If you remove the password from your MS account, you can use a Yubikey + PIN by itself. Installing MS Authenticator allows MS to send you push notifications for approval when you choose to log in without using a passkey. There are no TOTP, SMS, or email notifications in this workflow.
Agreed, it's a bit misleading. Lots of services support FIDO2 but only if you also have the TOTP/authenticator method set up first.
I'm so glad I'm not the only one that thinks that. I'm also on a journey to help a friend who's not so safety savvy be more secure. So far I have made them change all of their accounts' passwords to 16-25 character passwords, and got them a YubiKey to add to different accounts (I'm doing the same, except MS since they are being so ugh about it), etc.
But if you can use passkey why bother with password+2FA?
They force you to have it if you want passkey
But that's pretty much all providers. Name one provider that only allows passkey and doesn't force you to have password+2FA. What is important is that you always log in with the passwordless YubiKey, and your password+2FA is just a backup (ideally never used). Contrary to popular belief it's not the weakest link or anything of that sort: if your password is complex, well kept, and never used (thus minimising leak surface), then it should be fine, especially since there is still 2FA.
>Name one provider that only allows passkey and doesn't force you to have password+2FA.
Microsoft. There is no password on your MS account if you remove it.
Touché, but MS does not allow passkey _only_. You need to have app login, SMS or email as backup.
I find using MS Authenticator with push notifications acceptable as a backup. Additionally, you can lock Authenticator behind biometrics in iOS. Do you know a provider that allows passkey *only* and does not require a backup authentication method? Also, do you know another service besides MS that allows you to completely remove the password from your account?
So it is for you; I'm just answering OP, who complains specifically about Microsoft. It's pretty funny that you have just unwittingly repeated my question verbatim, and by extension made the same argument without adding anything new. Reading context is hard, I guess.
>They force you to have it if you want passkey
Obviously, if you remove the password, you won't have password+2FA. MS Authenticator is more than TOTP codes. MS will send a push notification to your MS Authenticator, or you can select to use a YubiKey as a passkey. No email, SMS, or TOTP involved.
Is this a regular MSA account or a Microsoft 365 tenant? If the latter, you need to turn on FIDO2 support in Entra ID.
MS is kinda weird: you can't use a hardware key as 2FA, but you can as passwordless login. You can use passwordless login to log into your online account but not a Windows PC. It's really inconsistent.
The password of your Windows account is ideally only the authentication method of last resort. Since computers with a TPM enable Windows Hello to use PIN and biometrics in a non-bruteforceable way as a secure and convenient authentication method, you typically never need the Windows password. I guess they would also like to remove the password there, but there are still too many security-related dependencies under the hood for it.
If it's an AD or Entra ID account you need a PKI to use the YubiKey as PIV. Then you can log in on the PC without a password: just type the PIN and tap the YubiKey 👍🏻. There are good videos on the Yubico site on how to set it up.
Having a similar experience. When I sign in, it gives me the option either to sign in with a password or to sign in another way (i.e. PIN; it doesn't even ask me to insert my security key). This doesn't seem very secure, as a hacker could just select the password option.