So, if you have a Microsoft (or other?) account, you likely (hopefully) have 2-factor authentication enabled. If you don’t, go do that right now, then come back and read the rest of this.
One option now available on a Microsoft account is passwordless login. So, there’s TECHNICALLY still a password, but you don’t have to use it anymore, because the actual method of authenticating is a push notification to a device you choose. It’s pretty neat, and it’s kinda the direction a lot of stuff is moving (“passwordless” is going to become a new buzzword. Mark my words). I’ve had this set up for a while, and it’s actually given me a little more control over, and visibility into, authentication attempts against my account.
It’s no secret that account email addresses are likely already exposed in breach data. This doesn’t mean that the bad actor can access your account; it just means they have your email (and likely a password of yours. Though if you use the same password for everything, go fix that now.). So having an email isn’t really that big a deal, usually, but it can become a big deal if the bad actor is able to leverage some internal workings of Microsoft’s login system (likely via a compromised password) to get past the initial sign-on. If they make it past the initial sign-on, it goes to the 2-factor step next (if you have it enabled. If not, they’re in. End of story.), which is where that nifty passwordless thing comes in. If I receive a notification prompt from the Microsoft Authenticator app that someone is attempting a sign-in, and I haven’t personally signed in, I know it’s a bad actor attempting to get access to my account. So I can just hit “deny” and that solves that.
There’s another layer to this though, because that second factor only tells me about the attempts that got past the first step; it doesn’t give me any visibility into the unsuccessful attempts. Now, I know what you’re thinking: “okay, why do you care about the unsuccessful ones?” Well, the short answer is I care because they’re still valuable metrics to see. But I work in security, so I’m likely a bit more inclined to look at the unsuccessful attempts and do some minimum OSINT investigation just to do it. One really neat thing you can see when viewing a successful or unsuccessful authentication is the account (alias) that was attempted against. This brings us to our next piece of the puzzle: aliases.
Microsoft (and other services) has allowed users to have aliases for a while. You can use an alias as just an email, you can use it to log in (if enabled - more on this in a bit), and you can basically use it as another identity that’s still tied to your main Microsoft account. Very useful. As I mentioned parenthetically earlier, there’s a section in Microsoft’s account settings under Security where you can manage which aliases can be used to log in to your Microsoft account. The reason this section is so important is that you can get really clever with your security posture by using it to your advantage. Which is exactly what I did.
In this area you can disable login for everything except a specific alias, but you can still use ANY of those aliases for signing up for sites and such. The neat thing, though, is that if someone tries to log in to your Microsoft account with one of those aliases that is not enabled for login, they will be met with an “account does not exist” error.
“So how did you do this though? How does this really even help your security posture?” Well, simple: I made a new alias that is not tied to any site, and that I will not use for any sites, and I disabled login for every alias except that one. So when I log in (keep in mind I use the passwordless login feature), I log in under that alias, but because that alias is not used anywhere else online, it’s unlikely to be in any breach data. It’s not impossible, but it’s highly unlikely.
To summarize, if you have a Microsoft account, log in, go to “Your Info” and select “Edit account info”. This is where you will select “add email” and you’ll use that to create an account alias. Be unique here. Don’t use something that is similar to the email you use everywhere else; that defeats the point of doing this, because bad actors do sometimes try variations of a username. Once you do this, you’ll want to head over to “Security” and select “Manage how I sign in”. This is where you’re going to check your sign-in settings. If you haven’t done so, enable two-step verification. Under the “Additional security” section also enable “passwordless account”. Now, go back to the “Your Info” and “Edit account info” section, and make the alias you just created your primary. Below the list of aliases, click “Change sign-in preferences” and uncheck the box next to EVERY alias except your primary (by default the primary will be checked and cannot be unchecked, hence why we switched our primary earlier). At this point, you’re done. And more secure, hopefully. This won’t stop attempts to access your account if the actor has other ways of getting in for some reason, but if you’re just worried about the unsuccessful attempts and the handful of successful sign-ins that fail at the second factor, this will stop those (assuming you don’t use this new alias elsewhere).
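As an added illustration (my own code, not from this post and not Microsoft’s API), here is a small Python model of the alias policy described above, run over constructed sign-in records to count outcomes and flag whether the private login alias has started showing up in attempts that weren’t yours; the alias names, record fields and the “owner” flag are all assumptions.

```python
from collections import Counter

# Constructed account: one private login alias, several public aliases (hypothetical names).
LOGIN_ALIAS = "quietdoor-7731@example.com"   # used nowhere else online
PUBLIC_ALIASES = {"jane.doe@example.com", "jane.shopping@example.com"}


def classify_attempt(alias, password_ok, mfa_approved):
    """Outcome an attempt reaches under the policy in the post.

    Any alias other than the login alias (public aliases, username variations,
    addresses not on the account) is rejected before the password step, which
    is the "account does not exist" behaviour the post describes.
    """
    if alias != LOGIN_ALIAS:
        return "rejected_alias"
    if not password_ok:
        return "bad_password"
    return "success" if mfa_approved else "mfa_denied"


def review(records):
    """Summarise outcomes and flag leakage of the private login alias.

    Any attempt against the login alias that was not the owner's own session
    means the alias has appeared somewhere it should not have.
    """
    counts = Counter()
    leaked = False
    for r in records:
        counts[classify_attempt(r["alias"], r["password_ok"], r["mfa_approved"])] += 1
        if r["alias"] == LOGIN_ALIAS and not r["owner"]:
            leaked = True
    return counts, leaked


# Constructed sample records (not real sign-in data). "password_ok" means the
# attacker holds a breached password for that alias; it is irrelevant for
# aliases the policy rejects before the password is ever checked.
SAMPLE = [
    {"alias": "jane.doe@example.com", "password_ok": True, "mfa_approved": False, "owner": False},
    {"alias": "jane.shopping@example.com", "password_ok": False, "mfa_approved": False, "owner": False},
    {"alias": "jane_doe1@example.com", "password_ok": False, "mfa_approved": False, "owner": False},
    {"alias": LOGIN_ALIAS, "password_ok": True, "mfa_approved": True, "owner": True},
]

if __name__ == "__main__":
    counts, leaked = review(SAMPLE)
    print(dict(counts), "login alias leaked:", leaked)
```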