While Windows Hello is an interesting and useful implementation of biometric security, it’s pretty much relegated to the sign-in process in the shipping version of Windows 10. But that will change with the Anniversary update, which is adding Hello support to Microsoft Edge.
“We look forward to a web where the user doesn’t need to remember a password, and the server doesn’t need to store a password in order to authenticate that user,” the Microsoft Edge team explains. “Windows Hello, combined with Web Authentication, enables this vision with biometrics and asymmetric cryptography.”
Here are the gory details:
To authenticate a user on a secure web site, the server delivers a plain text challenge to Edge. The browser verifies the user with Windows Hello, signs the challenge with a private key provisioned specifically for this user, and then sends the signature back to the web server. If the server can validate the signature using the public key it has for that user and verify the challenge is correct, it will securely authenticate the user.
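The flow described above, as an added example that is not Microsoft's code and not the Web Authentication API itself: a simplified Node.js model in which the server issues a single-use challenge, the client signs it with a per-user private key, and the server validates the signature and the challenge. The function names, the user "alice", the P-256 key type and the 60-second lifetime are assumptions made for illustration.

```javascript
// Added example: simplified challenge-response model (assumed names, not a real API).
const crypto = require("node:crypto");

// The server stores only public keys and the challenges it has outstanding.
function newServer() {
  return { publicKeys: new Map(), pending: new Map() };
}

// Registration: the private key stays on the client (Windows Hello would gate
// its use); only the public key is handed to the server.
function registerUser(server, userId) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  server.publicKeys.set(userId, publicKey);
  return privateKey;
}

// Server: issue a random challenge and remember it with a short lifetime.
function issueChallenge(server, userId, now = Date.now()) {
  const challenge = crypto.randomBytes(32).toString("base64");
  server.pending.set(userId, { challenge, expires: now + 60_000 });
  return challenge;
}

// Client: sign the challenge after local verification (biometric or PIN).
function signChallenge(privateKey, challenge) {
  return crypto.sign("sha256", Buffer.from(challenge), privateKey);
}

// Server: confirm the challenge is the one it issued, unexpired and unused,
// then validate the signature with the public key on file for that user.
function verifyLogin(server, userId, challenge, signature, now = Date.now()) {
  const entry = server.pending.get(userId);
  server.pending.delete(userId); // single use: a replayed response finds nothing
  if (!entry || entry.challenge !== challenge || now > entry.expires) return false;
  const publicKey = server.publicKeys.get(userId);
  if (!publicKey) return false;
  return crypto.verify("sha256", Buffer.from(challenge), publicKey, signature);
}
```

Deleting the pending challenge before any other check is what makes a captured response useless on replay, and the server never holds anything that could be used to sign in as the user.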
You can test this for yourself using a Microsoft Test Drive web site for Edge: The site needs to ensure that you’re you, so to speak, and will do so via Windows Hello—or by a PIN verification—on the PC client. And then you’re let into the site, and no credentials have changed hands at all. That is, your Windows login remains secure and isolated from the web site.
According to Microsoft, Edge’s support for Hello is driven by web standards—including an early implementation of the Web Authentication (formerly FIDO 2.0) specification—and the software giant is working with web standards bodies to standardize the APIs it’s using.
Microsoft is also working with the same standards bodies on two-factor and password-less authentication for the web.
“In the password-less case, the user does not need to log into the web page using a user name or password – they can login solely using Windows Hello,” Microsoft says. “In the two factor case, the user logs in normally using a user name and password, but Windows Hello is used as a second factor check to make the overall authentication stronger.”
Microsoft Edge is obviously not ready for prime time in the shipping (1511) version of Windows 10. But with extensions and now Windows Hello support coming in the Anniversary update, Edge could very well go from also-ran to no-brainer this year. And that is pretty amazing.