Smart Cards and Win7 Live ID Sign-In Assistant 6.5 (beta)

I stumbled on the new Windows Live Sign-In Assistant 6.5 Beta here:
Windows 7: Windows Live ID Sign-in Assistant 6.5 (Beta) released
I've been running Win7 for about a month and I've been very happy with it. Since I have a personal interest in authentication and authorization technologies, I decided to take a look at it. The main new feature of the Sign-In Assistant is sharing one login across multiple computers, so that a single user's sign-in ties together the data on those computers.
Once I installed and started up the Sign-In Assistant Options, I noticed support for Smart Cards. Since Smart Cards are also of interest to me, I wanted to try it out.
I clicked the "Register your Smartcard" link under the "Enable Smart Card" checkbox shown above, and it loaded the following web page:
Does anything about that page make you nervous? Microsoft is asking for the Smart Card PIN on a web page. This is very, very wrong. If the PIN is actually sent to the server, that is extremely bad; if it is only passed to a local ActiveX control that the Sign-In Assistant uses to work out a shared key with the server, that is better, but not by much. I haven't verified the specifics of how it works yet.
Regardless, with the web page interface as it is currently designed, there is no way for a user to tell whether the PIN is handled only on the local system through an ActiveX control (which would be preferable) or sent up to the server.
Ideally, any action that requires the Smart Card should be triggered at the OS level and pass through the Smart Card middleware via the Cryptographic Service Provider (CSP) that handles the card. Users would then get the familiar local OS prompt for the Smart Card PIN and would not get used to typing their Smart Card PIN into a web site.
If they do send the PIN up to the server, that amounts to giving out your password. I'm not sure why the web site needs the Smart Card's PIN at all, since any interaction requiring the private key on the Smart Card happens only in code running on the client. The fact that Microsoft is asking for users' PINs creates a very serious exposure for businesses as well as governments.
Most computer users don't just go and buy Smart Cards; they get them from their employer (Department of Defense, Microsoft, etc.). This means that anyone who sees this feature and has a smart card might say, "Cool, I can use the same authentication method I use at work." All they need is to remember the PIN for the smart card and have a reader available (most business laptops come with one now); if they are already at work when using this feature, the reader is right there. If Microsoft's data were compromised, an attacker would still need the physical smart card for any further attack to work; either way, a determined individual could probably get hold of one fairly easily.
Time permitting, I hope to look further into how this works and see what the actual exposure is. It would also be nice to hear from Microsoft on how this whole process actually functions under the covers.
UPDATE: On further investigation, it appears that the Sign-In Assistant installation is required to interact with the Smart Card on that web page, which most likely means the PIN is only handled locally. Still, putting the PIN into a web page is a bad practice to get users used to.