Windows 'Hello' And 'Passport' Features Promise Website And App Logins Without Passwords

Today, Microsoft announced that Windows 10 will come with not one, but three methods of biometric authentication: facial recognition, iris recognition and fingerprint recognition. This authentication system, called Windows Hello, will be built using the FIDO specification. Both Microsoft and Google have been early members of the FIDO Alliance, which was created to build a cross-platform standard for biometric authentication with solid security in mind.

The new devices using Windows 10 will need to support fingerprint readers or have certain camera hardware, such as Intel's RealSense 3D camera, in order to use these authentication methods. Those cameras will use infrared to identify your face and iris, even in tougher lighting conditions.

Microsoft claimed that these authentication solutions are not only easier to use, they're also more secure. Windows Hello will offer enterprise-grade security that should pass the strictest security requirements and regulations, according to Microsoft.

Companies such as Sony could have avoided getting hacked if all of their employees were authenticated with biometric systems. If every single computer within a company had to be authenticated with the employee's fingerprint or a complex profile of his or her face, and that data was stored locally in a secure hardware zone, hacking company networks would become radically more difficult. Microsoft envisions that financial, healthcare, defense and other government institutions could all use these new authentication systems securely.

Microsoft doesn't actually specify where exactly in hardware the data is stored, but if OEMs use "Secure Enclaves" such as the ones found on iOS devices with Touch ID fingerprint readers, then that data should be quite secure.

The biometric data will never be shared over the network and will remain stored locally. It will only be used to unlock the device and the new "Passport" system, which can be used by apps and websites to authenticate you without ever sending them a password.

“Passport is a code name for a programming system that IT managers, software developers and website authors can use to provide a more secure way of letting you sign-in to their sites or apps. Instead of using a shared or shareable secret like a password, Windows 10 helps to securely authenticate to applications, websites and networks on your behalf—without sending up a password. Thus, there is no shared password stored on their servers for a hacker to potentially compromise."

Passport will be optional for websites and apps, as well as users. If there is no biometric hardware support present on a device, the Passport system will just require a PIN number to authenticate you. In other words, Passport will verify that it's you locally, on your machine, and then it will communicate with other services so you can log in.

It seems Microsoft is using asymmetric encryption here, wherein it creates a private key for the user that is tied to the fingerprint, facial or iris data, as well as a public key that it shows to the third party service to identify you.

What's not clear is whether that private key remains the same or is changed with each new authentication. If it does change every time, that would make the system more secure, because even if a hacker manages to steal that private key, the key is ephemeral. The attacker would only be able to use it until the user's next biometric authentication.

Other security experts have been working on similar open source solutions that will work cross-platform, and Microsoft itself admitted that similar technology has existed before but hasn't been implemented for mainstream use. Microsoft said that it has contributed the Passport technology to the FIDO Alliance so that it can work with "all the different devices you use everyday."

Microsoft hasn't offered much information about this so far, but if the company has given the technology up for standardization, then even Google or Apple could use it in the future. If the three major computing platforms would use the same authentication standard, then websites and apps could also integrate the technology much faster. That would allow users on all three platforms to completely give up on using passwords in a relatively short amount of time.

Windows 10 devices that support the Hello and Passport authentication methods will be available later this year, after the official launch of Windows 10.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Alec Mowat
    I remember the screen picture touch identification was cracked in about a day. All the Windows 8.1 MS documentation advised disabling it through Group Policy and forcing a password and PIN on mobile devices.

    Let's see how long this one lasts.
  • tomfreak
    With a lot of people using stupid simple password these days, this new feature IMO is generally more secure. Good work Microsoft.
  • cats_Paw
    I had facial activation in my MSI laptop.
    It would be all nice and good if windows wasent the most popular and easiest to hack OS in the planet :D.
    Also, in todays world, most internet active users will have to remember like 30-50 passwords.
    If you cant even remember your Windows Password, you are screwed :D.
  • voodoochicken
    Does it work on black skin, or do they still have to hire white people to follow them around?
  • LouF
    They shall call it......Relic
  • mapesdhs
    I must be getting old... why do I find the most annoying thing about this the use
    of 'Yup' in the Windows popup? :D

    Other than that, who knows; we've seen announcements like this before, eg.
    fingerprint scanning on mobiles, but they've always been hacked.


  • ikefu
    The important piece on the facial recognition part is that is requires camera hardware specifically built for it which solves a lot of the current issues. The old "hold up a picture of the person" trick doesn't work since the camera measures in three dimensions and sees that the picture is flat. Could be cool.