Microsoft Identity Division Embracing Blockchain for Decentralized IDs
The Microsoft Identity Division, which is responsible for Active Directory developments, is embracing blockchain technologies to improve digital identity security and increase overall control by end users.
Alex Simons, director of program management for the Microsoft Identity Division, indicated in an announcement this week that, for the past year, the Microsoft identity and access team responsible for Active Directory solutions has been "incubating a set of ideas for using blockchain (and other distributed ledger technologies) to create new types of digital identities." The idea is to create so-called "decentralized IDs" (DIDs).
One aspect that the team is working on is bringing this DID technology to the current Microsoft Authenticator app. When that's done, the Microsoft Authenticator app will have the ability to "manage identity data and cryptographic keys." It'll actually separate those two aspects. Here's how Microsoft's announcement described how that will work:
In this design [for the Microsoft Authenticator app], only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can't see) encrypted using these cryptographic keys.
More details were outlined by team member Ankur Patel in the announcement. He described a few of Microsoft's ideas for enabling DIDs.
First, Microsoft sees blockchain's "technologies and protocols" as being "well suited" for enabling DIDs. Next, user privacy for DIDs can be ensured via "a secure digital hub (ID Hubs) that can interact with a user's data while honoring user privacy and control." This decentralized system will rely on attestations, which Microsoft defines as "claims that other entities endorse," to prove user identities. Application and service providers can leverage DIDs and ID Hubs for personalization purposes, while avoiding the legal compliance risks associated with storing customer data.
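The design sketched in the quoted passage and in the paragraph above has three separable parts: an identifier rooted on a ledger, user data held encrypted in a hub that cannot read it, and attestations that are claims signed by another party. The following Go program is an added illustration of that separation; it is not Microsoft's code or the Microsoft Authenticator design. Everything in it is an assumption chosen for the demo: the `did:example:` prefix with a hash of an Ed25519 public key as the identifier, AES-256-GCM under a user-held key for the hub data, a canonical `issuer|subject|claim` string as the signed attestation body, and in-memory maps standing in for the ledger and the ID Hub.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is a user or an issuer: an Ed25519 key pair plus the DID derived from it.
// The "did:example:<hex of sha256(pubkey)>" format is an assumption for this demo.
type Identity struct {
	DID  string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// DIDFromPublicKey binds the identifier to the key, so anyone holding the ledger
// record can check that the anchored key really belongs to that DID.
func DIDFromPublicKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + hex.EncodeToString(sum[:16])
}

func NewIdentity() (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{DID: DIDFromPublicKey(pub), Pub: pub, priv: priv}, nil
}

// Ledger stands in for the chain: only the DID-to-key root lives here, no identity data.
type Ledger struct{ keys map[string]ed25519.PublicKey }

func NewLedger() *Ledger { return &Ledger{keys: map[string]ed25519.PublicKey{}} }

// Anchor rejects a record whose DID does not match the key, so a writer cannot
// bind someone else's DID to their own key, and refuses to overwrite an existing root.
func (l *Ledger) Anchor(did string, pub ed25519.PublicKey) error {
	if DIDFromPublicKey(pub) != did {
		return errors.New("DID does not match public key")
	}
	if _, exists := l.keys[did]; exists {
		return errors.New("DID already anchored")
	}
	l.keys[did] = pub
	return nil
}

func (l *Ledger) Resolve(did string) (ed25519.PublicKey, bool) { p, ok := l.keys[did]; return p, ok }

// Hub is the off-chain store: it holds ciphertext per DID and never sees a key.
type Hub struct{ blobs map[string][]byte }

func NewHub() *Hub                          { return &Hub{blobs: map[string][]byte{}} }
func (h *Hub) Put(did string, blob []byte)  { h.blobs[did] = append([]byte(nil), blob...) }
func (h *Hub) Get(did string) ([]byte, bool) { b, ok := h.blobs[did]; return b, ok }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealProfile encrypts identity data with AES-256-GCM under a key only the user holds;
// the nonce is prefixed to the ciphertext.
func SealProfile(key, profile []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, profile, nil), nil
}

// OpenProfile fails on a wrong key or a tampered blob because GCM authenticates the data.
func OpenProfile(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Attestation is a claim about a subject that an issuer endorses with a signature.
type Attestation struct {
	Issuer, Subject, Claim string
	Sig                    []byte
}

// attestationBytes is the canonical signed form; %q quoting keeps the fields unambiguous.
func attestationBytes(issuer, subject, claim string) []byte {
	return []byte(fmt.Sprintf("%q|%q|%q", issuer, subject, claim))
}

func IssueAttestation(issuer *Identity, subject, claim string) Attestation {
	sig := ed25519.Sign(issuer.priv, attestationBytes(issuer.DID, subject, claim))
	return Attestation{Issuer: issuer.DID, Subject: subject, Claim: claim, Sig: sig}
}

// VerifyAttestation resolves the issuer's key from the ledger root and checks the signature,
// so a relying party needs neither the hub's contents nor a shared secret.
func VerifyAttestation(l *Ledger, a Attestation) bool {
	pub, ok := l.Resolve(a.Issuer)
	if !ok {
		return false
	}
	return ed25519.Verify(pub, attestationBytes(a.Issuer, a.Subject, a.Claim), a.Sig)
}

func main() {
	user, _ := NewIdentity()
	issuer, _ := NewIdentity()
	ledger, hub := NewLedger(), NewHub()
	_ = ledger.Anchor(user.DID, user.Pub)
	_ = ledger.Anchor(issuer.DID, issuer.Pub)

	key := make([]byte, 32) // user-held data key; constructed for the demo
	_, _ = rand.Read(key)
	blob, _ := SealProfile(key, []byte(`{"name":"demo user"}`)) // constructed profile
	hub.Put(user.DID, blob)

	att := IssueAttestation(issuer, user.DID, "over18=true") // constructed claim
	fmt.Println("attestation valid:", VerifyAttestation(ledger, att))
	att.Claim = "over18=false"
	fmt.Println("tampered attestation valid:", VerifyAttestation(ledger, att))
}
```

The point of the split is visible in what each party holds: the ledger can only answer "which key speaks for this DID", the hub can only hand back bytes it cannot decrypt, and a verifier of an attestation needs nothing beyond the issuer's anchored key. The `Anchor` check that the DID equals the hash of the key is what stops a write to the ledger from silently re-keying someone else's identifier.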
The underlying system has to be capable of scaling to meet global demand, and so Microsoft is working on "decentralized Layer 2 protocols" for public blockchains to help make that happen. The system also has to be accessible to everyone, and so Microsoft is aiming to address various "management challenges."
This future DID system also "must be built on standard, open source technologies," Microsoft's announcement declared. Key components to that end include:
Microsoft has been a member of the Decentralized Identity Foundation and joined the ID2020 Alliance last month to help devise a worldwide portable digital identity system. It has also been working with partners and policy-makers, including the United Nations, to help make it happen.
It's not news that Microsoft is betting on blockchain, as reporting by Redmond's Jeffrey Schwartz has shown. One might expect a DID system based on distributed ledgers to erode Microsoft's heavy investments in Active Directory and Azure Active Directory, but Microsoft discounted that idea early on.
James Staten, chief strategist of the Enterprise and Cloud Division at Microsoft, explained it this way in this 2016 Redmond article: "If you look at how you log in and verify who you are with blockchain, you still use a public-private key model to do that and there's still a need for a verification element of the identity, and that's actually what Active Directory does very well."
Blockchain is typically thought of as a set of technologies that financial institutions are starting to investigate, and Microsoft is also involved on that front. Its Azure Marketplace, for instance, currently offers several ready-to-deploy distributed ledger options as part of its Azure Blockchain as a Service.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.