News

Microsoft's Active Directory Team Taps Blockchain for Identity Security

• By Kurt Mackie
• February 15, 2018

The Microsoft team responsible for Active Directory development has been ramping up its use of blockchain in a bid to improve digital identity security.

According to a blog post this week by Alex Simons, director of program management for the Microsoft Identity Division, Microsoft's identity and access team has spent the past year "incubating a set of ideas for using blockchain (and other distributed ledger technologies) to create new types of digital identities."

The idea is to create so-called "decentralized IDs" (DIDs), which the team is working to bring into the current Microsoft Authenticator app. When that's done, the Microsoft Authenticator app will have the ability to "manage identity data and cryptographic keys." It'll actually separate those two aspects. Here's how Microsoft's announcement described how that will work:

In this design [for the Microsoft Authenticator app], only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can't see) encrypted using these cryptographic keys.

More details were outlined by team member Ankur Patel in the announcement. He described a few of Microsoft's ideas for enabling DIDs.

First, Microsoft sees blockchain's "technologies and protocols" as being "well suited" for enabling DIDs. Next, user privacy for DIDs can be ensured via "a secure digital hub (ID Hubs) that can interact with a user's data while honoring user privacy and control." This decentralized system will rely on attestations, which Microsoft defines as "claims that other entities endorse," to prove user identities. Application and service providers can leverage DIDs and ID Hubs for personalization purposes, while avoiding the legal compliance risks associated with storing customer data.

The underlying system has to be capable of scaling to meet global demand, and so Microsoft is working on "decentralized Layer 2 protocols" for public blockchains to help make that happen. The system also has to be accessible to everyone, and so Microsoft is aiming to address various "management challenges."

This future DID system also "must be built on standard, open source technologies," Microsoft's announcement declared. Key components to that end include:

• ID Hubs, an "encrypted identity datastore" GitHub project.
• Decentralized Identifiers document format, which is a Worldwide Web Consortium (W3C) spec.
• Verifiable Credentials document format for "encoding DID-based attestations," another W3C spec.
• Universal DID Resolver, a server that "resolves DIDs across blockchains."

Microsoft has been a member of the Decentralized Identity Foundation and joined the ID2020 Alliance last month to help devise a worldwide portable digital identity system. It has also been working with partners and policy-makers, including the United Nations, to help make it happen.

It's not news that Microsoft is betting on blockchain. It might be expected that a DID system based on distributed ledgers would erode Microsoft's heavy investments in Active Directory and Azure Active Directory. That idea, though, early on was discounted by Microsoft.

James Staten, chief strategist of the Enterprise and Cloud Division at Microsoft, explained it this way in this 2016 Redmond article: "If you look at how you log in and verify who you are with blockchain, you still use a public-private key model to do that and there's still a need for a verification element of the identity, and that's actually what Active Directory does very well."

Blockchain is typically thought of as a set of technologies that financial institutions are starting to investigate, and Microsoft is also involved on that front. Its Azure Marketplace, for instance, currently offers several ready-to-deploy distributed ledger options as part of its Azure Blockchain as a Service.