Microsoft Aims to Change Authentication with Microsoft Passport

The trick is to protect systems from unauthorized access while still letting authorized users log in without too many hassles and complications. I’ve yet to see a commercial security/authentication strategy that successfully accomplishes both of those goals.

If you want to sign in to a web service today, you have to provide a username and password. This is neither convenient nor particularly secure, considering that the server you communicate with has to store the username and a hashed password. Microsoft envisions Passport changing that by letting users sign in to applications and web services without passwords.

The system uses asymmetric cryptography, which relies on key pairs for authentication. The private key is stored on the device, while the public key is used by applications and services for challenge-response authentication.

Passport uses Windows Hello, another new authentication service introduced in Windows 10 by Microsoft.

Windows Hello enables users of the operating system to sign in on the system using biometric information. The current version supports face recognition, iris scans and fingerprint scans for authentication.


According to Microsoft, there will be a fallback in place if the device in use does not support any of the biometric authentication features (which is the case if it has no camera or fingerprint reader).

This fallback uses a PIN-based system for authentication, which comes down to entering the PIN to enable and use Microsoft Passport on a device.

So, what is positive about Microsoft Passport?

  1. Authentication no longer relies on passwords, which means that online services and applications don’t need to store hashed passwords on their servers anymore.
  2. The system is convenient, as passwords don’t need to be remembered.
  3. It is dead easy to use and has an error rate below 1 in 100,000.
  4. Spoofing seems out of the question, according to Microsoft.
  5. It is opt-in. If you don’t want to use it, you don’t have to.
  6. The data is only stored on the local device and shared with no one.
  7. The biometric signature is only used to unlock the device and the Passport feature; it is never used to authenticate users over a network.
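To make the key-pair challenge-response flow described above concrete, here is an added example (my own illustration, not Microsoft's Passport or Windows Hello code) of the exchange between a device and a relying party. The server stores only a public key, issues a random nonce, and verifies the device's signature over it; the device refuses to sign until a local PIN/biometric gate has unlocked it, and that gate's result is the only thing that reaches the key, mirroring the point that the biometric never travels over the network. The user name, key type (ECDSA P-256) and the `Unlock` gate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the user's machine: the private key never leaves it, and it
// only signs once a local PIN/biometric check has unlocked it.
type Device struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// Server models a relying party: it stores public keys (no password hashes)
// plus the outstanding challenge for each user.
type Server struct {
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Unlock stands in for the local PIN/biometric gate (hypothetical); only its
// boolean outcome is ever seen by the signing code.
func (d *Device) Unlock(localCheckPassed bool) { d.unlocked = localCheckPassed }

// Register enrols the device's public key for a user.
func (d *Device) Register(s *Server, user string) { s.pubKeys[user] = &d.priv.PublicKey }

// Challenge issues a fresh 32-byte random nonce; a new nonce per attempt is
// what stops a captured response from being replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Respond signs the challenge with the device-bound private key.
func (d *Device) Respond(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device is locked: PIN/biometric check required")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the signature against the stored public key and consumes the
// challenge so the same signature cannot be accepted twice.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(s.pubKeys[user], digest[:], sig)
}

// RunFlow walks through enrolment, a locked attempt, a successful sign-in and
// a replay of the captured signature (user "alice" is a constructed value).
func RunFlow() (lockedErr error, signedIn bool, replayAccepted bool, err error) {
	srv := NewServer()
	dev, err := NewDevice()
	if err != nil {
		return nil, false, false, err
	}
	dev.Register(srv, "alice")

	nonce, err := srv.Challenge("alice")
	if err != nil {
		return nil, false, false, err
	}
	_, lockedErr = dev.Respond(nonce) // locked device: expected to fail

	dev.Unlock(true) // user passes the local PIN/biometric check
	sig, err := dev.Respond(nonce)
	if err != nil {
		return lockedErr, false, false, err
	}
	signedIn = srv.Verify("alice", sig)

	replayAccepted = srv.Verify("alice", sig) // challenge already spent
	return lockedErr, signedIn, replayAccepted, nil
}

func main() {
	lockedErr, signedIn, replay, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Println("locked device refused to sign:", lockedErr != nil)
	fmt.Println("unlocked device signed in:", signedIn)
	fmt.Println("replayed signature accepted:", replay)
}
```

The two properties worth checking on any such deployment are visible in `Verify`: the server must generate the nonce itself (never accept a client-chosen one) and must discard it after one use, otherwise a captured signature is as good as a password.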

What are the concerns?

  1. Microsoft Passport will only work on sites and in applications that support it. Microsoft mentioned that Microsoft Accounts and Azure will support Passport and that companies are encouraged to add the feature to their applications or sites. It will only be successful if popular web properties implement it. Microsoft joined the FIDO (Fast Identity Online) Alliance to further that goal.
  2. Information about your fingerprint, iris or face is saved on the device. The past has shown that fingerprint authentication, at least, can be easily bypassed. See Spoofing fingerprints for an example.
