Mar 08 / 2017
Windows Hello: Waving at the Future of Identity and Access Management
email@example.com (Nathan Stilwell, Senior Consultant)
For most of computing history, the username and password have served as the defacto standard for user authentication. Yet, security experts have long-warned that passwords present a number of problems.
As cracking techniques have improved, longer and better passwords have been required. Good passwords are hard to remember and users will write them down and reuse them. Your data is as secure as the yellow sticky note under your keyboard. Savvy users will bring a password manager with them, but many users are, let us gently suggest, not very savvy. Your users shouldn't have to be! The future of Identity and Access management is not the password. Let us look to this future through the lens of Microsoft’s Windows Hello.
No More Passwords
Passwords are a liability, perhaps even an issue of national security.
The good news is this: Several key players, including Google and multiple financial institutions, are making inroads for employees and customers to move away from passwords entirely. Services such as LastPass and Twilio's Authy offer one-time passwords via SMS, email or push notifications. There is also the relatively new realm of biometrics – the best example made ubiquitous through the fingerprint sensors on Android and iOS devices.
Microsoft's entry into the biometric realm is Windows Hello. Windows Hello can be used to authenticate against any Windows or Active Directory account, either on-premise or through Azure.
For businesses or consumers with stronger IAM security needs, Windows Hello can become part of a "Two-Factor Authentication (2FA) strategy." Traditional passwords are made more robust when combined with another form of authentication, such as a biometric scanner. Microsoft Passport provides an out-of-the box method by combining Windows Hello with a device-specific PIN code.
“That's great,” you may be thinking, “but what does it mean for me and my company today?” Windows Hello, and a growing list of supported hardware, offer a low-cost solution that can fit your ecosystem. Here are some options to consider.
- Fingerprint Scanners
For laptops and desktops, fingerprint scanners with simple USB connections have reached commodity-level pricing (< $100). In the mobile world, the options are decidedly more limited; while fingerprint scanners have become almost ubiquitous, and Microsoft has promised to support IOS and Android in the past, Windows 10 Phone remains your only option. Fingerprint scanners can be fooled, so care must be taken to weigh risks versus rewards. The safe bet is to use them only as part of a two-factor configuration.
- Facial Recognition
Early facial recognition was easy to spoof with a simple photograph, so Microsoft has been careful to only support cameras with the ability to see into the infrared – similar to the technology in their own Xbox Kinect. Costs are more significant than fingerprint scanners; facial recognition with Windows Hello requires either a supported laptop (available from Dell, HP and others, along with Microsoft's own Surface), or a special webcam, such as the new Logitech Brio.
- Hardware Keys
Devices such as YubiKey's range of USB and NFC authentication keys are readily available to support 2FA with Windows Hello.
- The Eyes (Don't) Have It
What about retina or iris scanning? The only device-level implementation of iris scanning is on the Nokia Lumia 950 series (circa 2015), and it remains to be seenwhat biometric option will be used on the forthcoming Surface Phone. As with mobile fingerprint scanners, your options are limited.