Microsoft is fighting the good fight against our overreliance on passwords. They recently announced that they are baking multi-factor authentication directly into Windows 10.
The new solution builds the concept of multi-factor authentication (a combination of something you know, something you have, and something you are) directly into the operating system and makes it as consumer-friendly as possible in hopes of encouraging users to move beyond passwords, which have proved time and again to be unreliable.
"With this release we will have nearly everything in place to move the world away from the use of single factor authentication options, like passwords... It's a solution that offers benefits for both businesses and consumers, and one that provides all of the convenience of a password along with security that is truly enterprise-grade." (source)
Let's take a look at what we know about the solution so far.
The new solution will require two factors in order to access user accounts:
The device itself (something you have)
In the new solution, the device itself serves as one of the factors. The device's credential is a cryptographic key pair (a private key and a public key) that is either generated by Windows itself or issued from an existing PKI (e.g., Microsoft Certificate Services or a third-party Certificate Authority) and bound to a digital certificate. In either case the key pair or digital certificate lives locally on the device.
Giving users the option to choose how they obtain their key pair makes this solution applicable to consumers and organizations alike. Everyone can take advantage of the benefits of using certificates as an authentication factor: consumers don't need to go through the process of acquiring one from a CA, and organizations can take advantage of their existing PKI setups.
A PIN (something you know) or biometric (something you are)
Users have the choice to use a PIN (no word on complexity requirements yet) or a biometric (such as a fingerprint) as the second factor for authentication. Once again, it's great to see that users are given a choice here. I can see pros and cons to each.
While a PIN can be guessed or brute-forced, the familiarity of the concept may hold a lot of appeal for the general public. We're used to entering PINs and passwords to gain access to things, and maintaining this routine may make the average person more likely to adopt this new solution.
Biometrics can be more difficult to hack (though not impossible), but they carry long-standing concerns about privacy, and, in light of the issues users had with the iPhone Touch ID fingerprint sensor, their efficacy and usability for the mass public may be questionable.
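To make the two factors above concrete, here is a small model of the flow, written in Go for this post; it is not code from the article or from Microsoft, and the names (Device, Server, the user "alice", the PIN "2468"), the choice of Ed25519 and the salted SHA-256 PIN hash are all constructed for illustration. The device generates its key pair locally and only ever hands the public key to the server (the "something you have"); the PIN (the "something you know") is checked on the device and merely unlocks the private key, so it is never transmitted and never stored server-side. The server proves possession by issuing a random single-use nonce that the device must sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the "something you have" factor: a key pair generated
// locally. The private key never leaves this struct; the PIN only gates
// its use. (Constructed, simplified model: a production design would keep
// the key in hardware rather than in process memory.)
type Device struct {
	priv    ed25519.PrivateKey
	pinSalt []byte
	pinHash [32]byte
}

// NewDevice generates the key pair and enrolls the chosen PIN locally.
func NewDevice(pin string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	d := &Device{priv: priv, pinSalt: salt}
	d.pinHash = hashPIN(salt, pin)
	return d, nil
}

// hashPIN is a salted digest used only for the on-device PIN check.
func hashPIN(salt []byte, pin string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pin...))
}

// PublicKey is the only credential material the device shares with a server.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Sign answers the server's challenge, but only after the local PIN check
// passes. A wrong PIN yields no signature at all; the PIN itself is never sent.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	h := hashPIN(d.pinSalt, pin)
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("device: wrong PIN, key remains locked")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// Server is the relying party. It stores public keys only, so a breach of
// its user database leaks nothing that works as a credential.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string]bool // outstanding nonces (hex), consumed on use
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register binds a user to the public key of their enrolled device.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify accepts the login only if the nonce is still outstanding (so a
// captured signature cannot be replayed) and it validates under the
// registered public key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return false
	}
	delete(s.pending, key) // single use
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	dev, _ := NewDevice("2468")
	srv := NewServer()
	srv.Register("alice", dev.PublicKey())
	nonce, _ := srv.Challenge()
	sig, err := dev.Sign("2468", nonce)
	fmt.Println("login ok:", err == nil && srv.Verify("alice", nonce, sig))
}
```

The two properties worth noticing are that the server's record for "alice" is just a public key, and that a wrong PIN fails on the device before anything is signed, so guessing attempts never reach the server and the server has nothing to leak if its database is stolen. Swapping the PIN check for a biometric match changes only the gate in Sign, not the protocol.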
The end of passwords as we know them?
We've been advocating the move away from passwords for a while now, so I'm thrilled to see Microsoft supporting the cause as well. That they've seemingly made it so easy for everyone, even everyday consumers, to adopt is even more exciting.
There's still no official release date for Windows 10 ("later in the year" 2015 is the latest), but it'll be very interesting to see the adoption and reception the new authentication features receive. Will this mark a turning point in the move away from passwords as Microsoft predicts? Only time will tell and I can't wait to see what happens.
What do you think? Would you take advantage of the new multi-factor authentication options in Windows 10?