Microsoft hammered another nail in the password’s coffin by winning a certification for Windows Hello that will make it easier for people to log into Windows machines.
Windows Hello is the authentication system in Windows 10, and Microsoft introduced it to wean us off password-based access. It enables machines with the right hardware reader or camera to scan your fingerprint or face to access Windows 10 and your Microsoft account. You can also use it to access third-party services.
This month, the company earned FIDO2 certification for Windows Hello. By becoming a FIDO2 certified authenticator, Microsoft has just enabled 800million Windows 10 users to use a hardware security key with Windows Hello’s password-free system.
FIDO aims to make logins easier and more secure
To understand why this is important, we need to dig into FIDO, which stands for Fast IDentity Online. The FIDO Alliance is an industry group backed by large tech players that aims to make logins easier and more secure.
Since the FIDO Alliance started in 2013, it has released three specifications. The first, announced in 2014, was the Universal Authentication Framework (UAF). That standard focused on using biometrics like your fingerprint for password-free authentication.
The second standard was Universal Second Factor (U2F). This let people authenticate themselves using hardware devices like USB keys that you could plug into your computer, or near-field communication (NFC) devices that you could tap on a hardware-based reader. Google and Yubico developed this technology for two-factor authentication, meaning you’d use it as an extra layer of protection on top of your regular password.
Ideally, though, we’d like to do away with passwords altogether. That’s where FIDO2 comes in. It uses a protocol called Web Authentication (WebAuthn), which takes the digital key stored on your USB or other hardware key and delivers it directly to the web application you want to access.
What this means for you is that if you have a hardware key, a browser, and a web application all supporting FIDO2, you’ll be able to log into your web applications without trying to remember your pesky passwords.
Microsoft initially announced support for FIDO2 in November 2018. Then, you could use your hardware key with the Edge browser to log into your Microsoft account on the web. Windows Hello already allowed you to use your face or fingerprint (with a suitably equipped device) to log into your computer and Microsoft account.
Hello password-less web
This month’s announcement now means you can log into your Windows 10 machine and Microsoft account using your hardware key and Windows Hello. That will please Windows Hello users that don’t have a camera for facial recognition or fingerprint reader for scanning. Not all Windows 10 users are Windows Hello users, but this development makes it easier for more Microsoft users to adopt the system and move away from password-based access altogether.
It also adds more support for a standard that will help us move away from the password altogether. WebAuthn is an official standard after the W3C ratified it in March 2019, so the consensus for FIDO2 is strong. FIDO2 is also backward-compatible with UAF and U2F, meaning that people who’ve already invested in those systems don’t lose out.
Not all web applications support FIDO2, but things look promising because developers can turn on support using a simple JavaScript API call.
Firefox users win too
The company also announced today it would let Firefox users log into their Microsoft accounts using FIDO2, with Chrome support to follow soon. So if you’re not an Edge fan, you can still access your Microsoft goodies that way.
There are risks with FIDO2. You could lose your hardware key, and if someone steals it, they can theoretically log in as you. I say ‘theoretically’ because are mitigating steps you can take to avoid this, such as making a backup key and using a hardware key with built-in fingerprint recognition. It’s certainly more secure than relying entirely on a password that someone halfway across the world can steal, and it‘s more convenient to use.
Does this mean the end of the password as we know it? No. This probably won’t happen for years, given the inertia inherent in thousands of online applications and services. But support from Microsoft, with its massive user base, is a step in the right direction.
Simon McAllister
“Ideally, though, we’d like to do away with passwords altogether”
Why? And who? ‘We’ as in Microsoft?
Isn’t it better to ‘add’ this layer to our security model that continues to ‘include’ passwords? If someone steals my password, but don’t have my USB key… or vice versa.
Isn’t password-less security is an improvement of convenience – not security?
Mat Hanson
2FA is always going to be more secure than 1FA (generally speaking), but most people are still using 1FA and that factor being a password. Getting everybody to use 2FA would ultimately be the best solution regardless of the authentication methods, but that is a tall ask of the general population. Simply put, the password is one of the least secure methods of authentication, and if people are only going to use 1FA, it would be more secure to use something that “they have” or that “they are”. Obviously there are security implications to either of those solutions as well, but ultimately they are better solutions. Even with 2FA, I would rather one of those factors wasn’t a password.
We have been using passwords since the 60s, it’s time to move on.
Max
“Simply put, the password is one of the least secure methods of authentication” Not really though, at least not inherently. The insecurity comes with human tendencies. Avoiding inconveniences, reusing passwords that already are likely too weak to begin with, or is written down somewhere it shouldn’t be. Arguibly a cryptographically strong password for a single use that isn’t written down anywhere is harder to overcome than a physical token, or even some biometrics.
Mark Stockley
The thing is, you can’t take humans out of the equation. There is no point in a password unless it’s supposed to be used by a person, and people have proven, on aggregate, across decades, that they simply can’t or won’t use them well. That’s not a human problem, that’s a design problem.
Passwords only work well in an environment where people are good at understanding what a strong password is, why they need one, are good at generating random strings of characters and good at remembering them. That environment doesn’t exist and never has.
Max
Sure. But I just think calling it “one of the least secure methods of authentication” is not correct. That would apply to door keys or car keys too, if people would just hand them out to strangers. It’s the way people use passwords that is insecure, not passwords itself. And that is an important distinction for at least as long we still do have passwords. Because if people think passwords are just insecure anyway they might bother even less to use them correctly.
Mat
Mark Stockley has pretty much already explained what I meant – of course passwords are not inherently insecure, the way that humans tend to use them is generally speaking, insecure.
Max
The only reason I made my comment is because yours doesn’t read like you meant it that way. And I think it is very important to make that distinction, especially since passwords are bound to be around for a while longer. So to spread the idea that they are insecure anyway makes things only worse.
Thomas
And now Microsoft, along with whatever government entity they might work with, has my fingerprint, my photo ID, and my geo-location updated every time I log in. The only thing missing is the spit analyzer to log in with DNA. And because of some yet unknown weakness, someone will eventually find a way to share all this with all members in the FIDO alliance too: https://fidoalliance.org/members/. I don’t cover my camera lens, but I’ll stick with a password.
YubiKeys also seem dauntingly complex for a small business to implement; have limited website support; and would be difficult to sell usage to C-level execs.
Mat
I can’t speak for all instances of biometric authentication, but every implementation that I have used stores all of this information (securely) on the device. I would be highly surprised to find out that any trusted manufacturer would be sending biometric data off-device. If they were to do this, it instantly makes this method of authentication insecure – of which, I’m sure they spent quite a lot of their budget implementing.
Don’t get me wrong though, you’re right to be suspicious and paranoid about this data, but make sure that you’re not preventing advancement due to misinformation.
Mark Stockley
FIDO2 keeps the sensitive data on the device in your possession. The biometrics just give the device permission to access your private keys, which are then used to do some cryptographic work. The non-secret output of that cryptographic work is then shared with the system you’re authenticating to.
FIDO2 doesn’t send any secrets – biometrics, passwords, cryptographic keys etc – and that’s one of the things that makes it so good. You don’t have to trust the system you’re logging into to store your secrets securely because you don’t give it any.
Mat
Ahhh that makes sense, and makes it a great option. Thanks for the info! I should really do some more reading on FIDO2 by the looks of things.
Mark Stockley
No problem. If you want to do a bit more reading, you could start here with my article “The passwordless web explained” :)
https://nakedsecurity.sophos.com/2018/11/22/the-passwordless-web-explained/
Thomas
…And, just 5 days after my post, certain FIDO keys are found to have a security issue – https://nakedsecurity.sophos.com/2019/05/17/google-recalls-titan-bluetooth-keys-after-finding-security-flaw/. So the FIDO alliance doesn’t get your data, but your neighbor could (far-fetched, but possible).
John
Going passwordless seems to assume that it each device is dedicated to a single user and that one user will be the only one ever to use it. There is also a severe risk of creating a barrier to entry for users trying to use digital by default services. As has already been pointed out, it goes some way to greating a de-facto digital ID without the necessary legal controls. Finally it is not clear how device owners will recover from hacks, electronic and mechanical failure and life changes (Oh dear I have just been in a car crash so now I have lost all my data!).
So work on social acceptability and understanding perhaps?
roleary
Where is the user’s consent in this new process? It sounds like as long as the device can see them any malefactor can probe it freely.