back to article Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments

Hybrid environments can now join the preview party for FIDO2 support in Azure Active Directory. Microsoft has a bit of a thing about passwordless authentication. Back in 2004, then-chairman Bill Gates predicted the death of passwords because humans are terrible at managing them. Anyone born around then will be turning 16 …

  1. ds6 Bronze badge
    Boffin

    Next up, flying elephants

    Nice, I JUST bought 2 FIDO2 keys yesterday. Thanks for being telepathic, vultures.

  2. Robert Helpmann??
    Coat

    How's It Hanging?

    ...dropped and dangling dongles.

    Hey! Hey! That's totally NSFW!

    1. DJO Silver badge

      Re: How's It Hanging?

      Depends where you work.

  3. GnuTzu

    Infrastructure

    Any commentary out there that is reasonably intelligent yet paranoid (short of the full-blown tin-foil hat variety) on this?

    I've had a look at the sponsors of this project, and my spidy sense is tingling. The technology claims: "The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device."

    Given the industry motivation for super cookies and other technologies designed to circumvent our efforts to not be tracked, I should wonder what kind of profiling might be in the future that would make their claim a blatant and utter lie.

    1. Chris G Silver badge

      Re: Infrastructure

      Simply the fact that it depends on cloudy Azure is enough to keep me away from it.

      If you you can't remember all your passwords, write mnemonic notes and keep them in your underwear.

      1. GnuTzu
        Thumb Up

        Re: Infrastructure

        Yes, some of us do have ways to manage passwords reasonably. If we don't get options, as some now offer, then this becomes a Harrison Bergeron issue. In fact, that would be another clue something fishy is going on, forcing everyone onto a platform designed for those who do a bad job of managing passwords.

    2. Buzzword

      Re: Infrastructure

      This particular article is about enterprise scenarios, where it's perfectly reasonable to be able to track users (i.e. employees) activity on enterprise systems.

      On the broader question of whether FIDO tokens can behave like super-cookies, the answer is no. Your sign-in key for e.g. Google will be completely separate from your sign-in key for Microsoft. Neither company can access the other's keys - that's part of the WebAuthn spec.

      1. GnuTzu
        Thumb Up

        Re: Infrastructure

        That clarifies FIDO's claim nicely. Thank you. And, from a professional perspective, you're first point is well taken. Yet, my alter ego will be keeping an eye out for any emergent dysfunction. Funny how I end up supporting these things in the work place and railing against any emergent dysfunction elsewhere. Such is half a matter of professionalism and half a matter of having no choice but to support brands that I wouldn't have in my home due to their monopolistic control.

        1. ds6 Bronze badge
          Big Brother

          Re: Infrastructure

          Working in the industry, I herald how great Azure and VMware are, but in private, I damn them to eternal hellfire for being huge PPI-vaccuuming monolithic monopolies.

          I feel like I have two personalities. Or that I've joined the Bad Guys(tm) and am just being hypocritical.

    3. phuzz Silver badge

      Re: Infrastructure

      The specifications are open, so if you're curious you can check up on them.

      As for being used as a super-cookie, well, I suppose if you login using (eg) Google, and use that authentication to log in to a bunch of other sites, then Google may well be able to track which sites you've logged into. The solution to this is of course, not to login using Google.

      So in general, it looks like the end user gets to decide who gets their login data.

  4. Richard Boyce

    Get rid of the commercial middlemen

    FIDO is designed to require a commercial middleman. Then there's SQRL, which is (at long last) ready, unencumbered by IP rights, and gives no one secrets to keep. See grc.com/sqrl .

    This is now supported by an increasing number of clients and platforms. What is really needed is for a major company to decide that it there is an indirect business benefit to endorse and use such a solution. Word of mouth, technical excellence, and use on private intranets is not sufficient.

    1. Buzzword

      Re: Get rid of the commercial middlemen

      Can you point to one company that actually uses SQRL?

    2. GnuTzu

      Re: Get rid of the commercial middlemen

      Thank you for answering my previous question. However, I fear your second point is in peril, given the list of sponsors that I found at the FIDO2 web site. This tends to cement what my spidy sense had warned of--that they fully intend to build an infrastructure controlled purely in the commercial space, leading to gawd knows what other kinds of evil. Oh wait, they're claiming not to be evil--even to prevent evil. Where have we heard that kind of thing before? I wonder if one might find a hint on their sponsor page.

      1. ds6 Bronze badge

        Re: Get rid of the commercial middlemen

        Read the FIDO2 spec and you will see it is not inherently evil. It is perfectly workable by corporations, businesses, and end users without compromising security. It is not designed to track you and is not really capable of doing so. All communication is voluntary and E2E—no middleman, unless the the service you signed up with decides to use another service to authenticate you, but FIDO2/WebAuthn is simple and well supported enough that it should not need such a thing. Whether or not that will change in the future is up for debate, but if FIDO/U2F is still supported by the spec despite being obsoleted, I think there's hope FIDO2 will be supported for a long time coming.

        There are plenty of other authentication modes and open source libraries/example code that you can choose from if FIDO2 isn't your cup of tea, including OTP-HMAC which is also widely supported.

        But like others have said, this article is about Azure, which is already fundamentally compromised in the sense that your data is no longer in your own datacenter. The argument on whether or not FIDO2 is respecting of your privacy etc. is moot when the whole platform may or may not and there's no 100% sure way to know.

    3. Trixr

      Re: Get rid of the commercial middlemen

      Well, if you're already signed up to Azure, your IT is already owned by corporate middlemen.

      For private stuff, sure, if there's a viable alternative, use that. But that's not what this article is about - it's about hybrid AD-Azure environments.

    4. ds6 Bronze badge
      Paris Hilton

      Re: Get rid of the commercial middlemen

      How is FIDO (the spec, not the people behind it) "[...] designed to require a commercial middleman"?

  5. Anonymous Coward
    Anonymous Coward

    Follow the money

    Mandatory added cost for authentication, under the guise of security.

    Password free back doors with cloned/god tokens for the MSS, HCHQ, NSA's of the world.

    -Passwords for ever! my data is not yours.

  6. Temmokan

    Lost dongle vs. lost password

    Looks like replacing a lost dongle may be way much longer than replacing a lost password.

  7. 0laf Silver badge
    WTF?

    That's lovely the option for FIDO2 etc will potentially make life easier.

    But on the samer note how about enabling all the features in Sharepoint without the need to keep regressing to fucking IE11 because some features still need ActiveX.

    I can see requests for this going back 3yr, how about a bit of effort on this?

    1. Anonymous Coward
      Anonymous Coward

      Hey you cattle, you are here for your milk and meat, not to criticize the potholes in the stable floor!

    2. ds6 Bronze badge

      Or how hybrid Exchange environments require IE or else the embedded frames will not work?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021