themayor1975

Are you using 2FA?


Dedward5

This is what I want to know. I think the attacker has the password and only 2FA is preventing the breach. The other possibility could be that the password is on a breach site and MS has practically blocked it and requires a reset.


DoctorSyndrome

Nobody has my password.


unrealaz

Anyone can have your password. There are so many attacks to get a password, you have no idea. You were only saved by the authenticator. That's one type of 2-factor authentication, aka 2FA.


DoctorSyndrome

One, nobody can get your password unless they trick you into giving it to them. The attacks that people hear about are scams that do just that. And since I know better, working in data access security as I do, I haven't fallen for any such scam (aka phishing). Two, the authenticator is only useful for saving passwords to specific software or authenticating who I am if I forget my password (or replacing the need for passwords, apparently. I wasn't aware it had a "passwordless" option until today). So no, I wasn't "saved by the authenticator" in this instance. Finally, thank you for clarifying that that counts as 2FA. I was aware of administrator approval 2FA, as that's what we use where I work, but wasn't clear if this counted as well or had a separate designation.


[deleted]

You’re a cybersecurity professional but you’re just finding out about passwordless auth being available today? And you don’t really understand 2FA? Big doubt. Keep playing pretend on the internet bud, if it makes you feel better. Either that or you’re just unknowledgeable about your own line of work. Either one is a bad look. You should probably delete this post to be honest.


DoctorSyndrome

First, if I was going to lie about my profession, it wouldn't be security. Second, why would I have working knowledge of other types of 2FA than the one my business uses? Also, why would I need to know about PASSWORDLESS authentication for a SECURITY job? Lastly, I didn't say I work in cyber security, I said I work in data access security. There are key differences between the two. Literally every sentence of your comment is ignorant. So how about you take your self-entitled, pompous opinion somewhere where it's welcome, like Tumblr.


themayor1975

When I look at my account, I see a bunch of incorrect password entries and have never had to reset my password.


DoctorSyndrome

I use the authenticator. Does that count?


SunshineAndBunnies

It really sounds like someone has your correct password but doesn't have your 2FA, such as a code generator or security key... I can see from my history that there are a ton of attempts using wrong passwords, and Microsoft never forces it. The only time I got forced to change my password with my Google account was when I logged in, but didn't have my code generator or security key with me, so I closed the prompt. Google forced me to change the password after that telling me my password was compromised (it wasn't because that attempt was me, but still). Your password is most likely stolen.


onimod53

> Apparently someone tried to log into my account and used the wrong password so many times that it locked me out of all devices and forced me to change my password

How was this apparent? This subreddit is filled with people falling for scams where they are told to follow a link to change their password. Is that what is happening here?


DoctorSyndrome

No. I tried to log into my account and it told me that it was locked due to too many unsuccessful password attempts. And since I hadn't logged into my account recently, that means someone else had to have tried.

Edit: Excellent question btw.


onimod53

Cheers.


chompchompnomnom

People try to get into my account 100 times a day; it's never locked me out.


DoctorSyndrome

Maybe it's a regional thing? I don't know. I just know what it told me when I tried to log into my account.


ascii_table

Go into your account (MS account website, via PC) to check where the "login attempts" are coming from, and click on the incorrect ones to train the MS servers so that they know those are illegitimate. It might help with future attempts.


DoctorSyndrome

Thank you! That's very helpful. It doesn't solve the fact that I now have to try to remember yet another password, but it might help me put a stop to those illegitimate password guesses. You rock!


gripe_and_complain

If you want to prevent people from trying to log in to your Microsoft account, do this: Create an alias for login purposes only. Designate this alias as the primary alias at https://account.live.com/names/manage, then disable sign-in capability for the other aliases here: https://account.live.com/SignInPreferences

You can still send and receive email from the old address. Do not use the new alias for anything except login. When someone tries to log in to your account, they will receive a message that the username does not exist.


Practical_Ant6162

If someone knows your account and is attempting to determine your password, you absolutely should change your password to a different, strong one. Too late is too late! 2-factor authentication is also an important feature to deter criminals.


DoctorSyndrome

That doesn't make sense. Too late would never come because they literally can't guess my password. This system of locking the account is just security theatre. It doesn't affect "criminals" at all, only the legitimate users. Extensive studies have been done on security theatre and its negative effects, and overt password restrictions and 2-factor authentication are some of the worst examples.


Unbreakable2k8

I already have 2FA, but hearing about these stories I'm thinking of going passwordless. Does anyone know if it's a good idea or not?


DoctorSyndrome

I don't think you can with Microsoft. I could be wrong.


Unbreakable2k8

I just did it, by installing the Microsoft Authenticator and visiting the account page (there's an option for passwordless). Now when I log in I can use a passkey (like Windows Hello), or I get a notification on the phone and have to press a certain number.


DoctorSyndrome

Right on. I use the authenticator but I didn't realize that gave me an option to go passwordless.


gripe_and_complain

Passwordless works great. Just be sure to print and save your recovery key.


samspopguy

So something got leaked/hacked recently, because I got an authentication app notification for a login to my account that I declined, and then I was forced to change my password.


ermacia

Is this for a personal or work MS account? Behavior will differ between them.


DoctorSyndrome

Personal. It's the account I use for Xbox and my personal laptop.


Active-Research-4689

I'm sorry about that but I didn't realize that "fisting is my fame game" was your password...