Back in 1999, I was writing a column for Microsoft TechNet called "Robichaux on Security." (Sadly, it's no longer online). One of my columns was all about how reusable passwords are bad, and how smartcards offered a viable replacement. As it turns out, I was half right—reusable passwords are bad, but smartcards weren't the silver bullet I was hoping for. Since then, there's been a steady movement towards multi-factor authentication (MFA) across a range of systems, including Windows Server. The latest step towards a password-free world comes with the recent release of Windows 10, which includes two technologies that work together to reduce dependency on reusable passwords: Windows Hello and Microsoft Passport.
Why reusable passwords stink
Before I talk about Passport and Hello, a quick refresher on why reusable passwords are awful:
- An attacker can steal them. Every place a password is stored, it's vulnerable (although some storage methods and locations are more vulnerable than others). An attacker who steals a password can impersonate the rightful owner, no questions asked, in any single-authentication-factor system.
- An attacker can guess them. Password cracking tools use lots of smart tricks, including precomputation and large variant dictionaries. Just making your password policy require longer or more complex passwords doesn't help—"P@ssw0rd1" is not really any more secure than "password" or "anaphylaxis" because crackers have rulesets that take common terms and permute them automatically by replacing "0" in place of "O" and so on.
- Users often reuse the same password across multiple systems. This problem is made worse because so many consumer-oriented systems use the email address as the user name—an attacker who steals my password from one service can try the same username/password combination against every other service in the world to see if there are matches. (To make things worse, it looks like in most cases, requiring more complex passwords just encourages users to reuse them!)
- Users are often careless with passwords. They pick easily-guessed words or phrases, they write them down, and so on.
I could go into more depth on any of these points, but I trust you get the idea.
Solving the reusable password problem
Solving the problems caused by passwords is tricky. Tightening password policies alone won't do it, especially because doing so may just encourage users to recycle, share, or write down passwords. Although user education is critical for authentication security, education alone doesn't eliminate the problem either.
What about multi-factor authentication? The answer there is "it depends." Just adding more authenticators won't necessarily help if the new authentication systems add complexity, cost, or fragility. That's why smartcards haven't caught on more broadly: the need to issue cards, manage the revocation process, and put readers on every device where you want to use the cards has been a deal breaker at most organizations. On the other hand, SMS messages as a second authentication factor have become popular because they're simple: most Internet users have the capability to send and receive texts, so using one-time SMS codes has proven to be a pretty decent way to get a second authentication factor out into the world.
In Windows 10, Microsoft is tackling these problems with two new technologies: Windows Hello and Microsoft Passport. (And yes, they maybe should have picked a name besides "Passport" given the history of its predecessor, but no one asked me....)
Working together, Hello and Passport help increase both security and user convenience:
- Microsoft Passport replaces passwords with strong device-specific credentials. Applications can request access to credentials from the Passport store. For example, when you register an Office 365 account in Windows 10, and go to an Office 365 app in the Edge browser, you get single sign-on because Edge is smart enough to use the Passport APIs to request access to your stored Office 365 account—and this works even if your PC is domain-joined to a different AD domain, or not domain-joined at all.
- Windows Hello provides a way for users to unlock (or "release") their Passport credentials. The unlock mechanism can be a PIN, a fingerprint, or facial recognition—or all 3, if your PC is capable. (Facial recognition uses a combination of special infrared cameras and software to increase accuracy and guard against spoofing; major ISVs are getting ready to ship devices with integrated Windows Hello-compatible cameras). Fingerprints are easy—any fingerprint reader that supports the Windows Biometric Framework, which means almost all of them, can be used.
What is Windows Hello?
Formally, Windows Hello is the name given to the new biometric sign-in system built into Windows 10. By building biometric authentication directly into the operating system, Windows Hello allows users to unlock their devices by using face or fingerprint identification; other biometric methods may be added later. An attacker who steals the device can't log in to it unless they have the ability to produce the associated Hello gesture. Unlocking a device with Hello provides the authorized user access to all her Windows experience, apps, data, websites, and services.
Hello's authenticator is known as a Hello. A Hello is unique to the combination of an individual device and a specific user. Hellos don't roam between devices, aren't shared with a server, and cannot easily be extracted from a device. If a device is shared by multiple users, each user gets a unique Hello for that device.
The best way to think of a Hello is as a token that can be used to release a stored credential—the Hello itself doesn't authenticate the user to an app or service, but it releases credentials that can.
At the launch of Windows 10, there are three supported Hello types:
- PIN: before you can enable a biometric Hello on a device, you must choose a PIN, which is used as your initial Hello gesture. After you've set a PIN, you can enroll additional biometric gestures if you want to. You can always use the PIN gesture to release your credentials, so you can still unlock and use your device even if you can't use your preferred biometric—maybe you've got a bandage on your face or a cast on your finger, or your facial recognition camera isn't working properly. (Technically, the PIN isn't really a Hello gesture but I'll treat it as one for discussion purposes.)
- Facial recognition uses special cameras that see in both visible and infrared light, allowing them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices as well. (I have one of these for now).
- Fingerprint recognition uses an optical fingerprint sensor to scan the user's fingerprint. Almost all existing fingerprint readers (whether external or integrated into laptops or USB keyboards) can be used with Windows 10. Synaptics just announced a fingerprint-reading touchpad that I'm eager to get a look at, and no doubt there will be other similar developments in the not-too-distant future.
Biometric Hellos are recognized by hardware on the device. I want to emphasize that the biometric data used to implement these Hello gestures is stored securely on the local device only; it doesn't roam and is never sent to external devices or servers. In fact, the PIN itself is only stored on the local device and doesn't roam.
One question I've heard repeatedly bears answering: a Hello gesture doesn't replace your actual password. For example, you can't RDP into your computer and log in with your PIN; for that, you need to use a password. Hellos are unlockers that work alongside your passwords.
Windows Hello offers some major benefits. First, when combined with Microsoft Passport, it effectively solves the problems of credential theft and sharing. Because an attacker must both obtain the device and the selected Hello, it is much more difficult to gain access without the user's knowledge. Second, using biometrics means that users get a simple authenticator that's always with them—there's nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for logging in to all their Windows devices. Finally, in many cases, there's nothing additional to deploy or manage to use Windows Hello (although Passport may require additional deployment- a topic for another day). Windows Hello support is built directly into the operating system, so there are no additional drivers to deploy. You can still add biometric devices, or upgrade to newer devices that include biometric sensors; the good part is that individual users can upgrade their own devices and take advantage of Hello immediately.
Here's a quick video that shows Hello in action on my Surface Pro 3.
What is Microsoft Passport?
Windows Hello provides a robust way for a device to recognize an individual user; that addresses the first part of the path between a user and a requested service or data item. However, once the device has recognized the user, it still must authenticate the user before deciding whether to grant access to a requested resource. Microsoft Passport provides strong two-factor authentication (2FA), fully integrated into Windows, that replaces reusable passwords with the combination of a specific device and a Hello or PIN. However, Passport isn't just a replacement for traditional 2FA systems. It's conceptually similar to smartcards; authentication is performed using cryptographic primitives instead of string comparisons, and the user's key material can be secured inside tamper-resistant hardware if you have it.
Unlike smartcards, though, Passport doesn't require the extra infrastructure components required for smartcard deployment. In particular, you don't need a PKI if you don't currently have one. Passport combines the major smartcard advantages-- deployment flexibility for virtual smartcards and robust security for physical smartcards—without any of their drawbacks.
Here's a quick demo of how Passport enables unlock. I've set my machine up so that my Summit 7 Office 365 account is associated with it. That means that my S7 credentials are protected in the Passport container. That container stays locked until I unlock it with a Hello. Once I unlock it, any compatible app can request use of those creds… and Edge is a compatible app.
So what just happened? I logged into the machine using a biometric Hello, which unlocked the container where my registered accounts were stored. When I requested access to my O365 portal, Edge requested access to the creds but those creds never left my machine. Through the magic of an authentication flow that I'll explain in a later article, my device generated a token that O365 used to verify my identity and poof, I got my page without typing my password.
Now's probably a good time to point out that this works just fine with individual credentials against Office 365—there's no infrastructure required. Things get more complicated for environments where you have on-premises Active Directory, an existing PKI, or an existing mobile device management system; I'll have more to say on that in a future post.
The future's exciting
There's a lot more I could say about how Passport works, what's required to implement it in various scenarios, and how you can use it to better protect your enterprise assets. Look for more articles covering this topic in the near future. If you're using Windows 10, I encourage you to set a PIN, register your Office 365 account, and start taking advantage of the Hello/Passport combination.