Microsoft Unveils Windows 10 Security Features That Avoid Passwords
Microsoft today named two security features that will appear in Windows 10 that will diminish the importance of using passwords to ensure device security.
One of them, called "Windows Hello," is a biometric security feature that will be built into Windows 10 devices that adds face and iris scanning as a method of verifying the user of a device. It also supports using a fingerprint to gain device access.
Windows Hello is a hardware-dependent feature that will be supported by the "Intel RealSense 3D Camera (F200)," according to Microsoft's announcement. Specialized hardware will be required to use this feature, such as a "fingerprint reader, illuminated IR sensor or other biometric sensors," the announcement explained.
Microsoft currently has a Windows Biometric Framework that supports biometrics for its Windows 8.1, Windows Server 2012 R2 and Windows Server 2012 operating system products. However, that framework just works with fingerprints in Windows 8.1. It doesn't work with face or iris scans.
Windows Hello uses infrared-sensing technology, developed via Microsoft Kinect technology, to further verify the identity of a user, according to a video accompanying Microsoft's announcement. This infrared-sensing technology provides an "antispoofing" capability. For instance, Microsoft claims in the video that a photo of a person can't be used to bypass a device's security.
Windows Hello will work with existing device fingerprint scanners, Microsoft claims. When released, Windows Hello will meet enterprise and government regulations, according to Microsoft's announcement.
The second security feature coming in Windows 10 uses the shop-worn Microsoft product name, "Passport," although, at this point, it's just a code name. This new Passport feature needs to be distinguished from "Microsoft Passport" (formerly known as "Windows Live"), which Microsoft renamed "Microsoft account." Microsoft account has become the system for logging into consumer Microsoft applications, as well as Microsoft Web sites for accessing technical content, such as TechNet and MSDN. The new Passport feature for Windows 10 will be a way to access software-as-a-service apps without using passwords.
Passport for Windows 10 appears to be a set of APIs. Microsoft calls it a "programming system":
Passport is a code name for a programming system that IT managers, software developers and website authors can use to provide a more secure way of letting you sign-in to their sites or apps. Instead of using a shared or shareable secret like a password, Windows 10 helps to securely authenticate to applications, websites and networks on your behalf—without sending up a password. Thus, there is no shared password stored on their servers for a hacker to potentially compromise.
Microsoft's Passport appears to be an implementation of FIDO Alliance specifications, which aim to provide authentication methods that don't require the use of passwords. Microsoft is on the board of the FIDO Alliance, along with tech companies such as ARM, Google, Lenovo, Samsung, Qualcomm and various credit card companies.
The FIDO Alliance supports standards for the "protocol used between the client and the online service," according to its spec description. It uses "standard public key encryption" in which the client establishes a public key with an online service. Once that's done, the online service sends a challenge to verify that the client owns the "private key."
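The exchange described above can be sketched in Node.js. This is an added example, not Microsoft's Passport API or the FIDO wire format; the `Service` and `Client` classes, the JSON payload and the `app.example` origin are assumptions made for illustration. It goes slightly beyond the article by binding the signature to the service origin and making each challenge single-use.

```javascript
const crypto = require('crypto');

// Bytes both sides sign/verify: the challenge bound to the service origin (assumed format).
const payload = (challenge, origin) => Buffer.from(JSON.stringify({ challenge, origin }));

// Online service: stores public keys only, so there is no shared secret to steal.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKeyPem) {
    this.publicKeys.set(user, publicKeyPem);
  }
  issueChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64');
    this.pending.set(user, challenge);
    return { challenge, origin: this.origin };
  }
  verify(user, signatureB64) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: a replayed response is rejected
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    const sig = Buffer.from(signatureB64, 'base64');
    return crypto.verify('sha256', payload(challenge, this.origin), pem, sig);
  }
}

// Client device: the private key is generated here and never transmitted.
class Client {
  constructor() {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  answer({ challenge, origin }) {
    return crypto.sign('sha256', payload(challenge, origin), this.privateKey).toString('base64');
  }
}

// Constructed walk-through: registration, one login, then a replay of the same response.
function demo() {
  const service = new Service('https://app.example');
  const device = new Client();
  service.register('alice', device.publicKeyPem);
  const response = device.answer(service.issueChallenge('alice'));
  return { login: service.verify('alice', response), replay: service.verify('alice', response) };
}
```

The service's database holds only public keys and short-lived challenges, so a server breach yields nothing that can be replayed as a login.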
The Passport feature will work with "thousands of enterprise Azure Active Directory services at launch," Microsoft's announcement promised. And it apparently also will work with services and Web sites that support FIDO Alliance standards.
Both the Passport and Windows Hello features will be available via Windows 10 on an opt-in basis. Microsoft claims that the biometric data used with Windows Hello "is secured locally on the device and shared with no one but you." The company also claims that Passport data "is never used to authenticate you over the network." While those may be reassuring details to hear at this point, it's not clear how individual users could verify such claims.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.