Microsoft: We're Developing Blockchain ID System Starting With Our Authenticator App (zdnet.com) 57

Microsoft has revealed its plans to use blockchain distributed-ledger technologies to securely store and manage digital identities, starting with an experiment using the Microsoft Authenticator app. From a report: Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps and services and having their identity data spread across multiple providers. It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. Instead, people could store, control and access their identity in an encrypted digital hub, Microsoft explained. To achieve this goal, Microsoft has for the past year been incubating ideas for using blockchain and other distributed ledger technologies to create new types of decentralized digital identities.

  • by Opportunist ( 166417 ) on Tuesday February 13, 2018 @10:57AM (#56115419)

    Either when mainstream media starts reporting about it or when MS starts to develop for it.

  • by ctilsie242 ( 4841247 ) on Tuesday February 13, 2018 @11:03AM (#56115455)

    Blockchains are relevant for ledgers and logs (basically a secure utmp/wtmp). However, for authentication, it really doesn't help much.

    Instead, MS would be better off designing an open protocol like RFC 6238 or RFC 4226, except using public/private keys as opposed to shared secrets, and having an open authenticator app for this.

    • Re: (Score:3, Funny)

      Ah, but Microsoft's version will include deep-learning neural network AI and will be used for next generation self-driving cars. I'm really excited about the potential of this technology.
    • by Korbeau ( 913903 ) on Tuesday February 13, 2018 @11:22AM (#56115585)

      From TFA: "Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps [...]"

      I believe the intent is more related to authorization (knowing the user has given or been granted access to X resource) than authentication (identifying the user) in this case. Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.

      Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Do past records ever get erased? If entries prove to be erroneous after a few weeks after being added to the chain, how easily can you fix the mistake? How fast and reliably can you update data (revoke access for instance)?

      Also, I think most implementations of such blockchain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.

      • by swb ( 14022 )

        Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.

        Isn't that kind of a problem? I think there's some security aspect to knowing who has access to what.

        I suppose this is where Microsoft hoarding the information comes in, preventing it from actually being "public query" data and requiring a bunch of subscriptions to MS data services.

        Regardless, this mostly just feels like another spin on locking in the authentication/signin market. Which is goofy because Microsoft will already wind up with a big chunk of the auth market anyway with AD/Azure.

      • Who validates the new data that comes in?

        Answered in blockchain documentation.
        Shortly put: crowd effort does that. Many participants validate the data individually and independently.

        Do past records ever get erased?

        Answered in blockchain documentation.
        Shortly put: NO.

        If entries prove to be erroneous after a few weeks after being added to the chain, how easily can you fix the mistake?

        Answered in blockchain documentation.
        Shortly put: no entry is erroneous once confirmed. They're there forever.

        How fast and reliably can you update data (revoke access for instance)?

        It really depends on the implementation. The devil is in the details.

        Also, I think most implementations of such blockchain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.

        Answered in blockchain documentation.
        Shortly put: You think wrong.

        Man, you really need to RTFM. Seriously. Do it. It helps.

        • by Korbeau ( 913903 )

          > Who validates the new data that comes in?

          I'm basically wondering if anyone can create junk identities and junk providers and can associate any type of data to them, or if there are some kind of central authority around that. Nothing in the blockchain technology enforces the ledger to be fully public or the quorum to be fully open, and that any type of entry becomes valid. I find the article scarce on the topic.

          As for my other questions, they are rhetorical and express my concerns.

        • Who validates the new data that comes in?

          Answered in blockchain documentation.

          Which blockchain documentation are you referring to?

      • by mysidia ( 191772 )

        Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Do past records ever get erased?

        Let's hope they think this through carefully AND the blockchain will only contain cryptographic data that can be used to PROVE information that was already exchanged outside the blockchain, and not actual personal info.

        If authorizations are being recorded, then authorizations SHOULD expire or have a periodic renewa

      • Do past records ever get erased?

        I expect that the idea is to make it easy to create a large number of digital pseudonyms, each of which is used for only one purpose, and which the real owner can prove ownership of, but without revealing their true identity or enabling anyone to link back to it.

        So there's no need to erase records, instead if you have a pseudonymous identity you don't use any more, you just abandon it in place, destroying the credentials you use to prove ownership. It still exists, but has no connection to you.

        Of course

  • They're just going to have a master key or series of rotating side-channel attacks so nothing Microsoft-based can be trusted, this has been demonstrated without fail on a monthly basis for over 2 decades.
  • by ErichTheRed ( 39327 ) on Tuesday February 13, 2018 @11:34AM (#56115685)

    I wonder if Microsoft is trying to get around a scaling problem. If every company on Earth switches to Office 365, and they're basically forcing everyone this way, then they will control at least a portion of identity/login for most of the world. They're doing this with Azure AD right now, with every company either in a cloud-based or federated trust with their own tenant. I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials, but maybe the point of decentralizing it is actually to get the storage part off their hands while still controlling the process.

    • by DigiShaman ( 671371 ) on Tuesday February 13, 2018 @12:32PM (#56116063) Homepage

      It's essentially Microsoft Passport 2.0, is it not?

    • by mysidia ( 191772 )

      I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials

      What makes you think Azure AD is designed that way, from MS... a company well-known for the InSecurity of their OS?
      Have you or someone you know audited the Azure AD software and protocol implementations from head to toe?

      What tells you that it would have been designed to ensure no single point of attack could leak all users' credentials?

  • Blockchain is the new cloud.

    Not in what it does, just in the marketing sense, of course.

    You know eventually technologies are going to be like medicines and domain names: all the good ones will have been taken and/or copyrighted, and we'll be left with nonsense terms created by marketing droids.

    Microsoft Word 2^11, now with Incivek and Adcetris.
  • I can see how putting my info on a blockchain provides verification that I put my info on the blockchain. I can see how you could use encryption techniques to allow me to encode on the blockchain who can access my info. But I don't see how this causes those accessing my info to use appropriate security protocols to protect my info. At some point, they'll want access to my actual information, and once they have that, what prevents them from storing a copy for their convenience, or simply forwarding it to s

    • After reading TFA, it appears to be "OpenID + Blockchain for PII".

      The article states "people could store, control and access their identity in ... an encrypted identity datastore called an Identity Hub, a server called Universal DID Resolver that resolves DIDs across blockchains, and verifiable credentials." Its 'decentralized system trust is based on "attestations" or claims about parts of a person's identity that other entities endorse' and provide "access to a more precise set of attestations without h

  • You have got to be fucking kidding me. They restrict maximum password length way below sensible limits, can't seem to get their various assets to log me in correctly, first time. I've recently been bounced between various login screens, been literally typing in my user name and before I can press tab to move focus, the page is redirecting and some of what I wrote is lost or entered as entry into the password field. (None of this was a problem with my end - I tried various methods to see if I was going wrong

  • "It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. "

    That's why sensible people use all different fake identities. Only my bank has my real name.

    Amazon, etc all deliver their stuff to my cat.

  • Did a major publication (ZDNet) really say "Microsoft reckons"? Are they roundin up the wagons and herdin the cattle too? I know journalism is pretty much a dead idea, but that is just completely lacking any attempt at professional writing.
  • Here's how blockchains work: I can't falsify a transaction in the bitcoin blockchain without outprocessing the entire rest of the network. Think about why that might be a problem for Microsoft if they start their own blockchain. Hmmmm.
  • Hey Microshat,
    How about you start to support 2 factor authentication on windows and servers first before you start worrying about collecting all PII data?

    Seriously, why do I need a 3rd party authenticator like RSA and GINA replacement when 2 factor should be standard by now?
