Microsoft Moves Windows 10 Closer To A Future Without Passwords (forbes.com)

"Microsoft has very quietly confirmed the death of Windows 10 passwords this week," claims Forbes -- though I think they may be overstating things a bit: Microsoft's crypto, identity and authentication team group manager, Yogesh Mehta, has made an announcement that he says puts "the 800 million people who use Windows 10 one step closer to a world without passwords...."

Mehta confirmed that with the release of the forthcoming Windows 10 May update, Windows Hello becomes a fully FIDO2 certified authenticator... [Windows Hello is "a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition."]

So does the arrival of FIDO2 certification for Windows 10 mean that passwords are now dead? Not quite. The death of the password for Windows 10 could yet be a lingering and painful one. "We encourage companies and software developers to adopt a strategy for achieving a passwordless future and start today by supporting password alternatives such as Windows Hello," Mehta says, before admitting that to arrive in this future requires "interoperable solutions that work across all industry platforms and browsers."

I say painful, by the way, as there will no doubt be no shortage of stories about password security fails until the final nail is hammered into this authentication coffin.

  • Good luck. (Score:5, Insightful)

    by DamnRogue ( 731140 ) on Sunday May 12, 2019 @12:38PM (#58578382)

    " that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition."

    My PC had no hardware capable of these functions, nor will it ever.

    • fingerprint, iris scan or facial recognition."

      My PC had no hardware capable of these functions, nor will it ever.

      No camera at all? Still, if your government wants your iris scan, they could get it through an eye exam at the DMV.

      • Re:Good luck. (Score:5, Interesting)

        by gweihir ( 88907 ) on Sunday May 12, 2019 @12:50PM (#58578430)

        Black PVC tape over the camera and it is going to stay. Sorry MS. Also, do not forget that you cannot change fingerprints, iris or face when they get compromised. And they will, rest assured of that. No thanks, I will stay with my passwords. The only ones ever compromised have been for an unimportant account, several years after it was terminated.

        • Re:Good luck. (Score:5, Informative)

          by Antique Geekmeister ( 740220 ) on Sunday May 12, 2019 @02:19PM (#58578892)

          There are, of course, "gummy fingerprints". The technology to beat most fingerprint scanners has been easily available for decades.

          https://www.theregister.co.uk/... [theregister.co.uk]

        • Black PVC tape over the camera and it is going to stay.

          "Samsung is working on ‘perfect full-screen’ devices with selfie cameras under the display" "The S10’s hole-punch display is just the start" "Samsung is working on making the entire front of its phones a screen, with no need for bezels or a camera cutout of any kind. Yonhap News Agency reports that the company’s vice president of its display R&D group, Yang Byung-duk, said that “though it wouldn’t be possible to make (a full-screen smartphone) in the next 1-2 years, t

        • by antdude ( 79039 )

          My custom built decade old desktop PCs don't have cams and mics. I'm not planning to get them too. ;)

        • Especially with more court rulings saying that police can use your biometrics to unlock devices.

          Facial Recognition or an Iris Scan is great for replacing a username.

          But it shouldn't be the "secret" part of a login

        • Black PVC tape over the camera and it is going to stay.

          There's a big difference between a computer not being capable and a computer being willfully defeated by its user.

    • My PC had no hardware capable of these functions, nor will it ever.

      Eventually every PC monitor and TV will come with an inbuilt camera that's literally inside the screen and therefore cannot be taped over.

      • My PC had no hardware capable of these functions, nor will it ever.

        Eventually every PC monitor and TV will come with an inbuilt camera that's literally inside the screen and therefore cannot be taped over.

        Every LED is also a weak photodiode.

        Luckily they can only capture a few frames per second, or you'd be able to see the flickering, since the LED has to be off to use it in reverse.

        It isn't enough to cover visible lenses. You also have to live inside a Faraday cage, and say no to backlit screens, OLED screens, and CRTs.

    • Damn right.

  • notice a rise in quality and spectrum of Halloween masks. At least till they pass a law...

  • by weilawei ( 897823 ) on Sunday May 12, 2019 @12:47PM (#58578410)

    Something you know, in the usual three (a thing you know, a thing you are, and a thing you have)?

    • by AmiMoJo ( 196126 )

      At the moment most people just use a single password. For Windows, for dozens of websites, for all sorts of stuff. So for them this is an upgrade.

      What I really want to see is the ability to use tokens to log in. A Yubikey or my phone via NFC would be good.

      • by EvilSS ( 557649 )
        You can already use a Yubikey to login to windows.
        • by AmiMoJo ( 196126 )

          Only with their app, and only by plugging in USB rather than just NFC.

          It needs proper support for the open standard so that everything works.

      • by WaffleMonster ( 969671 ) on Sunday May 12, 2019 @08:25PM (#58580610)

        At the moment most people just use a single password. For Windows, for dozens of websites, for all sorts of stuff. So for them this is an upgrade.

        Replacing one single password with a different form of a single permanently unchangeable password for Windows, dozens of websites, for all sorts of stuff is a downgrade that makes a bad situation much worse.

        What I really want to see is the ability to use tokens to log in. A Yubikey or my phone via NFC would be good.

        Until the key breaks or is lost or stolen never to be seen again.

        Expecting users to manage physical keys is a taller order than expecting users to remember and or write down passwords.

        If you look at the mass market for things like MFA being sold as improved security.. in real world deployments that selling point never materializes. These measures don't improve security as deployed. What they actually do is provide a means of resetting a forgotten password or replacing a lost or broken key effectively reducing security. Countless billions are lost yearly in "I forgot my password" and that's really the selling point for these systems not security.

        If people really gave a shit about outcomes and improving security for everyone they would stop with adhoc login forms peppering every website and web application on earth and instead use secure authentication algorithms rather than plaintext over TLS which unnecessarily turns the web into a phishers paradise.

        It's rather comical that people systematically fail to deploy proper security and then blame passwords as the root of all evils. It's nothing more than bankrupt marketing trash.

        • by AmiMoJo ( 196126 )

          Replacing one single password with a different form of a single permanently unchangeable password for Windows, dozens of websites, for all sorts of stuff is a downgrade that makes a bad situation much worse.

          That's not how it works. The tokens can be replaced as often as you like. If one is compromised just generate another. If your fingerprint is compromised the attacker still needs your particular phone or computer that has the token on it, so remote attacks e.g. on corporate network accounts don't work.

          Until the key breaks or is lost or stolen never to be seen again.

          Obviously you must have a backup way to gain access. Typically a long recovery key, generated by the machine, that either the IT department keeps track of or you can store securely yourself somehow.

          You have to

      • Then facial recognition will make the matter worse, because then not some, not many but ALL people will use the same face for all websites.

        • by AmiMoJo ( 196126 )

          No because your face doesn't get sent to the web site. A token gets sent, and the token is unique to the site and the computer. The site never gets near your authentication method, in this case an image of your face.
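The flow described above (a per-site credential that is released only after a local check, the site never seeing the biometric) can be shown with a small model of the registration and login steps. This is an added example written for this discussion; it is not Microsoft's, Windows Hello's or the FIDO Alliance's code, and it simplifies the real FIDO2/WebAuthn message formats. Assumptions: the hostnames bank.example and bank-login.example are constructed; Ed25519 stands in for whatever key type the authenticator uses; the biometric check is reduced to a boolean because, in the model as in the standard, its result never leaves the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is what the authenticator keeps for one site: a key pair that
// exists only for that relying party (rpID).
type credential struct {
	rpID string
	priv ed25519.PrivateKey
}

// authenticator models the device side. The biometric is a local gate only;
// nothing about it is serialised or sent anywhere.
type authenticator struct {
	creds map[string]credential // credential ID (hex) -> credential
}

func newAuthenticator() *authenticator { return &authenticator{creds: map[string]credential{}} }

// register creates a fresh key pair scoped to rpID and returns its public half
// plus a credential ID. Registering again for the same rpID yields an unrelated
// key, which is how a compromised credential gets replaced.
func (a *authenticator) register(rpID string) (credID string, pub ed25519.PublicKey, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", nil, err
	}
	credID = hex.EncodeToString(idBytes)
	a.creds[credID] = credential{rpID: rpID, priv: priv}
	return credID, pub, nil
}

// assert signs a server challenge only if the local user-verification step
// passed and the origin asking matches the rpID the credential was made for.
func (a *authenticator) assert(credID, origin string, challenge []byte, userVerified bool) ([]byte, error) {
	c, ok := a.creds[credID]
	if !ok {
		return nil, errors.New("unknown credential")
	}
	if !userVerified {
		return nil, errors.New("user verification failed")
	}
	if c.rpID != origin {
		return nil, errors.New("origin mismatch: credential is bound to " + c.rpID)
	}
	return ed25519.Sign(c.priv, signedData(origin, challenge)), nil
}

// signedData binds the origin into the signed message, so a signature produced
// for one site is meaningless to another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// relyingParty models one web site. It stores public keys only and learns
// nothing about how the user unlocked the authenticator.
type relyingParty struct {
	origin string
	pubs   map[string]ed25519.PublicKey // credential ID -> public key
}

func newRP(origin string) *relyingParty {
	return &relyingParty{origin: origin, pubs: map[string]ed25519.PublicKey{}}
}

func (rp *relyingParty) storeCredential(id string, pub ed25519.PublicKey) { rp.pubs[id] = pub }
func (rp *relyingParty) revokeCredential(id string)                      { delete(rp.pubs, id) }

func (rp *relyingParty) newChallenge() []byte {
	ch := make([]byte, 32)
	_, _ = rand.Read(ch)
	return ch
}

func (rp *relyingParty) verify(id string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[id]
	return ok && ed25519.Verify(pub, signedData(rp.origin, challenge), sig)
}

// runScenario walks through registration, a normal login, a look-alike site
// trying to reuse the credential, and replacement of the key after compromise.
func runScenario() (loginOK, phishBlocked, replacedOK, oldRevoked bool) {
	auth := newAuthenticator()
	bank := newRP("bank.example")        // constructed hostname
	phish := newRP("bank-login.example") // constructed look-alike hostname

	credID, pub, _ := auth.register(bank.origin) // site stores the public key only
	bank.storeCredential(credID, pub)

	ch := bank.newChallenge()
	sig, err := auth.assert(credID, bank.origin, ch, true)
	loginOK = err == nil && bank.verify(credID, ch, sig)

	// The look-alike site presents its own origin, so the authenticator refuses.
	_, err = auth.assert(credID, phish.origin, phish.newChallenge(), true)
	phishBlocked = err != nil

	// Replacement: new key pair, old public key dropped. Face and finger are unchanged.
	newID, newPub, _ := auth.register(bank.origin)
	bank.storeCredential(newID, newPub)
	bank.revokeCredential(credID)
	ch2 := bank.newChallenge()
	sig2, err := auth.assert(newID, bank.origin, ch2, true)
	replacedOK = err == nil && bank.verify(newID, ch2, sig2)

	ch3 := bank.newChallenge()
	sig3, _ := auth.assert(credID, bank.origin, ch3, true)
	oldRevoked = !bank.verify(credID, ch3, sig3)
	return
}

func main() {
	a, b, c, d := runScenario()
	fmt.Printf("login=%v phishBlocked=%v replaced=%v oldRevoked=%v\n", a, b, c, d)
}
```

The two properties the thread argues about are visible in runScenario: the site holds only a public key and a random credential ID, so nothing biometric is there to leak from it, and the credential is revoked and replaced by generating a new key pair, not by changing the user's face or finger.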

    • It doesn't replace three. It replaces one, through another using authentication in between. I.e. your multitude of passwords are replaced with a biometric authenticator that bypasses the passwords for you.

      No you won't find Windows Hello securing the NSA vault. It would make things a lot more secure than having every website permanently logged in through cookies, though.

  • by QuietLagoon ( 813062 ) on Sunday May 12, 2019 @12:47PM (#58578412)
    What iris do I use on the third site I want to log in to?
    • Yeah, I think this is a big problem.

      When you’re unlocking your personal devices, you can state that device is the “something you have” and your biometric attribute is the “something you are”, since you have control over the circumstances and the local environment. But translating that out to websites doesn’t really work in a non-spoofable manner - at least, I can’t see myself being comfortable with assurances from some company (be it Microsoft or someone else) that

      • Just guessing, but I'd expect in the future for them to use some sort of X.509 signing to identify you to websites. Browsers already support that, and the MS browser would then manage it for you as part of your Windows identity.

        This is great for MS because if you don't keep your OS subscription current, now you can't log into any websites until you either renew, or learn how to computer.

        • }}} This is great for MS {{{ === Lots of benefits to Microsoft, one or two benefits, and many downsides, to the Windows user.
    • What iris do I use on the third site I want to log in to?

      The same one you use for all your other varied and completely independent identities. You may want to read up on what FIDO2 is and how it works.

      • }}} You may want to read up on what FIDO2 is and how it works. {{{ --- I have. I remain skeptical. Especially in light of how Microsoft apparently breached its customers' trust with the Windows 10 update trick a couple years back.
        • by Altrag ( 195300 )

          Fido is an industry standard. It's of course possible that Microsoft managed to bungle the implementation (accidentally or otherwise) _and_ get that bungled implementation through Fido certification.. but they can only take that so far if they want to remain compatible with third party Fido systems (MS may not care about using external authentication dongles but they probably would _love_ to be able to act as an authenticator themselves,) and of course would lose their certification if they got caught, wh

        • And that affects an open industry standard that doesn't pass tokens that cross identify you between instances how?

    • by AmiMoJo ( 196126 )

      It doesn't work like that. Your iris is never sent to the site.

      The site generates a token that your browser stores, and only sends for login when it has authenticated you locally.

      • It doesn't work like that. Your iris is never sent to the site.

        The site generates a token that your browser stores, and only sends for login when it has authenticated you locally.

        When number of devices exceeds number of eyeballs?

    • by Mal-2 ( 675116 )

      The brown one in the back.

  • by gweihir ( 88907 ) on Sunday May 12, 2019 @12:47PM (#58578414)

    Because whatever will replace passwords on win10 will surely be an insecure mess. And, unlike passwords, the user cannot increase security anymore by choosing a good password. Biometrics? Easily compromised and what do you do if your face/fingerprint/voice is public knowledge? Plastic surgery?

    At this time, passwords are the best thing we have, and adding a second factor like a smartcard makes them pretty secure. Nothing else comes even close.

  • How about... (Score:5, Insightful)

    by JMJimmy ( 2036122 ) on Sunday May 12, 2019 @12:51PM (#58578434)

    No.

  • Surveillance state (Score:5, Insightful)

    by joe_frisch ( 1366229 ) on Sunday May 12, 2019 @12:51PM (#58578438)

    Yet another step toward universal surveillance in the ongoing attempt to make it impossible to do anything without being tracked. Once the majority of users are on a system that verifies ID at a low level, it will be easy for sites to prohibit access to anyone who doesn't provide that sort of identification.

    I'm not claiming some great "conspiracy", just that personally identifiable information is valuable and consumers don't have a lot of leverage to push back against it. (Sure, individuals can elect not to use products that require biometric identification, but those options will gradually disappear.)

    Once this set of databases exists, I think it's only a matter of time before it is misused in a dramatic fashion.

    • Yet another step toward universal surveillance in the ongoing attempt to make it impossible to do anything without being tracked.

      Yet another example of people commenting from a position of extreme ignorance on how a technology works. It's not the government or corporations destroying the world, it's a toxic ignorance of the world around us, an ignorance which we use to then make decisions and pass judgement.

      Congratulations. Now go put on your tinfoil hat.

  • one can write it down and keep it safe in case you forget it. What happens when, not if, but when this newest piece of shit software doesn't recognize you? Will you have to keep staring into the camera or sliding your finger across the bar in the hope the system will recognize you?

    And when, again, when the system doesn't recognize you, what next? Do you call Microsoft and tell them their shit software has locked you out of your own system and you can't get to your files or do your job? Will Microsoft tel

    • by Viol8 ( 599362 )

      MS aren't interested in you as a user, they're only interested in firing off buzzword bullshit in the direction of their investors and the small coterie of circle jerk techno evangelists who don't really understand security but have read too many of the aforementioned sci fi novels and think the real world is just another novel they're living in.

    • Doesn't Windows Hell-no have a backup password or PIN, or at least a means of resetting credentials via an email or phone linked to your MS account (Hell-no doesn't work with a local account)? Which is the real problem -- Microsoft becomes the gatekeeper on who can access your computer, as opposed to you, with strong local credentials and drive encryption.
  • Windows Hell-no. (Score:4, Insightful)

    by b0s0z0ku ( 752509 ) on Sunday May 12, 2019 @12:57PM (#58578472)
    Windows Hello required the use of an M$ account, not a local account to log in to Windows. I don't actually feel like giving MS so much control over authentication and settings on a device that I own. Until it can do local authentication (like Thinkpads with the fingerprint sensor can), it's Hell-no to Windows Hell-oh.
  • by Stolpskott ( 2422670 ) on Sunday May 12, 2019 @12:57PM (#58578474)

    For several years, I have been working in banks, with large teams of people using specialist trading keyboards built by Bloomberg (picture a normal QWERTY keyboard with a bunch of extra buttons, pre-programmed macros, colour-coding all over the place, and built to withstand daily tantrums and being hit by stressed users), which have very good (dare I say, state-of-the-art) fingerprint scanners on them.
    A certain percentage of users cannot use them - the ridges on their fingerprints are too small.
    In winter, a higher percentage of users cannot use them because the cold lowers the height of those fingerprint ridges.
    This colleague used a hand cream a few minutes ago... their keyboard would not validate their fingerprint because of the oil in the hand cream.
    That colleague cut the finger they use for authentication when doing DIY at the weekend, and now they cannot login, because their back-up finger (not the one they stick up their backside when bored... but the one the system says "register this as an alternative for when your primary finger is unavailable") doesn't work for some reason.

    And these Bloomberg keyboards are damned expensive, so they use premium quality components. Consider how reliable the sensors on cost-focussed consumer keyboards are going to be.

    • Can they use nipple ID in cold weather, since cold exaggerates the size of ... certain parts?
    • I have to re-enter my fingerprints about 2x a month on average with my Galaxy S9+, and it refuses to work period if my hands have been wet and pruny at all.

      That'd be fine, except my hands are frequently covered in grease, or scraped up a little. Even giving my hands a good thorough cleaning won't work after that sort of thing.

      People do actually still use their hands, even in technical positions. If you work in an industrial or manufacturing environment, that's pretty common.

    • by guruevi ( 827432 )

      It's not because they're expensive that they use quality components, especially in the niche areas. They are expensive because banks buy them regardless of the tech in them.

  • by QuietLagoon ( 813062 ) on Sunday May 12, 2019 @01:04PM (#58578514)
    }}} "We encourage companies and software developers to adopt a strategy for achieving a passwordless future and start today by supporting password alternatives such as Windows Hello," Mehta says {{{ --- In other words, he is saying something along the lines of, "too many people are avoiding the egregious data collection of Windows 10, so we are launching this initiative to collect data about the websites you visit and log in to."
  • Biometry, until it is perfected to the point the consumer hardware cannot be fooled by gummy fingerprint or photography with a little bit of heat behind, is not good enough to be a password, only a username ("who you are"). When that comes to that point we can talk.
  • by Aethedor ( 973725 ) on Sunday May 12, 2019 @01:31PM (#58578638)

    When logging in to a system, two steps are usually taken: the identification step, where you state who you are, and the authentication step, where you prove that you are actually the person you claim to be. The identification is often done by entering a username and the authentication by entering the well-known password. Both the username and password have a number of attributes. Let's take a look at them.

    Identification: the username

    • Not a secret. Is often formed by the name, e-mail address or employee number.
    • Is often (more or less) the same within multiple systems.
    • Changing your username is not common and often impossible.

    Authentication: the password

    • Must remain secret.
    • It's best to use a different password for each system.
    • Most systems offer the possibility to change your password.

    Now, let's take a look at the characteristics of a person's biometric characteristics, such as the fingerprint and the iris scan.

    Biometric characteristics

    • They are not a secret. You leave fingerprints everywhere and even iris scans can be traced.
    • Given the limited number of usable biometric characteristics on a body (ten fingers and two eyes), you often use a biometric characteristic for multiple systems.
    • Biometric characteristics cannot be changed.

    If you compare the properties of biometrics with those of the username and password, you will see that biometrics looks more like a username than a password. In addition, demonstrating who you are with what you are is a weak method, because it is visible to everyone and can even be imitated.

    So, biometrics are a substitute for the username, not for the password.

    • Here's the thing -- they're not even a good substitute for a username, since not all of us want a username that's tied to our actual identity via biometrics.
      • It's not a good solution for the product (windows users), it is a very good solution for the customers (organizations that purchase the personally identified data).

        It's part of the goal of completely eliminating anonymity on the web.

  • If your password is compromised, you can change it. How would you change your finger prints?

    Identification != authentication. Already we have enough trouble with people using identifiers like social security numbers, mother's maiden names, high school mascots and honeymoon locations as authentication. Now a random image taken by a security camera is enough to fake an authentication?

  • Haven't we all heard about fingerprint scanners being easily fooled? Facial recognition fooled by a printed picture?
    'Iris scan'? I've never seen a computer that has an 'iris scanner' and I somehow don't think I ever will -- and I'm sure this can be faked, too?
    I don't get what they're thinking here. Nobody is going to stop using passwords in favor of these things.
  • I felt a great disturbance in the Force, as if millions of criminals suddenly cried out in joy and were suddenly empowered. I fear something terrible is about to happen.
  • Passwords are not going anywhere.

    Biometrics are unreliable, have terrible entropy and cannot be changed as need arises. The attempt to push biometrics is a play to weaken security not strengthen it.

    If Microsoft really gave a shit they would be deploying and pushing the use of secure zero knowledge authentication systems.

    If they really gave a shit they wouldn't be storing unsalted unamplified hashes in local SAM databases on hundreds of millions of computers.

    Microsoft doesn't care about security. They care

    • The attempt to push biometrics is a play to weaken security not strengthen it.

      MicroSoft has always been strong in the Dark Side of the Force, don't underestimate their planning capability.

      They don't want to weaken security. They know this wouldn't work well for many common, important situations.

      What if they're not idiots? What if they're run by a Sith Lord?

      In that case, they're almost certainly trying to further increase expectations of convenience. If they can get users to expect authentication to be easier than it currently can be, then in the future those users will be more recept

  • If ever there was a reason to dump Windows and move to any other OS, this would be it.

    If they made it 100% optional, then maybe, but it doesn't look like that's the case.

  • Forget eye-scans and fingerprints, EVERYONE can easily see and steal those. I think we should use only penis and vagina prints. That's the ONLY way to be sure.
    • With the mistaken use of biometrics as a password in the case of genitalia, revocation of password will mean mandatory gender reassignment or neutering.

  • Windows Hello is "a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition."

    and these biometrics-based files would be stored at that NSA server farm in Utah .. I don't think so.
