In-Depth

Ditch Passwords in Windows 10 with Windows Hello

As passwords become more ineffective, Microsoft is betting Windows 10 will up the ante on security with Windows Hello and Passport, which aim to bring biometric authentication to the mainstream.

The days of passwords as the first line of protection against unauthorized access to systems are on the cusp of coming to an end. The most pervasive way of locking access to systems for decades, passwords were a flawed security method from their inception. Even strong passwords are easy to crack, and still in 2015, despite all of the high-profile breaches, people remain cavalier about the passwords they use. The most common passwords safeguarding crucial personal and enterprise systems are "123456" and "password," according to this year's annual "Worst Password" list from SplashData Inc., which provides a number of tools to help manage passwords. Alarmingly, the report drew that finding from more than 3 million passwords leaked last year.

The simplest solution to avoiding the password security quagmire is to just cut them loose. That's exactly the direction Microsoft is going when it releases Windows 10 later this year. Microsoft is hoping that enterprises will say good-bye to passwords with Windows Hello, a biometric approach to system security access, combined with a new authentication tool in the OS called Passport.

Microsoft revealed in March, at its Windows Hardware Engineering Conference (WinHEC) in Shenzhen, China, that it will offer Windows Hello in the new client OS. Windows Hello will let users log into their systems through multiple input methods, including fingerprint, iris and facial recognition, and provide what Microsoft calls true "enterprise-grade" two-factor authentication. How easy it will be to pry people away from the comfort of their passwords remains to be seen, but if a sizeable number of the 1.5 billion Windows users upgrade to the new OS -- coupled with a swath of biometric authentication hardware built into new systems -- passwords could go the way of the floppy disk.

"We have a huge problem with user names and passwords, and it's not just they get stolen and phished and everything else," said Scott Charney, corporate vice president for Microsoft Trustworthy Computing, in his annual keynote address at the April 2015 RSA Conference in San Francisco. "People reuse them everywhere, so if you lose it in one place, you've lost it in a lot of places. We all need to move to a different system."

A Major Initiative

Windows Hello and supporting technologies such as Passport are the different system to which Charney was referring, and together they could be the most ambitious effort yet by Microsoft to bring biometrics into the mainstream of everyday authentication. "Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all," said Joe Belfiore, corporate vice president of the Microsoft Operating Systems group, in a March 2015 blog post announcing Windows Hello.

As the release date of Windows 10 edges toward this summer, Microsoft took to its two major conferences, Build and Ignite, to make the case for why the future of identity security lies with its biometrics technology. At last month's Ignite keynote, Belfiore promised that Windows Hello is something both IT and end users will embrace. "They're going to love it because this is a security system that's going to smile and wink at them, take steps away and give them a flexible way to move documents around, while protecting your company's data."

And it takes almost no time to get logged in. Demonstrating just how fast Windows Hello can recognize a user and log in via facial recognition, Belfiore pulled a black cloth off a camera attached to a PC, and Windows 10 authenticated him and unlocked the machine within three seconds, drawing applause from the packed hall.

"Now that is [a] natural interaction on a PC delivering better security," said Belfiore. "I didn't have a password I had to write down somewhere, it's not a password you have to store in your network that could get stolen, and it's going to help with the problem of data leakage, and it's going to delight end users."

While "delighting" end users is a nice bonus, the focus of Windows Hello is on providing a more secure world. During a late-April Build 2015 session in San Francisco, Anoosh Saboori, senior program manager for the Windows Security team, said his team approached Windows Hello with the goal of providing a system that works with the most stringent security requirements found in industries like government, defense, finance and health. The Windows Security team's goal was to meet the false acceptance rate (FAR) demanded by such industries (the chance that a random person is authenticated as the intended user), which they achieved. Windows Hello features a FAR of 1/100,000 and a false rejection rate (the chance that an authorized user is incorrectly denied access) of 2 percent to 4 percent. In the rare cases where a false rejection occurs, users will have to enter a four-digit device PIN to continue.

Saboori also said Microsoft's choice of infrared cameras for Windows Hello will help defeat spoofing attempts: a physical photograph, or one displayed on another device, appears to the infrared camera as a blank image, so the user is not authenticated.

Biometric Single Sign-On

During his demonstration at Build, Saboori showed off how Windows Hello can be used to authenticate online purchases. Saboori selected a digital movie in the Microsoft Store, prompting a screen to pop up that asked for the pending purchase to be approved by fingerprint, iris or face. This is just one way, outside the traditional system login, that Windows Hello can be used. But what about the non-Microsoft password-protected Web sites and apps encountered every day?

Providing a new key is only useful if locks are in place to accept it. The success of Windows Hello depends on the industry moving away from traditional passwords, and Windows Hello aims to change how users log in not just to Windows, but anywhere a password would otherwise be needed. Microsoft Passport, introduced with Windows Hello, appears to be the technology underlying the Windows Hello UX. Passport, which is unrelated to the older single sign-on service of the same name, now known as Live ID, will allow developers and IT to replace traditional third-party app passwords with either device PINs or (as Microsoft is hoping) biometric login via Windows Hello.

"Think of Microsoft Passport as a cryptographically secure credential that's stored on a device, which enables two-factor authentication," said Belfiore during his keynote. "You could have a phone and a PC serving as the two factors, but when you combine it with Windows Hello, biometrics let users serve as an authentication mechanism that's incredibly fast and easy."

Microsoft Passport, in conjunction with Active Directory, will be able to replace Microsoft-based logins at the launch of Windows 10, and because Microsoft is including support for Fast IDentity Online (FIDO) 2.0 authentication in Windows 10, Passport will be able to work with many authentication systems found on online sites and in Android and iOS apps. Not only will Microsoft support FIDO 2.0, but the FIDO Alliance will use Microsoft Passport as the API framework for developers, meaning that in the hands of a willing developer community its usage could spread quickly. Still, while organizations can choose to enable it through Active Directory and Azure Active Directory, its true appeal will depend on ISVs and commercial Web sites supporting it as well.

Slowing the leak of data from network breaches is a strong incentive to get developers on board. With Passport, Microsoft has taken the threat of password theft through corporate break-ins out of the equation. The two-factor authentication process ensures that the only sensitive data stored is the device-specific PIN. While a four-digit PIN may not sound like the most secure way to confirm identity after a possible false rejection, an attacker would need both the PIN and the specific device to gain access.

"With Microsoft Passport, you are simply storing public keys -- there's nothing secret about it," said Saboori during his Build session. "You can even publish them, there's no problem with that."
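The credential model Belfiore and Saboori describe, as an added illustration that is not Microsoft's code: the relying party keeps only a public key per user, the device holds the private key behind a PIN (or biometric) gate, and each login signs a fresh server challenge, the same challenge-response shape FIDO 2.0 uses. The type and function names, the P-256 curve and the software PIN check are assumptions for illustration; real hardware keeps the key in a TPM and enforces the gate there.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Device is the Passport side: the private key never leaves it and is usable
// only after the PIN (or biometric) gate passes; real hardware does this in a TPM.
type Device struct {
	priv *ecdsa.PrivateKey
	pin  string
}
// Server is the relying party: public keys only, so a stolen copy of this map
// gives an attacker nothing to log in with.
type Server struct{ pubs map[string]*ecdsa.PublicKey }
// Enroll creates a device-bound key pair and registers only the public half.
func Enroll(s *Server, user, pin string) *Device {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to continue with
	}
	s.pubs[user] = &priv.PublicKey
	return &Device{priv: priv, pin: pin}
}
// Challenge issues a fresh random nonce; signing it proves possession of the key.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand fills the buffer fully or returns an error
	return nonce
}
// Sign gates the private key behind the PIN; a wrong PIN yields no signature.
func (d *Device) Sign(pin string, challenge []byte) []byte {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil
	}
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, h[:]) // errors only if rand fails
	return sig
}
// Verify checks the signature against the public key stored for that user.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

With the right PIN on the enrolled device the signed challenge verifies; a wrong PIN, a replayed signature on a new challenge, or a key pair from any other device all fail, which is the "both PIN and device" property the article describes.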

Passport and Windows Hello will also save administrators time and energy by avoiding password-recovery procedures. On a device already enrolled with a PIN through Passport, biometric login leaves end users with nothing else to remember.

1 Billion Systems

Biometric security isn't a new notion. However, with Windows Hello and competing products like the fingerprint scanner in Apple Inc.'s iOS devices, the technology is making a big move. U.K.-based market analyst firm Juniper Research Ltd., in a report issued in January, found that the market for biometric authentication applications will skyrocket from just 6 million this year to 770 million by 2019. And with Terry Myerson, head of the Microsoft Operating Systems Group, predicting at the start of this year's Build conference that 1 billion devices will be running Windows 10 within the next couple of years, the Juniper Research figures sound reasonable.

But with 1 billion machines in the wild, possibly attached to fingerprint-, iris- and face-scanning tech, privacy concerns are hard to ignore, especially in a post-Snowden world. Looking to get ahead of the issue, Saboori said that with Windows Hello and Passport, users' most personal information, their biometric data, stays secure.

"From a privacy perspective, we want to make sure that you know that Microsoft never stores an image of you either on the device or on the back-end server," Saboori said. "We never send the enrollment data to the application or the server that is trying to authenticate you. And, more importantly, we never update your enrollment data without your consent. You're always in control."

While the notion of a more-secure, password-less approach to enterprise security sounds very appealing, there still will be one hurdle to get past for implementation once Windows 10 is released: hardware upgrades.

Windows Hello will use the same fingerprint readers found on many current Windows-based PCs, laptops and tablets. However, to take advantage of the iris scanning and facial recognition capabilities, a special camera featuring multiple lenses, infrared lasers and a dedicated processing chip will be needed, like the Intel RealSense F200 camera technology available in some PCs, including the Dell Inspiron 2350 all-in-one line.

Microsoft is also working with a number of OEMs, including Acer Inc., Hewlett-Packard Co., Lenovo, Toshiba, Fujitsu and NCR Corp., among others, to provide Windows Hello-ready Windows 10 machines early in the lifespan of the OS. Also, three currently available machines (Dell Inspiron 15, HP ENVY 15 and Lenovo B50-30 All-In-One) will be able to take full advantage of Windows Hello at the release of Windows 10.

While new hardware isn't cheap, the arrival of Windows Hello alongside a new OS is well timed, with many organizations mulling hardware upgrades on the heels of Windows 10. And with the added security benefits that Windows Hello and Passport bring while ditching the traditional password, it could be the push IT needs to invest in Windows Hello-ready hardware.