Anonymous

My feedback

  1. 14 votes

    Anonymous commented  · 

    Also, enforce it at the user account level, just like smart cards. MS could enable the configuration of where to point to in Administrative Templates. Have one setting for on-premises and one for cloud.

    Anonymous supported this idea  · 
  2. 7 votes

    Anonymous supported this idea  · 
  3. 41 votes

    Anonymous supported this idea  · 
  4. 21 votes

    Anonymous commented  · 

    This wouldn't meet binding requirements for MFA, and it wouldn't work in a package, as the QR codes are unique for each user and the QR code is also time-specific. Keep in mind that most automated software packages run as System or similar accounts on the device. This would also cause binding issues/challenges for the user, as they would never be associated with the authenticator in the MFA system.

  5. 35 votes

    Anonymous supported this idea  · 
    Anonymous commented  · 

    I'd recommend implementing this so as to challenge the user for the PIN or biometric used for the smartphone. Have the phone tell the app whether the challenge was correctly answered or not. Do that for passcodes and push notifications. Also, tell the user what is prompting the MFA challenge. If the user disapproves, give them the option to flag it as fraudulent or accidental.

  6. 46 votes

    Anonymous commented  · 

    They need identity vetting implemented for those attributes, including notifications to both current and previous contact information (e.g. email, phone, mailing address). We easily red teamed this where I worked, essentially doing the same thing the posters said. When Xbox games have more security controls than a user's account and their MFA, that's a problem.

  7. 28 votes

    Anonymous commented  · 

    I wouldn't recommend SMS. It's easy to hack. Case in point: Reddit users using SMS as their "MFA" were hacked. By the definition in NIST SP 800-63B, it is considered Authenticator Assurance Level (AAL) 1, which is not MFA. It is single-factor authentication. AAL2 is required to be classified as MFA. Depending on the data being protected, AAL1 may be sufficient. Otherwise you need a more secure solution for the use case.

  8. 71 votes

    Anonymous commented  · 

    There are significant security risks to this idea. You are logging on to said device with a single factor, and that is all that protects that MFA. As a result, malware can access it and use it without the end user being aware. This was demonstrated during a Black Hat conference a few years ago. This use case has also been classified as high risk by auditing companies such as Mandiant.
