsoft.

Sure, the attack vector is that someone would have to login from my device but for those of us in the corporate world, it is highly likely that an attacker would use my own device against my account and therefore this one poor decision has completely undermined 2-step security.

Post a Comment