Microsoft Authenticator in 2024

Cranky Gnome

July 31, 2024

Did you just get Microsoft Authenticator?

Warning: This is a Cranky Gnome post and may be dripping with too much sarcasm.  Viewer discretion is advised.

Congratulations, and welcome to 2016!  Too bad it's too late at this point.

Why did I just get this?

Microsoft has decided that enough is enough and is strongly nudging companies to implement security policies that have already been in action for people who have taken cybersecurity seriously for at least a decade.  One of these things is implementing rules that require more than just a password to log in.  This is called Multi-Factor Authentication or MFA for short. If your IT provider just hooked you up with Microsoft Authenticator, they are slow to the MFA train and had to force it on you like a teenager forced to clean his room.

Geek Gnome Warning: Multi-Factor Authentication technically means more than one type of authentication.  These are typically in the classes of "Something you know" (e.g. passwords), "Something you are" (e.g. fingerprints), "Something you have" (e.g. a certificate or something on your phone), etc.  Using two things you have (such as an SMS code and Microsoft Authenticator on the same phone) is technically still one factor.

To make things more complicated, standards like the Payment Card Industry Data Security Standard (PCI-DSS), which applies to ANY company that accepts credit card payments, require that both factors (like a password and a code from an app on your phone) be collected before the user is told that either of them failed.  If the user is told that one of them failed before being asked for the second, then it's just two separate authentications in a row. This is why you might see "Two Step Authentication" instead of MFA.

What threat does it address?

Back in the olden days, like early 2023, most attacks on systems that used usernames and passwords happened in one of two ways:

  1. Reused Passwords
    Using the same password on a breached site as at work. For example, if your work email address was the same as your LinkedIn email, bad guys would take the password leaked in the LinkedIn breach and try it on your work email.  If the two passwords were the same, the bad guys would get in.

  2. Phishing
    Back then, it was tough to use MFA as part of a phishing attack.  Sometimes, they could forward codes from Google Authenticator and quickly enter them.  However, it wasn't usually effective.  Microsoft Authenticator didn't have codes, so they usually didn't work for this sort of attack.

So, if we jump into our time machine, enforcing the use of Microsoft Authenticator instead of, or in addition to, a password was a great idea. Sadly, it's now 2024 and the times, they are a-changing.

But I'm safe now, right?

No. This is why I'm so cranky.

Since 2023, we've been seeing an increase in attacks called "session hijacking", where phishing techniques are used to take over an already-logged-in Microsoft 365 session, even if you used Microsoft Authenticator to log in. So you're safe if you're living in the teens, but you aren't now, are you?

What can I do?

Of course, Sales Gnome would say to use CyberGnome for IT support and security so you don't fall behind. However, Generous Gnome will give you this hint for free.

  • Use Passkeys to log in (these typically use a fingerprint or PIN on a Windows computer) or a USB device that you touch to log in.  These use a different way of talking back and forth between your computer and the website: the login is tied to the real site's address, so a look-alike phishing site can't pass it along, which means they aren't currently vulnerable to the same kind of session-hijacking attack.

I prefer the USB security keys because they aren't tied to one computer and are a bit more flexible.  Most people with modern computers will use the USB-C version; however, if you have older computers, you might want the USB-A version.  Here are some Amazon links to buy them:

  1. USB-C (new computers) brand name $75: https://amzn.to/3LNiPUo

  2. USB-A (older computers) brand name $67: https://amzn.to/4d3Y1nM

  3. USB-C discount brand $27: https://amzn.to/3Aeufhm

  4. USB-A discount brand $25: https://amzn.to/3LOuQsW

If you're reading this post and thinking "Oh crap, I'm confused, and it sounds like my current IT help is only doing the minimum," feel free to give CyberGnome a call at 403-288-5623 or fill out our contact form.

Don't worry about getting contacted by the Cranky Gnome; we only let him write cranky blog posts in his cave. The CyberGnome is very friendly and has a lot of fun fixing these problems for clients.  You can summon the happy gnomes here.
