Microsoft just announced that it is dropping the password-expiration policy (the requirement that users change their passwords periodically) from its security baselines for Windows 10 version 1903 and Windows Server version 1903. Microsoft explains the change and the rationale behind it in detail, emphasizing that it supports layered security and authentication protections beyond passwords, but that those protections cannot be expressed in the baseline itself. See Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903.
This is a most welcome step. Forcing users to change their passwords periodically works against security: it pushes people to write passwords down or pick predictable variations in order to remember them, and it does nothing to stop attackers from using a password that has already been stolen. Attackers generally use stolen passwords very quickly, well inside any expiration window, and password complexity does little to prevent the use of stolen passwords either, since a complex password is captured or stolen just as easily as a simple one.
The time has long passed for organizations to stop relying on interactive passwords that users have to type in at all. Hopefully this move by Microsoft will help push the transition to more secure forms of authentication. Finally a big tech company (one that handles much of our daily authentication) is applying independent, reasoned thinking rather than following the crowd, whose password management practices are, however counterintuitive it may seem, the less secure ones.
Alternative Authentication Forms and Decentralized Identity (DID)
Biometrics on their own can also be defeated. So can one-time passwords, especially those delivered by SMS, and any other authentication method where a man-in-the-middle or man-in-the-browser attack can capture and relay the secret. What is more secure (and more private) is another method that Microsoft and many other organizations are starting to support: Decentralized Identities, where users control their own identity and authentication information.
With this method, the user's credentials and identity data are kept in a hardened enclave that only the user can unlock with their own private key, which is typically held on the user's mobile phone and optionally protected by a further authentication factor. When logging in, the user simply receives a prompt on their phone (or other device) from the site they are signing in to, and confirms the login by tapping Yes, optionally adding a biometric such as a fingerprint or an iris scan.
The bottom line is that authentication is layered and the user never has to remember or type an insecure password. Most importantly, the user owns their own secured credential and identity data, and no one can access it without the user's permission.
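To make the login flow described in the two paragraphs above concrete, here is an added example of the challenge-response that replaces the password. It is not code from this post, from Microsoft, or from any DID project: it uses Go's standard ed25519 package, and the in-memory `registry` (standing in for DID resolution against a ledger), the `did:example:alice` identifier, the origin strings and the `did-auth|origin|DID|nonce` message format are all assumptions made for the example. The user's device signs a server-issued nonce bound to the site's origin with a key that never leaves the device; the site resolves the DID to a public key, verifies the signature and retires the nonce. The scenario at the end shows an honest login succeeding while a replayed response and a signature obtained by a look-alike site are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// registry stands in for a DID ledger (assumption): DID -> current public verification key.
type registry map[string]ed25519.PublicKey

// Holder is the user's device; the private key never leaves it (in a real wallet it sits in an enclave).
type Holder struct {
	DID  string
	priv ed25519.PrivateKey
}

// Verifier is the relying-party site the user is signing in to.
type Verifier struct {
	Origin  string
	reg     registry
	pending map[string]bool // nonces issued but not yet consumed
}

func newHolder(did string) (*Holder, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Holder{DID: did, priv: priv}, pub, nil
}

// Challenge mints a fresh random nonce for one login attempt.
func (v *Verifier) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	v.pending[n] = true
	return n, nil
}

// message binds the nonce to the site's origin and the holder's DID (hypothetical format).
func message(origin, did, nonce string) []byte {
	return []byte("did-auth|" + origin + "|" + did + "|" + nonce)
}

// Approve is the "tap Yes on your phone" step; userConfirmed models the local tap or biometric.
func (h *Holder) Approve(origin, nonce string, userConfirmed bool) ([]byte, error) {
	if !userConfirmed {
		return nil, errors.New("user declined the login prompt")
	}
	return ed25519.Sign(h.priv, message(origin, h.DID, nonce)), nil
}

// Verify resolves the DID, checks the origin-bound signature, and consumes the nonce (no replay).
func (v *Verifier) Verify(did, nonce string, sig []byte) error {
	if !v.pending[nonce] {
		return errors.New("unknown or already-used nonce")
	}
	pub, ok := v.reg[did]
	if !ok {
		return errors.New("DID could not be resolved")
	}
	if !ed25519.Verify(pub, message(v.Origin, did, nonce), sig) {
		return errors.New("signature does not verify")
	}
	delete(v.pending, nonce)
	return nil
}

// runScenario: one honest login, a replay of the same response, then a signature made for a look-alike origin.
func runScenario() (honest, replay, phished error) {
	holder, pub, err := newHolder("did:example:alice")
	if err != nil {
		return err, err, err
	}
	site := &Verifier{Origin: "https://bank.example", reg: registry{holder.DID: pub}, pending: map[string]bool{}}
	nonce, _ := site.Challenge()
	sig, _ := holder.Approve(site.Origin, nonce, true)
	honest = site.Verify(holder.DID, nonce, sig)
	replay = site.Verify(holder.DID, nonce, sig)
	nonce2, _ := site.Challenge()
	sig2, _ := holder.Approve("https://bank-login.example", nonce2, true) // phishing site's origin
	phished = site.Verify(holder.DID, nonce2, sig2)
	return
}

func main() {
	fmt.Println(runScenario())
}
```

Nothing secret crosses the wire: the site only ever sees a public key (via DID resolution) and a signature over a value it chose itself, so there is no password to steal, and a relayed response fails because it was signed for the wrong origin or an already-consumed nonce.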
Decentralized Identities – the path to Individual Control
DIDs are supported by many organizations today. Most, but not all, of the mega tech companies are joining the move to standardize DID technology (see Sovrin.org for examples, and Figure 1 for the reference Sovrin DID architecture). The companies staying out are generally those that continue to earn a living by monetizing consumer data, largely through advertising and data-resale activities. Adding fuel to the fire, some of these companies have an abysmal record when it comes to securing consumer data.
Figure 1: Sovrin DID architecture
Hopefully consumers will start protesting the monetization of their data by adopting DID as an authentication mechanism. It is certainly a chicken-and-egg problem, but adoption is spreading gradually across sectors. For example, Microsoft has just launched a decentralized identity tool anchored on the Bitcoin blockchain (SEE URL), and British Columbia in Canada has implemented DIDs for small-business identification. See Microsoft Launches Decentralized Identity Tool on Bitcoin Blockchain.
For sure, I will gladly sign up for a DID as soon as someone asks me to. I really am at my limit in tolerating password management policies. And I'm even more tired of being subject to continuous massive data breaches that steal my most personal and sensitive information, just because I live and transact.
I don’t think anything else short of a massive re-architecting of the Web and how we manage identity data will solve all these problems of data breaches and consumer data monetization and abuse. Thankfully others like the Web 3 Foundation https://web3.foundation/ agree and hopefully will succeed in their progressive efforts, even if it takes many years to pull this off.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.