Solved Do you consider login with Microsoft account to PC safe?

zebanovich

Thread Starter
Joined
Mar 2, 2019
Messages
1,311
I'm doing some tests with MS account and would like to ask for your opinion regarding using
MS account to log in to local computer as opposed to using local account.

I always used local account but see that there are many great benefits of using online account.

Any kind of criticism regarding MS account is welcome because it will help to try to demystify it.
Why do you consider using MS account better than local account?
What should I keep in mind to stay safe with MS account? and what could happen if I made some
well known mistake?

What additional attack surface do I introduce to my computer if I switch to MS account and what
to do about it?

Are there any known technical issues since this method to log in is still new? and what to keep in mind
to prevent technical problems?

Are there any privacy concerns (excluding Microsoft collecting data)?

To summarize my question:
1. Security implications
2. Technical issues
3. Privacy

Anything not mentioned that you consider relevant is welcome too!
 

Gr3iz

Mark
Trusted Advisor
Spam Fighter
Joined
Mar 9, 2009
Messages
108,761
I've always used a local account as well. One benefit I could possibly see would be if one forgot one's password. It's probably easier to reset a password through MS than trying to hack into your PC ... Maybe? ;-)
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
37,698
I just had to use my son's login on a Microsoft site and I forgot his password, but I was able to use his PIN instead. Plus the account holds the information for the Windows activation, and BitLocker information (if applicable).
 

Goddess-Bastet

Virginia
Joined
Apr 26, 2019
Messages
453
Microsoft account with 2-step authentication + the MS authenticator app for me.
My license is connected to the account so can change PC easily.
I can log in to the PC with a PIN or Fingerprint.
No one can access the account due to the 2-step authentication, even if they had my username & password.
A local account password can be bypassed/removed with software or a cmd.
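As an added example (not posted by anyone in this thread), here is a small PowerShell audit that shows what the choice above looks like on an actual PC: it lists each local sign-in account, whether it is a plain local account or one backed by a Microsoft account (the PrincipalSource property of the built-in Microsoft.PowerShell.LocalAccounts module), and flags enabled accounts that need no password or sit in the Administrators group. The function name Get-SignInAudit is my own; the cmdlets and property names are the standard ones. Windows Hello PIN state is not exposed by these cmdlets, so it is not reported here.

```powershell
# Added example, not from the thread: inventory local sign-in accounts on a
# Windows 10/11 PC and flag the weak spots a reviewer would want to know about.
# Run from an elevated PowerShell prompt (Get-LocalGroupMember needs it).

function Get-SignInAudit {
    # Names of accounts in the local Administrators group, stripped of the
    # "COMPUTERNAME\" or "MicrosoftAccount\" prefix for comparison.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { $_.Name.Split('\')[-1] }

    Get-LocalUser | ForEach-Object {
        $u = $_
        $findings = @()

        # An enabled account that does not require a password is a free sign-in.
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings += 'no password required'
        }
        # Day-to-day use should be from a standard user, not an administrator.
        if ($u.Enabled -and ($admins -contains $u.Name)) {
            $findings += 'member of Administrators'
        }
        # $null PasswordExpires means the password never expires.
        if ($u.Enabled -and $null -eq $u.PasswordExpires -and
            $u.PrincipalSource -eq 'Local') {
            $findings += 'local password never expires'
        }

        [pscustomobject]@{
            Name            = $u.Name
            Enabled         = $u.Enabled
            Source          = $u.PrincipalSource   # Local or MicrosoftAccount
            LastLogon       = $u.LastLogon
            PasswordLastSet = $u.PasswordLastSet
            Findings        = ($findings -join '; ')
        }
    }
}

# Usage: print the table, then only the rows with something to look at.
Get-SignInAudit | Format-Table -AutoSize
Get-SignInAudit | Where-Object { $_.Findings } | Format-List
```

A Microsoft-account-backed user shows up with Source = MicrosoftAccount; the password rules for that account are set on the Microsoft side, which is why the "never expires" check is only applied to accounts whose Source is Local.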
 

zebanovich

Thread Starter
Joined
Mar 2, 2019
Messages
1,311
Thank you for replies!

4 confusions/issues so far:

Microsoft account with 2-step authentication + the MS authenticator app for me.
It looks like 2-step verification is not that great a feature, because I've set up an alternate email for 2F, and as soon as I receive the verification code, I'm no longer asked to verify my login, which kind of defeats 2 factor authentication.

2F authentication should require 2 steps to log in, not 2 steps now and then just one step for each next login.
Is that the case with mobile number and authenticator app too?

Second issue is that if you lose your internet connection (e.g. for a few days) then you also lose access to the PC.
PIN solves this problem obviously, but it looks like the PIN also introduces another problem:
if I change the MS password on one device, will I still be able to log into another device with the PIN even though the password was changed?

3rd confusion is that there doesn't seem to be a way to see synced data; I assumed I would see it in the MS account, e.g. bookmarks, extensions.
So far only activity is visible, but no actual data used for sync.
Am I missing something?

And finally, the ubiquitous fact that if your PC gets compromised then the MS account is at stake too; someone stealing accounts only needs to ensure 24h has passed to deauthorize all devices.
If the user doesn't figure that out inside 24h of the deauthorization, his account is lost.
If only 2F authentication would ask me each time for verification (regardless of anything), that would make the account almost impossible to steal.
 

Goddess-Bastet

Virginia
Joined
Apr 26, 2019
Messages
453
There’s usually an option to ‘trust this device’; if this is left unticked you’ll be asked again to provide confirmation via the Authenticator app.
If someone accessed your MS account & you had 2-factor authentication then you’d receive a notification in the app asking for confirmation it was you. Choosing no would prevent access. If anyone stole your PC then they could just clean install Windows.
You can still log in with a PIN as this is device specific.
The MS Authenticator allows you to log in with the account & does save the codes, if you change or add one though they don’t sync to other devices, I have to delete the app on my iPad & reinstall it to sync changes made on my iPhone. I have requested this feature.
 
Joined
Aug 2, 2010
Messages
167
I've used a local account from the start, but for programs like Onenote, I had to log in using those to sync. For anything else, like Outlook online, I logged in using the browser.
 

zebanovich

Thread Starter
Joined
Mar 2, 2019
Messages
1,311
Thank you for all the inputs. After some time testing, and with the valuable feedback here, I have decided to not enable the MS account on the PC.

The reasons are:
1. Not willing to share a mobile phone number or ID to make 2F authentication work;
if it's not possible with just an alternate email to force 2F every time, then it's not secure enough.
2. Not being able to investigate and manage synced data; just an activity log is presented to the user.
If I can't see exactly what is being collected, then it's not acceptable.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
37,698
IMO an alternate email is not better than an authentication app... and I thought they stopped with phone calls for 2FA?

But, I understand what you are looking to do (y)
 

zebanovich

Thread Starter
Joined
Mar 2, 2019
Messages
1,311
IMO an alternate email is not better than authentication app
Maybe, but your phone can get lost or stolen the same way as if somebody hacks your alternate email.

However, alternate email is still much more secure and affordable because:
For an alternate email you can have yet another alternate email for that very same email, which is then 3F authentication.

Another good reason is that your alternate mail can be used only for the Microsoft account; after all, email accounts are free, while mobile phones are not, so if you want to have a separate phone that will serve only for MS authentication you'll have to buy it and use it only for that, in a safe place.

With an alternate email, you can double your protection by using it only on a dedicated phone, in which case if the phone is stolen or broken, you just have to log in to the alternate email on another device; the person stealing your phone won't be able to access the alternate email because the email is 2F protected anyway.
In other words there is no way to be hacked, since you can set up XF authentication with X amount of alternate emails; doing this with phones is not affordable for anyone.

That's just for the security part; the privacy part of mobile phones is straightforward: why would anyone be able to learn your phone number and thus be able to identify you? That's not the case with alternate emails :)
 

Johnny b

John
Joined
Nov 6, 2016
Messages
7,863
While my OS of choice is no longer MS, I did do a test drive of Win 10 Pro.
I set it up with a local account simply because I didn't want to share a potential gateway into my computer by anyone other than myself.

But...that's me :D
 
