Is it more secure to use Yubikeys (FIDO2 with PIN) as the only login method, or is it good to also have Microsoft Authenticator? I know that FIDO2 is more secure in general, but Authenticator uses push notifications to notify you if login methods are added, making it faster to know if someone has compromised the account and is trying to take it over. Is this worth considering, or is it better to simply go all in with FIDO2?
For the love of all that is private and secure, please do not use MSFT Authenticator. Use Ente Auth or Proton Authenticator though I prefer and like Ente better.
I don’t rely on security keys exclusively because you can always lose your backups too. Personally, everything is in my password manager, but you can always save your TOTP stuff in one of those two apps.
I know that FIDO2 is more secure in general, but Authenticator uses push notifications to notify you if login methods are added, making it faster to know if someone has compromised the account and is trying to take it over.
- If you use FIDO2 via a hardware backed key like the Yubikey it is impossible (if it is implemented the right way) to compromise your account from a normal login, without having the physical Yubikey connected to the device of the attacker.
- The only thing that bypasses FIDO2 is session tokens. If the attacker gets to your session tokens, this means he has compromised one or more devices that you use. In addition, you do not get a notification when somebody logs in with a session token or removes session tokens.
- Push MFA via app can be used to phish targets. The attacker phishes the e-mail + password via a phishing site and directly uses it to log in on his device on the real website, which triggers a push MFA request. You then press the MFA accept button in the app, and the attacker has compromised your account.¹
So I do not see any benefit in using push MFA over FIDO2 hardware-backed MFA.
1: I assumed that MShit Authenticator would already support push MFA outside Entra environments; however, this is false, and outside Entra it is the classic TOTP MFA, which is even worse regarding usability and security.
Thanks for the answers. It seems like using only Yubikeys is the better option.
I was thinking of using four Yubikeys, two at home and two at separate locations far away from here; the probability of losing all four at once would be extremely low.
This sounds interesting, can you explain more? For example, if I log in to Outlook in a browser, is a session token created for the browser, and when I log out it gets erased? What about the Outlook Android app, you only have to log in once and you remain logged in, does this mean that the session token is permanent and someone can steal it to access the account from other devices?
For example, if I log in to Outlook in a browser, is a session token created for the browser, and when I log out it gets erased?
Yes
What about the Outlook Android app, you only have to log in once and you remain logged in, does this mean that the session token is permanent and someone can steal it to access the account from other devices?
Yes, however you would need to root your device or get some APT malware on it. Due to the strict isolation in Android, I would not know of any way to steal a session token.