Security Experts:

Microsoft Expands Multi-Factor Authentication Solution

Microsoft this week announced a series of changes to the security capabilities of Windows 10, including expanded capabilities for Windows Hello, the end-to-end multi-factor authentication solution that eliminates passwords when connecting to various services.

Together with Microsoft Passport, Windows Hello was meant to offer a password-less experience when accessing Active Directory/Azure Active Directory based business networks or various Internet facing business related services. The two technologies are also available when accessing Windows Store,, OneDrive and Office365, but the Windows 10 Anniversary Update, set to arrive in early August, will bring some changes to that.

First of all, Microsoft has joined the FIDO (Fast IDentity Online) Alliance to build a solution based on industry standards that will work cross platform and within heterogeneous environments. 

Secondly, Microsoft Passport will be retired as a brand and all of the authentication capabilities that it offers will be passed on to Windows Hello, which will be Microsoft’s FIDO 2.0 aligned end to end multi-factor authentication solution, Microsoft’s Nathan Mercer and Chris Hallum explains.

When Windows 10 first arrived, Windows Hello referred to the factors used to validate user’s identity and supported biometric verification though facial, iris, and fingerprint recognition. Microsoft Passport, however, referred to the credential people would use for authentication once verification through two or more factors had occurred, and this function will be part of Windows Hello as soon as Windows 10 Anniversary Update arrives.

According to Microsoft, this change will simplify things for its customers, given that they will be able to use Windows Hello for all of their authentication needs. Customers won’t be impacted by the change, as there will be no material modifications from a configuration or security perspective. What users will benefit from, however, would be the option to secure the Windows Hello credential from theft and tampering using the device’s hardware based Trusted Platform Module (TPM) or software based encryption, on devices that lack a TPM.

According to Microsoft, the Windows 10 Anniversary Update will bring a more flexible Windows Hello architecture that now includes support for devices, PINs, and biometrics as factor options, and which should make it easy to add support for new factor types. Starting with the upcoming update, users will be able to enroll devices such as wearables and phones to remotely access their PC and authenticate to resources.

A new Windows Hello Companion Device framework allows for external devices to be used as one or more of the factors for the authentication platform, Hallum says. The framework will also allow manufacturers to come up with two types of companion devices that can be used in multiple scenarios, including:

- Users who want to use a device infrequently, or just a single time (e.g. kiosk), want to avoid enrolling their identity on each device (e.g.: Retail, Healthcare, Consumers)

- Some organizations are bound by regulations that require the user’s credentials must be physically separate from the device they are signing into (e.g.: Public Sector, Defense)

- Some organizations want their users to be able to access a device based on the possession of another device, like an access card. They want to be able to just tap to sign without entering in a PIN or using biometrics (e.g.: Manufacturing)

- Some users want to be able to access a PC using a device like a wearable. They want to be able to access their devices simply by being near them (e.g.: Consumers)

The first type of devices is paired with a PC already enrolled with Windows Hello, meaning that the user credentials aren’t stored on the companion device. To sign-in, users simply need to have the companion device in the proximity of the PC, but can also use an additional factor that is verified on the companion device itself. These devices would be low cost, and the option would offer increased security, courtesy of one or more external factors.

The second type of devices, Hallum says, would offer advanced security and would be used by organizations that are heavily regulated. The companion device would include all of the factors for user verification, while also storing user’s credential on it, providing increased mobility, because it allows the user to access devices without having to enroll their identity on each and every device.

Related: Windows 10 Devices to Allow Sign in With Face, Iris

Related: Defense Agencies to Upgrade 4 Million Devices to Windows 10

view counter