One password to bring them all and on Windows 8 bind them
Microsoft has long looked lovingly at identity, and at providing the "one" that binds consumers and businesses to Windows. Users benefit by being freed from managing multiple identities and passwords across the web and, presumably, by improved privacy and security as a result. Microsoft gains by controlling a master identity system that keeps some of its core technologies relevant.
But Microsoft couldn't bring a single-identity system to market during the last decade. Privacy groups filed complaints about Passport, leading to a Federal Trade Commission investigation and later a settlement. Soon after, Microsoft settled its US antitrust case, agreeing to five years of government oversight that instead stretched to nearly 10. But Federal and state watchdogs left in September, and as I explained then Microsoft is freer to integrate stuff into Windows. Today, Dustin Ingalls of the Windows Security & Identity team explains exactly how Windows 8 will tackle the identity problem.
Luckily for Microsoft, during its lost decade of government oversight, no single ID system emerged. OpenID isn't it, as many open-source supporters had hoped. But Apple and Google are leading candidates -- the one leveraging iTunes/iCloud IDs, the other Gmail profiles connected to dozens of services. So Microsoft has every incentive to move quickly to take its leading asset, Windows Live ID, and bind it to the operating system in a compelling and useful way. Ingalls rightly lays it out -- using Windows 8 and Live IDs to reduce the burden of managing identities and passwords, and improving privacy and security in the process.
"Our research has shown us that the average person using a PC in the United States typically has about 25 online accounts", he explains. "That's a lot to keep track of. In fact, the data also shows that the number of unique passwords across those 25 accounts is only about six. For folks who spend time thinking about security, that's a worrisome finding".
Some of these services are really frustrating. Several I use limit passwords to eight characters and prohibit security-enhancing special characters, like % or #. My passwords vary in length, but a typical one is at least a dozen characters, unless the service provider restricts it.
"Password reuse is very useful to hackers", Ingalls rightly observes. "They know that if they can learn your password for one site, it's highly likely that you use the same password on other sites. Even worse, an attacker can often use your sign-in information to reset the password for other accounts where the password actually is different".
He then runs through the reasons the existing password model is deficient, and explains:
Windows 8 simplifies the task of managing unique and complex passwords in two important ways. The first is by providing a way to automatically store and retrieve multiple account names and passwords for all the websites and applications you use, and do so in a protected manner. Internet Explorer 10 uses the credentials that we store to remember names and passwords for websites you visit (if you choose). In addition, anyone building a Metro style app can use a direct API to securely store and retrieve credentials for that app. (It is important to note that IE respects instructions from websites about saving your credentials – some websites specifically request that passwords not be saved.)...
One of the great things you get when you sign in to Windows with your Windows Live ID is the ability to sync the credentials you’ve stored to all of the Windows 8 PCs that you register as your 'Trusted PCs'. When you store credentials in conjunction with signing in to Windows with your Windows Live ID, Windows enables you to set your password for each account to something that is both complex and unique; since Windows 8 will automatically submit the credential on your behalf, you’ll never need to remember it yourself. If you need to see the actual password at some point later, you can view it in the credential manager shown here, from any of your Trusted PCs.
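What the quoted passage describes is a per-application credential store plus a way to give every site a password that is long, random and different from every other one. The following is an added example, not code from the article or from Microsoft, showing the two halves of that from Windows PowerShell on Windows 8 or later. It stores the credential through the Windows Runtime class Windows.Security.Credentials.PasswordVault (the article only says "a direct API"; identifying it as PasswordVault is my assumption), and generates the password with the CNG random number generator rather than with a memorable string. The resource name and account name are made up for illustration, and the example needs Windows PowerShell (PowerShell 7 lacks the WinRT projection used to load the type).

```powershell
# Added example (not from the article or from Microsoft): one generated,
# per-site password stored in the Windows 8 credential store via the WinRT
# PasswordVault class, then retrieved later. Resource/user names below are
# illustrative only. Requires Windows PowerShell on Windows 8 or later.

# Project the WinRT types into Windows PowerShell.
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null
[Windows.Security.Credentials.PasswordCredential,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet trimmed to characters most sites accept; widen it when the site allows.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%&*+-=?@^_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Rejection sampling: discard bytes >= limit so every alphabet index is equally likely.
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    $one   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { $chars.Add($alphabet[$one[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function Save-SiteCredential {
    param([string]$Resource, [string]$UserName, [string]$Password)
    $vault = New-Object Windows.Security.Credentials.PasswordVault
    # Drop any existing entry for this resource/user so the stored password stays current.
    try { $vault.Remove($vault.Retrieve($Resource, $UserName)) } catch { }
    $cred = New-Object Windows.Security.Credentials.PasswordCredential($Resource, $UserName, $Password)
    $vault.Add($cred)
}

function Get-SitePassword {
    param([string]$Resource, [string]$UserName)
    $vault = New-Object Windows.Security.Credentials.PasswordVault
    $cred  = $vault.Retrieve($Resource, $UserName)   # throws if no such entry exists
    $cred.RetrievePassword()                          # Password is empty until this call
    return $cred.Password
}

# Usage: a fresh 24-character password for one site, never reused and never memorised.
$resource = 'https://example.com'    # illustrative resource name
$user     = 'alice@example.com'      # illustrative account name
Save-SiteCredential -Resource $resource -UserName $user -Password (New-RandomPassword -Length 24)
Get-SitePassword -Resource $resource -UserName $user
```

Two practical points follow from the code. The vault is per user and per app package, so an entry written here is readable by other code running as the same Windows user; it is protection against disk theft and cross-user access, not against malware running in that user's session. And because the store is what gets synced to the "Trusted PCs" the passage mentions, the Live ID password protecting that sync becomes the single secret worth attacking, which is why it, at least, has to be strong and unique.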
Google offers an optional two-factor authentication that I would use if it worked right. But Google's mechanism isn't automatic for all its services and requires special setup for applications. Simply stated: It's a pain in the ass. From that perspective, among others, I see sense in Microsoft making authentication a core part of the operating system.
That's not really new, in a sense, as Windows Vista, 7 and Server 2008 already support the Trusted Platform Module (TPM), a dedicated security chip that generates and protects cryptographic keys in hardware rather than in software an attacker could copy. Microsoft plans to improve Windows 8 TPM support in a variety of ways that will benefit businesses, particularly. Like Windows Live ID, there is unique benefit for developers creating Metro-style apps, which, Ingalls says, "have APIs that make it easy to automatically enroll and manage keys on your behalf".
Microsoft will take a very OS-centric approach to identity when Windows 8 ships. But as more business-to-business, business-to-consumer, business-to-employee and consumer-to-consumer transactions take place, there's reason to ask whether Windows, or any other PC operating system, really is the best identity hub. After all, more of us use cloud-connected mobile devices every day.