Hello! Soon you’ll be introducing yourself to your personal computer every time you switch it on, assuming Microsoft has its way. The company will be introducing a new authentication system with Windows 10 July 29. It’s dubbed Windows Hello.
Supporting face, iris and fingerprint recognition, the software will depend on specialized hardware to determine if the person in front of the PC is really the owner. This all sounds very exciting, but has Microsoft cracked it? Will Windows Hello mean no more passwords?
For face and iris recognition, Microsoft is requiring specialized infrared cameras, which will allow the software to work accurately in low light conditions. This will also help work out whether the person in front of the camera is really a person or just a picture of that person being used by somebody else in an attempt to gain access.
Fingerprint scanning will be familiar to some users. High-end laptops have come with scanners for some years now, and Microsoft is promising that existing scanners should work with the new system.
Not Just For Logging In
Microsoft is taking a big risk with Hello. The software will authenticate the user not only when logging in for the first time but also for enterprise tasks, other applications and even some online services.
These apps and services can use a system Microsoft has code-named Passport to authenticate a user and get them started. The end goal of Passport is to replace the password, and the company has joined with the FIDO (Fast IDentity Online) Alliance to do so. The alliance is working to establish a set of universal authentication criteria that will decrease password use.
“You may have seen recent press coverage about a single group collecting 1.2 billion usernames and passwords from websites they hacked,” Microsoft’s Joe Belfiore said in a blog post. “This creates lousy odds in the hacker roulette for all of us -- there are only about 2 billion people online today!”
By replacing passwords with Windows Hello, Microsoft is hoping to enhance security for the millions of users it wants to get using Windows 10. Those without fancy new hardware can still use Passport, however.
Microsoft is also letting users authenticate with a personal identification number, which seems to defeat the purpose of not having a password. However, the authentication system will still work locally to tell an app whether to let you log in, which will help avoid any password interception by hackers.
Microsoft is letting any computers equipped with an Intel RealSense 3D camera to log in using Hello. These come built-in on a range of laptops and all-in-one devices, but is also available as a stand-alone webcam device for developers.
The Intel device retails for $99, which gives a sense of the sort of premium consumers can expect to pay for an external device. For that, you get a 1080p camera which can “see” in 3D between 0.2 and 1.2 meters away.
Microsoft won’t be letting any old webcam unlock your computer. This is going to require cutting-edge tech. And for good reason, as with such a high-profile launch the company cannot risk any sudden reports of hackers holding up selfies to gain access to accounts.
Death Of The Password?
It all sounds very exciting, but is biometric authentication really about to kill off the sticky notes of passwords adorning the world’s computers? Chester Wisniewski, senior security adviser at Sophos, indicated he believes there are some major issues that need to be addressed first. “Whether it is a fingerprint or an iris scan, what happens to the data to make it a suitable replacement? What happens when the information is lost? It can’t be changed like a password,” he said.
Wisniewski also pointed out the use of the same authentication method everywhere could present a security risk, as users cannot make it unique on every site as they can with a password. “Biometrics don’t really solve many problems, they just create new ones,” he said.
“They are a nice benefit for local authentication like on your iPhone or perhaps to your new Windows 10 laptop/tablet/phone where you are the only person needing access and you don’t need to share your biometric information with a third party. To replace passwords? I don’t think so. Nothing is solved that easily. Passwords are here to stay for now.”