Could Windows 10 and Windows Server vNext End the Reliance on Passwords?

Passwords have long been a security headache for both consumers and enterprises. On one hand, passwords are simple to use and convenient. On the other hand, they are also easily compromised using a variety of methods, including no or weak encryption, keyloggers, Post-it notes stuck to monitors, phishing and other social engineering techniques. But Windows 10 and Windows Server vNext might be able to change all that.

Microsoft is planning to integrate what it calls next generation credentials in the forthcoming server and client releases of Windows. Combined with other security improvements, next generation credentials will make compromising passwords and security tokens much harder than it is today.

About Microsoft’s next generation credentials

Based on technology that is already part of Windows, next generation credentials promise to make two-factor authentication more accessible to consumers and small businesses. Enterprises often deploy two-factor authentication using smart cards: users enter a password or PIN along with a smart card that stores a certificate issued by the enterprise's Public Key Infrastructure (PKI) and Active Directory.

Smart cards work well in the enterprise, but they can be costly to deploy and maintain, and they have never been a realistic option for consumers. The Microsoft Authenticator and Google Authenticator apps, for Windows Phone and Android respectively, go some way towards solving this problem by generating codes that let users enable two-factor authentication for popular online services, but this still requires a degree of understanding and effort to set up.

Because smartphones are something we always carry, Microsoft is taking the concept of using them as a means of authentication a step further by allowing them to act as virtual smart cards over Wi-Fi or Bluetooth. Exact details of how this will work are currently scant, but we do know that instead of a password, users will have the option to use a PIN or biometric security in the form of a fingerprint. We also know that the credential can be either a key pair generated by Windows, i.e. no PKI required, or a certificate provisioned from an enterprise PKI.

PINs versus passwords

PINs are more convenient than passwords, but when used alone they are less secure. As part of a two-step verification process, however, they are more secure than passwords. Because PINs are shorter and numerical, they offer a few advantages. Users are more likely to remember and type PINs correctly, precisely because they are shorter. And while this might not apply to the majority, bilingual users won't have to check which input language is selected before typing a PIN, although alphanumeric PINs will be supported. Finally, and not unrelated to the last point, CAPS LOCK related password errors will be a thing of the past if users choose numeric-only PINs.
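The two ideas above, a key pair generated on the device with no PKI, and a PIN that is weak on its own but strong when it only unlocks that device-bound key, can be shown together in a FIDO-style challenge-response login. This is an added example, not code from the article or from Microsoft; the `Device` and `Service` types, the user name, and the use of a plain SHA-256 hash to stand in for the device's PIN check are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Device stands in for the phone or PC that generated a key pair locally. The
// private key never leaves it; a PIN check (SHA-256 here, a simplification) gates every use.
type Device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// Service stands in for the relying party: public keys only, keyed by user name.
type Service map[string]ed25519.PublicKey

// NewDevice generates the key pair on the device itself: no PKI is involved.
func NewDevice(pin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// Sign signs the challenge only when the PIN is right; a phished PIN is useless without the device.
func (d *Device) Sign(pin string, challenge []byte) (sig []byte, ok bool) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(d.priv, challenge), true
}

// Challenge issues a fresh random nonce per login so a captured signature cannot be replayed.
func (s Service) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the login only if the signature matches the registered key.
func (s Service) Verify(user string, challenge, sig []byte) bool {
	pub, found := s[user]
	return found && ed25519.Verify(pub, challenge, sig)
}
```

A breach of the service's database exposes only public keys, and a recorded signature fails against the next challenge, which is the difference from a stored password or password hash.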

Biometric authentication

Fingerprints are more secure still, but with the exception of the iPhone, fingerprint readers are not ubiquitous. As I've written before on the Petri IT Knowledgebase, I believe that's something that needs to change, and Windows 10 looks like it could be a key driver.

Authentication success or failure?

Microsoft has tried to reduce our reliance on passwords before. Remember the now discontinued Windows CardSpace? It offered InfoCards that could be presented to websites as digital identities to authenticate users and provide other information, except that the only sites to support it were those run by Microsoft.

Active Directory, Azure Active Directory, and Microsoft Accounts will naturally be supported from the get-go, but next generation credentials have also been designed on FIDO (Fast IDentity Online) Alliance standards so that they integrate easily with other platforms and services. There is therefore room to be hopeful that the concept of virtual smart cards supporting Microsoft's system won't be limited to Windows Phone or to logins using a Microsoft Account. Adherence to FIDO standards may also mean that trusted execution environments other than Trusted Platform Module (TPM) chips, such as ARM's TrustZone technology, will be supported.