SSO, Hello and PassPort – updates to Identity in Windows
SSO, Hello, and Passport: Updates to Identity in Windows
Wednesday 1E
Convener: Eric Jia
Notes-taker(s): Nick Sawadsky
Tags for the session - technology discussed/ideas considered: Windows 10, Fido, OAuth, Passport, Windows Hello, Azure
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Principles
- Passwords bad
- Help user navigate through their multiple identities
Started out trying to solve own identity problem
Windows 8 added ability to login in to Windows with consumer identity
Enterprises didn’t like it - consumer data flowing into enterprise laptop, and vice versa
Windows 10 - update Windows to work with enterprises
- Users can login with consumer identity or Azure AD
How do we handle the fact that user can have two different identities?
- Don’t hide it, surface it
How do we deal with the fact that users use their personal device at work?
Even though logged in with Azure, should still be able to sign in to one of your other accounts
Application could conceivably leverage the fact that you are signed in on both home and work accounts
Passport, Fido and universal authentication - replace passwords completely, using public and private infrastructure
- Relies on local user gesture and a key store
- Log in with biometric (or fallback to PIN)
- Unlocks the key store (“Fido container”)
Windows Hello: The biometrics that support Passport
- Iris
- Fingerprint
- PIN (could be a simple 4-digit PIN, or a complex password)
- Pluggable architecture for biometrics
How Passport works:
- Hardware element: the secure container (a TPM). Stores keys for the different services you use.
- Fido spec allows for a software-based container, and Windows 10 will support it as a fallback.
- Local user gesture
Not every action you do in an application requires you to unlock the container
Any third party site, if they implement the Fido specifications, will support this
- System to allow sign in with both Azure AD and consumer account
- App requests token through broker
- Broker launches the native plugin identity provider (could be Azure, could be Facebook)
- Plugin returns a token to the broker, which returns it to the app
- Similarities to NAPPS
- Broker caches token for IdP so that it can be reused by other application