Web sign-in, FIDO 2, remote biometrics: Windows 10 is ready for better security than passwords offer.
Passwords are hard to remember and easy to lose. Whether it’s people reusing the same weak password on multiple sites or services that don’t protect their user data and expose usernames and passwords in data breaches, simple passwords don’t offer enough protection. That’s why Windows 10 is moving towards more secure options like biometrics, tokens and push authentication — including support for the new FIDO 2 internet identity standards.
Fingers and faces
Windows Hello makes using biometrics like fingerprint sensors and infrared facial-recognition cameras much easier, by making it part of the standard way you sign in, rather than leaving OEMs to add this functionality to the account process.
Faces, fingers and other biometric factors like hand vein prints can’t be phished like passwords, and they aren’t sent across the network or roamed between devices the way passwords are. This means that attackers who get into a network can’t scoop up credentials from a PC and reuse them to access servers. Windows 10 has protections like Credential Guard to make it harder for attackers to get at credentials: it runs the LSA service that stores them inside Virtual Secure Mode. There’s also a new Cloud Credential Guard that protects cloud credentials like Azure AD tokens using TLS token binding. Switching to biometrics, however, means that the credentials are less exposed in the first place because they aren’t sent back and forth.
Registering a biometric like a fingerprint or a face with Windows Hello creates a cryptographic key pair that’s stored in the TPM (or a software TPM) and used with identity services like Microsoft accounts and Azure Active Directory. If you register the same fingerprint or face onto multiple Windows PCs, each device creates a unique key pair — not a copy of the key pair from the first device.
You’re not going to leave your face or fingerprint behind the way you could forget a password, but you still need a way to log in if you’ve got a cut on your finger or are working in unusually dark or bright surroundings where a facial recognition camera can’t see you clearly. The fallback for biometrics that aren’t recognized is still called a PIN, but as well as numbers it can include special characters and upper- and lower-case letters, like a password. Enterprise policies dictate how complex PINs have to be (the home edition of Windows 10 is happy with just four digits in your PIN). But it’s the fact that they’re only stored on the device (not roamed to other devices with the same account) and only used to unlock the authentication key that signs requests to servers (never sent to a server the way a password is) that makes PINs more secure than passwords. Plus, PINs are protected by the TPM, whereas passwords aren’t.
If your PC doesn’t have a facial camera or fingerprint sensor, you can plug one into a USB port, or you can use a ‘companion device’ like the Nymi Band that uses your heartbeat and ECG to identify you.
With the next release of Windows 10, you’ll be able to use Windows Hello biometrics to sign in to Remote Desktop sessions. If you’ve logged into Windows with biometrics, you’ll be signed in to the remote desktop automatically when you open an RDP session (although if you need to confirm your Windows password inside the remote session, for example to elevate a dialog, you’ll have to type in the PIN).
But biometrics don’t work in every situation or for every person. Almost every biometric, from fingerprints to hand vein prints to irises, only works for about 80 percent of the population. For example, some older Chinese women and people who work at dry cleaners have fingerprints that just don’t scan well. Replacing passwords is about using multiple factors, including other devices. If you have a YubiKey for services like Gmail, GitHub and Dropbox, you can sign in to Windows Hello by inserting it into your PC (you’ll also need the YubiKey for Windows Hello app).
You could use a phone with text messages or an authenticator app to log into Windows, the way you can use that kind of multi-factor authentication to make logging into Twitter or Gmail more secure, but it’s not particularly convenient. Using your phone to lock your device when you walk away from it is handy though; once you’ve paired a phone with your PC over Bluetooth, you can use the Dynamic Lock feature to lock it when you’re out of range. You turn that on under Accounts > Sign-in options in the Settings app. Admins can use the Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\Configure dynamic lock factors Group Policy to set how weak the Bluetooth signal can be before the PC locks.
Is it me you’re looking for?
Up until now, Windows Hello has only handled your Windows password, the Microsoft Store and any services that you’ve set up for single sign-on with Azure Active Directory. With the next release of Windows 10, we’re going to finally see more of the FIDO 2 standards. Direct support for FIDO 2 security keys like YubiKeys and smart cards (without needing a specific app for each separate key) is in limited preview.
This isn’t a major change to Windows Hello, which was built to an early version of the FIDO protocols; it’s more about updating it now that FIDO 2 standards for secure keys and the W3C Web Authentication API have been agreed. That means a user with a FIDO 2 security key can log into any Azure AD-joined PC without having to set up an account on it first, which is ideal for front-line and mobile workers.
It also means that as browsers implement and websites adopt the new WebAuthn API, Windows Hello will be able to start replacing passwords in the browser too, using biometrics or FIDO UAF security keys to log in without a password at all when websites support that. WebAuthn also supports the two-factor U2F option, where you use a username and password and either a FIDO security key or Windows Hello biometrics as the second factor. Edge has supported a preview version of WebAuthn since 2016; in build 17723 (currently available to Windows Insiders), Edge supports the Candidate Recommendation of the API, although it doesn’t yet work for PWAs or web-based UWP apps. There aren’t many sites that support WebAuthn yet, but you can try it out in this sample app and there are instructions for adding WebAuthn support to your own internal sites.
As well as new kinds of credentials, Windows is also going to support more identity providers directly. Windows Hello works with Azure AD, Active Directory and third-party federation servers that support the necessary extensions to OAuth 2.0 and OpenID Connect 1.0. With the next release of Windows 10, Windows logon will support SAML identity providers — not just identities federated to ADFS and other WS-Fed providers.
You’ll need Azure AD to use this new Web Sign-in, and you’ll have to enable the Policy CSP/Authentication/EnableWebSignIn Group Policy. This isn’t likely to shake the dominance of Active Directory in the enterprise, but it makes it much more convenient for organizations that use SAML systems like Oracle Identity Federation to have these accounts show up as an option for signing into Windows.