Microsoft takes aim at passwords
Microsoft says it is determined to solve the problem of ineffective authentication that relies on usernames and passwords
Microsoft is “hell bent” on solving the problem of ineffective authentication that relies on usernames and passwords, says Dustin Ingalls, group program manager for Windows security and identity.
“We have to solve this, ideally in a standard way across industry because the ecosystem will be better off if we can solve it for all devices and services users come across daily,” he told Computer Weekly.
Microsoft is tackling the problem in various ways, including a focus on support for biometric devices in Windows 8.1 and membership of the Fast IDentity Online (Fido) Alliance.
The Fido Alliance is an open-industry consortium delivering standards for simpler, stronger authentication, which in its first year has grown from six founding members to almost 100.
Microsoft joins other industry heavyweights in the alliance such as Google, Mastercard, PayPal, RSA, Lenovo and Dell.
“From a business objective standpoint, all the players are well aligned and agree that passwords have been problematic for a number of years and are well past their time,” said Ingalls.
There is general agreement in the technology industry, he said, that as a whole they need to get past this problem, but that it cannot be solved by any single player alone.
More on Fido Alliance
- I am not a dog, FIDO a new standard for user authentication
- PayPal CISO Michael Barrett bullish on password alternative standard
- IT industry group releases password-killing standard
- Forgot your password? FIDO Alliance works on authentication alternatives
- PayPal CISO hopes FIDO Alliance can help replace weak passwords
“The only way to solve this problem is to get all the major players at the same table and the Fido alliance has the potential of making that happen,” said Ingalls.
The shared aspiration of members is to enable an identity solution to get real users off passwords in a way that is just as easy to use, but far more secure.
Most players in technology industry want to get to a place where users of products and services are safe from identity theft, fraud and phishing.
Although there have been a few password alternatives for some time, Ingalls said the industry goal is to achieve this in a way that security is not compromised for the sake of convenience.
“Essentially, we have to find a way of putting the power of public-key infrastructure (PKI) asymetric keys in the hands of the everyday users of online services without needing separate cards or tokens,” he said.
Historically, PKI has been costly to implement and difficult to use. The most obvious way around this, said Ingalls, is using biometric devices such as easy-to-use fingerprint sensors built into devices.
“Usability is critical from the start according to the Fido Alliance principles, and Microsoft is looking to work with the alliance to achieve this objective,” he said.
Microsoft also sees the Fido Alliance as being a potential way of ensuring that any password alternatives will be available from all suppliers of products and services and not just some.
“Users will not adopt anything that is available only from a limited number of services, it has to be something that can be used across the board,” said Ingalls.
He believes the likelihood of success in finding an easy-to-use, secure alternative to passwords has never been greater because of the added impetus of pressure from the payment card industry.
At the same time, a wide variety of different players are working to solve the same problem, and Microsoft plans to lead the way in proving support from within its operating system.
A key element of Windows 8.1, said Ingalls, is the provision of a single, easy enrolment experience for users regardless of what biometric device is being used.
“This means developers of Windows apps, for example, can enable the use of biometrics using a simple application program interface (API),” said Ingalls.
“Windows 8.1 does all the work, all they have to do is call the API with a single line of code,” he said.
In February, the Fido Alliance published the draft technical specifications for its Online Security Transaction Protocol (OSTP).
The OSTP is aimed at helping companies eliminate passwords in favour of a much stronger multi-factor identity checks using a variety of alternatives.
These include biometrics, Trusted Platform Modules (TPMs), USB security tokens, embedded secure elements (eSEs) and smart cards.