Microsoft Passport

destrekor

Is this something, combined with Windows Hello or a pin, that is applicable to an all-consumer individual? I see it touted for enterprise and for students and those who work at home, but what about individual users? One location said Microsoft Accounts can be tied into Passport as the initial authentication, and that two-factor authentication using Windows Hello (3D Face or Fingerprint) or a pin can be set up, alongside the Public/Private key pair.

The intent is for additional websites to join in and support this, especially if they already support FIDO. So, am I understanding correctly that essentially a Microsoft Account could become a sort of SSO around the web? Do you need to enter your Microsoft Account and then utilize the Passport sign-on procedure? If you are on a device that you have set up as a holder of your Private key, do you ever need to enter anything other than your second factor (such as Pin) when using that device? As in, never typing a user name or your Microsoft account password? Say Yahoo joins in, can you navigate to Yahoo and log in immediately just by acknowledging the Passport key and then typing the Pin or using your biometric choice?

Is Passport baked into Windows 10 and available for the standard consumer?

Do you think this will go anywhere (Microsoft has seemingly tried for the SSO approach across the web for ages with the original Passport Network being a prime example), now that they are strongly focusing in on FIDO integration?


Am I completely reading this all wrong and it is not at all applicable to standard users? I don't think that's the case, but I could be wrong. I love the idea and trust the Public/Private key pair system far more than passwords, it makes website breaches less of an issue. A breach of your computer and an ability to decrypt the private key or catch the decryption in process during the pin entry... that could be a way in, but I haven't heard of this...yet?
 

KillerBee

In the end I'm sure there will still be people using pin# 1234.
I finally broke down and created an actual Microsoft account vs. a local account on Win10 to see what I was missing - meh - went back to a local account.
 

destrekor


It's only really handy if you have multiple devices from which you want to use Microsoft services.

I sync OneNote on my phone (Android), and access OneDrive from my phone as well as from many other systems. It's nice being able to sync as much as I do.

When I get a good NAS setup, I might start to rely on my own "cloud" solution, but no matter what, they are always going to be less reliable than major hosted solutions. My local ISP could have an issue, the cable modem could lock up, my router at home might crash, etc etc etc.

I use a lot of what Android offers, and Gmail, Google Calendar, and Google Keep, but for everything else, I'm basically on Microsoft's system.

If you don't really do much with Microsoft services, of course it isn't really of any benefit.


As for Passport and the idea of pins - you miss the point. Pins, by their very nature, are very insecure on their own. Most pin systems require somewhere between 4-8 numerical characters. Those are far, far easier to crack than passwords, where the characters can be of any type and can be more complex.

However, the Pin is only the tool that helps encrypt/decrypt the public/private key pair. Private keys are the ones that are used for digital signatures (with public being the one that verifies the integrity of the private key signature). Private keys are local only: in the case of smart cards, that private key never truly leaves the chip on the card, and without the physical card and then the required pin, it is quite essentially unbreakable.

That is why military, government, and high-security places rely entirely on physical devices like smart cards.

As for Passport, it may simply turn the local device itself into the equivalent of a smart card. So just like maintaining physical security over your personal smart card is an absolute must to maintain the integrity of the system, so too will absolute control over your personal device that serves in its place. If your desktop, laptop, tablet, or mobile phone is now the security device, you log in by accessing such a service; it looks for the signature verification match between public and private key, which can only be initialized with the entry of the pin. So having the pin is useless unless you can get your hands on the physical device that holds the private key.
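
The mechanism described in the post above, as an added example that is not part of the original thread or Microsoft's code: the website stores only a public key, and a login succeeds only when the device holding the private key is unlocked with the right PIN. Assumptions: a PIN-encrypted key stands in for the device's protected key store, and the class names, user name and PINs are constructed.

```javascript
// Added illustration: class names, user name and PINs are constructed.
const crypto = require('node:crypto');

// The device: holds the private key, stored encrypted under the PIN.
class Device {
  constructor(pin) {
    const pair = crypto.generateKeyPairSync('ed25519', {
      publicKeyEncoding: { type: 'spki', format: 'pem' },
      privateKeyEncoding: { type: 'pkcs8', format: 'pem',
                            cipher: 'aes-256-cbc', passphrase: pin },
    });
    this.publicKey = pair.publicKey;            // handed to the website
    this.encryptedPrivateKey = pair.privateKey; // stays on the device
  }
  // Sign the website's challenge; a wrong PIN cannot decrypt the key.
  sign(challenge, pin) {
    try {
      const key = crypto.createPrivateKey(
        { key: this.encryptedPrivateKey, passphrase: pin });
      return crypto.sign(null, challenge, key);
    } catch { return null; }
  }
}

// The website: stores public keys only and issues one-time challenges.
class RelyingParty {
  constructor() { this.keys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.keys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    if (!nonce || !signature || !this.keys.has(user)) return false;
    return crypto.verify(null, nonce, this.keys.get(user), signature);
  }
}

function demo() {
  const device = new Device('493817'), site = new RelyingParty();
  site.register('alice', device.publicKey);
  const login = (dev, pin) =>
    site.verify('alice', dev.sign(site.challenge('alice'), pin));
  return { rightPin: login(device, '493817'), wrongPin: login(device, '1234'),
           pinOnOtherDevice: login(new Device('493817'), '493817'),
           siteHoldsPrivateKey: [...site.keys.values()].some(k => k.includes('PRIVATE')) };
}
console.log(demo());
```
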
 

KillerBee

You definitely have a good understanding of it all...I was referring to the new Win10 option of just putting in a pin# to access a laptop vs. a password (no 2 factor type stuff involved - unless having the laptop in your possession counts as the other factor - besides the easy pin#)
 

destrekor


Ah, I always use the Pin option. But I really only deal with desktops for Windows. On my MacBook I keep my password for the laptop and also enable encryption. On my parents' cheap laptop I put a pin because they'll never remember their Microsoft account password, and I want to sync their laptop and desktop now that both are capable (desktop was Windows 7 previously, laptop was bought with 8.1) on Windows 10. But they take the laptop out of their house maybe once a year at most.