Naked Security

Windows 10 will work with FIDO specs for password-free access, says Microsoft

Microsoft has announced that its forthcoming revamp of Windows will be compliant with FIDO's current specifications for advanced authentication. Or has it?

Microsoft recently released a statement announcing that its forthcoming revamp of Windows will be compliant with FIDO’s specifications for advanced authentication.

The FIDO (Fast IDentity Online) alliance was formed in 2012 with the lofty aim of “developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.

The alliance welcomed Microsoft in late 2013, by which time it already counted Google, PayPal and MasterCard among its members. The group launched its first set of specifications just a couple of months ago, in December 2014.

These specifications aimed to pin down how various types of passwordless and second-factor technologies – ranging from smartphone fingerprint readers to USB dongles – will interact with the various sites and services that want to use them to better identify their users.
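The mechanism those specifications standardise is public-key challenge-response: the authenticator (dongle or phone) keeps a private key, the site stores only the matching public key, and each login consists of the site issuing a fresh random challenge that the authenticator signs. The following is an added illustration of that flow, not code from the article, from Microsoft or from the FIDO alliance, and it is deliberately simplified: it uses Ed25519 from Go's standard library, a hypothetical relying-party id of "example.com", and a made-up wire format (a hash over the site id and the challenge) rather than the real FIDO message encodings. It does show the three properties that make the scheme safer than a password: the site never holds a reusable secret, a signature cannot be replayed because each challenge is consumed on first use, and a signature produced for one site id is rejected by another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty is the website side. It stores one public key per registered
// authenticator and never sees a password or a private key.
type RelyingParty struct {
	id          string                       // hypothetical site id, e.g. "example.com"
	credentials map[string]ed25519.PublicKey // credential id -> public key
	pending     map[string]bool              // outstanding challenges, consumed on first use
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, credentials: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Authenticator is the dongle or phone side. Only it holds the private key.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

// Register creates a key pair on the authenticator and hands the site only the public half.
func Register(rp *RelyingParty) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return nil, err
	}
	a := &Authenticator{credID: hex.EncodeToString(idBytes), priv: priv}
	rp.credentials[a.credID] = pub
	return a, nil
}

// NewChallenge is login step 1: the site issues a fresh random challenge and remembers it.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	rp.pending[c] = true
	return c, nil
}

// signedMessage binds the site id into what is signed (constructed format, not FIDO's),
// so a signature made for one site or one login cannot be presented elsewhere.
func signedMessage(rpID, challenge string) []byte {
	h := sha256.Sum256([]byte(rpID + "|" + challenge))
	return h[:]
}

// Sign is login step 2: the authenticator signs the challenge for the site it believes it is talking to.
func (a *Authenticator) Sign(rpID, challenge string) (credID string, sig []byte) {
	return a.credID, ed25519.Sign(a.priv, signedMessage(rpID, challenge))
}

// Verify is login step 3: the site checks the signature against the stored public key
// and consumes the challenge so the same response can never be accepted twice.
func (rp *RelyingParty) Verify(credID, challenge string, sig []byte) error {
	if !rp.pending[challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, challenge)
	pub, ok := rp.credentials[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !ed25519.Verify(pub, signedMessage(rp.id, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com")
	auth, _ := Register(rp)
	ch, _ := rp.NewChallenge()
	id, sig := auth.Sign("example.com", ch)
	fmt.Println("login:", rp.Verify(id, ch, sig))       // <nil>
	fmt.Println("replay:", rp.Verify(id, ch, sig))      // error: challenge consumed
	ch2, _ := rp.NewChallenge()
	id, sig = auth.Sign("evil.example", ch2)            // signed for the wrong site id
	fmt.Println("wrong site:", rp.Verify(id, ch2, sig)) // error: bad signature
}
```

The site-id binding is the part worth dwelling on: because the authenticator signs over the identity of the site it is talking to, a lookalike site that relays a real challenge gets a signature the real site will not accept, which is why this class of scheme resists phishing in a way a typed password cannot.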

Now Microsoft has stepped up to the plate and promised to make its glitzy new version of Windows compliant with those specifications, allowing all the devices and software already built along the lines provided by the spec to simply plug in and work when the new platform is released.

Or has it?

You would certainly think that from the headline of the Microsoft blog post making the announcement:

Microsoft Announces FIDO Support Coming to Windows 10

And also from most of the coverage the announcement has received, reveling in the prospect of a future free from the shackles of complexity, length and odd characters that current password systems keep us tangled up in.

Something in the wording of the Microsoft blog post doesn’t sit quite right though; it seems a little misaligned with this joyous feeling.

It doesn’t exactly say “Yea, for we have looked upon the FIDO specification and seen that it is the way and the truth, and we shall follow that way”.

Rather it reads as follows:

Microsoft has contributed design inputs to the Fast IDentity Online (FIDO) Alliance, to be incorporated within FIDO 2.0 Technical Specifications.

And a little later:

Our current implementation in the Windows 10 Technical Preview reflects our inputs into the FIDO 2.0 Specification Technical Working Group

Now this may be overly sceptical, but that sounds a lot more like “Yea, we have developed our Windows 10, and we have gone to FIDO, and we have said look, this is how we’re going to do it, so please rewrite your specification to fit our way of doing things.”

This may be quite wrong of course; it could be that the 1.0 specification just needs a few minor tweaks, and that all those developers of products and websites and other in-betweeny things, the ones who have been beavering away over the last few months to make sure they fit in nicely with those (still pretty new) 1.0 specifications, are all OK and their work is done.

On the other hand, it could mean that something didn’t sit nicely with the way Windows 10 was rolling along, and that there need to be some big changes made in the spec, which may well mean some headaches and extra work to do for everyone else.

That’s the beauty of being a multi-hundredweight gorilla – once you’ve set your mind to something, it’s pretty easy to get everyone else to agree to your way.

Perhaps coincidentally, FIDO recently reorganised its management, with Microsoft Group Program Manager Dustin Ingalls taking the reins as president.

Windows 10 will be released – according to those in the know – some time later in 2015, maybe around September. And it seems like it will almost certainly have some sort of “password replacement solution”.

Which, potential implementation headaches aside, will surely be a good thing.

In the interests of neutrality, it’s worth pointing out that other password-killing initiatives are also available.


Comments

And what if you are not able, or not allowed, to be online? Or don’t want to be ‘tied’ to online methods?
I already dislike the concept of everything being ‘connected’ or not being allowed to live a life unconnected. I don’t like the insecure ‘cloud’ concept where I have no control over security and not being able to access my data when and where I want (such as on a train in a tunnel). Why can’t I store my data for immediate access on my own hardware?
I have looked at the preview version of W10 and do not like it – the design concept is wrong. It’s too much like W8.1 with more unwanted junk in the way of productivity.

Reply

This is a severe privacy violation. Microsoft will fail ultimately with Windows 10. That’s a fact. Everyone stand up against this. I will not be upgrading to Windows 10 ever because of this. My new OS will be Linux.

Reply

FIDO is for hardware tokens only, and no, it is not “passwordless” because when you inevitably lose your USB dongle thingy (or you’re at work where they do not let you plug those in), you need your password to bypass the thingy… which kinda renders the entire idea moot: what’s the point of a secure thingy, if you only need your password to bypass the secure thingy.

The trouble with putting lots of high-paying people onto a design committee, is that you end up with a committee-designed pile of junk that’s hog-tied into the products those people want to sell [in this case, it’s Yubico things, anyone remember Mt.Gox? Never mind the millions their pointless junk failed to save over there…]

Reply
