Malware developers and cybercriminals are constantly adapting and evolving new techniques, so it makes sense that any new software, particularly any new version of the Windows operating system, must also adapt and evolve to stay secure. Windows 10 includes a number of new and enhanced security features designed to protect you and your data.
I wrote this story for Windows Secrets (subscription required) diving down into the details of some of the top Windows 10 security features:
Given the increasingly sophisticated nature of malware, it’s no surprise that Microsoft built new security capabilities in Windows 10.
The company also enhanced its built-in encryption tool, BitLocker, to make it easier to protect your data.
Moving authentication beyond the password
Here are three new features that make signing in to PCs and sites easier and more secure. Most of these new capabilities, however, require additional hardware or newer security features such as built-in Trusted Platform Module (TPM) chips.
Windows Hello: Have you seen those Win10 TV commercials showing cute babies around the world? The narrative suggests that today’s small children will grow up in a world without passwords — a world where they can sign in to their devices with nothing but a smile.
The death of passwords and the promise of biometric authentication have been heralded for years now. We’re not there yet, but Windows Hello is a step in the right direction.
Windows Hello is the biometric-authentication component in Win10. With the right hardware, you can use facial recognition, fingerprints, or iris scanning as your security credentials. As you’d expect, Hello can’t be fooled with a simple photo of your face. In fact, based on tests described in a TECH2 article, the facial-recognition technology is so accurate it can differentiate between identical twins.
The major catch with Windows Hello is, of course, the added hardware needed to make it work. Microsoft’s description of Hello includes this footnote: “Windows Hello requires specialized hardware, including fingerprint reader, illuminated IR iris sensor, or other biometric sensors.” And you can’t use a simple USB cam for facial recognition — the system currently requires specialized cameras such as the Intel RealSense 3D. The new Microsoft Surface Book and Surface Pro 4 both include cameras capable of using Win10’s facial recognition feature. And according to the Intel RealSense site, selected laptops from ASUS, Dell, Lenovo, and others already have the camera built in.
Iris scanners are rather rare on PCs, but fingerprint readers are fairly easy to find on portables or easy to add to a desktop system.
If you have a device installed that supports Windows Hello, it’s enabled by clicking Start/Settings/Accounts/Sign-in options. (The Hello setup option won’t appear if your system doesn’t have a compatible recognition device.) According to the official Hello FAQ, the biometric data used to identify you is kept only on the local device.
Passport: This option takes password elimination to another level. You start by enrolling a device with Passport using a PIN or Windows Hello; the system then authenticates you via an MS account, Active Directory account, Azure Active Directory account, or a non-Microsoft service that supports FIDO (Fast ID Online) authentication.
After you’ve been verified by Passport, you can connect to protected accounts and services without needing to enter individual passwords.
Microsoft Passport provides stronger security because it uses two-key, two-factor identification in place of passwords. (Device enrollment is one factor; a PIN or Windows Hello is the other.) That helps protect your identity and credentials from phishing, brute-force attacks, and keystroke logging. It also prevents replay attacks, even if a key is intercepted or compromised.
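Key-pair sign-in of the kind described above resists replay when the service issues a fresh challenge for every attempt and accepts each one only once. The Go code below is an added example, not code from the article or from Microsoft: the names `Service`, `Enroll`, `Challenge` and `Verify` and the choice of Ed25519 are assumptions, and the PIN or Windows Hello step that unlocks the private key on the device is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Service (hypothetical relying party) stores only the public key and its open challenges.
type Service struct {
	pub  ed25519.PublicKey
	open map[string]bool
}

// Enroll creates the key pair on the device and registers the public half.
// The returned signer closes over the private key, which never leaves it.
func Enroll() (func([]byte) []byte, *Service) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sign := func(nonce []byte) []byte { return ed25519.Sign(priv, nonce) }
	return sign, &Service{pub: pub, open: map[string]bool{}}
}

// Challenge issues a fresh random nonce for one sign-in attempt.
func (s *Service) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.open[string(n)] = true
	return n
}

// Verify accepts a response only for a challenge that is still open, and
// closes it on first use, so a captured (nonce, signature) pair is worthless.
func (s *Service) Verify(nonce, sig []byte) bool {
	ok := s.open[string(nonce)]
	delete(s.open, string(nonce))
	return ok && ed25519.Verify(s.pub, nonce, sig)
}

func main() {
	sign, svc := Enroll()
	n := svc.Challenge()
	sig := sign(n) // on a real device, gated by the PIN or Windows Hello
	fmt.Println("first use:", svc.Verify(n, sig), "replay:", svc.Verify(n, sig))
}
```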
If you have (or get) a subscription, you can read the complete story in this week’s Windows Secrets newsletter: A review of Win10’s new security features.
Windows Hello would bring down security unless used wisely.
Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at
http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802