Lawsuit could put kink in Microsoft's push for cloud security

A lawsuit could put a crimp in Microsoft's reported plans to implement two-factor authentication for users of its consumer cloud services.

Two-factor authentication--which supplements a user's password with a PIN or code generated by a local application or sent by a cloud provider to a user's device, typically a cell phone--has been adopted by large cloud-service providers as a means of better securing online accounts.

Now, a patent lawsuit filed by New Jersey-based StrikeForce challenges two-factor authentication technology used by PhoneFactor, a company acquired by Microsoft last October.

The lawsuit could affect the security of all users of Microsoft's consumer cloud services, such as SkyDrive and Outlook.com, as well as users of other services that use two-factor authentication, such as Google and Dropbox.

Details

According to a statement by StrikeForce, PhoneFactor's authentication technology infringes a patent issued to StrikeForce in 2011 for "several key technologies underlying a multichannel security system for granting and denying access to a host computer in response to a demand from an access-seeking individual and computer."

StrikeForce declined to comment further to PCWorld on the lawsuit but, in a FAQon the litigation posted on its website, it claimed its ProtectID Authentication Product "offers 2-factor 'Out-of-Band' authentication across many methods and devices for cyber security protection."

"Methods that are used include, for example, receiving a call and entering a PIN number or One-Time Password (OTP) on a phone-type device," it added.

Microsoft, in an email, declined to comment on the lawsuit.

When Microsoft purchased PhoneFactor last year, Corporate Vice President Bharat Shah observed in a statement, "The acquisition of PhoneFactor will help Microsoft bring effective and easy-to-use multifactor authentication to our cloud services and on-premises applications."

Earlier this week, it was reported that Microsoft was readying a roll out of two-factor authentication for its consumer cloud services. "Unfortunately we do not yet know the timing of the release of this new feature, but rest assured that it will be coming soon," according to LiveSide, which focuses on news and information about the Microsoft cloud.

"They're taking the technology they got from PhoneFactor, embedding it, and turning it into a part of their services which, for security-conscious users, is a good direction," Wes Miller, a research analyst with Directions on Microsoft in Kirkland, Wash. told CSO Online earlier this week.

Microsoft also declined comment on the LiveSide report. "Security and privacy is a priority for Microsoft. However, we have nothing new to share at this time," a Microsoft spokesperson said in an email.

Wider impact?

Although StrikeForce's lawsuit is aimed at Microsoft, other companies may also find themselves in the crosshairs of patent litigation.

"StrikeForce will aggressively protect its patent," CEO Mark L. Kay said in a statement. "Therefore, we have filed today our first lawsuit designed to protect this critical StrikeForce asset, which is definitely increasing in importance with consistently troubling news about cyber-attacks and cyber thefts."