SAN FRANCISCO – Forgotten passwords are the scourge of the Internet.
They create friction for users between intention to complete a task online and attaining it. They are leaked out in mass data breaches of popular websites and services. For years, both web users and creators alike have said “there must be a better way.”
With Windows Hello and Microsoft Passport, Microsoft Corp. says it has found that better way. If it works as Microsoft’s developers promise, users may never have to actually remember whether they used their pet’s first name or the first street they lived on as a password retrieval question. Instead, they’ll just have to be using their own device and inhabiting their own body – and that’s not too much to ask.
Specifically, Microsoft will support fingerprint, face recognition, and iris recognition in order to unlock its devices running Windows 10, explains Anoosh Saboori, senior program manager for the Windows security team at Microsoft.
“It’s a very personal experience; it makes the PC much closer to what users expect,” he says.
Saboori demonstrated the technology during a session at Microsoft’s Build developer conference, on the heels of a slew of platform announcements the Redmond, Wash.-based software firm made in its keynote. His Surface 3 tablet lock screen indicated that it was looking for him in order to unlock. “Looking for you…” text appeared on the screen, and an emoticon eyeball moved to and fro. Saboori revealed his face, and the device was unlocked.
So that’s Windows Hello. How accurate is it at recognizing the device owner? Saboori says the false acceptance rate is just one in 100,000 – that’s the likelihood that someone who is not you could unlock your device with this mechanism. The false rejection rate is a bit higher, between two and four per cent, meaning the device will fail to recognize you and prompt you for a PIN instead.
It’s an experience that Android users might be familiar with right now, unlocking their device with their face. Apple iPhone and iPad users (of the newer models) can use their fingerprint to unlock their device and complete purchases in the app store.
But Microsoft hopes to take it a step further with Microsoft Passport. This service will take what Windows Hello accomplishes so easily and extend it out to third parties. That includes websites that you log into, and apps that require credentials.
Developers who want to use Passport to authenticate a user only have to make a request to the service. Doing this might appeal to many developers, who are unburdened of having to implement their own encryption and secure password storage. Instead, they lean on Microsoft’s solution: the same way an online retailer might use PayPal as its payment processor, Microsoft could act as an identity processor.
For the user, the transaction is secure and privacy is assured. Microsoft never stores a user’s biometric information on the device or on their servers, and never passes identifying information to the third-party apps that use it for authentication.
“It’s actually more secure than a password,” Saboori says. “Knowing the PIN is not enough to access your account. An attacker actually has to have access to your device.”
This is what many services call two-factor authentication, but it’s done in a way that’s seamless for the user. Typical two-factor authentication models in place now require a password to be entered first, then an SMS message sent to a phone number with a secret code, for example.
Passport stores all of a user’s credentials in an encrypted folder that is only unlocked when the user proves their identity. A token is sent to the server to indicate a successful transaction. Since third-party apps don’t have any other insight into this folder, they can’t cross-reference you against other applications to try and glean more information about your identity.
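As an added illustration (not Microsoft’s code, and not how Passport is actually implemented) of the possession-plus-gesture model the article describes: the device key never leaves the device, the PIN or biometric only unlocks it locally, and the server receives nothing but a response to its own challenge, so knowing the PIN without the device gets an attacker nowhere. It assumes a shared HMAC secret in place of a device-bound key pair so that it runs on the Python standard library alone; `Device`, `RelyingParty`, `login` and `scenarios` are names made up for this example.

```python
import hashlib
import hmac
import secrets

class Device:
    # Constructed model of the credential container: a device-bound key that is
    # usable only after a local gesture (a PIN here; a biometric plays the same role).
    def __init__(self, pin: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._pin_check = self._derive(pin)
        self._device_key = secrets.token_bytes(32)  # never leaves the device
    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)
    def registration_key(self) -> bytes:
        return self._device_key  # simplification: shared secret, not a public key
    def respond(self, pin: str, challenge: bytes):
        # Token for the server's challenge, or None if the local gesture check fails.
        if not hmac.compare_digest(self._derive(pin), self._pin_check):
            return None
        return hmac.new(self._device_key, challenge, "sha256").digest()

class RelyingParty:
    # The website or app: one verification key per user, a fresh challenge per
    # login, each challenge consumed once so a captured token cannot be replayed.
    def __init__(self) -> None:
        self._keys, self._pending = {}, {}
    def register(self, user: str, key: bytes) -> None:
        self._keys[user] = key
    def challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]
    def verify(self, user: str, token) -> bool:
        nonce = self._pending.pop(user, None)
        if nonce is None or token is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, "sha256").digest()
        return hmac.compare_digest(expected, token)

def login(rp: RelyingParty, user: str, device: Device, pin: str) -> bool:
    return rp.verify(user, device.respond(pin, rp.challenge(user)))

def scenarios() -> dict:
    # The PIN alone, on a device without alice's key, is not enough to log in.
    rp, owner = RelyingParty(), Device("2468")
    rp.register("alice", owner.registration_key())
    impostor = Device("2468")  # knows the PIN, lacks alice's device key
    return {"owner": login(rp, "alice", owner, "2468"),
            "wrong_pin": login(rp, "alice", owner, "0000"),
            "pin_without_device": login(rp, "alice", impostor, "2468")}
```

Note that the relying party never sees the PIN, the biometric, or the device key itself, which is the property the article attributes to Passport.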