Forum Discussion
Dev channel update to 93.0.946.1 is live
josh_bodner Re: Device authentication before autofilling a password
There is a potential security flaw with this feature, at least on canary. On today's canary when I turn on device auth, it defaults to once per session with a non-default always option. The flaw is that if the authenticated user has performed auth, someone else can come along later and turn this feature off without another auth challenge. Dev differs in that the default change is an every minute option I don't see in canary but that still is flawed.
An attempt to turn this feature off should always trigger a challenge so that it can't be disabled without the consent of the authorized user. It does appear there is some other system-wide setting that also affects this. If I wait a while, a sign-in doesn't require a new challenge, but turning off the feature does.
- josh_bodner, Jul 26, 2021, Microsoft
rshupak since it's been a few Canaries since you reported it, I just wanted to check back about the device auth setting. I checked with our passwords team, and they said that you should be getting the auth prompt every time you change that setting, so could you check what the current behavior you're seeing is?
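The behaviour the two posts describe, as an added example that is not code from the thread or from the browser's password team: a device-auth gate where a recent successful challenge covers routine autofill for a grace window, but any change to the setting itself (especially turning the protection off) always demands a fresh challenge and never reuses that window. The `DeviceAuthGate` class, the `challenge` callable standing in for the OS prompt, and the sixty-second window are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of the setting discussed in the thread. The `challenge`
# callable is a placeholder for the OS device-auth prompt; it returns True when
# the user passes the prompt and False when they cancel or fail it.


@dataclass
class DeviceAuthGate:
    challenge: Callable[[], bool]
    reauth_window_s: float = 60.0          # assumed grace window for autofill only
    enabled: bool = True
    audit: list = field(default_factory=list)
    _last_auth: Optional[float] = field(default=None, init=False)

    def _fresh_challenge(self, reason: str) -> bool:
        """Always show the prompt and record the outcome for auditing."""
        ok = self.challenge()
        self.audit.append((reason, ok))
        return ok

    def autofill_allowed(self, now: float) -> bool:
        """Autofill may reuse a recent successful challenge inside the window."""
        if not self.enabled:
            return True  # protection off: nothing to check
        if self._last_auth is not None and now - self._last_auth < self.reauth_window_s:
            return True  # covered by the grace window, no prompt
        if self._fresh_challenge("autofill"):
            self._last_auth = now
            return True
        return False

    def set_enabled(self, value: bool, now: float) -> bool:
        """Changing the setting never reuses the window: the flaw in the report
        was exactly that a cached session auth let someone else switch it off."""
        if value == self.enabled:
            return True
        if not self._fresh_challenge("disable" if not value else "enable"):
            return False  # prompt failed or cancelled: setting unchanged
        self.enabled = value
        self._last_auth = None  # a cached auth must not carry across a setting change
        return True


def run_scenario(prompt_answers):
    """Drive the gate through the reported sequence with scripted prompt results."""
    queue = list(prompt_answers)
    gate = DeviceAuthGate(challenge=lambda: queue.pop(0))
    result = {}
    result["fill_first"] = gate.autofill_allowed(0.0)        # first prompt
    result["fill_in_window"] = gate.autofill_allowed(30.0)   # inside window, no prompt
    result["disable_in_window"] = gate.set_enabled(False, 40.0)  # still prompts
    result["prompts"] = [reason for reason, _ in gate.audit]
    result["enabled"] = gate.enabled
    return result


if __name__ == "__main__":
    # Someone else at the unlocked machine cancels the prompt: setting stays on.
    print(run_scenario([True, False]))
    # The authorised user passes the prompt: setting is turned off.
    print(run_scenario([True, True]))
```

The point of the model is the asymmetry: the grace window is a usability concession for the action the feature protects (filling a password), while the action that removes the protection is treated as a privileged change and gets no concession at all, which matches what the passwords team said the intended behaviour is.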