IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Welcome to my first blog post on askpfeplat! My name is Milad Aslaner and I’m a Premier Field Engineer specialized in Windows Reliability. Some of you might know me from my sessions TechEd, TechNet and Microsoft Virtual Academy, for those who don’t know me yet, you can call me the "Windows Guy".
Passwords are not sufficient anymore to keep data secure. Let me provide you some facts around this:
– Consumer Reports survey 2013
9.8 million Adult Facebook users had their account used by an unauthorized person; had their reputation harmed; or were harassed, threatened, or defrauded.
– Deloitte Study 2013
I a recent study of six million actual user passwords, the 10,000 most common passwords would have accessed 98.1 percent of accounts.
Now for me personally the last case study is the scariest one. Basically it means that every time I visit a customer and talk about IT Security we could use that list and access a majority of corporate machines.
Biometrics has a long history in Windows. We first introduced biometrics capabilities in Windows XP, later with Windows 7 we added the Windows Biometrics Framework but we always had a dependency on 3rd parties to provide enrollment tools and drivers.
When we look at the adoption rate it was just not there where it should be. Biometrics is not available in most PC’s, OEM’s use to differentiate and really just a few users has experienced it.
Moving forward we want to provide the best experience for modern authentication with biometrics. Users love the idea of simplicity, and they really see it a as solution for the above mentioned problems.
Let’s explore first the basics of fingerprint!
In simple term fingerprint is composed of two elements. We got ridges; raised areas of the skin and valleys; lower areas of skin that separate the ridges. Those two elements combined make two features
- Which are too general for identification purpose and often used to bucketsize fingerprints in larger databases
Local features also known as minutiae
- Those provide the detailed description of the fingerprint structure and which forms the basis of most identification systems
Raw Binary Pruned Minutiae located
Processing an fingerprint means that it starts with the raw image of the fingerprint, then the computer converts it to a binary format, it then removes all the extra information’s which are not required and then lastly identifies the minutiae identifiers to create a pattern or unique representation of the fingerprint.
So when the user enters his fingerprint the enrollment process begins. The computer extracts the local minutiae and builds a template out of that. Btw. the actual fingerprint is not stored on the computer it’s always a digital representation of it. You could call it a one way hash.
This template gets then stored in a template storage. Once the user is enrolled and a user tries to identify afterwards, the computer extracts again the relevant data and try to match against the template storage database. So that’s how in general fingerprint enrollment and identification works.
Let’s look at Windows Biometrics:
It starts with the fingerprint sensor (bottom right) then directly above that we got the WBDI driver which is responsible to talk with the sensor. Then we got 3 adapter: storage adapter to store data, engine adapter which is an important element because that adapter is responsible for most of the tasks and then we got the sensor adapter which is utilized together with the storage adapter by the engine.
Next we got the Windows Biometric Service this service is also a system level component. But don’t worry it looks complicated but in reality for Apps to use biometrics in Windows 8.1 its very convenient because on top of the system level components we got the Windows Biometric Client API which takes all the “talking” between apps and the sensor.
So on the very top we got then the apps such as Fingerprint Enrollment Application, Biometric Credential Provider, Win32 Applications and new in Windows 8.1 Windows Runtime (WinRT) and with that the support for Windows Modern Apps.
Aren’t all fingerprint sensors the same kind?
That’s a big no. While we see that primary of OEM devices implement swipe sensors there are many other kinds. We got optical readers, thermal readers, capacitive readers and even ultrasound readers.
You might have seen a Microsoft representative talking about modern readers as well. But what is a modern reader? In Microsoft terminology modern readers are readers who are touch-based and offer liveness detection. These are the readers we are evangelizing and we would like to see going mainstream.
What about enterprise scenarios? How can they use biometrics?
In Exchange ActiveSync we have ‘convenience logon’. When you had disabled this in Windows 8 it was also disabling biometrics logon and removed any credentials saved by previous enrollments. The default group policy settings also disables domain logon with fingerprint.
Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics
With Windows 8.1 there were some significant changes to the Exchange ActiveSync policies. Now when you disable convenience logon, the in-box registration is still allowed but the credentials won’t be saved.
If the machine is protected with BitLocker, then we will allow the storage of credentials. If it’s a domain user who has local admin rights and he decides to enroll for fingerprint, domain logon will be enabled without having to dig through group policy settings.
Where can I use biometrics and how can I implement it for my Apps?
We introduce new APIs for our developers which can be utilize to implement biometrics into their Windows Modern Apps. You can use these APIs to confirm purchases, profile changes or to support your in-app experiences.
Windows Biometrics Sign-In
• Windows sign-in
• Remote Access sign-in
• All remaining authentication prompts (e.g.: UAC)
“Touch to Buy” added to:
• Windows Store
• Xbox Music
• Xbox Video
I hope that this first blog post showed you the benefits of biometrics in Windows 8.1 and help to drive awareness around the importance of modern authentication.