Podcast Feb 17, 2023

Root Causes 278: Microsoft on Certificates and FIDO

Recent public discussion of FIDO and digital certificates reveals details of Microsoft's approach to consumer digital authentication. We discuss secure elements, Windows Hello, and the differences between B2C, B2B, and B2E.

  • Original Broadcast Date: February 17, 2023

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We have been discussing in a few episodes the concept, the open standard called FIDO – F-I-D-O – or WebAuthn, which is a variant, a subset of FIDO. By way of example, if you want some background, look at our Episode 231; that’s a great place to learn about FIDO. And we just want to return to that because I think that recently there was a public perspective from Microsoft, or at least from a pretty senior Microsoft executive, on FIDO and digital certificates and all the rest. What’s the background on this, Jason?

  • Jason Soroko

    The background is basically the Microsoft Executive in question was a Product Manager over there and basically made some statements to a technical journalist about the fact that they’re very serious in obviously their uptake of FIDO. So is Apple and others. It’s actually really interesting to see how this passwordless authentication technology has now been really well-adopted and is going to be well-adopted by all the major operating system vendors and I think that that is a good thing.

  • Tim Callan

    I mean one of the things, I think we talked about this before, was exactly that. Critical mass is so important to this kind of thing and if I can rely on the fact that – I’m gonna make up this number – 99% of the devices that want to connect to my public-facing website are going to be supporting this standard, then it makes it much, much, much easier for me to allocate the resources to develop to that standard and then so you start to imagine a world where all the devices can use FIDO or WebAuthn and all the sites can use WebAuthn and all of the sudden it’s just ubiquitous. 100%.

  • Jason Soroko

    Exactly. So, this article out of Bank Info Security – I believe it was January 17, 2023. Michael Novinson.

  • Tim Callan

    Headline reads: Microsoft Exec on Why FIDO Authentication Beats Certificates. If you want to look that up.

  • Jason Soroko

    And isn’t that interesting because there’s a subtitle which I think would have been the better title. Which is: Microsoft’s Libby Brown on How FIDO Passwordless Authentication Cuts Complications. I think that would have been the good title.

  • Tim Callan

    With cuts complications being the key there, right?

  • Jason Soroko

    Absolutely. And it does. I want to address the two things there about cutting complications but cutting complications for whom and the title that they ultimately chose which was why FIDO Authentication Beats Certificates. I just want to address those two things.

    So cutting complications. So, Tim, as you know, it’s tough out there to get from legacy passwords to passwordless.

    And one of the great ways that you can beat that is to change the operating system so that you are no longer having to build software that sits on top of the operating system. In other words, multi-factor authentication.

    MFA was a gigantic band-aid that was used for years and years and we’re not here to say that was a bad, bad road to take. It was probably the only road to take. But as we’ve said many times on this podcast, not all multi-factor authentication is created equal and some of it is downright weak. And we’ve seen a lot of problems and you and I, Tim, have reported - -

  • Tim Callan

    And even the best of them are imperfect.

  • Jason Soroko

    Very true. It’s very true.

    So if you actually have deep support for passwordless authentication down in the operating system level – that’s awesome. Two problems there: you do still have to build your software that will hook into it. In other words, just because Microsoft or Apple has chosen to adopt FIDO standards doesn’t mean that your application is going to use them. So, in other words, legacy apps are still hanging out in the wind.

    And the other thing you have got to deal with is FIDO is really absolutely ideal for business to consumer level passwordless authentication, Tim. That’s a really important point I want to make.

  • Tim Callan

    And not only that, FIDO is ideal for business consumer and is the first ideal solution ever in human history. So, it’s not just that business consumer is great with FIDO, it’s like there isn’t anything else that’s great. Everything else is bad.

  • Jason Soroko

    I would say that there have been some extremely clever things that have come up in the last few years that could compete, but I would say that you can see the way the world is going and it’s because FIDO is a well thought out standard. The big vendors are now gonna be adopting it. It’s gonna be the way to go probably for B2C and, as I say, that’s not a bad thing at all.

    The reason why it’s great for B2C, Tim, is because you don’t need all of that centralized technology that goes with certificates. FIDO, of course, the basis of it in terms of identity is a cryptographic key pair. It’s not a certificate. It’s a cryptographic key pair. That can be stored in a lot of different places. One of the most popular places to put it is in a YubiKey hardware token. We’ve all seen that. But, also, it took a long, long time for secure elements on mobile devices and laptops to be ubiquitously available. I mean it took until Windows 11 before Microsoft said it had to be there.

    In terms of all the motherboard makers. So, this marriage of hardware and software had to happen. That’s why it took this long to get here. But now that all of this is in place, you can actually have a scheme, a protocol, which actually does the key pair generation at the device. And so, therefore, it doesn’t require this centralized creation of a certificate and that makes it great for B2C when you don’t completely control all the people who will be authenticating. That’s the big point.

  • Tim Callan

    Because it’s happening on these devices that are very well-engineered by the people who are creating them, there’s a high degree of confidence that the private key is secure, it’s stored in a secure place. It’s not gonna get out. It’s not gonna be stolen. You can feel good about that aspect of things when the ordinary consumer would never have the knowledge to get that right. You just build a fool-proof system to do it for them.

  • Jason Soroko

    That’s it, Tim. Exactly. So, in other words, I like that subtitle, FIDO Passwordless Authentication Cuts Complications. And it should have actually said cuts complications for business to consumer authentication. Of course, they wanted a shorter title but that’s the way I would have written it.

    So to compare and contrast, let’s talk about beating certificates. Well, you definitely don’t beat certificates in terms of business to business and business to employee authentication. And absolutely not with respect to other types of device authentication as well. And so, therefore, somebody who might not – listen to 200x podcasts of this - -

    If you haven’t been up on the industry and you just read that title, you might think, oh geez, FIDO is gonna take over everything.

    And I gotta tell you, that’s just simply not true. I think Bank Info Security went a little far. They were trying to be provocative with their title and that’s great. That’s great. I don’t even think Libby herself, Libby Brown from Microsoft was really implying we are getting rid of certificates for everything. Because I tell you something right now, Microsoft is making enormous investments in certificate-based authentication. Make no mistake. And that includes their Azure platform and everywhere else Microsoft exists, which is a big, big world when you add it all up.

  • Tim Callan

    I agree with you. And yet at the same time, with all of that taken as you said it, Jason, I 100% agree with you. I still think it’s very good and important to acknowledge that in that B2C web property scenario Microsoft is all in on FIDO and that’s really important. Because Microsoft still controls the biggest user base of consumers in the world.

  • Jason Soroko

    Let’s think about that new way to log into Windows. Windows Flow and Microsoft has done an enormous amount of work there and I’ve been involved quite a bit with bring-your-own-certificate schemes for things such as Windows Hello for Business and, Microsoft, of course, showing a lot of examples of how to hook up Active Directory Certificate Services and of course, bring-your-own-certificate schemes with other PKI systems. And for the vast majority of Windows users who are in enterprise environments actually utilizing a certificate, it’s a great idea. And I can tell you that that enormous amount of work that went into having a safe place to put credentials, those secure elements on mobile devices, laptops, etc., that same work applies just as well to a certificate as it does to a crypto key. And so, in other words, all boats are floating upwards when it comes to stronger forms of authentication. I just gotta say that centralized authentication still makes an enormous amount of sense and, Tim, you and I have done endless numbers of podcasts about the benefits of certificates and revocation and renewals and all the things that come with having that defined life span that don’t have to have the heavyweight layout of a policy engine, which is what drives a crypto key. So, in other words, there is a place for both certificates as well as crypto key schemes.

    But B2C, geez, I gotta say FIDO seems to be pulling ahead here and good for them.

  • Tim Callan

    Agreed on all of that. It’s good to see Apple was really kind of the first mover in the WebAuthn space, or the first major mover, probably the first mover, first I was aware of, but we all expected Microsoft to be every bit as committed, and, seeing that level of commitment isn’t really surprising but, again, it’s good. It’s what we want, and we are glad to see that confirmed.

  • Jason Soroko

    Absolutely. I also can’t wait to see more of what Apple does. Apple has also had a lot of talk lately about FIDO and how they are gonna be implementing that and as that comes up, we will be keeping track but anyway, Tim, that’s it. I just wanted to call out that specific article and flesh out some of the nuances there.