Microsoft launches cross-platform Password Manager!

Furiku

Summary

Not only does Bill Gates want to microchip you with vaccine, now old Bill wants all your passwords too!

Microsoft has launched their password managing solution as part of the Microsoft Authenticator which they have quite smartly opted to name simply as "Autofill".

 

You can now manage and automatically fill your passwords with this across PCs, browsers (Edge, Chrome), mobile devices.

 

 

Quotes

Quote

While this release enables autofill for passwords, we’re also actively working on securely bringing all your autofill information from Microsoft Edge to your mobile devices via the Authenticator app, including payment info, addresses and more. However, that’s just the first step. Our users interact with multiple apps and sites daily and need a secure way to autofill and save various types of data, from passwords to even free-form text. Online security will continue to be critical as individuals and organizations embrace remote work, and our mission with this offering is to help our customers securely and conveniently manage their sensitive data even as new security challenges emerge. We look forward to your feedback!

(PS. Resistance is futile, join the windows botnet. ) 

 

My thoughts

Curious to see if this will start to become heavily adopted as "industry standard" over current options for password management as quite many organizations commonly use Microsoft Authenticator to begin with for 2-factor authentication.

 

Sources

https://blogs.windows.com/windowsexperience/2021/02/05/simplify-and-secure-your-life-with-microsofts-autofill-solution-for-passwords/

There's also sysPass as another free and open source alternative.

 

39 minutes ago, Furiku said:

…as quite many organizations commonly use Microsoft authenticator to begin with for 2-factor authentication

~edit: If you don't trust Microsoft Authenticator you could use Google Authenticator. It generates time-based one-time passwords based on the same technology. So it doesn't have quite the same trust issues as a password manager hosted by someone else might.


It's not for me as I'm now transitioning from Dashlane to 1Password, however this might be something my parents can use. It might be better if they showed documentation on how they secure it.


21 minutes ago, Eigenvektor said:

If you don't trust Microsoft Authenticator you could use Google Authenticator. It generates time-based one-time passwords based on the same technology. So it doesn't have quite the same trust issues as a password manager hosted by someone else might.

That's also how Microsoft Authenticator works, that's how 2FA works most commonly with App based second factors.


3 minutes ago, leadeater said:

That's also how Microsoft Authenticator works, that's how 2FA works most commonly with App based second factors.

I know. That's what I meant by "based on the same technology" (RFC6238 and RFC4226), meaning they are interchangeable.

 

Interestingly enough both apps now have the Internet permission on Android. I seem to remember that at least Google Authenticator didn't use to require this permission.

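The interchangeability mentioned in the post above (RFC 6238 on top of RFC 4226), as an added example that is not part of the original thread: any app holding the same shared secret derives the same code from the clock alone, and the service checks neighbouring time steps to tolerate clock skew. The function names, the 30-second step and the one-step window are assumptions of this sketch; the key is the published RFC test secret.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 SHA-1 test secret, not a real account secret.
RFC_TEST_KEY = b"12345678901234567890"

def key_from_base32(secret: str) -> bytes:
    """Decode a base32 secret as typically shown at enrollment (padding optional)."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(key, int(unix_time) // step, digits)

def verify(key, submitted, unix_time, window=1, step=30, digits=6) -> bool:
    """Service side: accept neighbouring time steps to absorb clock skew."""
    now = int(unix_time) // step
    ok = False
    for drift in range(-window, window + 1):
        if now + drift < 0:
            continue  # no time step exists before the epoch
        candidate = hotp(key, now + drift, digits)
        ok |= hmac.compare_digest(candidate, submitted)  # constant-time compare
    return ok

if __name__ == "__main__":
    import time
    # Any RFC 6238 app enrolled with this secret shows the same six digits.
    print(totp(RFC_TEST_KEY, time.time()))
```
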

1 minute ago, Eigenvektor said:

I know. That's what I meant by "based on the same technology" (RFC6238 and RFC4226), meaning they are interchangeable.

 

Interestingly enough both apps now have the Internet permission on Android. I seem to remember that at least Google Authenticator didn't use to require this permission.

Right, was just a little confusing with that last sentence as one time passwords aren't a replacement for first factor passwords so it's not like it hugely matters which you use for a 2FA purpose. However that does change if your 2FA App is also your first factor password manager, either it's just me or that seems a bit stupid and self defeating.

 

Say someone gets your phone and is able to unlock it or got it while unlocked, how convenient to have literally everything in a single place lol.


9 minutes ago, leadeater said:

Say someone gets your phone and is able to unlock it or got it while unlocked, how convenient to have literally everything in a single place lol.

Right. Having both on the same device kind of defeats the purpose of second factor 😄 Keeping your phone secured is definitely important in this case.

 

~edit: I get how my last sentence is somewhat confusing. What I meant is that using a 2FA app from a big corporation does not have the same trust issues as using their password manager. If they host your passwords, not only could they theoretically get access to your passwords, they are also a tempting target for hackers.


Well, interesting though. A bit surprised they haven't done so already. There's a decent amount of these apps to choose.


3 minutes ago, gabrielcarvfer said:

Internet permission? Technically, they do need network access to synchronize natural clock skewing. If they transmit more than that is a different story, but they already have the key anyways, so it wouldn't be necessary even if they wanted to invade all your stuff.

I'm assuming the (Android) device has a synchronized clock already, the app doesn't have to take care of that.

 

What do you mean by they have my keys already? The Authenticator can be used with a ton of services (like Amazon, AWS, PayPal, …). The service has the key, but Google does not (or shouldn't). I assume the apps have network access for e.g. backups.


9 minutes ago, gabrielcarvfer said:

If they have backups, it's useless since I've had to register everything again more than once.

I was thinking more along the line of giving you an option of creating a backup by connecting the app to some online service.

 

~edit: Looking at the app I can only see an option to export/import via QR code


Is this available for business/enterprise customers? Or just personal for now?

I ask this because this might be useful at work. Would save some money over a third party passwd manager for everyone.


Why would anyone complain about this and not Keychain, or LastPass, etc? Why does it matter that it's Microsoft?
