I Live Streamed My Microsoft Password to 5,000 Viewers–And I’m Not Scared

During System Center Universe, I got to speak about Enterprise Mobility Suite. One of those nifty features in EMS is Multi-Factor Authentication (AKA Two-Factor Authentication). During my presentation, I intentionally fat-fingered my password into my username field. Why? To set up a scenario that would prove MFA’s value, of course!

What did I expect? That at least some of you out there in viewer land would start hammering that account, and you didn’t disappoint! It took about thirty seconds during my presentation and my phone started vibrating like mad as the more devious among you tried to put in Johnny@joekuster.com / Password123. But since you were all connecting from an unknown device, it needed that additional factor for authentication.

When you configure your MFA options, you have the choice to use the typical SMS, phone call or app key, but you also have the option to configure the Microsoft Account App to dynamically prompt. Here is what that looks like:

Multifactor Authentication via Interactive Prompt

While you all were hammering on my phone, this screen popped up. In one click, I could have reported the fraudulent attempts, warned my administrator about your IP and the misuse of my account, and immediately forced a reset of my password. Cool stuff, right?

All I had to do was hit verify when I logged in, continue my live presentation and ignore the rest. I left it on for the rest of the day and only had a couple dozen hits on the account. I did eventually reset the password, but it was great to see this in action.

If you choose the other options, instead you’d get something like this:

Multifactor Authentication via App

Or

Multifactor Authentication via Phone Call

So, this is great and all for my presentations, but the real-world application is probably closer to your users, specifically the probable Post-It Note with passwords on it. During my IT career I’ve found hundreds if not thousands of these in places ranging from HR departments and government offices to banks.

Post-It notes, losing your passwords since 1978

password taped under monitor

password taped under phone

password taped under mouse

Securing your password doesn't mean using tape