Slashdot Mirror


Microsoft: We're Developing Blockchain ID System Starting With Our Authenticator App (zdnet.com)

Microsoft has revealed its plans to use blockchain distributed-ledger technologies to securely store and manage digital identities, starting with an experiment using the Microsoft Authenticator app. From a report: Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps and services and having their identity data spread across multiple providers. It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. Instead, people could store, control and access their identity in an encrypted digital hub, Microsoft explained. To achieve this goal, Microsoft has for the past year been incubating ideas for using blockchain and other distributed ledger technologies to create new types of decentralized digital identities.

57 comments

  1. Blockchain as a buzz word by Anonymous Coward · · Score: 0

    Cloud cloud cloud!!!

    Blockchain blockchain blockchain!!!

    Marketing departments are working overtime these days.

    1. Re:Blockchain as a buzz word by Anonymous Coward · · Score: 0

      Can you hear that? It's the cry of obsolescence.

    2. Re:Blockchain as a buzz word by FatdogHaiku · · Score: 1

      Cloud cloud cloud!!!

      Blockchain blockchain blockchain!!!

      Marketing departments are working overtime these days.

      Just wait until they get to Cloudchain and Blockcloud !

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    3. Re:Blockchain as a buzz word by dysmal · · Score: 1

      Cloud cloud cloud!!!

      Blockchain blockchain blockchain!!!

      Marketing departments are working overtime these days.

      Just wait until they get to Cloudchain and Blockcloud !

      Wake me when they get to BlockCloud!

  2. Don't give a shit by Anonymous Coward · · Score: 0

    Your account processes are the WORST. Tried to login to my old Skype account, after being unable to answer the vast majority of your questions and failing to recover my account I vowed never to use any of your shitty services again. Sorry, there's no way I can remember the subjects of emails I sent years ago.

    1. Re:Don't give a shit by war4peace · · Score: 1

      Translation:
      "I am a retardo who disconsidered security questions back in the day and now I got the shaft. It's YOUR FAULT!!!111oneone"

      You're welcome.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  3. How do you know a trend is over? by Opportunist · · Score: 4, Funny

    Either when mainstream media starts reporting about it or when MS starts to develop for it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. ELI5 -- why are blockchains relevant here? by ctilsie242 · · Score: 4, Interesting

    Blockchains are relevant for ledgers and logs (basically a secure utmp/wtmp). However, for authentication, it really doesn't help much.

    Instead, MS would be better off designing an open protocol like RFC 6238 or RFC 4226, except using public/private keys as opposed to shared secrets, and having an open authenticator app for this.
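
As an added example (not part of the original post, and not Microsoft code), here are the two designs the post contrasts, side by side in Go: HOTP/TOTP per RFC 4226 and RFC 6238, where server and authenticator share a secret, and a challenge-response login where the authenticator holds an Ed25519 private key and the relying party stores only the public key. The origin string is hypothetical, and the 30-second step, the plus-or-minus one step window and the one-minute challenge lifetime are choices made for this example, not anything the post specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
// Both sides must hold the same secret, which is exactly what a server breach leaks.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock in 30-second steps.
func TOTP(secret []byte, t time.Time, digits int) string {
	return HOTP(secret, uint64(t.Unix()/30), digits)
}

// VerifyTOTP tolerates clock skew of +/- window steps and compares in constant time.
func VerifyTOTP(secret []byte, code string, t time.Time, digits, window int) bool {
	ok := false
	for d := -window; d <= window; d++ {
		want := TOTP(secret, t.Add(time.Duration(d)*30*time.Second), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

// Challenge is the public-key alternative: the relying party stores only a public key and
// sends a fresh nonce bound to its origin, so a stolen user database yields nothing to replay.
type Challenge struct {
	Nonce  []byte
	Origin string
	Issued time.Time
}

func NewChallenge(origin string) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: nonce, Origin: origin, Issued: time.Now()}, nil
}

// bytes length-prefixes each field so "ab"+"c" and "a"+"bc" cannot sign as the same message.
func (c Challenge) bytes() []byte {
	var out []byte
	for _, f := range [][]byte{c.Nonce, []byte(c.Origin)} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		out = append(append(out, l[:]...), f...)
	}
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Issued.Unix()))
	return append(out, ts[:]...)
}

// SignChallenge runs inside the authenticator; the private key never leaves it.
func SignChallenge(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.bytes())
}

// VerifyChallenge runs at the relying party, which holds only the public key.
func VerifyChallenge(pub ed25519.PublicKey, c Challenge, sig []byte, maxAge time.Duration) bool {
	if len(pub) != ed25519.PublicKeySize || time.Since(c.Issued) > maxAge {
		return false
	}
	return ed25519.Verify(pub, c.bytes(), sig)
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 Appendix B test secret
	fmt.Println("TOTP at T=59:", TOTP(secret, time.Unix(59, 0), 8)) // expected 94287082
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c, _ := NewChallenge("https://login.example.test") // hypothetical origin
	sig := SignChallenge(priv, c)
	fmt.Println("genuine origin:", VerifyChallenge(pub, c, sig, time.Minute))
	c.Origin = "https://phish.example.test"
	fmt.Println("same signature relayed elsewhere:", VerifyChallenge(pub, c, sig, time.Minute))
}
```

The RFC 6238 test vector (secret `12345678901234567890`, T=59, eight digits) is 94287082, which is a quick check for any authenticator implementation. The difference the post points at shows up in what the relying party stores: a leaked TOTP secret lets the thief mint valid codes, while a leaked Ed25519 public key does not, and folding the origin into the signed challenge means a signature captured at one site cannot be replayed at another.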

    1. Re:ELI5 -- why are blockchains relevant here? by 110010001000 · · Score: 2, Funny

      Ah, but Microsoft's version will include deep-learning neural network AI and will be used for next generation self-driving cars. I'm really excited about the potential of this technology.

    2. Re:ELI5 -- why are blockchains relevant here? by Korbeau · · Score: 3, Insightful

      From TFA: "Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps [...]"

      I believe the intent is more related to authorization (knowing the user has given or been granted access to X resource) than authentication (identifying the user) in this case. Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.

      Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Do past records ever get erased? If entries prove to be erroneous a few weeks after being added to the chain, how easily can you fix the mistake? How fast and reliably can you update data (revoke access, for instance)?

      Also, I think most implementations of such blockchain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.

    3. Re:ELI5 -- why are blockchains relevant here? by swb · · Score: 2

      Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.

      Isn't that kind of a problem? I think there's some security aspect to knowing who has access to what.

      I suppose this is where Microsoft hoarding the information comes in, preventing it from actually being "public query" data and requiring a bunch of subscriptions to MS data services.

      Regardless, this mostly just feels like another spin on locking in the authentication/signin market. Which is goofy because Microsoft will already wind up with a big chunk of the auth market anyway with AD/Azure.

    4. Re:ELI5 -- why are blockchains relevant here? by war4peace · · Score: 1

      Who validates the new data that comes in?

      Answered in blockchain documentation.
      Shortly put: crowd effort does that. Many participants validate the data individually and independently.

      Do past records ever get erased?

      Answered in blockchain documentation.
      Shortly put: NO.

      If entries prove to be erroneous after a few weeks after being added to the chain, how easily can you fix the mistake?

      Answered in blockchain documentation.
      Shortly put: no entry is erroneous once confirmed. They're there forever.

      How fast and reliably can you update data (revoke access for instance)?

      It really depends on the implementation. The devil is in the details.

      Also, I think most implementations of such blockchain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.

      Answered in blockchain documentation.
      Shortly put: You think wrong.

      Man, you really need to RTFM. Seriously. Do it. It helps.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    5. Re:ELI5 -- why are blockchains relevant here? by Anonymous Coward · · Score: 0

      Shortly put: no entry is erroneous once confirmed. They're there forever.

      So this is illegal under Europe's GDPR.

    6. Re:ELI5 -- why are blockchains relevant here? by Anonymous Coward · · Score: 0

      I'm personally a fan of Secure Remote Password, have used it a number of times in different situations. Seems to work quite well.

    7. Re:ELI5 -- why are blockchains relevant here? by Korbeau · · Score: 1

      > Who validates the new data that comes in?

      I'm basically wondering if anyone can create junk identities and junk providers and can associate any type of data to them, or if there is some kind of central authority around that. Nothing in blockchain technology requires the ledger to be fully public or the quorum to be fully open, or that any type of entry becomes valid. I find the article scarce on the topic.

      As for my other questions, they are rhetorical and express my concerns.

    8. Re:ELI5 -- why are blockchains relevant here? by mysidia · · Score: 1

      Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Do past records ever get erased?

      Let's hope they think this through carefully AND the blockchain will only contain cryptographic data that can be used to PROVE information that was already exchanged outside the blockchain, and not actual personal info.

      If authorizations are being recorded, then authorizations SHOULD expire or have a periodic renewal requirement and a way of revoking.
      The relying party regarding an authorization is going to definitely need a way of verifying that the authorization could not have been created without a secret belonging to the user, and possibly a secret belonging to one or more notaries who will help confirm the nature of the process (such as approval using a hardware authenticator to establish the user's intent to make the act).

    9. Re:ELI5 -- why are blockchains relevant here? by swillden · · Score: 1

      Who validates the new data that comes in?

      Answered in blockchain documentation.

      Which blockchain documentation are you referring to?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re: ELI5 -- why are blockchains relevant here? by Anonymous Coward · · Score: 0

      He doesn't fucking know. He's a block chain fanboy, shilling all up and down this forum.

    11. Re: ELI5 -- why are blockchains relevant here? by Anonymous Coward · · Score: 0

      Yep. Plus blockchains are expensive and inefficient. Time people wake up to alternatives like DAGs that are free of fees and miners.

    12. Re:ELI5 -- why are blockchains relevant here? by swillden · · Score: 1

      Do past records ever get erased?

      I expect that the idea is to make it easy to create a large number of digital pseudonyms, each of which is used for only one purpose, and which the real owner can prove ownership of, but without revealing their true identity or enabling anyone to link back to it.

      So there's no need to erase records, instead if you have a pseudonymous identity you don't use any more, you just abandon it in place, destroying the credentials you use to prove ownership. It still exists, but has no connection to you.

      Of course this very neat theory (which has been discussed heavily in cryptography circles for decades) runs into some real challenges when you want to use these identities in practice. There are lots of cool ideas about how to use cryptographic protocols, possibly involving a trusted third party, to validate bits of information about you without identifying you, and even to create "conditional" links between pseudonyms and real identities. For example, maybe you could employ a trusted third party protocol to validate your creditworthiness, and give the lender a cryptographic token that enables them, with the assistance of the third party, or perhaps a court, to decrypt your real identity. That way, perhaps you could get a loan that isn't linked to your identity. (Note that one ugly element of this scenario is that the likely candidates for the trusted third party are the credit agencies, which have proven themselves to be anything but trustworthy.)

      Anyway, lots of interesting ideas in this space. No idea what the real-world implications might be. Governments would probably be terrified of having such systems become the norm, since it would make it really hard to track people.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:ELI5 -- why are blockchains relevant here? by Anonymous Coward · · Score: 0

      Someone read too much nVidia market material

  5. exactly by goombah99 · · Score: 1

    If you have an authentication server, why do you need or even want a block chain? Furthermore, if you want to distribute the authentication to many servers, how do you control the authentication list if there's no proof of work? And if there's proof of work, then it gets expensive, because that's why it's called work.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:exactly by war4peace · · Score: 1

      I'm an amateur in the domain and even I see a huge lack of understanding in your post.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:exactly by mysidia · · Score: 1

      If you have an authentication server why do you need or even want block chain.

      YOU have the ability to authenticate the user, BUT you want untrusted third parties who run their own servers to also have a means of authenticating the user WITHOUT asking your server.

      A distributed blockchain could provide the system where you approve a certain resource to authenticate as you by digitally signing a XML package containing the credential AND the supplicant's public key AND a list of privileges or permissions AND expiration date with your key.

      Then the supplicant can authenticate, and use their public key to decrypt a payload you have prepared for them.
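
An added example, not from this post or from Microsoft, of the delegation the reply describes and of the expiry and revocation requirements mysidia raises in the earlier reply ("authorizations SHOULD expire ... and a way of revoking"), written in Go with Ed25519. JSON stands in for the XML package mentioned in the post, the relying party is simply configured with the user's public key (how it obtains that key is left out), the revocation list is an in-memory set, and the supplicant proves possession of its key by signing a nonce the relying party chose rather than by decrypting a payload; all of these are choices of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Grant is the package the user signs: the supplicant's public key, the privileges
// delegated, and an expiry. JSON stands in for the XML in the post (assumption of this example).
type Grant struct {
	ID         string   `json:"id"`
	Issuer     []byte   `json:"issuer"`     // user's Ed25519 public key
	Supplicant []byte   `json:"supplicant"` // supplicant's Ed25519 public key
	Privileges []string `json:"privileges"`
	Expires    int64    `json:"expires"` // Unix seconds
}

type SignedGrant struct { Grant Grant; Sig []byte }

// canonical is the byte string that gets signed; encoding/json emits fields in declaration order.
func (g Grant) canonical() []byte {
	b, _ := json.Marshal(g)
	return b
}

// Issue runs on the user's side with the user's private key; the user's own server is not involved.
func Issue(userPriv ed25519.PrivateKey, supplicant ed25519.PublicKey, privs []string, ttl time.Duration) (SignedGrant, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return SignedGrant{}, err
	}
	g := Grant{hex.EncodeToString(id), userPriv.Public().(ed25519.PublicKey), supplicant, privs, time.Now().Add(ttl).Unix()}
	return SignedGrant{g, ed25519.Sign(userPriv, g.canonical())}, nil
}

// RelyingParty is a third-party server that never asks the user's server anything: it holds
// the user's public key (configured here; published somewhere it trusts in practice) and a revocation set.
type RelyingParty struct {
	TrustedUsers map[string]bool // hex-encoded user public keys
	Revoked      map[string]bool // grant IDs the user has revoked
}

func NewRelyingParty(users ...ed25519.PublicKey) *RelyingParty {
	rp := &RelyingParty{map[string]bool{}, map[string]bool{}}
	for _, u := range users {
		rp.TrustedUsers[hex.EncodeToString(u)] = true
	}
	return rp
}

func (rp *RelyingParty) Revoke(grantID string) { rp.Revoked[grantID] = true }

// Authorize checks the grant, then proof that the presenter holds the supplicant key, then the privilege.
func (rp *RelyingParty) Authorize(sg SignedGrant, nonce, nonceSig []byte, want string) error {
	g := sg.Grant
	if len(g.Issuer) != ed25519.PublicKeySize || len(g.Supplicant) != ed25519.PublicKeySize {
		return errors.New("malformed key") // ed25519.Verify panics on a wrong-length key
	}
	if !rp.TrustedUsers[hex.EncodeToString(g.Issuer)] {
		return errors.New("issuer not trusted")
	}
	if !ed25519.Verify(g.Issuer, g.canonical(), sg.Sig) {
		return errors.New("grant signature invalid")
	}
	if time.Now().Unix() >= g.Expires {
		return errors.New("grant expired")
	}
	if rp.Revoked[g.ID] {
		return errors.New("grant revoked")
	}
	if !ed25519.Verify(g.Supplicant, nonce, nonceSig) {
		return errors.New("presenter does not hold the supplicant key")
	}
	for _, p := range g.Privileges {
		if p == want {
			return nil
		}
	}
	return errors.New("privilege not granted")
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	supPub, supPriv, _ := ed25519.GenerateKey(rand.Reader)
	sg, _ := Issue(userPriv, supPub, []string{"read:mail"}, time.Hour)
	rp := NewRelyingParty(userPub)
	nonce := []byte("constructed nonce chosen by the relying party")
	nonceSig := ed25519.Sign(supPriv, nonce)
	fmt.Println("read:mail:", rp.Authorize(sg, nonce, nonceSig, "read:mail"))
	fmt.Println("send:mail:", rp.Authorize(sg, nonce, nonceSig, "send:mail"))
	rp.Revoke(sg.Grant.ID)
	fmt.Println("after revoke:", rp.Authorize(sg, nonce, nonceSig, "read:mail"))
}
```

Two checks are easy to skip: the key-length check before `ed25519.Verify`, which panics on a malformed key rather than returning false, and re-serialising the grant from its parsed fields before verifying, so that any field edited in transit breaks the signature. The revocation set is the part no signature scheme gives you for free; it is the "way of revoking" the earlier reply asks for, and whoever hosts it has to be reachable and honest at verification time.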

    3. Re:exactly by Anonymous Coward · · Score: 0

      I see you stopped reading after the first sentence of what I wrote.

    4. Re:exactly by jhantin · · Score: 1

      If you have an authentication server why do you need or even want block chain.

      Seems like people are deafened by the clamor of buzzwords. Heard about the Certificate Transparency project? A certificate audit log is a Merkle tree that is appended to by adding a new root node of which the old root is a child, proving the history has not been tampered with. The end nodes of the Merkle tree are also digitally signed data structures. These two properties give the audit log the same data structure shape as a blockchain.

      Furthermore if you want to distribute the authentication to many servers how do you control the authentication list if there's no proof of work. and if there's proof of work, then it gets expensive because that's why its called work

      The entirety of the log is issued by a single entity, so each new root can simply be signed by the CA, and all the heavyweight Byzantine distributed consensus cruft such as proof of work that applications like Bitcoin use is completely irrelevant to this use case. Individual certificates can be verified by the embedded digital signature, issuance can be verified by consulting the (also signed) audit log.

      Note that this doesn't mean I think Microsoft's project referenced in TFA is necessarily a good idea. I don't know enough about it even after reading TFA to pass judgement on it. That may itself be an artifact of excessive buzzword density.

      --
      ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
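
An added example (not from this post, from the Certificate Transparency project, or from Microsoft) of the log structure jhantin describes, in Go: RFC 6962 leaf and node hashing, the audit path for one entry, the RFC 9162 inclusion check, and a tree head signed by a single operator key in place of any consensus protocol. The entries are constructed strings standing in for certificates, and the tree-head encoding is this example's own rather than the RFC's SignedTreeHead structure.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 domain separation: 0x00 before leaf data, 0x01 before child hashes, so a
// forged proof cannot pass a leaf off as an interior node or vice versa.
func HashLeaf(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, data...))
	return h[:]
}

func HashNode(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}

// split is the RFC 6962 split point: the largest power of two strictly below n (n >= 2).
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// Root is the Merkle tree hash MTH(D[n]) over leaf hashes (n >= 1).
func Root(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := split(len(leaves))
	return HashNode(Root(leaves[:k]), Root(leaves[k:]))
}

// InclusionProof is the audit path for leaf m: sibling subtree hashes, leaf end first.
func InclusionProof(m int, leaves [][]byte) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := split(n)
	if m < k {
		return append(InclusionProof(m, leaves[:k]), Root(leaves[k:]))
	}
	return append(InclusionProof(m-k, leaves[k:]), Root(leaves[:k]))
}

// VerifyInclusion is the RFC 9162 check: index and size decide, per level, which side the sibling is on.
func VerifyInclusion(leafHash []byte, index, size int, path [][]byte, root []byte) bool {
	if index >= size {
		return false
	}
	fn, sn, r := index, size-1, leafHash
	for _, p := range path {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = HashNode(p, r)
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = HashNode(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// SignTreeHead: one operator key signs each root, so a reader needs that key, not proof of work or consensus.
func SignTreeHead(priv ed25519.PrivateKey, size int, root []byte) []byte {
	return ed25519.Sign(priv, []byte(fmt.Sprintf("size=%d,root=%x", size, root)))
}

func VerifyTreeHead(pub ed25519.PublicKey, size int, root, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, []byte(fmt.Sprintf("size=%d,root=%x", size, root)), sig)
}

func main() {
	var leaves [][]byte
	for i := 1; i <= 5; i++ { // constructed stand-ins for logged certificates
		leaves = append(leaves, HashLeaf([]byte(fmt.Sprintf("cert-%d", i))))
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	root, size := Root(leaves), len(leaves)
	sig := SignTreeHead(priv, size, root)
	proof := InclusionProof(2, leaves)
	fmt.Println("head signed by log:", VerifyTreeHead(pub, size, root, sig))
	fmt.Println("cert-3 included:", VerifyInclusion(HashLeaf([]byte("cert-3")), 2, size, proof, root))
	fmt.Println("cert-X included:", VerifyInclusion(HashLeaf([]byte("cert-X")), 2, size, proof, root))
}
```

The prefix bytes are what stop the second-preimage trick of presenting an interior node's two children as a "leaf". The signed head is the only thing a reader needs in order to trust the current root, and a log that ever signs two different roots for the same size has provably misbehaved; that accountability, with no mining, is the property the post compares to a blockchain.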
    5. Re:exactly by slashrio · · Score: 1

      Who are you?

      --
      "Trump!!", the new Godwin.
  6. Mockchain by Anonymous Coward · · Score: 0

    So instead of safeguarding our own digital identities, we'll put them in "The Digital Hub" where everyone in the world will have access to them. And instead of storing them in a single file, they'll be attached to a chain with everyone else's, where the entire chain has to be accessed with every transaction, and will also grow by one link with every transaction, until it's a massive unwieldy monster that needs a city's worth of electricity just to process.

    What a joke. This is what happens when middle managers get hold of buzzwords like "blockchain".

  7. "Just Fucking Trust Us" by Anonymous Coward · · Score: 0

    Thanks, Nadella, but no, thanks.

  8. Blockchain is awesome... by Anonymous Coward · · Score: 0

    ... because it's a new word.

  9. Not all blockchains are distributed ledgers by Anonymous Coward · · Score: 0

    Every MBA seems to have wet dreams about blockchains, but the actual innovation isn't the blockchain. That existed long ago. The new thing about Bitcoin is how it made a distributed ledger based on a blockchain. "Mining", the so-called work-proof, is the actual innovation behind Bitcoin that enables a tamper-proof distributed ledger without trust and central authority.

    1. Re: Not all blockchains are distributed ledgers by Mirvnillith · · Score: 1

      But, there IS trust. Implicit trust in that the miners don't have an agenda (or at least one that includes your transaction). And worse, you don't know who you are trusting and the "target" of that trust changes with each transaction. To me this seems a bit naive, hoping that a crowd will balance out the egoism of the individuals but also knowing that power and control tend to centralise and corrupt.

  10. Pointless by NicknameUnavailable · · Score: 1

    They're just going to have a master key or series of rotating side-channel attacks so nothing Microsoft-based can be trusted, this has been demonstrated without fail on a monthly basis for over 2 decades.

  11. Don't buy one penny of this piss lemonade by Anonymous Coward · · Score: 0

    These lying sacks are not out to help you, you are their product, cattle. The idea they would work in anyones best interest except their own is laughable.

    My guess? They will talk a big game, but if you look under the hood, which they will conveniently make impossible, you'd see a whole lot of smoke and mirrors and bullshit.

    Microsoft are Liars(tm)

    Same organization has repeatedly been sued by multiple world governments and tracks and collects data in a way that puts Facebook to shame. I wouldn't trust them with a ball of yarn.

  12. ^ this. by Anonymous Coward · · Score: 0

    Literally my first thought regarding this, followed by one of the other threads above about using public/private keys and just using the blockchain as a utmp/wtmp/authentication logging solution (where it WOULD be good in a corporate environment if you needed all access attempts verifiably logged, and assuming the majority of the network wasn't compromised/compromisable).

  13. Buzzword compliant, but semi-interesting by ErichTheRed · · Score: 2

    I wonder if Microsoft is trying to get around a scaling problem. If every company on Earth switches to Office 365, and they're basically forcing everyone this way, then they will control at least a portion of identity/login for most of the world. They're doing this with Azure AD right now, with every company either in a cloud-based or federated trust with their own tenant. I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials, but maybe the point of decentralizing it is actually to get the storage part off their hands while still controlling the process.

    1. Re:Buzzword compliant, but semi-interesting by Anonymous Coward · · Score: 0

      There are at least three startups doing the same thing with "identities" and "blockchain". So the only thing redmond have going for them is that you already know their name.

    2. Re:Buzzword compliant, but semi-interesting by DigiShaman · · Score: 3, Insightful

      It's essentially Microsoft Passport 2.0, is it not?

      --
      Life is not for the lazy.
    3. Re:Buzzword compliant, but semi-interesting by mysidia · · Score: 1

      I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials

      What makes you think Azure AD is designed that way, from MS... a company well-known for the InSecurity of their OS?
      Have you or someone you know audited the Azure AD software and protocol implementations from head to toe?

      What tells you that it would have been designed to ensure no single point of attack could leak all users' credentials?

    4. Re:Buzzword compliant, but semi-interesting by Anonymous Coward · · Score: 0

      And they have millions of users they can force over to this when they want. And products in the wild where they can enforce the usage of their new account blockchain.

  14. store and manage digital identities by Anonymous Coward · · Score: 0

    UGH!

  15. Hard to know what they're talking about by Anonymous Coward · · Score: 0

    Identity and access management is the proverbial elephant being described by blind men. What we need is an article with a motivating scenario that their new service supposedly addresses, with technical detail. Not just a lot of buzzwords and happy talk.

  16. Why do they say "using blockchain" ? by Anonymous Coward · · Score: 0

    Using *which* blockchain? The original blockchain refers to Bitcoin. Are Microsoft credentials now stored on the Bitcoin blockchain? Do they mean "using a blockchain-like distributed ledger" ?

    They keep saying "blockchain" like there's only one. Do they intend to push marketing of the phrase "blockchain" until people have no idea whether it refers to Bitcoin or their stupid Microsoft account? Does Microsoft intend to 'steal' the notion and apply it to something that doesn't even make sense, like "dot Net"? Remember their appropriation of ".NET" for their stupid, post Active-X/COM shitware that destroyed a whole TLD?

  17. Embrace, extend, extinguish by rot26 · · Score: 1

    Blockchain is the new cloud.

    Not in what it does, just in the marketing sense, of course.

    You know eventually technologies are going to be like medicines and domain names: all the good ones will have been taken and/or copyrighted, and we'll be left with nonsense terms created by marketing droids.

    Microsoft Word 2^11, now with Incivek and Adcetris.

    --
    To ensure perfect aim, shoot first and call whatever you hit the target
    1. Re:Embrace, extend, extinguish by Anonymous Coward · · Score: 0

      You know eventually technologies are going to be like medicines and domain names: all the good ones will have been taken and/or copyrighted, and we'll be left with nonsense terms created by marketing droids.

      Eventually? We passed that point a long time ago.

  18. I fail to see how that improves privacy. by shess · · Score: 1

    I can see how putting my info on a blockchain provides verification that I put my info on the blockchain. I can see how you could use encryption techniques to allow me to encode on the blockchain who can access my info. But I don't see how this causes those accessing my info to use appropriate security protocols to protect my info. At some point, they'll want access to my actual information, and once they have that, what prevents them from storing a copy for their convenience, or simply forwarding it to some third party that's paying them for information? Also, how does this help at all with apps asking for access to personal information that they have no need for?

    People who write apps could already ask for minimal information, and they could already encrypt the info with something only I can provide to minimize their contact surface, they already could use best practices like salting their hashed password storage. For the most part, the problem isn't that they are trying really hard to do these things, and failing for technical reasons, the problem is that they aren't bothering to even try.

    1. Re:I fail to see how that improves privacy. by DaveV1.0 · · Score: 1

      After reading TFA, it appears to be "OpenID + Blockchain for PII".

      The article states "people could store, control and access their identity in ... an encrypted identity datastore called an Identity Hub, a server called Universal DID Resolver that resolves DIDs across blockchains, and verifiable credentials." It's 'decentralized system trust is based on "attestations" or claims about parts of a person's identity that other entities endorse' and provide " access to a more precise set of attestations without having to process as much of a user's personally identifiable information."

      It looks to me like the goal is to move personally identifying information from dozens of apps and websites off to a centralized, encrypted store which will be matched with a blockchain token that allows limited access to the PII. My concern is that, while this decreases the locations PII is stored, it is, in effect, putting all one's eggs in one basket making that basket a huge target.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  19. Walk before you run by simplypeachy · · Score: 1

    You have got to be fucking kidding me. They restrict maximum password length way below sensible limits, can't seem to get their various assets to log me in correctly, first time. I've recently been bounced between various login screens, been literally typing in my user name and before I can press tab to move focus, the page is redirecting and some of what I wrote is lost or entered as entry into the password field. (None of this was a problem with my end - I tried various methods to see if I was going wrong somewhere). At the moment you have to try to understand what they're talking about when they ask "what sort of login you have, a workplace/organisation or your own?" I click the relevant option and find out it's the wrong one, but I was logged in anyway. Microsoft don't seem to have offered a functioning, reliable, consistent authentication interface for at least ten years.

    How about you get the basics working first, before you start dabbling with fads just to raise your share price?

  20. Not needed by nospam007 · · Score: 1

    "It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. "

    That's why sensible people use all different fake identities. Only my bank has my real name.

    Amazon, etc all deliver their stuff to my cat.

  21. Yeah, right ... by Anonymous Coward · · Score: 0

    Instead, people could store, control and access their identity in an encrypted digital hub

    That Microsoft controls.

    Fuck that, I'm not letting MS be the central authentication mechanism on the web, they can kiss my ass.

  22. old parables by Anonymous Coward · · Score: 0

    what was the one with all the eggs in one basket?

    Seems like it would make for a really juicy target for some foreign government agency to try and compromise.

  23. Reckons? by sqorbit · · Score: 1

    Did a major publication (ZDNet) really say "Microsoft reckons"? Are they roundin up the wagons and herdin the cattle too? I know journalism is pretty much a dead idea, but that is just completely lacking any attempt at professional writing.

    --
    Sent from my TARDIS
    1. Re:Reckons? by Anonymous Coward · · Score: 0

      HOO-WEEEE! giddyup lil doggies! Micrasoff gone git R dun, ah-ah-ah do declare!

  24. idiotic by slashmydots · · Score: 1

    Here's how blockchains works: I can't falsify a transaction in the bitcoin blockchain without outprocessing the entire rest of the network. Think about why that might be a problem for Microsoft if they start their own blockchain. Hmmmm.

  25. Morning Glory by Anonymous Coward · · Score: 0

    Should have known! When Microsoft wakes with morning glory msmash is there to beat it.

  26. Still waiting... by CimmerianX · · Score: 1

    Hey Microshat,
    How about you start to support 2 factor authentication on windows and servers first before you start worrying about collecting all PII data?

    Seriously, why do I need a 3rd party authenticator like RSA and a GINA replacement when 2 factor should be standard by now.