Secure Authentication with Windows Hello


  • 1. Secure authentication with Windows Hello
      Anthony Bartolo, Technical Evangelist. Email: abartolo@Microsoft.com. Twitter: @WirelessLife
      Pierre Roman, Microsoft Canada. Email: pierre.roman@Microsoft.com. Twitter: @PierreRoman
  • 2. Shared secrets, shhh! Easily breached, stolen, or phished.
  • 3. Introducing Microsoft "Passport": goals
      - Replace passwords with a private key made available solely through a "user gesture" (PIN, Windows Hello, remote device, etc.)
      - Support both local Passport and Passport2Go (phone, USB dongle, etc.)
      - Introduce Microsoft Passport for its convenience first and its security first; the UX must be at least as good as with passwords
  • 4. Using Microsoft "Passport": the credential
      - The Passport public key is mapped to a user account
      - Identity can be proofed with an OTP, a code, PhoneFactor, and so on
      - To the user it is familiar: a Windows Hello or PIN user gesture
      - To IT it is familiar: it is based on a certificate or an asymmetric key pair
  • 5. Using Microsoft "Passport": the usage
      - Keys are ideally generated in hardware (TPM) first, in software only as a last resort
      - Hardware-bound keys can be attested
      - Browser support via JS/WebCrypto APIs to create and use Passport for users
      - A single "unlock gesture" provides access to multiple credentials, isolated by origin
  • 6. Authentication for orgs & consumers: a new, key-based approach
      IDPs: Active Directory, Azure Active Directory, Microsoft Account, other IDPs
      1. The user creates an account with the IDP or proves identity: "create and trust my unique key" (on later logons: "authenticate me by validating this signed request")
      2. The user unlocks the Windows 10 identity container with a PIN or biometric and signs the request
      3. The IDP replies: "Here is your authentication token"
      4. The user presents the token to intranet resources, which trust tokens from the IDP ("I trust tokens from IDP" / "So do I")
  • 7. Authentication for orgs & consumers: hardware-secured keys
      - Keys are secured in the TPM
      - Default container: Microsoft Account, Consumer IDP 1, Consumer IDP 2
      - Enterprise container: Enterprise IDP
  • 8. Why Windows Hello? A baby can identify its mother by the time it's a month old. Our devices could not do it: none of our senses operated in the digital world, until recently.
  • 9. Biometric authentication in Windows 10
      - Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and biometrics
      - Windows Hello introduces system support for biometric authentication, using your face, iris, or fingerprint to unlock your devices
      - Convenient device logon and strong user authentication
      - Enterprise-level security and access to High Business Impact data and resources via Microsoft Passport
      - Consistent inbox user enrolment and usage across Windows-enabled biometric devices
  • 10. Biometrics steps: face, iris, and fingerprint share the same design language for enrollment, usage, and recovery with Windows Hello
      - Enrollment
      - Usage: authentication and presence monitoring
      - Recovery
  • 11. Enrollment
      - Find a face
      - Discover landmarks
      - Detect head orientation
      - Build and secure a vector-based template (e.g. 010011011100001001)
  • 12. Usage
      - Find a face
      - Discover landmarks
      - Detect head orientation
      - Build a vector-based representation (e.g. 010011011100001001)
      - Does it match a template?
  • 13. Recovery
      - Find a face; does it match a template?
      - If it does not match the template: type a PIN to verify your identity
  • 14. Authentication versus identification: not every biometric modality is created equal
      - False Acceptance Rate (FAR)
      - False Rejection Rate (FRR)
      - "Liveness" and anti-spoofing
  • 15. Windows Hello security requirements
      - Demonstrate a False Acceptance Rate (FAR) of 1/100,000 with a False Rejection Rate of 2-4%
      - Provide liveness measures
      - Enable anti-spoofing detection
      - Integrated with the Windows Biometric Framework
  • 16. False Acceptance Rate, what is that?
  • 17. The face authentication
      - Machine-learned 1/100,000 false accept rate threshold: over 4.3 million test combinations; machine-learning-based accuracy threshold; validated against ~2,000 unique faces
      - Large representative sample: over 13,000 unique faces captured so far (target 30k); a mix of ethnicities, heights, weights, skin colors, glasses, etc.; a variety of possible angles and lighting conditions; captured on reference hardware
  • 18. False Rejection Rate, what is that?
  • 19. Liveness and anti-spoofing?
  • 20. Biometric as a second factor
      - The system will only authorize use of Microsoft Passport keys when the user submits a matching biometric sample at the moment of authorization, and the system determines that the sample is "live"
      - Our goal is to make biometrics non-susceptible to: spoofing and replay attacks; attacks by privileged code on a compromised system; offline attacks
  • 21. Windows Biometric Framework, what is that?
  • 22. Windows Biometric Framework (layers, top to bottom)
      - Applications: Win32 apps and UAP apps (via the Windows Runtime, WinRT), third-party applications; enrollment (OS component)
      - Windows Biometric Client API (WinBio.dll)
      - Windows Biometric Service with the Biometric Credential Provider (OS components) and three adapters: Engine Adapter, Storage Adapter, Sensor Adapter (inbox, but each can be replaced by a third party if needed)
      - Windows Biometric Device Interface (WBDI) driver and companion components (third party)
      - Sensor
  • 23. Inbox functionality: Windows Hello with iris and face
      - Works across a variety of devices running Windows 10
      - Integrated anti-spoofing countermeasures to mitigate physical attacks
      - Consistent image (via IR) in diverse lighting conditions allows for subtle changes in appearance, including facial hair, cosmetic makeup, eyewear, etc.
  • 24. Fingerprint sensors: state of the art, Windows Hello fingerprints
      - The world is moving towards small, touch-based sensors; these sensors can fit on almost any device
      - Sensing technologies shown: capacitive (CMOS), thermal, ultrasound
      - Sensors pictured: Fingerprint Sensor FPC1021, Fingerprint Sensor FPC1150, Next Biometrics NB-1010-S (thermal)
      - Image taken from www.fingerprints.com: the Huawei Ascend Mate 7
  • 25. So why do we need to change our experiences? State of the art: Windows Hello fingerprints
  • 26. Summary
      - Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and Windows Hello
      - Windows Hello introduces system support for biometric authentication: your face, iris, or fingerprint
      - Convenient device logon and strong user authentication
      - Enterprise-level security and access to High Business Impact (HBI) data and resources via Microsoft Passport
      - Consistent inbox user enrolment and usage experiences