
Next up, flying elephants
Nice, I JUST bought 2 FIDO2 keys yesterday. Thanks for being telepathic, vultures.
Hybrid environments can now join the preview party for FIDO2 support in Azure Active Directory. Microsoft has a bit of a thing about passwordless authentication. Back in 2004, then-chairman Bill Gates predicted the death of passwords because humans are terrible at managing them. Anyone born around then will be turning 16 …
Any commentary out there that is reasonably intelligent yet paranoid (short of the full-blown tin-foil hat variety) on this?
I've had a look at the sponsors of this project, and my spidey sense is tingling. The technology claims: "The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device."
Given the industry motivation for super cookies and other technologies designed to circumvent our efforts to not be tracked, I should wonder what kind of profiling might be in the future that would make their claim a blatant and utter lie.
Yes, some of us do have ways to manage passwords reasonably. If we don't get options, as some now offer, then this becomes a Harrison Bergeron issue. In fact, that would be another clue something fishy is going on, forcing everyone onto a platform designed for those who do a bad job of managing passwords.
This particular article is about enterprise scenarios, where it's perfectly reasonable to be able to track users' (i.e. employees') activity on enterprise systems.
On the broader question of whether FIDO tokens can behave like super-cookies, the answer is no. Your sign-in key for e.g. Google will be completely separate from your sign-in key for Microsoft. Neither company can access the other's keys - that's part of the WebAuthn spec.
That clarifies FIDO's claim nicely. Thank you. And, from a professional perspective, your first point is well taken. Yet, my alter ego will be keeping an eye out for any emergent dysfunction. Funny how I end up supporting these things in the workplace and railing against any emergent dysfunction elsewhere. Such is half a matter of professionalism and half a matter of having no choice but to support brands that I wouldn't have in my home due to their monopolistic control.
Working in the industry, I herald how great Azure and VMware are, but in private, I damn them to eternal hellfire for being huge PII-vacuuming monolithic monopolies.
I feel like I have two personalities. Or that I've joined the Bad Guys(tm) and am just being hypocritical.
The specifications are open, so if you're curious you can check up on them.
As for being used as a super-cookie, well, I suppose if you log in using (e.g.) Google, and use that authentication to log in to a bunch of other sites, then Google may well be able to track which sites you've logged into. The solution to this is, of course, not to log in using Google.
So in general, it looks like the end user gets to decide who gets their login data.
FIDO is designed to require a commercial middleman. Then there's SQRL, which is (at long last) ready, unencumbered by IP rights, and gives no one secrets to keep. See grc.com/sqrl .
This is now supported by an increasing number of clients and platforms. What is really needed is for a major company to decide that there is an indirect business benefit to endorse and use such a solution. Word of mouth, technical excellence, and use on private intranets is not sufficient.
Thank you for answering my previous question. However, I fear your second point is in peril, given the list of sponsors that I found at the FIDO2 web site. This tends to cement what my spidey sense had warned of--that they fully intend to build an infrastructure controlled purely in the commercial space, leading to gawd knows what other kinds of evil. Oh wait, they're claiming not to be evil--even to prevent evil. Where have we heard that kind of thing before? I wonder if one might find a hint on their sponsor page.
Read the FIDO2 spec and you will see it is not inherently evil. It is perfectly workable by corporations, businesses, and end users without compromising security. It is not designed to track you and is not really capable of doing so. All communication is voluntary and E2E—no middleman, unless the service you signed up with decides to use another service to authenticate you, but FIDO2/WebAuthn is simple and well supported enough that it should not need such a thing. Whether or not that will change in the future is up for debate, but if FIDO/U2F is still supported by the spec despite being obsoleted, I think there's hope FIDO2 will be supported for a long time coming.
There are plenty of other authentication modes and open source libraries/example code that you can choose from if FIDO2 isn't your cup of tea, including OTP-HMAC which is also widely supported.
But like others have said, this article is about Azure, which is already fundamentally compromised in the sense that your data is no longer in your own datacenter. The argument on whether or not FIDO2 is respectful of your privacy etc. is moot when the whole platform may or may not be, and there's no 100% sure way to know.
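The two claims above, that a key's Google credential is completely separate from its Microsoft credential and that the exchange runs directly between the site and the authenticator with no middleman, can be seen in code. The following is an added example, not code from the article, from Microsoft or from the FIDO Alliance. It models one security key and two relying parties; Schnorr signatures over a randomly generated safe-prime group stand in for the ES256 (ECDSA P-256) keys real authenticators use, so only the standard library is needed, and the RP IDs are just assumed hostnames.

```python
"""Toy FIDO2/WebAuthn flow: one security key, one credential per relying party.

Added example, not code from the article, Microsoft or the FIDO Alliance.
Schnorr over a safe-prime group is a stand-in for ES256; the flow is the point.
"""
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with trial division first (toy-grade, not for production)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Safe prime p = 2q + 1; g = 4 is a square mod p, so it has order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def _e(G, R, y, msg):
    """Fiat-Shamir challenge e = H(R || y || msg) mod q."""
    return int.from_bytes(_h(R.to_bytes(32, "big"), y.to_bytes(32, "big"), msg), "big") % G[1]


def keygen(G):
    p, q, g = G
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(G, x, msg):
    p, q, g = G
    k = secrets.randbelow(q - 1) + 1
    R, y = pow(g, k, p), pow(g, x, p)
    e = _e(G, R, y, msg)
    return e, (k + e * x) % q


def verify(G, y, msg, sig):
    p, q, g = G
    e, s = sig
    R = pow(g, s, p) * pow(y, q - e, p) % p   # g^(k+ex) * g^(-ex) == g^k
    return _e(G, R, y, msg) == e


class Authenticator:
    """One security key: a single master secret, a distinct key pair per RP ID.
    Non-resident style: the private key is re-derived from the credential ID,
    a random nonce plus a MAC that binds it to the RP it was created for."""

    def __init__(self, G):
        self.G, self.master = G, secrets.token_bytes(32)

    def _derive(self, rp_id, nonce):
        p, q, g = self.G
        raw = hmac.new(self.master, b"key" + rp_id.encode() + nonce, hashlib.sha256).digest()
        tag = hmac.new(self.master, b"tag" + rp_id.encode() + nonce, hashlib.sha256).digest()[:16]
        return int.from_bytes(raw, "big") % (q - 1) + 1, tag

    def make_credential(self, rp_id):
        """navigator.credentials.create(): new credential ID + public key for this RP."""
        p, q, g = self.G
        nonce = secrets.token_bytes(16)
        x, tag = self._derive(rp_id, nonce)
        return nonce + tag, pow(g, x, p)

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        """navigator.credentials.get(): sign rpIdHash || clientDataHash.
        The browser has already checked that the page origin matches rp_id."""
        nonce, tag = cred_id[:16], cred_id[16:]
        x, expected = self._derive(rp_id, nonce)
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("credential was not issued to this RP")
        auth_data = _h(rp_id.encode())                      # rpIdHash
        return auth_data, sign(self.G, x, auth_data + client_data_hash)


class RelyingParty:
    """Server side: stores only (credential ID, public key) per user, talks to the key directly."""

    def __init__(self, G, rp_id):
        self.G, self.rp_id, self.users = G, rp_id, {}

    def register(self, user, key):
        self.users[user] = key.make_credential(self.rp_id)

    def login(self, user, key):
        cred_id, pub = self.users[user]
        challenge = secrets.token_bytes(32)
        cdh = _h(challenge, self.rp_id.encode())          # stands in for hash(clientDataJSON)
        auth_data, sig = key.get_assertion(self.rp_id, cred_id, cdh)
        return auth_data == _h(self.rp_id.encode()) and verify(self.G, pub, auth_data + cdh, sig)


def demo(G=None):
    """One key registered at two assumed RPs; returns the properties checked."""
    G = G or make_group()
    key = Authenticator(G)
    google = RelyingParty(G, "accounts.google.com")
    microsoft = RelyingParty(G, "login.microsoftonline.com")
    google.register("alice", key)
    microsoft.register("alice", key)
    g_id, g_pub = google.users["alice"]
    m_id, m_pub = microsoft.users["alice"]
    try:   # Microsoft presents the ID it could only have obtained from Google: refused
        key.get_assertion(microsoft.rp_id, g_id, _h(b"any challenge"))
        refused = False
    except PermissionError:
        refused = True
    return {"google_login": google.login("alice", key),
            "microsoft_login": microsoft.login("alice", key),
            "unlinkable": g_id != m_id and g_pub != m_pub,
            "cross_rp_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Each site ends up holding a public key and credential ID that share nothing with the other site's, and the key itself refuses to sign for an RP ID that does not match the one baked into the credential, which is the property that stops a FIDO credential from acting as a cross-site super-cookie. What a site can still correlate is whatever you hand it outside the protocol, such as signing in via a third-party identity provider.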
That's lovely, the option for FIDO2 etc. will potentially make life easier.
But on the same note, how about enabling all the features in SharePoint without the need to keep regressing to fucking IE11 because some features still need ActiveX?
I can see requests for this going back 3 years, how about a bit of effort on this?