Windows Hello, Passwords Goodbye

Microsoft announced today that it will support more personal ways for you to authenticate your identity on Windows 10 devices and in apps and web sites. The Windows 10 feature is called Windows Hello, and it provides biometric authentication—via facial recognition or a finger touch—on new devices that will start shipping later this year. And a separate feature code-named “Passport” will help you to more securely sign-in to applications, enterprise content and online experiences without needing a password.

“With Windows Hello, you’ll be able to just show your face, or touch your finger, to new devices running Windows 10 and be immediately recognized,” Microsoft’s Joe Belfiore writes in a post announcing this feature. “And not only is Windows Hello more convenient than typing a password, it’s more secure! Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all.”

The big question here, of course, is how will this work? Here’s how.

Windows 10 will natively support various forms of biometric authentication, including a facial scan, an eye scan or a fingerprint. This authentication, plus the device itself, provide a form of two-factor authentication, which I recently wrote about in Tip: Protect Your Online Accounts with Two-Factor Authentication. And that’s because both factors are unique. You are obviously unique, and so is your device, because it will be uniquely registered to you.

Windows Hello will also work on previous devices with fingerprint readers, assuming they’re upgraded to Windows 10. But facial and iris detection will require new hardware: “Windows Hello uses a combination of special hardware and software to accurately verify it is you – not a picture of you or someone trying to impersonate you,” Belfiore explains. “The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.”

Windows Hello also provides “enterprise-grade” security that meets the needs of government, defense, financial, health care and other related organizations, Microsoft says. This is a “1 in over 100,000 false accept rate,” Microsoft explains in an accompanying video.

As for “Passport”—another great code-name that will no doubt be destroyed with some terrible actual product name (and yes, I know of the history of this name in Microsoft’s services)—Microsoft describes it as a “programming system” that IT managers, software developers and web site makers can use to provide a more secure way of letting you sign-in to their sites or apps.

“Instead of using a shared or shareable secret like a password, Windows 10 helps to securely authenticate to applications, web sites and networks on your behalf, without sending up a password,” Belfiore explains. “Thus, there is no shared password stored on their servers for a hacker to potentially compromise.”

Passport obviously relies on Windows Hello or other forms of authentication (like a PIN) on the Windows 10 device. And once you’re authenticated with “Passport,” you will be able to instantly access “a growing set of web sites and services across a range of industries – favorite commerce sites, email and social networking services, financial institutions, business networks and more,” Belfiore claims.

At launch, “Passport” will work with Azure Active Directory services, and as I wrote about previously, Microsoft has joined the FIDO Alliance to support two-factor authentication outside of its own infrastructure products. It will work with Microsoft’s consumer services—Outlook.com, OneDrive and so on—at launch as well.

“Using Windows Hello and ‘Passport’ is your choice and you control whether to opt-in to use it,” Belfiore writes. “We understand how critical it is to protect your biometric data from theft, and for this reason your ‘biometric signature’ is secured locally on the device and shared with no one but you. It is only used to unlock your device and ‘Passport,’ it is never used to authenticate you over the network.”

If you’re looking for a PC that will support these technologies, here’s a start: PCs that use the Intel RealSense 3D Camera (F200) will support the facial and iris unlock features of Windows Hello, including automatic sign-in to Windows 10, and support to unlock “Passport” without the need for a PIN. Microsoft says it is working with PC makers to deliver Windows Hello capable devices alongside Windows 10 at launch.