Microsoft has been pushing towards a password-free future for some time. Another step along this road has been taken. The Windows Hello authentication system has been granted FIDO2 certification. What is FIDO2 and why is this important?
We looked at Windows Hello a while ago. Now that Windows 10 market penetration is pretty high and many of us are either already running Windows 10 or will be when we get our next computer, the Hello system is accessible to a lot of people.
Windows Hello is Microsoft’s biometric security system. It supports fingerprints, facial recognition as long as your device has a suitable camera, or a PIN. So, even though you have a password for your user account, you won’t often need to use it.
What is FIDO2?
When you think about securely connecting a user to access a system, there are three parts:
- End user authentication
- A middle layer of APIs for developers that creates a bridge between users and systems
- A back-end layer for IT operators that provides secure access regardless of how the user authenticates
FIDO2 (Fast IDentity Online) uses asymmetric (public-key) cryptography at the end-user end of the equation.
If you think about a password-based system, it relies on a shared secret; you set a password that you store (in your head or on a Post-It note under your keyboard) and that is stored in the system you’re connecting to.
With FIDO2, there’s no password exchange. When the user authenticates using a certified mechanism, such as the Windows Hello system, the device answers a one-time challenge from the service with a signed response that is only valid for that challenge. So there’s no password to forget or to have leaked in a breach. On the user side, there’s a private key that never leaves the device, while the service you connect to holds only the matching public key.
So, even if the system you connect to is hacked, all the bad guy gets is a list of public keys, which can’t be used to log in as anyone.
When you look into FIDO2, you’ll also encounter a couple of other standards and tools.
WebAuthn is a web authentication API developed by the World Wide Web Consortium, and CTAP1 is the Client to Authenticator Protocol, which lets a browser or operating system talk to an authenticator.
When will Windows 10 support FIDO2?
Windows 10 version 1903, the May 2019 Update, is officially FIDO2 certified. Initial, but uncertified, support appeared last November.
Why does this matter?
End-points are the origin of most cyberattacks. And compromising user credentials is one of the preferred methods employed by bad actors. But if your authentication method doesn’t have a password that can be stolen, then life gets a lot harder for attackers.
FIDO2 means there’s no password repository for bad guys to steal. And even if they eavesdrop and swipe credentials over the air, all they get is a one-time signed response that can’t be reused, because the next login uses a fresh challenge.
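As an added example (not code from the original article or from Microsoft), here is a small Go model of the registration and challenge-response flow described above and under “What is FIDO2?”: the service stores only a public key, the authenticator signs a fresh server challenge bound to the site’s identifier, and a captured response fails against any other challenge or site. The Ed25519 key type and the relying-party name example.com are assumptions for illustration; real WebAuthn signs authenticator data plus a hash of the client data, which this simplifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is the server-side record created at registration.
// Only the public key is stored, so a leaked database cannot sign anything.
type Credential struct {
	RPID   string            // relying-party identifier the key was registered for
	PubKey ed25519.PublicKey // assumption: Ed25519 stands in for the real COSE key
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator generates a fresh key pair for one account at one site.
func NewAuthenticator(rpID string) (*Authenticator, Credential) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, Credential{RPID: rpID, PubKey: pub}
}

// signedData binds the response to both the site and this login's challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// NewChallenge is issued by the server once per login attempt and never reused.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Sign is the authenticator's answer to a challenge: a signature, not a secret.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(rpID, challenge))
}

// Verify checks a response against the stored public key and the issued challenge.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ed25519.Verify(cred.PubKey, signedData(cred.RPID, challenge), sig)
}

func main() {
	auth, cred := NewAuthenticator("example.com") // constructed relying party
	c1 := NewChallenge()
	sig := auth.Sign("example.com", c1)
	fmt.Println("fresh response accepted:   ", Verify(cred, c1, sig))
	fmt.Println("replayed response accepted:", Verify(cred, NewChallenge(), sig))
}
```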
Windows Hello does support PIN codes, which are part of FIDO2, and that is a bit of a weakness in my view. Many people use PINs that are relatively easy to guess. And my experience has been that fingerprint scanners vary substantially in their reliability, although facial recognition has worked well.
That’s the big benefit. By supporting FIDO2, Windows 10 ups the privacy and security ante by making it much harder for user credentials to be compromised. In particular, if you’re using facial recognition or fingerprint scanning, it becomes very difficult for someone to compromise your identity.