    Why, in 2018, is Microsoft adding security questions to Windows 10?

    News
    microsoft windows windows 10 security backdoor ars technica
• mlnews

      Attackers with admin control can abuse the feature to create a persistent backdoor.

      Security questions—the annoying shared secrets used as a secondary form of authentication—have been around forever and are used by just about everyone to deal with users who forget their password. That’s starting to change as more enlightened services—most notably Google and Facebook—have recently phased out security questions after recognizing something then vice presidential candidate Sarah Palin learned the hard way in 2008: the answers are easy for hackers to guess.

      Enter Microsoft, which earlier this year added a security questions feature to Windows 10. It allows users to set up a list of security questions that can be asked in the event they later forget a password to one of their administrative accounts. By answering questions such as “What was your first car?” the users can reset the forgotten password and regain control of the account. It didn’t take long for researchers to identify weaknesses in the newly introduced feature. They presented their findings today at the Black Hat Europe Security Conference in London.

      More on how this can be used to build a durable back door on Ars Technica.

• Dashrender

I don't see this being a real issue. Any decent domain setup will have the local accounts on the end user devices removed from the local admin, so the use of these reset passwords becomes moot.

• scottalanmiller @Dashrender
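A defender's check for the point above, added here as an example and not code from the thread: list the local (non-domain) accounts that sit in the local Administrators group, since those are the accounts a security-question reset would hand full control of, and report whether the Group Policy that blocks security questions for local accounts is set. It assumes Windows 10 1803 or later with the built-in LocalAccounts module; the policy value name NoLocalPasswordResetQuestions is taken from the Windows Group Policy reference, not from this thread, so verify it before relying on the result.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the thread). Assumptions: Windows 10 1803+,
# Microsoft.PowerShell.LocalAccounts available, and the policy value below
# matching "Prevent the use of security questions for local accounts".

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName = 'NoLocalPasswordResetQuestions'   # assumed name; verify against GP reference

function Get-LocalAdminAccounts {
    # Only PrincipalSource 'Local' users matter here: domain, Azure AD and
    # Microsoft-account principals do not get the local security questions.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            $shortName = $_.Name -replace '^.*\\', ''
            $user = Get-LocalUser -Name $shortName
            [pscustomobject]@{
                Account   = $_.Name
                Enabled   = $user.Enabled
                LastLogon = $user.LastLogon
            }
        }
}

function Test-LocalSecurityQuestionsBlocked {
    # Returns $true only when the policy value exists and is set to 1.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyName -eq 1)
}

$admins  = @(Get-LocalAdminAccounts)
$blocked = Test-LocalSecurityQuestionsBlocked

foreach ($a in $admins) {
    if ($a.Enabled) {
        Write-Warning ("Enabled local admin {0} (last logon: {1})" -f $a.Account, $a.LastLogon)
    }
}

if (-not $blocked -and ($admins | Where-Object Enabled)) {
    Write-Warning "Security questions for local accounts are NOT blocked by policy; enabled local admins above can be reset via questions."
} elseif ($blocked) {
    Write-Output "Policy blocks security questions for local accounts."
} else {
    Write-Output "No enabled local admin accounts found; the question-based reset has nothing privileged to recover."
}
```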

          @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

I don't see this being a real issue. Any decent domain setup will have the local accounts on the end user devices removed from the local admin, so the use of these reset passwords becomes moot.

Right, but you have one huge flaw in that plan... the assumption of AD. Since AD isn't a given, nor a "good" way to do things, your assumption fails for basic security. Sure, there is an option to fix this, but it's an add on, costly option. The system itself is insecure.

• scottalanmiller

            If you need to buy and configure a separate system to "fix" a known security hole, that's not a justification for bad security, that's a highlighting of how well known the problem is!

• Dashrender

              I guess I did read AD into the articles talking about corporate use.

              I agree that the baseline setup is insecure. Adding reset questions for end users - just /sigh.

• Obsolesce @mlnews

                @mlnews because home / non-domain users who forget their passwords need a way back in.

                This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

• scottalanmiller @Obsolesce

                  @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                  This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                  Correct, as a standard local account. The "normal" way. Most people don't use AD, even in business this is dropping off quickly. And lots of people don't want to deal with those ridiculous MS accounts that they try to ram down everyone's throats. And who knows how secure those are, anyway.

• Dashrender @scottalanmiller

                    @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                    @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                    This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                    Correct, as a standard local account. The "normal" way. Most people don't use AD, even in business this is dropping off quickly. And lots of people don't want to deal with those ridiculous MS accounts that they try to ram down everyone's throats. And who knows how secure those are, anyway.

                    While I don't actually know specifically - I'd like to think they are at least as secure as Google's accounts are.

And Scott's correct - if you're using Windows 10 in any way other than on AD, the local admin account has these questions - the article seems to imply non-admin accounts don't have these questions.

• scottalanmiller @Dashrender

                      @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                      @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                      @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                      This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                      Correct, as a standard local account. The "normal" way. Most people don't use AD, even in business this is dropping off quickly. And lots of people don't want to deal with those ridiculous MS accounts that they try to ram down everyone's throats. And who knows how secure those are, anyway.

                      While I don't actually know specifically - I'd like to think they are at least as secure as Google's accounts are.

                      Maybe, but it's hard to take them seriously for account security, in the middle of discussing how they don't take account security seriously. Know what I mean?

• Obsolesce @scottalanmiller

                        @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                        @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                        This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                        And lots of people don't want to deal with those ridiculous MS accounts that they try to ram down everyone's throats. And who knows how secure those are, anyway.

                        I use an outlook.com MS account for most things. 2FA via app notification. I also use that for my personal PC login. So, more secure than enterprise IMO (unless you're in one that actually uses 2FA with AD if you're only talking MS shops).

• Dashrender @scottalanmiller

                          @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                          @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                          @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                          @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                          This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                          Correct, as a standard local account. The "normal" way. Most people don't use AD, even in business this is dropping off quickly. And lots of people don't want to deal with those ridiculous MS accounts that they try to ram down everyone's throats. And who knows how secure those are, anyway.

                          While I don't actually know specifically - I'd like to think they are at least as secure as Google's accounts are.

                          Maybe, but it's hard to take them seriously for account security, in the middle of discussing how they don't take account security seriously. Know what I mean?

                          /sigh - yeah I know...

                          At the same time - I totally understand why they did - as @Obsolesce just said - it's for users who can't be bothered to create the recovery USB key when they forget their password for the admin account.

• Dashrender @Obsolesce

                            @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                            @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                            @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                            This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                            And who knows how secure those are, anyway.

                            I use an outlook.com MS account for most things. 2FA via app notification. I also use that for my personal PC login. So, more secure than enterprise IMO (unless you're in one that actually uses 2FA with AD if you're only talking MS shops).

                            Do you get a 2FA prompt when logging into the desktop? I never did.

• Obsolesce @Dashrender

                                @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                                And who knows how secure those are, anyway.

                                I use an outlook.com MS account for most things. 2FA via app notification. I also use that for my personal PC login. So, more secure than enterprise IMO (unless you're in one that actually uses 2FA with AD if you're only talking MS shops).

                                Do you get a 2FA prompt when logging into the desktop? I never did.

                                No, but how is that less secure than a local account? They are both just a username and password, except one requires 2FA.

                                Edit: You can enable 2FA on your Win10 PC with outlook.com / MS account. I choose not to, willing to risk someone breaking into my house, stealing my encrypted PC, and guessing my password.

• Dashrender @Obsolesce

                                  @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                  @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                  @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                  @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                  @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                  This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                                  And who knows how secure those are, anyway.

                                  I use an outlook.com MS account for most things. 2FA via app notification. I also use that for my personal PC login. So, more secure than enterprise IMO (unless you're in one that actually uses 2FA with AD if you're only talking MS shops).

                                  Do you get a 2FA prompt when logging into the desktop? I never did.

                                  No, but how is that less secure than a local account? They are both just a username and password, except one requires 2FA.

It's arguably less because the creds could be stolen from MS and your PC, where a local account could only be stolen from your PC. 2FA has nothing to do with that, from a logging onto the physical device at least.

• Obsolesce @Dashrender

                                    @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                    @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                    @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                    @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                    @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                    @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                    This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                                    And who knows how secure those are, anyway.

                                    I use an outlook.com MS account for most things. 2FA via app notification. I also use that for my personal PC login. So, more secure than enterprise IMO (unless you're in one that actually uses 2FA with AD if you're only talking MS shops).

                                    Do you get a 2FA prompt when logging into the desktop? I never did.

                                    No, but how is that less secure than a local account? They are both just a username and password, except one requires 2FA.

It's arguably less because the creds could be stolen from MS and your PC, where a local account could only be stolen from your PC. 2FA has nothing to do with that, from a logging onto the physical device at least.

My credentials aren't going to be stolen from MS... how would that even work? Credentials being stolen from the PC are no more likely than local user account credentials being stolen from the PC. Or, maybe I will enable 2FA PC login.

• scottalanmiller @Dashrender

                                      @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                      @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                      @Dashrender said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                      @scottalanmiller said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                      @Obsolesce said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                      This only occurs, that I've seen, during OOBE when you set up the PC as a local, non-domain, non-Microsoft-Account, user.

                                      Correct, as a standard local account. The "normal" way. Most people don't use AD, even in business this is dropping off quickly. And lots of people don't want to deal with those ridiculous MS accounts that they try to ram down everyone's throats. And who knows how secure those are, anyway.

                                      While I don't actually know specifically - I'd like to think they are at least as secure as Google's accounts are.

                                      Maybe, but it's hard to take them seriously for account security, in the middle of discussing how they don't take account security seriously. Know what I mean?

                                      /sigh - yeah I know...

                                      At the same time - I totally understand why they did - as @Obsolesce just said - it's for users who can't be bothered to create the recovery USB key when they forget their password for the admin account.

                                      That's not what it is for. If they were doing it for that reason, it would be optional. Forcing it is logically only to put local accounts at risk to further an agenda of making people feel that they must use Microsoft's data collection services to log in.

• Curtis

                                        I never, ever answer security questions with real information.

• scottalanmiller @Curtis

                                          @Curtis said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                          I never, ever answer security questions with real information.

                                          That's a good practice. Have your own secret code system.

• Obsolesce @Curtis

                                            @Curtis said in Why, in 2018, is Microsoft adding security questions to Windows 10?:

                                            I never, ever answer security questions with real information.

                                            Real pros use their password as their security question answers.
