Guest author: Chris Hallum
Our customers face many security related challenges, but one of the biggest is related to your users’ identities. They’re getting stolen and misused at unprecedented levels, and if we look back at the recent breaches, you can see how devastating the impact can be when user identities and credentials, like user names and passwords, or derived credentials, like NTLM Hashes, fall into the wrong hands.
When we defined the plan for Windows 10, addressing this problem was one of our biggest priorities. However, this plan couldn’t be completed in a single move. Instead, it required a series of steps – some of which would require the entire industry to align around. At this point in time, phase one of our effort is complete, as we’ve already delivered Windows Hello and Microsoft Passport, which have enabled Windows users to say goodbye to passwords when accessing Active Directory/Azure Active Directory based business networks, as well as thousands of internet facing business related services (i.e.: SaaS). Additionally, consumers can use these same technologies to access Microsoft consumer related apps and services, such as the Windows Store, Outlook.com, OneDrive and Office365.
The progress that we’ve delivered to customers in phase one is substantial, and now we’ve transitioned to phase two of our effort, where we will help drive the related industry standards to final closure and we will enhance Windows Hello to better accommodate the full breadth of industry scenarios that our customers in education, manufacturing, and public sector require just to name a few.
Our strategy is FIDO and the stage is now set
Building a solution that is based on industry standards and will work cross platform and within heterogeneous environments is central to our strategy for Windows Hello. For this reason, we joined the FIDO (Fast IDentity Online) Alliance to help drive that vision forward with like-minded FIDO members like Intel, and even industry competitors like Google, who partner with us on the FIDO board.
The FIDO 2.0 spec that was under development last year has since been ratified, and now the World Wide Web Consortium (W3C) is actively working with FIDO to complete the work on the web platform API’s. These API’s will enable FIDO 2.0 authentication to work cross platform and everywhere on the web. Once this work is complete, we will synchronize any applicable changes into Windows Hello itself.
At this point, there will be well over the existing 300 million Windows customers – plus those from FIDO members like Google – that will provide compatible solutions. We expect this huge customer base will create the demand necessary to drive rapid and wide scale adoption across the web.
Simplifying Windows Hello
In anticipation of this moment where wide scale adoption will occur, we’re delivering new capabilities to Windows Hello in the Windows 10 Anniversary Update, that will make it easier to deploy and more mobile. With these improvements, Windows Hello will be flexible enough to support the full spectrum of industry scenarios with varying usability, security and regulatory requirements.
When Windows 10 first shipped, we delivered two new identity related technologies including Microsoft Passport and Windows Hello. Collectively, these represented our FIDO 2.0 aligned end to end multi-factor authentication solution. Moving forward, Windows Hello will represent the brand we will refer to for our FIDO aligned end to end multi-factor authentication solution. Microsoft Passport will be retired as a brand.
With these changes, there are some new simplified semantics for our customers to be aware of, which include the following. Window Hello now consists of two main concepts:
Factors are quite literally the factors used to validate the user’s identity before enabling them to authenticate with their Windows 10 device and access resources. In the original Windows 10 release, Windows Hello only supported biometric verification though facial, iris, and fingerprint recognition. The second factor for user validation was the user’s device itself. In the Windows 10 Anniversary Update, Windows Hello’s architecture has been designed to be more flexible, enabling it to support devices, PINs, and biometrics as factor options. The architecture has also been made flexible enough to support the addition of new factor types which may be added in the future.
In the original Windows 10 release, Microsoft Passport was the name used to describe the credential that users would use for authentication once user verification through two or more factors had occurred. As mentioned earlier, the Microsoft Passport brand will be retired and the credential is now considered part of Windows Hello. From a customer’s perspective, this is simply a semantics issue and there are no material changes from a configuration or security perspective. The Windows Hello credential can be secured from theft and tampering using the device’s hardware based Trusted Platform Module (TPM). For devices that lack a TPM, Windows Hello will use software based encryption.
Extending the Windows Hello family with companion devices
As mentioned above, Windows Hello supports using a device as one of the factors. However, as opposed to the original release where the user must enroll their PC as one of the device based factors, the Anniversary Update introduces a new set of experiences based on the new Windows Hello Companion Device framework. This framework allows an external device to be used as one or more of the factors for Windows Hello. With this, users can use a variety of device types, like a wearable, to remotely access their PC and authenticate to resources.
The Windows Hello Device Framework enables companion devices to be developed for virtually any possible scenarios, some of which include:
- Users who want to use a device infrequently, or just a single time (e.g. kiosk), want to avoid enrolling their identity on each device (e.g.: Retail, Healthcare, Consumers)
- Some organizations are bound by regulations that requires the user’s credentials must be physically separate from the device they are signing into (e.g.: Public Sector, Defense)
- Some organizations want their users to be able to access a device based on the possession of another device, like an access card. They want to be able to just tap to sign without entering in a PIN or using biometrics (e.g.: Manufacturing)
- Some users want to be able to access a PC using a device like a wearable. They want to be able to access their devices simply by being near them (e.g.: Consumers)
The Windows Hello Device Framework enables hardware vendors to develop companion devices for these scenarios and many more, with two types of companion devices. The first type is a device that is paired with a PC that is already enrolled with Windows Hello, and, in this case, the companion device doesn’t store the user’s credentials on it. Once paired, signing into a PC can be based on the companion device being within in the proximity of the PC, or, alternatively, it can be based on proximity plus an additional factor that is verified on the companion device itself (e.g.: biometrics). This option lends itself to lower cost companion devices and improved security, since signing into the PC requires one or more external factors. It is also can provide convenience and can prove useful on devices that lack integrated biometric sensors.
The second type of devices provide advanced security, making it suitable for organizations that are heavily regulated (e.g.: bound by FIPS 140-2), or in scenarios where the mobility of the Windows Hello credentials is useful or required. In this case, the companion device includes all of the factors for user verification and it also stores the user’s credential on it. This makes Windows Hello and the user’s credentials mobile, enabling the user to access devices without having to enroll their identity on each and every device.
So as you’ve just seen, we’re well under way on our journey to end the use of passwords, and Windows Hello is already serving our customers around the world in both consumer and commercial scenarios. In fact, here at Microsoft, we’ve deployed Windows Hello to over 100 thousand Microsoft employees. Now we’re excited to enter into phase two of our effort, where we’ll help finalize the FIDO related web standards, while delivering new technology within the Anniversary Update that will to make Windows Hello ideal for the diverse set of industry scenarios that our customers are asking for.