Two days ago, MS announced what it calls an “Identity Bounty” program. It aims to strengthen and protect digital identity information by paying developers and researchers who find identity-related vulnerabilities or exploits to report them privately to Microsoft first. Researchers are then allowed (encouraged, even) to publish their findings once Microsoft has produced a fix or workaround that mitigates or nullifies the issue. The program covers both the company’s consumer (Microsoft Account) and enterprise (Azure Active Directory) identity services, and awards range from $500 to $100,000 depending on the severity of the vulnerability or exploit reported.
It covers a whole raft of technologies, including strong authentication, secure sign-on, sessions, API-level security, infrastructure security, and more. It applies not just to Microsoft’s own implementations but also to certain standards from the OpenID Foundation, which maintains OpenID Connect (itself built on top of the IETF’s OAuth 2.0 framework). Microsoft wants its methods for authentication, identity management, and access control to be as safe and secure as possible, and the bounty program is one way to put money behind commitments it has already made. Support for open standards also tends to make for more secure technology: a protocol whose specification is public gets reviewed and attacked by far more people than a proprietary one, so its weaknesses are found and fixed sooner. Thus, Microsoft’s support for OpenID Connect and OAuth is not just well-intentioned; it reflects the prevailing wisdom on how to build the most secure identity technology.
Where Does Microsoft Authenticator Fit In?
MS Authenticator is an app that runs on Windows Phone (for you stalwart hold-outs), iOS, and Android. It adds an extra layer of security to both consumer (Microsoft Account) and work or school accounts (domains registered with Azure Active Directory). When someone signs in to one of those accounts, the app pushes a notification to your smartphone describing the sign-in attempt so that you can approve (verify) or deny (repudiate) it; for accounts set up to use code entry instead of push approval, it generates time-based one-time codes. In other words, it supplies the second factor in two-factor authentication: something you have (the enrolled phone) on top of something you know or are (the username and password, PIN, or biometric marker you use to log in to the device). Read more about it in the Microsoft Azure pages at “Get started with the Microsoft Authenticator app” online.
It’s encouraging to see Microsoft lining up with other big companies, such as AT&T, Cisco, Intel, Netgear, Samsung, and Google, and with most security vendors (Avast, AVG, Bitdefender, Sophos, and so forth) in paying bounties for security bugs. In fact, MS also runs other bounty programs for cloud services, .NET Core and ASP.NET Core, Office, Edge, Windows Insider Preview, Windows Defender Application Guard, mitigation bypass, and more. See this CRN slideshow for the Top 25 Bug Bounty Programs, as of February 2018. For truly gifted security researchers and white-hat hackers, these programs offer enough opportunity to make a very good living. For the rest of us, it’s one more way that MS and other companies can try to keep the bad guys at bay.
Author: Ed Tittel
Ed Tittel is a 30-plus-year computer industry veteran. He holds degrees from Princeton and, several times over, from the University of Texas, and has worked in IT since 1981, when he started his first programming job. Over the past three decades he has also worked as a manager, technical evangelist, consultant, trainer, and expert witness. See his professional bio for all the details.