Microsoft targets two-factor authentication for Windows 10
23 October 2014 15:15 GMT

Biometrics could be core to advanced security measures in Windows 10

A Microsoft blog post focusing on security in Windows 10 has detailed how the new operating system aims to shift away from single-factor authentication (the password) to two-factor authentication, combining the enrolled device with a PIN or a biometric such as a fingerprint.

Microsoft's Jim Alkove said: "In today’s world, the market for cyber-attacks on businesses is wide-reaching and attacks are increasingly high-profile and successful in execution. We’re seeing network breaches resulting from techniques as simple as username and password theft. In a couple of recent cases, hackers infiltrated Fortune 500 companies using stolen usernames and passwords which gave them access to point of sale systems and the credit card data being processed with them. The attacks resulted in the theft of millions of credit card numbers which quickly ended up in the black market… With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection, and threat resistance. With this release we will have nearly everything in place to move the world away from the use of single factor authentication options, like passwords."

Alkove says Windows 10 protects user credentials when breaches occur in the data center and protects users from credential theft when their devices are compromised. He also says it renders phishing attacks against identities almost completely ineffective.

He continued: "We believe this solution brings identity protection to a new level as it takes multi-factor security which today is limited to solutions such as smartcards and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals... Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint. From a security standpoint, this means that an attacker would need to have a user’s physical device – in addition to the means to use the user’s credential – which would require access to the user's PIN or biometric information."

Alkove explained that users will be able to enrol each of their devices with these new credentials, or they can enrol a single device, such as a mobile phone, which will effectively become their mobile credential. It will let them sign in to all of their PCs, networks, and web services as long as their mobile phone is nearby. In this case the phone, communicating over Bluetooth or Wi-Fi, will behave like a remote smartcard and will offer two-factor authentication for both local sign-in and remote access.
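The properties described above (the device as one factor and a PIN as the other, the server holding nothing that lets it impersonate the user, and phishing being ineffective) can be illustrated with a small model. The following is an added example, not Microsoft's code and not a description of the Windows 10 implementation: a Schnorr-style challenge-response over a toy 128-bit safe-prime group, where the private key is derived from a device-held secret and the user's PIN (both needed, modelled here with PBKDF2 rather than a hardware key store), the server stores only the public key, and the challenge is bound to the service identity the device believes it is talking to (the `rp_id` binding is an assumption of this model, not something the article states Microsoft does). Service names, key sizes and all sample values are constructed.

```python
import hashlib
import random
import secrets

# --- Toy group parameters ---------------------------------------------------
# A safe prime p = 2q + 1 with q prime. 128 bits is a toy size chosen so the
# example runs instantly; real deployments use standardised large groups or
# elliptic curves.

def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probable-prime test with trial division for small factors."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime(bits, seed):
    """Deterministically pick a safe prime p = 2q + 1 (public parameters)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            return 2 * q + 1, q

P, Q = make_safe_prime(128, seed=2014)
G = 4  # 4 = 2^2 is a quadratic residue mod p, so it generates the order-q subgroup

# --- Device side --------------------------------------------------------------
def derive_private_key(device_secret: bytes, pin: str) -> int:
    """Both factors feed the key derivation: without the device secret OR the
    correct PIN, the private key x cannot be recomputed (assumed model)."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)
    return int.from_bytes(material, "big") % Q

def enroll(device_secret: bytes, pin: str) -> int:
    """Enrolment: the server receives and stores only the public key Y = g^x."""
    return pow(G, derive_private_key(device_secret, pin), P)

def device_commit():
    """Step 1: device picks a fresh random nonce r and sends T = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def challenge(rp_id: str, T: int, nonce: bytes) -> int:
    """Challenge bound to the service identity, the commitment and a server nonce,
    so a response computed for one service is useless at another."""
    t_bytes = T.to_bytes((P.bit_length() + 7) // 8, "big")
    h = hashlib.sha256(rp_id.encode() + t_bytes + nonce).digest()
    return int.from_bytes(h, "big") % Q

def device_respond(device_secret: bytes, pin: str, r: int, c: int) -> int:
    """Step 2: device answers s = r + c*x mod q; x never leaves the device."""
    return (r + c * derive_private_key(device_secret, pin)) % Q

# --- Server side --------------------------------------------------------------
def server_verify(Y: int, T: int, c: int, s: int) -> bool:
    """Accept iff g^s == T * Y^c (mod p). The server knows only Y."""
    return pow(G, s, P) == (T * pow(Y, c, P)) % P

def authenticate(device_secret, pin, Y, device_sees_rp="login.example.test",
                 server_rp="login.example.test") -> bool:
    """Full exchange. device_sees_rp != server_rp models a phishing relay:
    the device signs a challenge for the site it thinks it is talking to."""
    nonce = secrets.token_bytes(16)          # server-chosen, sent to the device
    r, T = device_commit()                   # device -> server: T
    c_dev = challenge(device_sees_rp, T, nonce)
    s = device_respond(device_secret, pin, r, c_dev)   # device -> server: s
    c_srv = challenge(server_rp, T, nonce)   # server recomputes its own view
    return server_verify(Y, T, c_srv, s)

if __name__ == "__main__":
    dev = secrets.token_bytes(32)            # constructed device-held secret
    Y = enroll(dev, "2468")
    print("device + PIN      :", authenticate(dev, "2468", Y))
    print("device, wrong PIN :", authenticate(dev, "2469", Y))
    print("PIN, other device :", authenticate(secrets.token_bytes(32), "2468", Y))
    print("phishing relay    :", authenticate(dev, "2468", Y,
                                              device_sees_rp="login.example.test.evil"))
```

The four checks in the `__main__` block map onto the article's claims: only the correct device and PIN together succeed, a stolen PIN without the device (or the device without the PIN) fails, a relayed response from a look-alike service fails because the challenge was bound to the wrong `rp_id`, and a dump of the server's database yields only `Y`, from which `x` cannot be recovered.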
