- Jan 24, 2011
- 9,378
The Windows 10 Technical Review is underway, and Microsoft says that multifactor authentication will be one the new system’s security hallmarks.
Windows 10 will incorporate a multi-factor authentication solution built into the operating system and device itself, which eliminates the need for additional hardware security peripherals. Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint.
“With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection and threat resistance,” said Jim Alkove, leader of the Windows enterprise program management team, in a blog. “With this release, we will have nearly everything in place to move the world away from the use of single-factor authentication options, like passwords.”
From a security standpoint, the scheme means that an attacker would need to have a user’s physical device, in addition to the user’s PIN or biometric information.
Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. That will enable them to sign in to all of their PCs, networks and web services as long as their mobile phone is nearby because the phone, using Bluetooth or Wi-Fi communication, will behave like a remote smartcard for two-factor authentication for both local sign-in and remote access.
Alkove explained that the credential itself can be one of two things. It can be a cryptographically generated key pair (private and public keys) generated by Windows itself, or it can be a certificate provisioned to the device from existing PKI infrastructures.
“Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios, where PKI backed identity isn’t practical,” he said. “Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords. This technology is intentionally being designed so that it can be adopted broadly across other platforms, the web and other infrastructures.”
Windows 10 will also have an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the user access tokens that are generated once users have been authenticated from being extracted from devices, even in cases where the Windows kernel itself has been compromised.
“The technique is frequently coupled with advanced persistent threats (APT) and thus it’s a technique that we eagerly want to eliminate from the attacker’s playbook,” Alkove said.
Read more: http://www.infosecurity-magazine.com/news/windows-10-looks-to-eliminate/
Windows 10 will incorporate a multi-factor authentication solution built into the operating system and device itself, which eliminates the need for additional hardware security peripherals. Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint.
“With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection and threat resistance,” said Jim Alkove, leader of the Windows enterprise program management team, in a blog. “With this release, we will have nearly everything in place to move the world away from the use of single-factor authentication options, like passwords.”
From a security standpoint, the scheme means that an attacker would need to have a user’s physical device, in addition to the user’s PIN or biometric information.
Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. That will enable them to sign in to all of their PCs, networks and web services as long as their mobile phone is nearby because the phone, using Bluetooth or Wi-Fi communication, will behave like a remote smartcard for two-factor authentication for both local sign-in and remote access.
Alkove explained that the credential itself can be one of two things. It can be a cryptographically generated key pair (private and public keys) generated by Windows itself, or it can be a certificate provisioned to the device from existing PKI infrastructures.
“Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios, where PKI backed identity isn’t practical,” he said. “Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords. This technology is intentionally being designed so that it can be adopted broadly across other platforms, the web and other infrastructures.”
Windows 10 will also have an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the user access tokens that are generated once users have been authenticated from being extracted from devices, even in cases where the Windows kernel itself has been compromised.
“The technique is frequently coupled with advanced persistent threats (APT) and thus it’s a technique that we eagerly want to eliminate from the attacker’s playbook,” Alkove said.
Read more: http://www.infosecurity-magazine.com/news/windows-10-looks-to-eliminate/
