Microsoft have updated their development blog with a fresh post today.
The title of the post is “Protecting your digital identity“.
Dustin Ingalls, the author of this post, is a group program manager on the security and identity team.
Microsoft start the article with a detailed, lengthy explanation about the problems with passwords and authentication today.
Then they describe some of the solutions that Windows 8 will bring:
Windows 8 simplifies the task of managing unique and complex passwords in two important ways.
The first is by providing a way to automatically store and retrieve multiple account names and passwords for all the websites and applications you use, and do so in a protected manner. Internet Explorer 10 uses the credentials that we store to remember names and passwords for websites you visit (if you choose).
In addition, anyone building a Metro style app can use a direct API to securely store and retrieve credentials for that app. (It is important to note that IE respects instructions from websites about saving your credentials – some websites specifically request that passwords not be saved.)
The second important investment in this area was covered in an earlier post by Katie Frigon, Signing into Windows 8 with a Windows Live ID. One of the great things you get when you sign in to Windows with your Windows Live ID is the ability to sync the credentials you’ve stored to all of the Windows 8 PCs that you register as your “Trusted PCs.”
When you store credentials in conjunction with signing in to Windows with your Windows Live ID, Windows enables you to set your password for each account to something that is both complex and unique; since Windows 8 will automatically submit the credential on your behalf, you’ll never need to remember it yourself.
If you need to see the actual password at some point later, you can view it in the Windows 8 credential manager shown here, from any of your Trusted PCs.
Microsoft also talk about the benefits of signing in with a Live ID.
It is worth reiterating that signing in to your PC with a Windows Live ID, in addition to making sign-in easier, also offers improved sign-in security and gives you a clear path to recovery if you forget your Windows password. With a local password, if you forget your password, you’re in a tough spot – if you didn’t create a password recovery USB stick, you’re stuck rebuilding your machine from scratch.
However, if you sign in to your PC with a Windows Live ID, you can reset your password from another PC. If your Windows Live ID password was stolen somehow, you still have the benefit of a number of Windows Live safety features that are designed to detect compromise and limit your account usage until you can successfully prove that you are the rightful owner of your account and recover your account.
The account recovery workflow leverages two-factor authentication features (secondary account proofs) that you set up earlier, such as a mobile phone number or secondary email address (if you haven’t already set these up, we’ll ask you for them the first time you use your Windows Live ID with Windows 8).
Also, even if your Windows Live ID is in a compromised state, you will still have full access to your PC since Windows will cache your last “known good” sign-in password (encrypted, of course) and allow you to use that to continue to sign in.
The also introduce a few new features coming in Windows 8, starting with the Windows 8 Key Storage Provider:
Windows 8 includes a new Key Storage Provider (KSP), which provides easy, convenient use of the Trusted Platform Module (TPM) as a way of strongly protecting private keys.
A TPM is a trusted execution environment found on many business-class PCs today (and we expect much broader availability of TPMs when Windows 8 ships), which enables a PC to securely store cryptographic keys.
Metro-style apps have APIs that make it easy to automatically enroll and manage keys on your behalf. The Windows Dev Center provides a sample banking app that shows developers how to use this API.
They also have a new enterprise solution for businesses with smart cards:
For organizations and businesses that already use smart cards, we’ve implemented a new feature that overlays the TPM KSP feature and enables the TPM to function as a “virtual smart card.”
This solution is more convenient and economical because you don’t need a physical smart card reader, but deployment is also easier because the virtual smart card functionality works with existing smart card applications and management solutions.
The virtual smart card feature can be used in place of existing smart cards with any application or solution that is smart card compatible – no server- or application-side changes are required.
Also, Windows 8 continues to support cards compliant with the Personal Identity Verification (PIV) standard or the Generic Identity Device Specification (GIDS) standard. By using these standards, deployment of smart cards is made much easier in Windows 8.
All of these options are available for signing in to Windows (on domain-joined PCs), apps, websites – anything that was previously accessible using a physical smart card.
It’s an impressive article. You should check it out. Also, the following is a video that they posted online…