
SecurityWeek

Identity & Access

Microsoft Expands Multi-Factor Authentication Solution

Microsoft this week announced a series of changes to the security capabilities of Windows 10, including expanded capabilities for Windows Hello, the end-to-end multi-factor authentication solution that eliminates passwords when connecting to various services.

Together with Microsoft Passport, Windows Hello was meant to offer a password-less experience when accessing Active Directory/Azure Active Directory based business networks or various Internet-facing, business-related services. The two technologies are also available when accessing the Windows Store, Outlook.com, OneDrive and Office 365, but the Windows 10 Anniversary Update, set to arrive in early August, will bring some changes to that.

First of all, Microsoft has joined the FIDO (Fast IDentity Online) Alliance to build a solution based on industry standards that will work cross-platform and within heterogeneous environments.

Secondly, Microsoft Passport will be retired as a brand and all of the authentication capabilities that it offers will be passed on to Windows Hello, which will be Microsoft’s FIDO 2.0 aligned end-to-end multi-factor authentication solution, Microsoft’s Nathan Mercer and Chris Hallum explain.

When Windows 10 first arrived, Windows Hello referred to the factors used to validate a user’s identity and supported biometric verification through facial, iris, and fingerprint recognition. Microsoft Passport, however, referred to the credential people would use for authentication once verification through two or more factors had occurred, and this function will be part of Windows Hello as soon as the Windows 10 Anniversary Update arrives.

According to Microsoft, this change will simplify things for its customers, given that they will be able to use Windows Hello for all of their authentication needs. Customers won’t be impacted by the change, as there will be no material modifications from a configuration or security perspective. What users will benefit from, however, is the option to secure the Windows Hello credential from theft and tampering using the device’s hardware-based Trusted Platform Module (TPM) or, on devices that lack a TPM, software-based encryption.

According to Microsoft, the Windows 10 Anniversary Update will bring a more flexible Windows Hello architecture that now includes support for devices, PINs, and biometrics as factor options, and which should make it easy to add support for new factor types. Starting with the upcoming update, users will be able to enroll devices such as wearables and phones to remotely access their PC and authenticate to resources.

A new Windows Hello Companion Device framework allows for external devices to be used as one or more of the factors for the authentication platform, Hallum says. The framework will also allow manufacturers to come up with two types of companion devices that can be used in multiple scenarios, including:


– Users who want to use a device infrequently, or just a single time (e.g. kiosk), want to avoid enrolling their identity on each device (e.g.: Retail, Healthcare, Consumers)

– Some organizations are bound by regulations that require the user’s credentials must be physically separate from the device they are signing into (e.g.: Public Sector, Defense)

– Some organizations want their users to be able to access a device based on the possession of another device, like an access card. They want to be able to just tap to sign in without entering a PIN or using biometrics (e.g.: Manufacturing)

– Some users want to be able to access a PC using a device like a wearable. They want to be able to access their devices simply by being near them (e.g.: Consumers)

The first type of device is paired with a PC already enrolled with Windows Hello, meaning that the user credentials aren’t stored on the companion device. To sign in, users simply need to have the companion device in proximity to the PC, but can also use an additional factor that is verified on the companion device itself. These devices would be low cost, and the option would offer increased security, courtesy of one or more external factors.

The second type of device, Hallum says, would offer advanced security and would be used by organizations that are heavily regulated. The companion device would include all of the factors for user verification, while also storing the user’s credential on it, providing increased mobility, because it allows the user to access devices without having to enroll their identity on each and every device.

Related: Windows 10 Devices to Allow Sign in With Face, Iris

Related: Defense Agencies to Upgrade 4 Million Devices to Windows 10
