August 28, 2015

Windows 10 - Identity - Part 1

What is Identity Anyways?

Once upon a simpler time, an identity was a username and a password (u/p). Those were the days. You just created a u/p and, like everyone else, reused the same password for each site. Then the bad guys got smart – if they could break one password, they could probably get into all your accounts. Next came the rage of the password incrementers – oh, you know who you are – you stick a number or letter at the end of your password so each site’s password differs by one character. Then websites started making people change passwords every so often, and the incrementers incremented again. Kid stuff to crack. Then came the password managers – KeePass and LastPass being my personal favorites, which I’ve used forever. KeePass was awesome and secure, but not very portable. LastPass is awesome, secure and portable, but still a necessary evil. Even then, the passwords it generated, while different for each site (if you let it), were still susceptible to dictionary attacks, and the user experience wasn’t that great (pretty hard for my mom to pick it up, although she’s getting better). Part of the problem is the notion of u/p itself, because every website or thing had different u/p requirements. The other part of the problem is that, aside from attempting to prove you are who you say you are, it didn’t do much else.

Microsoft has long loathed the password. They have been at the front of things like biometric and PIN/chip devices for security and identity. But with Windows 10, something new is finally here. Microsoft’s on a mission, a truly holy one if you ask me – they have publicly stated: we will end the scourge of the password. That in itself is a great and difficult endeavor which will lead to more secure systems – something I’ve already written about previously. But wait, there’s more! Security and identity go together. That’s what makes Windows 10 so special. In addition to securing the environment, Microsoft has also taken on common problems with identity that a simple u/p could not resolve – namely, an identity can be, and frequently is, MORE than just a u/p. In identity parlance, these extra pieces of information are called claims.

In a modern identity framework, you authenticate yourself against some system, and that authentication (a PIN, a biometric, or a u/p with two-factor authentication) also carries with it additional identity claims. A claim could be anything: membership in a list of groups, preferences on your system, encryption policies, location, state, and more. These extended attributes, or claims, must be handled seamlessly by the system that consumes them – we call that system the relying party. In Windows 10, Microsoft has baked these notions of true identity into the operating system and gone further, permitting Windows 10 to support multiple identities at the same time! This isn’t just the ability to have more than one user logged in at once – that’s been around since forever. This is the ability to have multiple organizational and personal identities active on an operating system for a single user! Think about it for a second – how many identities do you have? It’s probably hundreds: work, Gmail, Facebook, Twitter, Bank of America…the list can be quite extensive. And how should the OS respond to different identities based on different attributes? This isn’t about simply logging in to a computer with a Microsoft Account or a domain account. It’s about logging in to these things as an OS-specific action that allows the OS to provide additional services and resources BECAUSE you did so. This entails things like OS-level single sign-on (SSO), multi-factor authentication support for SPECIFIC applications, and device encryption policies that apply to specific TYPES of devices or even applications, and so much more. It doesn’t stop there – remember a minute ago when I said preferences? In Windows 10, your identity can carry preferences like application installs, start menu configuration, desktop backgrounds, purchases and history, recent files accessed, etc. Truly impressive!
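To make the claims idea concrete, here is an added example (not code from this post, and not how Microsoft Passport is implemented) of the two halves described above: an identity provider that binds claims to an authenticated subject, and a relying party that verifies those claims before using them to make per-application decisions. It assumes a shared HMAC secret for simplicity (a real system would use asymmetric keys so the relying party never holds a signing key), and the claim names `groups`, `amr`, `prefs` and the `APP_POLICY` table are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the identity provider and the relying party.
# This is an assumption of the example, not Passport's design.
DEMO_KEY = b"constructed-demo-secret-not-for-production"

# Constructed per-application policy: what a relying party requires of the claims
# before it grants access. "mfa" means the authentication must have used a second factor.
APP_POLICY = {
    "payroll":   {"group": "finance", "mfa": True},
    "wallpaper": {"group": None,      "mfa": False},
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, claims, key=DEMO_KEY, now=None, ttl=3600):
    """Identity-provider side: attach claims to the authenticated subject and sign them."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "iat": now, "exp": now + ttl, **claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(sig)}"


def verify_token(token, key=DEMO_KEY, now=None):
    """Relying-party side: return the claims dict, or None if the token is not trustworthy."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    try:
        body, sig = _b64d(parts[0]), _b64d(parts[1])
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None             # claims were altered or signed by someone else
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None             # expired (or missing expiry)
    return claims


def access_decision(claims, app):
    """Relying-party policy: decide whether the presented claims satisfy the app's requirements."""
    if claims is None:
        return False, "no valid identity"
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if policy["group"] and policy["group"] not in claims.get("groups", []):
        return False, f"requires group {policy['group']}"
    if policy["mfa"] and "mfa" not in claims.get("amr", []):
        return False, "requires multi-factor authentication"
    return True, "ok"


def tamper(token, **changes):
    """Self-test helper: rewrite the claims but keep the old signature, to show verify_token rejects it."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64d(body_b64))
    payload.update(changes)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64e(body)}.{sig_b64}"


if __name__ == "__main__":
    t0 = 1_440_720_000  # constructed timestamp (late August 2015)
    alice = issue_token("alice", {"groups": ["finance"], "amr": ["pwd", "mfa"],
                                  "prefs": {"theme": "dark"}}, now=t0)
    claims = verify_token(alice, now=t0 + 60)
    print("payroll:", access_decision(claims, "payroll"))           # (True, 'ok')
    print("theme preference:", claims["prefs"]["theme"])            # dark
    print("expired:", verify_token(alice, now=t0 + 7200))            # None
    print("tampered:", verify_token(tamper(alice, groups=["finance", "admins"]), now=t0 + 60))  # None
```

The point to notice is that the relying party never asks for a password: it trusts the signature and expiry, then reads group membership, the authentication method (`amr`) and user preferences straight out of the claims, which is what lets one login drive SSO, per-application MFA requirements and preference roaming.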

It’s a great opportunity to make the user experience richer and better. The Microsoft identity platform, called Passport, is the gateway to many improvements in function, form and design that will usher in the death of passwords and enable a unified capability to present authentication and authorization claims to any system (if properly designed) in a meaningful and easy manner. In my next post, we’ll dive more deeply into the how, what and why.