Microsoft: We're Developing Blockchain ID System Starting With Our Authenticator App (zdnet.com) 57
Microsoft has revealed its plans to use blockchain distributed-ledger technologies to securely store and manage digital identities, starting with an experiment using the Microsoft Authenticator app. From a report: Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps and services and having their identity data spread across multiple providers. It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. Instead, people could store, control and access their identity in an encrypted digital hub, Microsoft explained. To achieve this goal, Microsoft has for the past year been incubating ideas for using blockchain and other distributed ledger technologies to create new types of decentralized digital identities.
exactly (Score:2)
If you have an authentication server, why do you need or even want a blockchain? Furthermore, if you want to distribute the authentication to many servers, how do you control the authentication list if there's no proof of work? And if there's proof of work, then it gets expensive, because that's why it's called work.
Re: (Score:2)
I'm an amateur in the domain and even I see a huge lack of understanding in your post.
Re: (Score:2)
If you have an authentication server, why do you need or even want a blockchain?
YOU have the ability to authenticate the user, BUT you want untrusted third parties who run their own servers to also have a means of authenticating the user WITHOUT asking your server.
A distributed blockchain could provide the system where you approve a certain resource to authenticate as you by digitally signing an XML package containing the credential AND the supplicant's public key AND a list of privileges or permissio
Seems like people are deafened by the clamor of buzzwords. Heard about the Certificate Transparency project [certificat...arency.org]? A certificate audit log is a Merkle tree that is appended to by adding a new root node of which the old root is a child, proving the history has not been tampered with. The end nodes of the Merkle tree are also digitally signed data structures. These two properties give the audit log the same data structure shape as a block
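The append-only structure this comment describes, as an added example that is not from the thread or from Certificate Transparency's own code: a hash-chained log in Go where only digests of records kept off the log are appended, and a client that saw an earlier root can check that the current root still extends it. The record strings, the nil root of the empty log and the function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// node hashes prefix||parts: 0x00 marks a leaf (digest of a record kept off the log), 0x01 a chain step, the domain separation RFC 6962 uses.
func node(prefix byte, parts ...[]byte) []byte {
	buf := []byte{prefix}
	for _, p := range parts {
		buf = append(buf, p...)
	}
	h := sha256.Sum256(buf)
	return h[:]
}

// Log is append-only: root_n = H(0x01 || root_{n-1} || leaf_n), so every new root has the
// previous root as a child and commits to every earlier entry.
type Log struct {
	Leaves [][]byte
	Roots  [][]byte // Roots[i] is the root right after Leaves[i] was appended
}

func (l *Log) Append(record []byte) []byte {
	var prev []byte // the empty log has a nil root (this toy's convention)
	if n := len(l.Roots); n > 0 {
		prev = l.Roots[n-1]
	}
	leaf := node(0x00, record)
	l.Leaves, l.Roots = append(l.Leaves, leaf), append(l.Roots, node(0x01, prev, leaf))
	return l.Roots[len(l.Roots)-1]
}

// Consistent checks that the current root still extends oldRoot, the root a client saw after
// oldSize entries, by replaying only the leaves appended since; a rewritten history fails it.
func (l *Log) Consistent(oldRoot []byte, oldSize int) bool {
	cur := oldRoot
	for i := oldSize; i >= 0 && i < len(l.Leaves); i++ {
		cur = node(0x01, cur, l.Leaves[i])
	}
	return len(l.Roots) > 0 && bytes.Equal(cur, l.Roots[len(l.Roots)-1])
}

func main() {
	var l Log
	seen := l.Append([]byte("attestation: user A may read resource X (constructed)"))
	l.Append([]byte("revocation: that grant withdrawn (constructed)"))
	fmt.Println("snapshot root still extended:", l.Consistent(seen, 1))
}
```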
Re: (Score:2)
Cloud cloud cloud!!!
Blockchain blockchain blockchain!!!
Marketing departments are working overtime these days.
Just wait until they get to Cloudchain and Blockcloud!
Re: (Score:2)
Cloud cloud cloud!!!
Blockchain blockchain blockchain!!!
Marketing departments are working overtime these days.
Just wait until they get to Cloudchain and Blockcloud!
Wake me when they get to BlockCloud!
Re: (Score:2)
Translation:
"I am a retardo who disconsidered security questions back in the day and now I got the shaft. It's YOUR FAULT!!!111oneone"
You're welcome.
How do you know a trend is over? (Score:5, Funny)
Either when mainstream media starts reporting about it or when MS starts to develop for it.
ELI5 -- why are blockchains relevant here? (Score:5, Interesting)
Blockchains are relevant for ledgers and logs (basically a secure utmp/wtmp). However, for authentication, it really doesn't help much.
Instead, MS would be better off designing an open protocol like RFC 6238 or RFC 4226, except using public/private keys as opposed to shared secrets, and having an open authenticator app for this.
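The contrast this comment draws, as an added example that is not from the thread or from any Microsoft code: RFC 4226 HOTP, where the verifier must keep the same secret as the app, next to a challenge-response login where the server keeps only an Ed25519 public key. The HOTP secret used in main is the RFC 4226 Appendix D test secret (counter 0 gives 755224); the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP implements RFC 4226 (6 digits): HMAC-SHA1 over the big-endian counter, then dynamic
// truncation. The server must hold the same secret as the app, so a breach of its user table hands out everything needed to generate valid codes.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// NewChallenge returns a fresh random nonce; one per login attempt, so a captured response cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Respond is the authenticator-app side: sign the server's challenge with the private key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is the server side. It stores only the public key, so a breach of its user
// table yields nothing that can log in; a valid signature proves possession of the private key.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	fmt.Println("HOTP(0) =", HOTP([]byte("12345678901234567890"), 0))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch := NewChallenge()
	fmt.Println("signature accepted:", Verify(pub, ch, Respond(priv, ch)))
}
```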
Re:ELI5 -- why are blockchains relevant here? (Score:4, Insightful)
From TFA: "Microsoft reckons the technology holds promise as a superior alternative to people granting consent to dozens of apps [...]"
I believe the intent is more related to authorization (knowing the user has given or been granted access to X resource) than authentication (identifying the user) in this case. Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.
Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Do past records ever get erased? If entries prove to be erroneous a few weeks after being added to the chain, how easily can you fix the mistake? How fast and reliably can you update data (revoke access for instance)?
Also, I think most implementations of such blockchain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.
Re: (Score:3)
Instead of querying some local database or black box API, a public ledger is shared and can be queried by anyone.
Isn't that kind of a problem? I think there's some security aspect to knowing who has access to what.
I suppose this is where Microsoft hoarding the information comes in, preventing it from actually being "public query" data and requiring a bunch of subscriptions to MS data services.
Regardless, this mostly just feels like another spin on locking in the authentication/signin market. Which is goofy because Microsoft will already wind up with a big chunk of the auth market anyway with AD/Azure.
Re: (Score:2)
Who validates the new data that comes in?
Answered in blockchain documentation.
Shortly put: crowd effort does that. Many participants validate the data individually and independently.
Do past records ever get erased?
Answered in blockchain documentation.
Shortly put: NO.
If entries prove to be erroneous after a few weeks after being added to the chain, how easily can you fix the mistake?
Answered in blockchain documentation.
Shortly put: no entry is erroneous once confirmed. They're there forever.
How fast and reliably can you update data (revoke access for instance)?
It really depends on the implementation. The devil is in the details.
Also, I think most implementations of such blockchain protocols do not store data directly in the public ledger but simply store hashes to external data entries, for which it's not clear who has the ownership and if they are publicly available or not.
Answered in blockchain documentation.
Shortly put: You think wrong.
Man, you really need to RTFM. Seriously. Do it. It helps.
Re: (Score:2)
> Who validates the new data that comes in?
I'm basically wondering if anyone can create junk identities and junk providers and can associate any type of data to them, or if there are some kind of central authority around that. Nothing in the blockchain technology enforces the ledger to be fully public or the quorum to be fully open, and that any type of entry becomes valid. I find the article scarce on the topic.
As for my other questions, they are rhetorical and express my concerns.
Re: (Score:2)
Who validates the new data that comes in?
Answered in blockchain documentation.
Which blockchain documentation are you referring to?
Re: (Score:2)
Storing identity information in a blockchain seems to be the hype in many sectors ... I find it kind of scary. Who validates the new data that comes in? Do past records ever get erased?
Let's hope they think this through carefully AND the blockchain will only contain cryptographic data that can be used to PROVE information that was already exchanged outside the blockchain, and not actual personal info.
If authorizations are being recorded, then authorizations SHOULD expire or have a periodic renewa
Re: (Score:2)
Do past records ever get erased?
I expect that the idea is to make it easy to create a large number of digital pseudonyms, each of which is used for only one purpose, and which the real owner can prove ownership of, but without revealing their true identity or enabling anyone to link back to it.
So there's no need to erase records, instead if you have a pseudonymous identity you don't use any more, you just abandon it in place, destroying the credentials you use to prove ownership. It still exists, but has no connection to you.
Of course
Buzzword compliant, but semi-interesting (Score:3)
I wonder if Microsoft is trying to get around a scaling problem. If every company on Earth switches to Office 365, and they're basically forcing everyone this way, then they will control at least a portion of identity/login for most of the world. They're doing this with Azure AD right now, with every company either in a cloud-based or federated trust with their own tenant. I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials, but maybe the point of decentralizing it is actually to get the storage part off their hands while still controlling the process.
Re: (Score:2)
I'm sure Azure AD is designed in a way that there's no single point of attack that could leak all users' credentials
What makes you think Azure AD is designed that way, from MS... a company well-known for the InSecurity of their OS?
Have you or someone you know audited the Azure AD software and protocol implementations from head to toe?
What tells you that it would have been designed to ensure no single point of attack could leak all users' credentials?
Embrace, extend, extinguish (Score:1)
Not in what it does, just in the marketing sense, of course.
You know eventually technologies are going to be like medicines and domain names: all the good ones will have been taken and/or copyrighted, and we'll be left with nonsense terms created by marketing droids.
Microsoft Word 2^11, now with Incivek and Adcetris.
I fail to see how that improves privacy. (Score:2)
I can see how putting my info on a blockchain provides verification that I put my info on the blockchain. I can see how you could use encryption techniques to allow me to encode on the blockchain who can access my info. But I don't see how this causes those accessing my info to use appropriate security protocols to protect my info. At some point, they'll want access to my actual information, and once they have that, what prevents them from storing a copy for their convenient, or simply forwarding it to s
Re: (Score:2)
After reading TFA, it appears to be "OpenID + Blockchain for PII".
The article states "people could store, control and access their identity in ... an encrypted identity datastore called an Identity Hub, a server called Universal DID Resolver that resolves DIDs across blockchains, and verifiable credentials." It's 'decentralized system trust is based on "attestations" or claims about parts of a person's identity that other entities endorse' and provide "access to a more precise set of attestations without h
Walk before you run (Score:2)
You have got to be fucking kidding me. They restrict maximum password length way below sensible limits, can't seem to get their various assets to log me in correctly, first time. I've recently been bounced between various login screens, been literally typing in my user name and before I can press tab to move focus, the page is redirecting and some of what I wrote is lost or entered as entry into the password field. (None of this was a problem with my end - I tried various methods to see if I was going wrong
Not needed (Score:2)
"It highlights that with the existing model people don't have control over their identity data and are left exposed to data breaches and identity theft. "
That's why sensible people use all different fake identities. Only my bank has my real name.
Amazon, etc all deliver their stuff to my cat.
Still waiting... (Score:2)
Hey Microshat,
How about you start to support 2 factor authentication on windows and servers first before you start worrying about collecting all PII data?
Seriously, why do I need a 3rd party authenticator like RSA and a GINA replacement when 2 factor should be standard by now.