Microsoft to abandon passwords but for what authentication?
During a security panel at CEBIT, Detlef Eckert, Microsoft’s Senior Director for Trustworthy Computing, commented that Longhorn would abandon passwords in favor of two-factor authentication. As reported on Vnunet.com, Microsoft’s new operating system was making the move to “bring the level of trust business needs.” While the panel generally agreed better digital identity was needed, even two-factor authentication still leaves some bases uncovered.
Cryptography guru Bruce Schneier raised some concern that faith in two-factor authentication would leave other vulnerabilities unaddressed, specifically citing man-in-the-middle and trojan attacks. Schneier did agree that two-factor was better than simple passwords. His concern was that the implementation cost for remote internet authentication would not be justified by long-term fraud reduction.
For local authentication, which covers much of what Microsoft operating systems do today, two-factor authentication is a boost. As Microsoft continues to move into the broader realm of identity management, many people will be concerned about its intentions. Two-factor authentication generally requires more robust provisioning and management, which may explain Microsoft’s intention to move its Identity Server into the default server package. Robust existing efforts like SAML and the Liberty Alliance should be concerned by the new competition. Organizations and users also need to pay close attention to how Microsoft and others position themselves to control their identity platforms.
Comments
Slashdotting in progress!
Comment by First post! — 3/16/2005 @ 2:47 pm
I love m$ it's the best thing in the world it's not like everyone in the world can use linux those that can't use ms and even those that can usually go to m$
that's right!
Comment by nope — 3/16/2005 @ 3:39 pm
The first question to ask Microsoft.
Will you be releasing this authentication scheme for use with all competing platforms INCLUDING Open Source?
If their answer is No then consider this a move to block competitors from being able to work seamlessly with the upcoming range of Microsoft products.
Comment by Anonymous — 3/16/2005 @ 3:46 pm
I bet Microsoft will release certain aspects as part of the development tools. The real trouble lies in the "gatekeeper" side more than the implementation. The sheer bulk of the MS user base could make Microsoft the arbiter of which authentication devices are deployed.
Comment by Bret Tobey — 3/16/2005 @ 3:52 pm
Hm. I can't spot much flaming or whining. Except in the comment above of course hehe
Comment by Anonymous — 3/16/2005 @ 10:55 pm
Let's hope that this is not just another M$ scheme to try to take over the world. It would be nice to think that their motives really are in the best interest of the users and not the stock holders. We will see if there are proprietary elements in their use of open standards like X.509.
Comment by Anonymous — 3/29/2005 @ 8:14 pm