SSO, Hello and PassPort – updates to Identity in Windows

From IIW

SSO, Hello, and Passport: Updates to Identity in Windows

Wednesday 1E

Convener: Eric Jia

Notes-taker(s): Nick Sawadsky

Tags for the session - technology discussed/ideas considered: Windows 10, Fido, OAuth, Passport, Windows Hello, Azure

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Principles

  • Passwords bad
  • Help user navigate through their multiple identities

Started out trying to solve own identity problem

Windows 8 added ability to login in to Windows with consumer identity

Enterprises didn’t like it - consumer data flowing into enterprise laptop, and vice versa

Windows 10 - update Windows to work with enterprises

  • Users can login with consumer identity or Azure AD

How do we handle the fact that user can have two different identities?

  • Don’t hide it, surface it

How do we deal with the fact that users use their personal device at work?

Even though logged in with Azure, should still be able to sign in to one of your other accounts

Application could conceivably leverage the fact that you are signed in on both home and work accounts

Passport, Fido and universal authentication - replace passwords completely, using public and private infrastructure

  • Relies on local user gesture and a key store
  • Log in with biometric (or fallback to PIN)
    • Unlocks the key store (“Fido container”)

Windows Hello: The biometrics that support Passport

  • Iris
  • Fingerprint
  • PIN (could be a simple 4-digit PIN, or a complex password)
  • Pluggable architecture for biometrics

How Passport works:

  • Hardware element: the secure container (a TPM). Stores keys for the different services you use.
    • Fido spec allows for a software-based container, and Windows 10 will support it as a fallback.
  • Local user gesture

Not every action you do in an application requires you to unlock the container

Any third party site, if they implement the Fido specifications, will support this

  • System to allow sign in with both Azure AD and consumer account
  • App requests token through broker
  • Broker launches the native plugin identity provider (could be Azure, could be Facebook)
  • Plugin returns a token to the broker, which returns it to the app
  • Similarities to NAPPS
  • Broker caches token for IdP so that it can be reused by other application