Windows 10 To Support Biometric Security with 'Windows Hello'
- By Kurt Mackie
- March 17, 2015
Microsoft on Tuesday revealed two new features coming in Windows 10 that will let users forgo using passwords to ensure the security of their devices.
One of them, "Windows Hello," is a biometric security feature that adds face and iris scanning as a method of verifying the user of a device. It also supports fingerprint scanning to gain device access.
Windows Hello is a hardware-dependent feature that will be supported by the "Intel RealSense 3D Camera (F200)," according to Microsoft's announcement. Specialized hardware, such as a "fingerprint reader, illuminated IR sensor or other biometric sensors," will be required to use the feature. Windows Hello uses infrared-sensing technology, developed via Microsoft Kinect technology, to further verify the identity of a user, according to a video accompanying Microsoft's announcement. This infrared-sensing technology provides an "antispoofing" capability. For instance, Microsoft claims in the video that a photo of a person can't be used to bypass a device's security.
Windows Hello will work with existing device fingerprint scanners, and will meet enterprise and government regulations when it's released, according to Microsoft's announcement.
Microsoft currently has a Windows Biometric Framework that supports biometrics for its Windows 8.1, Windows Server 2012 R2 and Windows Server 2012 operating system products. However, that framework just works with fingerprints in Windows 8.1; it doesn't work with face or iris scans.
The second security feature coming in Windows 10 uses the shop-worn Microsoft product name, "Passport" (although at this point, it's just a code name). This new Passport feature needs to be distinguished from "Microsoft Passport" (formerly known as "Windows Live"), which Microsoft renamed "Microsoft account." Microsoft account has become the system for logging into consumer Microsoft applications, as well as Microsoft Web sites for accessing technical content, such as TechNet and MSDN. The new Passport feature for Windows 10 will be a way to access Software as a Service (SaaS) apps without using passwords.
Passport for Windows 10 appears to be a set of APIs. Microsoft calls it a "programming system":
Passport is a code name for a programming system that IT managers, software developers and website authors can use to provide a more secure way of letting you sign-in to their sites or apps. Instead of using a shared or shareable secret like a password, Windows 10 helps to securely authenticate to applications, websites and networks on your behalf—without sending up a password. Thus, there is no shared password stored on their servers for a hacker to potentially compromise.
Microsoft's Passport appears to be an implementation of FIDO Alliance specifications, which aim to provide authentication methods that don't require the use of passwords. Microsoft is on the board of the FIDO Alliance, along with tech companies such as ARM, Google, Lenovo, Samsung, Qualcomm and various credit card companies.
The FIDO Alliance supports standards for the "protocol used between the client and the online service," according to its spec description. It uses "standard public key encryption" in which the client establishes a public key with an online service. Once that's done, the online service sends a challenge to verify that the client owns the "private key."
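As an added illustration (not code from Microsoft or the FIDO Alliance), the Go sketch below walks through the exchange just described: the client registers a public key, the service issues a random challenge, and the client proves it holds the private key by signing that challenge. The choice of Ed25519 and the names Client, Service, Register, Challenge and Verify are assumptions made for this example, not part of any FIDO specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Client struct{ priv, Pub []byte } // priv stays on the device; only Pub is sent

func NewClient() *Client {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Client{priv, pub}
}

// Respond proves possession of the private key by signing the challenge.
func (c *Client) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Service stores public keys and outstanding challenges, never a shared secret.
type Service struct{ keys, pending map[string][]byte }

func NewService() *Service { return &Service{map[string][]byte{}, map[string][]byte{}} }
func (s *Service) Register(user string, pub []byte) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for one sign-in attempt.
func (s *Service) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// Verify consumes the challenge (blocking replay), then checks the signature.
func (s *Service) Verify(user string, sig []byte) bool {
	nonce, issued := s.pending[user]
	pub, known := s.keys[user]
	delete(s.pending, user)
	return issued && known && ed25519.Verify(pub, nonce, sig)
}

func main() {
	svc, c := NewService(), NewClient()
	svc.Register("alice", c.Pub)
	sig := c.Respond(svc.Challenge("alice"))
	fmt.Println("sign-in:", svc.Verify("alice", sig), "replay:", svc.Verify("alice", sig))
}
```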
The Passport feature will work with "thousands of enterprise Azure Active Directory services at launch," Microsoft's announcement promised. It apparently will also work with services and Web sites that support FIDO Alliance standards.
Both the Passport and Windows Hello features will be available via Windows 10 on an opt-in basis. Microsoft claims that the biometric data used with Windows Hello "is secured locally on the device and shared with no one but you." The company also claims that Passport data "is never used to authenticate you over the network." While those may be reassuring details to hear at this point, it's not clear how individual users could verify such claims.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.