
Could Windows 10 and Windows Server vNext End the Reliance on Passwords?

Passwords have long been a security headache for both consumers and enterprises. On one hand, passwords are simple to use and convenient. On the other hand, they are easily compromised by a variety of methods, including weak or missing encryption, keyloggers, Post-it notes stuck to monitors, phishing, and other social engineering techniques. But Windows 10 and Windows Server vNext might be able to change all that.

Microsoft is planning to integrate what it calls next generation credentials in the forthcoming server and client releases of Windows. Combined with other security improvements, next generation credentials will make compromising passwords and security tokens much harder than it is today.

About Microsoft’s next generation credentials

Based on existing technology that’s already part of Windows, next generation credentials promise to make two-factor authentication more accessible to consumers and small businesses. Enterprises often deploy two-factor authentication using smart cards, where users enter a password or PIN along with a smart card that stores a certificate issued by the enterprise using a Public Key Infrastructure (PKI) and Active Directory.

Smart cards work well in the enterprise, but they can be costly to deploy and maintain, and they have never been a realistic option for consumers. The Microsoft Authenticator and Google Authenticator apps, for Windows Phone and Android respectively, go some way towards solving this problem by generating one-time codes that let users enable two-factor authentication for popular online services, but this still requires a degree of understanding and effort to set up.

Since a smartphone is something we always carry, Microsoft is taking the concept of using smartphones as a means of authentication a step further by allowing them to act as virtual smart cards over Wi-Fi or Bluetooth. Currently, exact details of how this will work are scant, but we do know that instead of a password, users will have the option to use a PIN or biometric security in the form of a fingerprint. In addition, the credential can be either a key pair generated by Windows, i.e. no PKI required, or a certificate provisioned from an enterprise PKI.

PINs versus passwords

PINs are more convenient than passwords, but when used alone they are less secure. As part of a two-step verification process, however, they are more secure than passwords, because the PIN only unlocks a credential held on the device and is never sent to the service being signed in to. Because PINs are shorter and numeric, they offer a few practical advantages. Users are more likely to remember and type PINs correctly, because they’re shorter. And while this might not apply to the majority, bilingual users won’t have to check which input language is selected before typing a PIN, although alphanumeric PINs will also be supported. Finally, and not unrelated to the last point, CAPS LOCK related password errors will be a thing of the past if users choose numeric-only PINs.
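To make the two preceding points concrete (a device-generated key pair acting as a virtual smart card with no PKI, and a PIN that only unlocks that key locally), here is an added example that is not from the article and not Microsoft's implementation; it models the flow generically with Ed25519 from Go's standard library. The user name, PIN, lockout threshold of five attempts and the single-use 32-byte challenge are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the user's phone or PC. It holds the private key and uses it
// only after the local PIN check succeeds; the PIN itself never leaves the device.
type Device struct {
	pin        string
	priv       ed25519.PrivateKey
	failures   int
	maxFailure int // constructed lockout threshold
}

// Server models the relying party. After enrolment it stores only the public
// key, so a breach of its database yields nothing reusable as a credential.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enrol generates a device-bound key pair (no PKI involved) and registers the public half.
func Enrol(user, pin string, srv *Server) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.pubKeys[user] = pub
	return &Device{pin: pin, priv: priv, maxFailure: 5}, nil
}

// Challenge issues a fresh random nonce; a signature over an older nonce will not verify.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Sign checks the PIN locally (constant-time, with a lockout counter) and then
// signs the challenge with the device-bound private key.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= d.maxFailure {
		return nil, errors.New("device locked: too many wrong PINs")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the signature against the stored public key and the outstanding
// challenge, which is consumed so it cannot be answered twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	challenge, pendingOK := s.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	srv := NewServer()
	dev, _ := Enrol("alice", "4821", srv) // constructed user and PIN
	c, _ := srv.Challenge("alice")
	sig, err := dev.Sign("4821", c)
	fmt.Println("login ok:", err == nil && srv.Verify("alice", sig))
	// Replaying the earlier signature against a new challenge fails.
	srv.Challenge("alice")
	fmt.Println("replay ok:", srv.Verify("alice", sig))
}
```

Two properties of the design are worth noticing: a guessed or stolen PIN is useless without the device that holds the private key, and a stolen server database exposes only public keys, whereas a breached password database exposes something an attacker can use directly.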

Biometric authentication

Fingerprints are more secure still, but with the exception of the iPhone, fingerprint readers are not ubiquitous. As I’ve written before on the Petri IT Knowledgebase, I believe that’s something that needs to change, and Windows 10 looks like it could be a key driver.

Authentication success or failure?

Microsoft has tried to reduce our reliance on passwords before. Remember the now discontinued Windows CardSpace? It offered InfoCards that could be presented to websites as digital identities to authenticate users and provide other information, except that the only sites to support it were those run by Microsoft.

Active Directory, Azure Active Directory, and Microsoft Accounts will naturally be supported from the get-go, but next generation credentials have also been designed around FIDO (Fast IDentity Online) Alliance standards to integrate easily with other platforms and services, so there’s room to be hopeful that the concept of virtual smart cards supporting Microsoft’s system won’t be limited to Windows Phone or logins using a Microsoft Account. Adherence to FIDO standards may also mean that hardware trust anchors other than Trusted Platform Module (TPM) chips, such as ARM’s TrustZone technology, will be supported.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
