The security protocol that is currently running on Windows Phone 8 is “many, many years old” and includes bugs that “didn’t exist in Microsoft accounts in [desktop] Windows,” the principal program manager for the Windows Phone security and identity team has admitted.
Speaking at Microsoft’s Build 2014 conference in San Francisco today, Geir Olsen said that, for the soon-to-launch Windows Phone 8.1 platform, Microsoft has taken radical action to replace its aged, incumbent security stack, which has been in place since the Windows Mobile days.
“We literally threw out the old stack and put the new one in, and took what we had in Windows 8 and Windows 8.1, and trimmed away some additional legacy. So now we have the latest Microsoft account stack,” Olsen explained.
Olsen admitted that Microsoft account support on phones was “a version of the Microsoft account protocol and stack that is many, many years old”.
“It was basically forked many years ago for Windows Mobile, and we carried it forward. And that means that the protocol was old, it had bugs that didn’t exist in Microsoft accounts in Windows. In Windows Phone 8.1, our goal was to throw out the old and converge with Windows on their stack.”
Microsoft is basing security for Windows 8.1 on the single sign-on routines it already has in place with Windows 8 and 8.1, in which a user’s system account is linked directly with their Microsoft account – the new name for what used to be called a “Windows Live ID”. The Microsoft account is then the sign-in destination, and can sync data with other devices through the cloud. This, explained Olsen, more easily centralises Microsoft’s direct control over security by utilising the cloud.
“All the user experiences that come with Microsoft accounts like sign-in pages and interrupt pages – that show to the user what’s wrong with the account – is now hosted in the cloud, letting us revolve security around the Microsoft account without waiting for a client update,” said Olsen.
“We can improve security almost overnight by pushing out a cloud change.”
But Build delegates were not so easily convinced, with one asking Olsen how Microsoft can be so sure that user data stored in the cloud can be properly protected from rogue apps.
“People need to use the right security on the Microsoft account itself,” suggested Olsen, reminding people to enable two-factor authentication for Microsoft accounts – which can be activated in user settings – in order to protect system logon.
Defending Microsoft’s own protection and non-sharing of data, Olsen admitted that “some of the things that [Microsoft] does as a company are disclosed. It might be in a very fine print, but it’s disclosed”.
But protection from others, he said, “is down to how well you’ve protected yourself with two-factor authentication and a password”.
“It’s remarkable how quickly people can dismiss a dialogue box. So if the app seems greedy, just say no and don’t take the app,” he concluded.
When quizzed about the ability of third-party Windows 8.1 devices to properly protect users, Olsen replied that Windows security teams still consider partners their “biggest weakness”. “Since we shipped Windows Phone 7, our biggest weakness has been our partners, from a security perspective,” said Olsen, perhaps referring to Windows Phone 7-based Samsung devices with lax security.
“A pillar of the security model is OEM trust. We have a pretty locked-down OS – everybody says that. Because we do, that sometimes causes the OEMs problems. So because we haven’t done a good enough job opening things for them, they create generic bypass mechanisms.”
Olsen appealed to Build delegates to help Microsoft keep its mobile software security strong by generating better APIs for cryptography and certificates on the platform.
“We need your help to extend [our progress in platform security] to applications. We’ve been lacking since Windows Phone 7 in good APIs for crypto and certificates. We’ve heard you over and over again, and finally in 8.1 we are on a par with what’s overall for Windows.”