Microsoft's Dream of Decentralized IDs Enters the Real World

The company will launch a public preview of its identification platform this spring—and has already tested it at the UK's National Health Service.
“Azure Active Directory verifiable credentials” is a mouthful, but it could be the future of how you confirm your identity. Photograph: Paul Linse/Getty Images

For years, tech companies have touted blockchain technology as a means to develop identity systems that are secure and decentralized. The goal is to build a platform that could store information about official data without holding the actual documents or details themselves. Instead of just storing a scan of your birth certificate, for example, a decentralized ID platform might store a validated token that confirms the information in it. Then when you get carded at a bar or need proof of citizenship, you could share those pre-verified credentials instead of the actual document or data. Microsoft has been one of the leaders of this pack—and is now detailing tangible progress toward its vision of a decentralized digital ID. 

At its Ignite conference today, Microsoft announced that it will launch a public preview of its “Azure Active Directory verifiable credentials” this spring. Think of the platform as a digital wallet like Apple Pay or Google Pay, but for identifiers rather than credit cards. Microsoft is starting with things like university transcripts, diplomas, and professional credentials, letting you add them to its Microsoft Authenticator app along with two-factor codes. It's already testing the platform at Keio University in Tokyo, with the government of Flanders in Belgium, and with the United Kingdom's National Health Service.

"If you have a decentralized identifier I can verify, say, where you went to school, and I don’t need you to send me all of the information," says Joy Chik, corporate vice president for Microsoft's cloud and enterprise identity division. “All I need is to get that digital credential and because it’s already been verified I can trust it." 

Microsoft will release a software development kit in the coming weeks that organizations can use to start building applications that issue and request credentials. And long-term, the company says, it hopes the system could be used around the world for everything from renting an apartment to establishing identity for refugees who are struggling without documents—a dream of virtually all decentralized identification efforts. 

In the NHS pilot, for example, health care providers can request access to professional certifications from existing NHS health care workers, who can in turn choose to allow that access, streamlining a process for transferring to another facility that previously required a much more involved back and forth. Under Microsoft's setup, you can also revoke access to your credentials if the recipient no longer needs access.

“In the NHS system, at each hospital health care workers go to, it used to take months of effort to verify their credentials before they could practice," Chik says. “Now it literally takes five minutes to be enrolled in the hospital and starting to treat patients."
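The issue, present, verify and revoke cycle the article describes, as an added example that is not Microsoft's code or the Azure AD verifiable credentials SDK: a simplified stand-in for a verifiable credential in Go. The `did:example:` identifiers, the record layout, the credential ID and the nonce are all constructed, and an in-memory key map plus a revocation set stand in for DID resolution and a published status list. It goes one step beyond the text by having the holder answer a verifier challenge with the key behind its own DID, which is what stops someone who merely copied a credential from presenting it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential stands in for a verifiable credential (issuer-signed claims about a subject DID); all "did:example:" values are constructed.
type Credential struct {
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Sig     []byte            `json:"sig,omitempty"`
}

// Party is an issuer or holder: a DID and the Ed25519 key pair behind it.
type Party struct {
	DID  string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(did string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do
	}
	return &Party{DID: did, Pub: pub, priv: priv}
}

// signedBytes is the record minus Sig, as JSON; encoding/json sorts map keys, so both sides agree.
func signedBytes(c Credential) []byte {
	c.Sig = nil
	b, _ := json.Marshal(c) // string-only fields cannot fail to encode
	return b
}

// Issue signs claims about a subject, e.g. a professional registration for a health care worker.
func (p *Party) Issue(id, subject string, claims map[string]string) Credential {
	c := Credential{ID: id, Issuer: p.DID, Subject: subject, Claims: claims}
	c.Sig = ed25519.Sign(p.priv, signedBytes(c))
	return c
}

// Present proves control of the holder's DID key by signing the verifier's one-time challenge; a mere copy of the credential cannot.
func (p *Party) Present(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }

// Verifier maps DIDs to public keys (in practice via DID documents; here a constructed map) and keeps a revocation list by credential ID.
type Verifier struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

var ErrBadSignature = errors.New("issuer unknown or signature does not verify")
var ErrRevoked = errors.New("credential has been revoked")
var ErrHolderProof = errors.New("presenter did not prove control of subject DID")

// Verify checks: trusted issuer, intact record, not revoked, and presented by its own subject.
func (v *Verifier) Verify(c Credential, holderSig, challenge []byte) error {
	issuerKey, ok := v.Keys[c.Issuer]
	if !ok || !ed25519.Verify(issuerKey, signedBytes(c), c.Sig) {
		return ErrBadSignature
	}
	if v.Revoked[c.ID] {
		return ErrRevoked
	}
	subjectKey, ok := v.Keys[c.Subject]
	if !ok || !ed25519.Verify(subjectKey, challenge, holderSig) {
		return ErrHolderProof
	}
	return nil
}

// Scenario runs issue, present, tamper, present-by-thief and revoke, returning each verdict.
func Scenario() (valid, tampered, stolen, revoked error) {
	nhs, nurse, thief := NewParty("did:example:nhs-trust"), NewParty("did:example:worker-0001"), NewParty("did:example:attacker")
	v := &Verifier{Revoked: map[string]bool{}, Keys: map[string]ed25519.PublicKey{nhs.DID: nhs.Pub, nurse.DID: nurse.Pub, thief.DID: thief.Pub}}
	cred := nhs.Issue("cred-42", nurse.DID, map[string]string{"registration": "nursing"})
	nonce := []byte("verifier-nonce-7f3a") // constructed; a real verifier draws a fresh random nonce per request
	valid = v.Verify(cred, nurse.Present(nonce), nonce)
	forged := cred
	forged.Claims = map[string]string{"registration": "consultant-surgeon"} // alter a claim, keep the old signature
	tampered = v.Verify(forged, nurse.Present(nonce), nonce)
	stolen = v.Verify(cred, thief.Present(nonce), nonce) // the thief holds only a copy of the credential
	v.Revoked[cred.ID] = true                             // the issuer withdraws the credential
	revoked = v.Verify(cred, nurse.Present(nonce), nonce)
	return
}

func main() {
	valid, tampered, stolen, revoked := Scenario()
	fmt.Println("genuine:", valid, "| tampered:", tampered, "| thief:", stolen, "| revoked:", revoked)
}
```

The four verdicts map onto the article's points: the verifier learns only the signed claim, not the underlying documents; an altered record fails the issuer signature; a copied credential fails the holder proof; and revocation by the issuer takes effect at the next presentation without the holder's cooperation.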

A big hurdle to widespread adoption of a decentralized ID scheme has been interoperability. Having 10 competing frameworks out there wouldn't make things easier for anyone. Currently there are some potential competitors, like an offering from Mastercard that's still in testing. Microsoft's ubiquity potentially makes it a good candidate to rally a critical mass of users. With this in mind, the company built Azure Active Directory verifiable credentials on open authentication standards, like the World Wide Web Consortium's WebAuthn. That should make it easier for customers to adopt the platform, and for other tech giants to support its use in their products as well. Currently, Microsoft is working with digital identity partners Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, and Vu Security to pilot the platform, and Chik says the goal is to expand that list quickly over time.

"We believe that to do this right we need participation from the entire community. No one organization can do this," says Vasu Jakkal, corporate vice president of security, compliance, and identity at Microsoft. "One step at a time, we're moving toward this vision."

Verified, decentralized identities stored in Microsoft Authenticator. Users can grant or deny requests from organizations to view these credentials and they can also be revoked at any time.

Courtesy of Microsoft

Microsoft formally started its work on a decentralized identity scheme in 2017 and has slowly built out the infrastructure over the past few years. The system is based on the Bitcoin blockchain and uses an open protocol called Sidetree to add records of transactions—in this case, identity verifications—to the blockchain. Microsoft says Azure Active Directory verifiable credentials uses a custom but still open source implementation of Sidetree called Identity Overlay Network (ION). Organizations will be able to run their own ION “node” to verify and store identifiers for their members, like citizens, students, or employees.

"We know it’s not going to happen overnight, but we think this is going to be compelling to both users and organizations," Microsoft's Chik says. “It’s not like every organization wants to be the custodian of personal information, but they need it to verify information or do business transactions. It becomes a liability and responsibility, but this would be an appealing option to organizations that just need the data to be verified."

Though Microsoft won't hold any user data directly as part of the decentralized identity scheme, the approach would potentially make Microsoft accounts even more valuable to attackers, who already covet them. The recent SolarWinds breach and associated hacking campaigns by suspected Russian actors underscore the challenges organizations face in implementing Microsoft's existing identity management service securely. Hackers used their access to SolarWinds, a third-party IT services firm, to infiltrate targets. From there, in many cases, they exploited flaws in how organizations had set up Microsoft's Active Directory to bore deeper into their Microsoft 365 email systems and Azure cloud storage. The hackers also targeted Microsoft directly and viewed some of the company's closely guarded source code.

“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture,” George Kurtz, CEO of the threat intelligence firm CrowdStrike, told Congress in testimony last week, citing “the authentication architecture limitations” of Active Directory and Azure Active Directory.

Microsoft says that its new decentralized identity platform will be set up so that even if an account is compromised, attackers can't just start using your verified credentials to get a student discount on purchases or apply for a loan in your name.

“Beyond just controlling access, developers can further secure user data by encrypting that data using keys from their decentralized identifiers," a Microsoft spokesperson told WIRED in a statement. "Based on such an approach, a bad actor may gain access to a system or datastore but can’t decrypt the data without keys that reside with the individual user."

In practice, this means that organizations implementing Azure Active Directory verifiable credentials can build their system to require extra authentication, like a physical token, to access your student transcript or professional accreditation verifications. The fact that each organization may have a slightly different implementation, though, could mean inconsistent protection. A long-discussed challenge of decentralized ID schemes is that they create the potential for new types of exposures even as they reduce others.
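What the spokesperson's statement about encrypting data under keys from the user's decentralized identifier amounts to in practice, as an added example that is not Microsoft's code: the organisation seals each record to the user's public key and keeps only ciphertext, so the matching private key, held in the user's wallet, is the only thing that opens it. Assumptions: the DID is backed by an X25519 key, the record layout and transcript text are constructed, SHA-256 of the ECDH secret stands in for a real KDF such as HKDF so the example stays within the Go standard library, and `crypto/ecdh` needs Go 1.20 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is all the organisation's datastore keeps for one user: ciphertext plus the ephemeral public key (layout constructed).
type Record struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey turns the X25519 shared secret into a 256-bit AES key; SHA-256 stands in for a real KDF such as HKDF.
func deriveKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func mustKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do
	}
	return k
}

// Seal encrypts plaintext to the user's public key (the key behind their DID): an ephemeral X25519 key
// agrees a secret with it, and AES-GCM seals the data with the ephemeral public key as associated data.
func Seal(userPub *ecdh.PublicKey, plaintext []byte) (Record, error) {
	eph := mustKey()
	secret, err := eph.ECDH(userPub)
	if err != nil {
		return Record{}, err
	}
	aead, err := newAEAD(deriveKey(secret))
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	return Record{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, ephPub)}, nil
}

// Open recovers the plaintext with the user's private key; whoever holds only the Record gets an error.
func Open(userPriv *ecdh.PrivateKey, r Record) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(r.EphemeralPub)
	if err != nil {
		return nil, err
	}
	secret, err := userPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(secret))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, r.EphemeralPub)
}

// Demo seals a constructed transcript for one user and reports what the user recovers and whether any other key opens it.
func Demo() (recovered string, wrongKeyOK bool, err error) {
	user := mustKey()  // lives in the user's wallet, never in the datastore
	other := mustKey() // stands in for an attacker who dumped the datastore
	rec, err := Seal(user.PublicKey(), []byte("transcript: BSc Computer Science, 2019")) // constructed
	if err != nil {
		return "", false, err
	}
	plain, err := Open(user, rec)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := Open(other, rec)
	return string(plain), wrongErr == nil, nil
}

func main() {
	recovered, wrongKeyOK, err := Demo()
	fmt.Println(recovered, "| wrong key opens record:", wrongKeyOK, "| err:", err)
}
```

The design choice that matters for the article's point is that the datastore never holds a key that can open its own contents: `Seal` needs only the user's public key, so a compromised account or server yields ciphertext, and the extra authentication step the article mentions (a physical token, for instance) would gate the use of the private key on the user's side rather than a key stored with the data.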

“Privacy, decentralization, and trustworthiness are very difficult to achieve at the same time. Blockchains make privacy difficult, decentralization makes it difficult to identify trustworthy credentials, and various chokepoints in the ecosystem might very well mean that access to these technologies ends up going through centralized portals,” says Emin Gün Sirer, a computer scientist and codirector of Cornell University’s Initiative for Cryptocurrencies and Contracts. "But more importantly, these technologies require a rethinking of the notion of identity. And it's here where most enterprises falter, as their business models are inherently tied to knowing and monetizing every bit of data about their users."

This doesn't mean a usable decentralized identity platform is impossible, Gün Sirer says. And a company like Microsoft is certainly in the position to drive mass adoption of a new technology. Decentralized ID services may be a tough sell, though, both to organizations that don't want to stop collecting data and those that wouldn't want to embrace another fundamental service driven by an already powerful player like Microsoft. 

"Properly implemented, decentralized digital identity solutions promise to provide more control to users," Gün Sirer says. "I just fundamentally doubt that the breakthrough we need can come from a centralized software vendor."
