Microsoft: We're Developing Blockchain ID System Starting With Our Authenticator App (zdnet.com)

← Back to Stories (view on slashdot.org)

Microsoft: We're Developing Blockchain ID System Starting With Our Authenticator App (zdnet.com)

Posted by ryuzaki0 on Tuesday February 13, 2018 @02:45AM from the embracing-the-cool dept.

Microsoft has revealed its plans to use blockchain distributed-ledger technologies to securely store and manage digital identities, starting with an experiment using the Microsoft Authenticator app. From a report: Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps and services and having their identity data spread across multiple providers. It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. Instead, people could store, control and access their identity in an encrypted digital hub, Microsoft explained. To achieve this goal, Microsoft has for the past year been incubating ideas for using blockchain and other distributed ledger technologies to create new types of decentralized digital identities.

31 of 57 comments (clear)

Min score:

Reason:

Sort:

How do you know a trend is over? by Opportunist · 2018-02-13 02:57 · Score: 4, Funny

Either when mainstream media starts reporting about it or when MS starts to develop for it.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
ELI5 -- why are blockchains relevant here? by ctilsie242 · 2018-02-13 03:03 · Score: 4, Interesting

Blockchains are relevant for ledgers and logs (basically a secure utmp/wtmp). However, for authentication, it really doesn't help much.
Instead, MS would be better off designing an open protocol like RFC 6238 or RFC 4226, except using public/private keys as opposed to shared secrets, and having an open authenticator app for this.
1. Re:ELI5 -- why are blockchains relevant here? by 110010001000 · 2018-02-13 03:19 · Score: 2, Funny
  
  Ah, but Microsoft's version will include deep-learning neural network AI and will be used for next generation self-driving cars. I'm really excited about the potentional of this technology.
2. Re:ELI5 -- why are blockchains relevant here? by Korbeau · 2018-02-13 03:22 · Score: 3, Insightful
  
  From TFA: "Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps [...]"
  I believe the intend is more related to authorization (knowing the user has given or been granted access to X resource) than authentication (identifying the user) in this case. Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.
  Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Does past records every get erased? If entries prove to be erroneous after a few weeks after being added to the chain, how easily can you fix the mistake? How fast and reliably can you update data (revoke access for instance)?
  Also, I think most implementation of such blockhain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.
3. Re:ELI5 -- why are blockchains relevant here? by swb · 2018-02-13 04:19 · Score: 2
  
  Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.
  Isn't that kind of a problem? I think there's some security aspect to knowing who has access to what.
  I suppose this is where Microsoft hoarding the information comes in, preventing it from actually being "public query" data and requiring a bunch of subscriptions to MS data services.
  Regardless, this mostly just feels like another spin on locking in the authentication/signin market. Which is goofy because Microsoft will already wind up with a big chunk of the auth market anyway with AD/Azure.
4. Re:ELI5 -- why are blockchains relevant here? by war4peace · 2018-02-13 04:32 · Score: 1
  
  Who validates the new data that comes in?
  Answered in blockchain documentation.
  Shortly put: crowd effort does that. Many participants validate the data individually and independently.
  
  Does past records every get erased?
  Answered in blockchain documentation.
  Shortly put: NO.
  
  If entries prove to be erroneous after a few weeks after being added to the chain, how easily can you fix the mistake?
  Answered in blockchain documentation.
  Shortly put: no entry is erroneous once confirmed. They're there forever.
  
  How fast and reliably can you update data (revoke access for instance)?
  It really depends on the implementation. The devil is in the details.
  
  Also, I think most implementation of such blockhain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.
  Answered in blockchain documentation.
  Shortly put: You think wrong.
  Man, you really need to RTFM. Seriously. Do it. It helps.
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
5. Re:ELI5 -- why are blockchains relevant here? by Korbeau · 2018-02-13 06:23 · Score: 1
  
  > Who validates the new data that comes in?
  I'm basically wondering if anyone can create junk identities and junk providers and can associate any type of data to them, or if there are some kind of central authority around that. Nothing in the blockchain technology enforces the ledger to be fully public or the quorum to be fully open, and that any type of entry becomes valid. I find the article scarce on the topic.
  As for my other questions, they are rhetorical and express my concerns.
6. Re:ELI5 -- why are blockchains relevant here? by mysidia · 2018-02-13 07:26 · Score: 1
  
  Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Does past records every get erased?
  Let's hope they think this through carefully AND the blockchain will only contain cryptographic data that can be used to PROOF information that was already exchanged outside the blockchain, and not actual personal info.
  If authorizations are being recorded, then authorizations SHOULD expire or have a periodic renewal requirement and a way of revoking.
  The relying party regarding an authorization is going to definitely need a way of verifying that the authorization could not have been created without a secret belonging to the user, and possibly a secret belonging to one or more notaries who will help confirm the nature of the process (Such as approval using a hardware authenticator to establish the user's intent to make the act).
7. Re:ELI5 -- why are blockchains relevant here? by swillden · 2018-02-13 07:55 · Score: 1
  
  Who validates the new data that comes in?
  Answered in blockchain documentation.
  Which blockchain documentation are you referring to?
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:ELI5 -- why are blockchains relevant here? by swillden · 2018-02-13 08:55 · Score: 1
  
  Does past records every get erased?
  I expect that the idea is to make it easy to create a large number of digital pseudonyms, each of which is used for only one purpose, and which the real owner can prove ownership of, but without revealing their true identity or enabling anyone to link back to it.
  So there's no need to erase records, instead if you have a pseudonymous identity you don't use any more, you just abandon it in place, destroying the credentials you use to prove ownership. It still exists, but has no connection to you.
  Of course this very neat theory (which has been discussed heavily in cryptography circles for decades) runs into some real challenges when you want to use these identities in practice. There are lots of cool ideas about how to use cryptographic protocols, possibly involving a trusted third party, to validate bits of information about you without identifying you, and even to create "conditional" links between pseudonyms and real identities. For example, maybe you could employ a trusted third party protocol to validate your creditworthiness, and give the lender a cryptographic token that enables them, with the assistance of the third party, or perhaps a court, to decrypt your real identity. That way, perhaps you could get a loan that isn't linked to your identity. (Note that one ugly element of this scenario is that the likely candidates for the trusted third party are the credit agencies, which have proven themselves to be anything but trustworthy.)
  Anyway, lots of interesting ideas in this space. No idea what the real-world implications might be. Governments would probably be terrified of having such systems become the norm, since it would make it really hard to track people.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
exactly by goombah99 · 2018-02-13 03:06 · Score: 1

If you have an authentication server why do you need or even want block chain. Furthermore if you want to distribute the authentication to many servers how do you control the authentication list if there's no proof of work. and if there's proof of work, then it gets expensive because that's why its called work

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:exactly by war4peace · 2018-02-13 04:25 · Score: 1
  
  I'm an amateur in the domain and even I see a huge lack of understanding in your post.
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
2. Re:exactly by mysidia · 2018-02-13 07:20 · Score: 1
  
  If you have an authentication server why do you need or even want block chain.
  YOU have the ability to authenticate the user, BUT you want untrusted third parties who run their own servers to also have a means of authenticating the user WITHOUT asking your server.
  A distributed blockchain could provide the system where you approve a certain resource to authenticate as you by digitally signing a XML package containing the credential AND the supplicant's public key AND a list of privileges or permissions AND expiration date with your key.
  Then the supplicant can authenticate, and use their public key to decrypt a payload you have prepared for them.
3. Re:exactly by jhantin · 2018-02-13 12:45 · Score: 1
  
  If you have an authentication server why do you need or even want block chain.
  Seems like people are deafened by the clamor of buzzwords. Heard about the Certificate Transparency project? A certificate audit log is a Merkle tree that is appended to by adding a new root node of which the old root is a child, proving the history has not been tampered with. The end nodes of the Merkle tree are also digitally signed data structures. These two properties give the audit log the same data structure shape as a blockchain.
  
  Furthermore if you want to distribute the authentication to many servers how do you control the authentication list if there's no proof of work. and if there's proof of work, then it gets expensive because that's why its called work
  The entirety of the log is issued by a single entity, so each new root can simply be signed by the CA, and all the heavyweight Byzantine distributed consensus cruft such as proof of work that applications like Bitcoin use is completely irrelevant to this use case. Individual certificates can be verified by the embedded digital signature, issuance can be verified by consulting the (also signed) audit log.
  Note that this doesn't mean I think Microsoft's project referenced in TFA is necessarily a good idea. I don't know enough about it even after reading TFA to pass judgement on it. That may itself be an artifact of excessive buzzword density.
  
  --
  ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
4. Re:exactly by slashrio · 2018-02-13 13:21 · Score: 1
  
  Who are you?
  
  --
  "Trump!!", the new Godwin.
Pointless by NicknameUnavailable · 2018-02-13 03:24 · Score: 1

They're just going to have a master key or series of rotating side-channel attacks so nothing Microsoft-based can be trusted, this has been demonstrated without fail on a monthly basis for over 2 decades.
Buzzword compliant, but semi-interesting by ErichTheRed · 2018-02-13 03:34 · Score: 2

I wonder if Microsoft is trying to get around a scaling problem. If every company on Earth switches to Office 365, and they're basically forcing everyone this way, then they will control at least a portion of identity/login for most of the world. They're doing this with Azure AD right now, with every company either in a cloud-based or federated trust with their own tenant. I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials, but maybe the point of decentralizing it is actually to get the storage part off their hands while still controlling the process.
1. Re:Buzzword compliant, but semi-interesting by DigiShaman · 2018-02-13 04:32 · Score: 3, Insightful
  
  It's essentially Microsoft Passport 2.0, is it not?
  
  --
  Life is not for the lazy.
2. Re:Buzzword compliant, but semi-interesting by mysidia · 2018-02-13 07:31 · Score: 1
  
  I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials
  What makes you think Azure AD is designed that way, from MS... a company well-known for the InSecurity of their OS?
  Have you or someone you know audited the Azure AD software and protocol implementations from head to toe?
  What tells you that it would have been designed to ensure no single point of attack could leak all users' credentials?
Re:Blockchain as a buzz word by FatdogHaiku · 2018-02-13 03:51 · Score: 1

Cloud cloud cloud!!!
Blockchain blockchain blockchain!!!
Marketing departments are working overtime these days.
Just wait until they get to Cloudchain and Blockcloud !

--
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Embrace, extend, extinguish by rot26 · 2018-02-13 04:26 · Score: 1

Blockchain is the new cloud.

Not in what it does, just in the marketing sense, of course.

You know eventually technologies are going to be like medicines and domain names: all the good ones will have been taken and/or copyrighted, and we'll be left with nonsense terms created by marketing droids.

Microsoft Word 2^11, now with Incivek and Adcetris.

--

To ensure perfect aim, shoot first and call whatever you hit the target
Re:Don't give a shit by war4peace · 2018-02-13 04:27 · Score: 1

Translation:
"I am a retardo who disconsidered security questions back in the day and now I got the shaft. It's YOUR FAULT!!!111oneone"
You're welcome.

--
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
I fail to see how that improves privacy. by shess · 2018-02-13 04:33 · Score: 1

I can see how putting my info on a blockchain provides verification that I put my info on the blockchain. I can see how you could use encryption techniques to allow me to encode on the blockchain who can access my info. But I don't see how this causes those accessing my info to use appropriate security protocols to protect my info. At some point, they'll want access to my actual information, and once they have that, what prevents them from storing a copy for their convenient, or simply forwarding it to some third party that's paying them for information? Also, how does this help at all with apps asking for access to personal information that they have no need for?
People who write apps could already ask for minimal information, and they could already encrypt the info with something only I can provide to minimize their contact surface, they already could use best practices like salting their hashed password storage. For the most part, the problem isn't that they are trying really hard to do these things, and failing for technical reasons, the problem is that they aren't bothering to even try.
1. Re:I fail to see how that improves privacy. by DaveV1.0 · 2018-02-13 07:30 · Score: 1
  
  After ReadingTFA, it appears to be "OpenID + Blockchain for PII".
  The article states "people could store, control and access their identity in ... an encrypted identity datastore called an Identity Hub, a server called Universal DID Resolver that resolves DIDs across blockchains, and verifiable credentials." It's 'decentralized system trust is based on "attestations" or claims about parts of a person's identity that other entities endorse' and provide " access to a more precise set of attestations without having to process as much of a user's personally identifiable information."
  It looks to me like the goal is to move personally identifying information from dozens of apps and websites off to a centralized, encrypted store which will be matched with a blockchain token that allows limited access to the PII. My concern is that, while this decreases the locations PII is stored, it is, in effect, putting all one's eggs in one basket making that basket a huge target.
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Walk before you run by simplypeachy · 2018-02-13 04:43 · Score: 1

You have got to be fucking kidding me. They restrict maximum password length way below sensible limits, can't seem to get their various assets to log me in correctly, first time. I've recently been bounced between various login screens, been literally typing in my user name and before I can press tab to move focus, the page is redirecting and some of what I wrote is lost or entered as entry into the password field. (None of this was a problem with my end - I tried various methods to see if I was going wrong somewhere). At the moment you have to try to understand what they're talking about when they ask "what sort of login you have, a workplace/organisation or your own?" I click the relevant option and find out it's the wrong one, but I was logged in anyway. Microsoft don't seem to have offered a functioning, reliable, consistent authentication interface for at least ten years.
How about you get the basics working first, before you start with dabbling with fads just to rise your share price?
Not needed by nospam007 · 2018-02-13 04:45 · Score: 1

"It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. "
That's why sensible people use all different fake indentities. Only my bank has my real name.
Amazon, etc all deliver their stuff to my cat.
Re:Blockchain as a buzz word by dysmal · 2018-02-13 05:28 · Score: 1

Cloud cloud cloud!!!
Blockchain blockchain blockchain!!!
Marketing departments are working overtime these days.
Just wait until they get to Cloudchain and Blockcloud !
Wake me when they get to BlockCloud!
Reckons? by sqorbit · 2018-02-13 06:05 · Score: 1

Did a major publication (ZDNet) really say "Microsoft reckons"? Are they roundin up the wagons and herdin the cattle too? I know journalism is pretty much a dead idea, but that is just completely lacking any attempt at professional writing.

--
Sent from my TARDIS
idiotic by slashmydots · 2018-02-13 06:40 · Score: 1

Here's how blockchains works: I can't falsify a transaction in the bitcoin blockchain without outprocessing the entire rest of the network. Think about why that might be a problem for Microsoft if they start their own blockchain. Hmmmm.
Still waiting... by CimmerianX · 2018-02-13 12:31 · Score: 1

Hey Microshat,
How about you start to support 2 factor authentication on windows and servers first before you start worrying about collecting all PII data?
Seriously, why do I need a 3rd party authenticator like RSA and and GINA replacement when 2 factor should be standard by now.
Re: Not all blockchains are distributed ledgers by Mirvnillith · 2018-02-13 18:32 · Score: 1

But, there IS trust. Implicit trust in that the miners donâ(TM)t have an agenda (or at least one that includes your transaction). And worse, you donâ(TM)t know who you are trusting and the âtargetâ of that trust changes with each transaction. To me this seems a bit naive, hoping that a crowd will balance out the egoism of the individuals but also knowing that power and control tend to centralise and corrupt.