At Build, Microsoft announced that “Windows Hello,” its biometric authentication mechanism for Windows 10, will now work with websites, as well. The company’s Edge browser will be the first to support this new standard for biometric web logins, but others should soon follow.
About a year ago, Microsoft announced its “Windows Hello” protocol for biometric authentication, which supports fingerprint, face and iris recognition. Microsoft claimed “enterprise-grade security” for these options, including a False Acceptance Rate (FAR) of 1/100,000 (for Android Marshmallow it’s only 1/50,000) and a False Rejection Rate (FRR) of 2-4 percent (10 percent for Android M). Liveness measures for face recognition were included as well to ensure the authentication can’t be spoofed with a photo or a device.
When Microsoft announced Hello last year, it was meant to be the biometric login mechanism only for the device itself, in the same way fingerprints, PINs, or passphrases are already used to unlock the latest iPhones and Android phones. However, Microsoft also created another login mechanism for native apps (and services at a later date) that could utilize the Hello biometrics to create a public key, which would then be recognized by apps and websites that use the Hello APIs. The websites or apps would never be able to see your fingerprint or iris patterns.
This protocol was called Passport then, but it appears that Microsoft may be unifying the two under the “Hello” name to avoid user confusion. Microsoft also said that Passport would be standardized under the FIDO 2.0 specification (likely to be finished later this year), so other browsers can use the same authentication mechanism as well.
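The public-key login described above, where the site keeps only a public key and never sees biometric data, can be modeled as a challenge-response exchange. This is an added example for Node.js, not Microsoft's code and not the Windows Hello or FIDO 2.0 API; the function names, the origin-plus-challenge message format, and the sample user and origins are assumptions made for illustration.

```javascript
const nodeCrypto = require("crypto");

// Device side: the private key never leaves this object. On a real device a
// biometric gesture unlocks it; that step is outside this model (assumption).
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // Sign the site origin together with the server's one-time challenge.
    sign: (origin, challenge) =>
      nodeCrypto.sign("sha256", Buffer.from(`${origin}|${challenge}`), privateKey),
  };
}

// Site side: stores a public key per user and one outstanding challenge.
function createSite(origin) {
  const keys = new Map();
  const pending = new Map();
  return {
    register: (user, publicKeyPem) => keys.set(user, publicKeyPem),
    issueChallenge(user) {
      const challenge = nodeCrypto.randomBytes(32).toString("base64");
      pending.set(user, challenge);
      return challenge;
    },
    verify(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // each challenge is accepted at most once
      const pem = keys.get(user);
      if (!challenge || !pem) return false;
      return nodeCrypto.verify("sha256", Buffer.from(`${origin}|${challenge}`), pem, signature);
    },
  };
}

// Constructed scenario: one valid login, then three attempts that must fail.
function demo() {
  const origin = "https://site.example"; // hypothetical origin
  const site = createSite(origin);
  const device = createAuthenticator();
  site.register("alice", device.publicKeyPem);
  const sig = device.sign(origin, site.issueChallenge("alice"));
  const ok = site.verify("alice", sig);
  const replay = site.verify("alice", sig); // challenge already consumed
  site.issueChallenge("alice");
  const stale = site.verify("alice", sig); // old signature, fresh challenge
  const wrongOrigin = site.verify("alice",
    device.sign("https://other.example", site.issueChallenge("alice")));
  return { ok, replay, stale, wrongOrigin };
}
```

A breach of the site's stored data in this model exposes only public keys, which cannot be used to log in.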
The FIDO working group fleshing out the latest version of the protocol is co-chaired by Microsoft, Google, and Nok Nok Labs (a security company specializing in multi-factor authentication).
If Microsoft hadn’t agreed to standardize the protocol, developers might at some point have had to choose between the biometric login methods of Microsoft, Google, or Apple, and perhaps other companies’ as well. Facing that choice, web developers might simply have stuck with usernames and passwords and rejected biometric authentication for their websites.
If all companies agree to a standard, then this will avoid fragmentation in biometric protocols and will also accelerate adoption by web developers. Apple is not yet part of the FIDO Alliance, so we may still see at least two biometric standards for web services (if Apple ever decides to support Touch ID for websites, too).
The new Windows Hello APIs will be included in the Windows 10 Anniversary Update, which will arrive this summer for free to all Windows 10 users.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.