Microsoft aims to change authentication with Microsoft Passport
If you want to sign in to a web service today, you have to provide a username and password. This is neither convenient nor especially secure, considering that the server you communicate with has to store your username and a hashed password for that.
Microsoft envisions Passport to change that by allowing users to sign in to applications and web services without passwords.
The system uses asymmetric cryptography for that, which relies on key pairs for authentication. The private key is stored on the device, while the public key is used by applications and services for challenge-response authentication.
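The challenge-response flow described above, as an added illustration rather than Microsoft's code or the actual Passport protocol: a Go sketch in which the service stores only public keys and one-time challenges, while the private key stays on the device. Ed25519 is an assumption made here; the article does not name the algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Device side: the private key is generated here and never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

// Service side: only public keys and outstanding one-time challenges are stored.
type Service struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewService() *Service {
	return &Service{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register: the device creates a key pair and hands the service only the public half.
func (s *Service) Register(user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}

// Challenge: the service issues a fresh 32-byte random nonce for this login attempt.
func (s *Service) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Respond: the device signs the challenge; only this signature crosses the network.
func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Verify: the service checks the signature against the stored public key and consumes
// the challenge first, so a captured response cannot be replayed.
func (s *Service) Verify(user string, sig []byte) bool {
	nonce, pending := s.challenges[user]
	pub, known := s.pubKeys[user]
	delete(s.challenges, user)
	return pending && known && ed25519.Verify(pub, nonce, sig)
}
```

A breach of the service's store yields only public keys, which cannot produce a valid response to the next challenge; the private key on the device is what an attacker would need.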
Passport uses Windows Hello, another new authentication service introduced in Windows 10 by Microsoft.
Windows Hello enables users of the operating system to sign in on the system using biometric information. The current version supports face recognition, iris scans and fingerprint scans for authentication.
According to Microsoft, there will be a fallback in place if the device that is being used does not support any of the biometric authentication features (which is the case if it has no camera or fingerprint reader).
This fallback uses a PIN-based system for authentication, which comes down to entering the PIN to enable and use Microsoft Passport on a device.
So, what is positive about Microsoft Passport?
- Authentication does not rely on passwords anymore, which means that online services and applications no longer need to store hashed passwords on their servers.
- The system is convenient as passwords don't need to be remembered anymore.
- It is dead easy to use and has an error rate below 1 in 100,000.
- Spoofing seems out of the question according to Microsoft.
- It is opt-in. If you don't want to use it you don't have to.
- The data is only stored on the local device and shared with no one.
- The biometric signature is only used to unlock the device and the Passport feature, but never used to authenticate users over a network.
What are the concerns?
- Microsoft Passport will only work on sites and in applications that support it. Microsoft mentioned that Microsoft Accounts and Azure will support Passport and that companies are encouraged to add the feature to their applications or sites. It will only be successful if popular web properties implement the feature. Microsoft joined the FIDO (Fast Identity Online) Alliance to further that goal.
- Information about your fingerprint, iris or face is saved on the device. The past has shown that at least fingerprint authentication can be easily bypassed. See Spoofing fingerprints, for example.
Now You: What's your take on Microsoft Passport?
Good luck changing your fingerprints or iris if the biometric file on your device has been hacked into.
Good point. I’d suppose you could disable the feature again.
The last time they tried MS Passport no one trusted them enough to make its use widespread. I guess it will be the same this time.
I highly doubt that companies like Facebook, Google or Yahoo implement this in the near future if at all.
I completely agree. This will be another Microsoft standard that only Microsoft will use, then abandon after a year or two. It’ll leave customers who did convert to Passport in the lurch when it is abandoned. It is the Microsoft pattern.
“It is the Microsoft pattern”
It is actually a common pattern among many companies, because they all want to control a “universal” way of doing something, be it sign in, check out, or whatever.
Kind of surprised they are using the “passport” name again…
I highly disagree. If it was a standard that only Microsoft made then yes, but it is a FIDO compliant standard. There are many large partners besides Microsoft that are a part of the FIDO alliance (including Google): http://fidoalliance.org/membership/members/ “Microsoft Passport” (yes, they reused the name) will provide a way of interfacing with asymmetric encryption logins. My guess is other partners will also provide utilities to do the same. This forever changes the security landscape, as now a hacker can’t just compromise a webserver and get thousands of usernames and passwords. Instead they would get Public Keys that are “useless” in spoofing the user, as the Private Key is on the user’s device. Of course, if your device is compromised that is a different story, but now you don’t have to change your password every time Twitter is hacked.
“It is opt-in. If you don’t want to use it you don’t have to.” – there was a time when Google wanted my phone number (for the password restore feature ofc – they tried to convince me I’m so stupid I’ll forget it) so badly that I was locked on the login screen and I couldn’t load the mail interface without providing the info. Luckily, I also had my account set up in Thunderbird, so eventually I was able to check mail. They are still periodically nagging me for my phone number – at least now I can skip that.
Microsoft went the same way around 2012 with Outlook.com; now it’s better, but they can still lock your inbox for 7 days unless you provide a phone number or additional mail address and a code for verification.
Call me tinfoil-hat, but I really don’t believe that such annoying “security” features are created and developed for security reasons, but to force users to mindlessly provide additional info which could be used for “better” profiling and marketing actions; and yes, I do believe that a phone number is crucial personal information which should be shared with absolute caution.
“Information about your fingerprint, iris or face are saved on the device.” – that doesn’t mean some US gov’t agency wouldn’t force a request to suck that data from our computers because “terrorism” or “paedophilia”.
People should be aware that corporations do not care about customers or their privacy, but only about money and new ways to increase their income – even in nasty ways.
Once your biometric file is hacked from your device, it’s available for use anywhere else. Good luck changing your fingerprints or iris for a different sign on.
I want to point out that your Biometric file is not used for authentication and would be useless on another device. Now your private encryption key on the other hand is an entirely different story.
Honestly, I will probably never use the biometric features, but I will use Microsoft Passport. It provides security on web servers, as in they don’t have your Private Key, just your Public Key (which everyone will have and which cannot be used to spoof you), so if they get into a webserver or compromise a service they can’t use your login info or spoof you. Now, local security of your private key will be up to you, but you will no longer have to worry about changing your password every time Twitter gets hacked.
Tin-foil-hat, that gated-apple asylum (insanelyapple) you checked yourself into is costing you privacy credibility.
Passport sounds like Mozilla’s Persona (https://www.mozilla.org/en-US/persona/) – without the trust and Big Brother biometric data harvesting.
Instead of creating Passport, I wish that Microsoft would just lift the restriction on passwords longer than 16 characters for outlook.com. Also, it doesn’t seem that Passport and a regular username/password can be used at the same time, which is a dealbreaker for me, since I sometimes need to sign in on computers other than my personal one.
Also and more importantly, the unification of logins for different websites would, I think, contribute to data mining. If ESPN for example adopted Passport, Microsoft probably could (and if so would) link the two accounts together. It would be much more private to just use KeePass.