Pin Bypass in Passwordless WebAuthn on Microsoft.com and Nextcloud

hwsecurity.dev

7 points by sufficient 5 years ago · 3 comments

leif2 5 years ago

Looks like Microsoft doesn't understand the specification that they wrote down themselves: It is a bug if an attacker can take over my entire Microsoft account via NFC. I wonder if Microsoft can make amends for any damage it causes. Credit card companies can do this and that's why some NFC payments are only 1FA.

serjd 5 years ago

> We reported the issue to Microsoft. They did not consider it a vulnerability, but fixed it

Seems like Microsoft doesn't like to pay for a bug bounty.

  • sufficient (OP) 5 years ago

    I agree that it's weird that they fixed it and didn't consider it a security issue.

    For the user it looked like it would provide two-factor authentication since the PIN is requested, while in reality it's not verified. Thus, they only provided one-factor security.
