Microsoft's Edge Browser To Support 'Hello' Biometric Authentication For Websites

At Build, Microsoft announced that “Windows Hello,” its biometric authentication mechanism for Windows 10, will now work with websites, as well. The company’s Edge browser will be the first to support this new standard for biometric web logins, but others should soon follow.

About a year ago, Microsoft announced its “Windows Hello” protocol for biometric authentication, which supports fingerprint, face and iris recognition. Microsoft claimed “enterprise-grade security” for these options, including a False Acceptance Rate (FAR) of 1/100,000 (for Android Marshmallow it’s only 1/50,000), a False Rejection Rate (FRR) of 2-4 percent (10 percent for Android M). Liveness measures for face recognition were included as well to ensure the authentication can’t be spoofed with a photo or a device.

When Microsoft announced Hello last year, it was meant to be the biometric login mechanism only for the device itself, in the same way fingerprints, PINs, or passphrases are already used to unlock the latest iPhones and Android phones. However, Microsoft also created another login mechanism for native apps (and services at a later date) that could utilize the Hello biometrics to create a public key, which would then be recognized by apps and websites that use the Hello APIs. The websites or apps would never be able to see your fingerprint or iris patterns.

This protocol was called Passport then, but it appears that Microsoft may be unifying the two under the “Hello” name to avoid user confusion. Microsoft also said that Passport would be standardized under the FIDO 2.0 specification (likely to be finished later this year), so other browsers can use the same authentication mechanism as well.

The FIDO working group dealing with fleshing out the latest version of the protocol is co-chaired by Microsoft, Google, and Nok Nok Labs (a security company specializing in multi-factor authentication).

If Microsoft wouldn’t have agreed to standardize the protocol, then sometime in the future, developers may have had to choose between the biometric login methods of Microsoft, Google, or Apple, and perhaps other companies’ as well. Facing that choice, web developers may also simply stick to usernames and passwords and reject biometric authentication for their websites.

If all companies agree to a standard, then this will avoid fragmentation in biometric protocols and will also accelerate adoption by web developers. Apple is not yet part of the FIDO Alliance, so we may still see at least two biometric standards for web services (if Apple ever decides to support Touch ID for websites, too).

The new Windows Hello APIs will be included in the Windows 10 Anniversary Update, which will arrive this summer for free to all Windows 10 users.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • canadianvice
    I will literally sell my soul for this tech. I really, really, really hope that Chrome gets the API or whatever implemented; then it's just a matter of a finger scanner.
  • DeadlyDays
    IDK if I am just ignorant, but something seems inherently insecure about passing biometric data from a windows OS to a windows web browser......
  • viewtyjoe
    IDK if I am just ignorant, but something seems inherently insecure about passing biometric data from a windows OS to a windows web browser......

    It's okay, Google or Apple will just as gladly take your biometric information and store it in some data warehouse somewhere.
  • 17742667 said:
    IDK if I am just ignorant, but something seems inherently insecure about passing biometric data from a windows OS to a windows web browser......

    Pretty sure that's not how it'll work.

    The app (in this case Edge) will just ask the OS to identify the user. The OS may then ask for the user's password, PIN, or biometric data. Once the user has been verified, the OS will notify the app that the user has been verified.

    Chrome does something similar.
    Whenever you want to see your currently saved passwords, it asks Windows to authenticate the user. You'll have to provide your Windows user password, not your Google account one. Windows won't tell Chrome what the password is, only that the person sitting in front of the PC is indeed the current user, and not someone else who just wants to take a picture of all your web credentials.
  • SillieAbbe
    It is now getting known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication. Are you aware of this video that explains how biomerics makes a backdoor to password-protected information?