I'm... not sure Microsoft have thought through the consequences of bolting cloud authentication into the Windows authentication stack.

Have a compromised cloud account password -> user (or attacker) enables passwordless -> keep logging in with compromised password via RDP forever, no MFA
https://infosec.exchange/@wdormann/114433140605981140

Will Dormann (@wdormann@infosec.exchange)

@GossiTheDog@cyberplace.social @mttaggart Thanks. Yes, you can still RDP in with the old password after the account has been switched to passwordless. No Microsoft Authenticator required.

Windows Logon Scenarios

Learn about common Windows logon and sign-in scenarios.

@GossiTheDog Passwordless sounds like a speedrunning strat
@GossiTheDog 😮🤔
@phpete @GossiTheDog I tried clearing cached credentials, and that did not stop the old password from working
https://samsclass.info/123/proj14/H540.htm
H 540: RDP and Old Passwords (15 pts)