Microsoft hammered another nail in the password’s coffin by winning a certification for Windows Hello that will make it easier for people to log into Windows machines.
Windows Hello is the authentication system in Windows 10, and Microsoft introduced it to wean us off password-based access. It enables machines with the right hardware reader or camera to scan your fingerprint or face to access Windows 10 and your Microsoft account. You can also use it to access third-party services.
This month, the company earned FIDO2 certification for Windows Hello. By becoming a FIDO2 certified authenticator, Microsoft has just enabled 800million Windows 10 users to use a hardware security key with Windows Hello’s password-free system.
FIDO aims to make logins easier and more secure
To understand why this is important, we need to dig into FIDO, which stands for Fast IDentity Online. The FIDO Alliance is an industry group backed by large tech players that aims to make logins easier and more secure.
Since the FIDO Alliance started in 2013, it has released three specifications. The first, announced in 2014, was the Universal Authentication Framework (UAF). That standard focused on using biometrics like your fingerprint for password-free authentication.
The second standard was Universal Second Factor (U2F). This let people authenticate themselves using hardware devices like USB keys that you could plug into your computer, or near-field communication (NFC) devices that you could tap on a hardware-based reader. Google and Yubico developed this technology for two-factor authentication, meaning you’d use it as an extra layer of protection on top of your regular password.
Ideally, though, we’d like to do away with passwords altogether. That’s where FIDO2 comes in. It uses a protocol called Web Authentication (WebAuthn), which takes the digital key stored on your USB or other hardware key and delivers it directly to the web application you want to access.
What this means for you is that if you have a hardware key, a browser, and a web application all supporting FIDO2, you’ll be able to log into your web applications without trying to remember your pesky passwords.
Microsoft initially announced support for FIDO2 in November 2018. Then, you could use your hardware key with the Edge browser to log into your Microsoft account on the web. Windows Hello already allowed you to use your face or fingerprint (with a suitably equipped device) to log into your computer and Microsoft account.
Hello password-less web
This month’s announcement now means you can log into your Windows 10 machine and Microsoft account using your hardware key and Windows Hello. That will please Windows Hello users that don’t have a camera for facial recognition or fingerprint reader for scanning. Not all Windows 10 users are Windows Hello users, but this development makes it easier for more Microsoft users to adopt the system and move away from password-based access altogether.
It also adds more support for a standard that will help us move away from the password altogether. WebAuthn is an official standard after the W3C ratified it in March 2019, so the consensus for FIDO2 is strong. FIDO2 is also backward-compatible with UAF and U2F, meaning that people who’ve already invested in those systems don’t lose out.
Not all web applications support FIDO2, but things look promising because developers can turn on support using a simple JavaScript API call.
Firefox users win too
The company also announced today it would let Firefox users log into their Microsoft accounts using FIDO2, with Chrome support to follow soon. So if you’re not an Edge fan, you can still access your Microsoft goodies that way.
There are risks with FIDO2. You could lose your hardware key, and if someone steals it, they can theoretically log in as you. I say ‘theoretically’ because are mitigating steps you can take to avoid this, such as making a backup key and using a hardware key with built-in fingerprint recognition. It’s certainly more secure than relying entirely on a password that someone halfway across the world can steal, and it‘s more convenient to use.
Does this mean the end of the password as we know it? No. This probably won’t happen for years, given the inertia inherent in thousands of online applications and services. But support from Microsoft, with its massive user base, is a step in the right direction.