'Windows Hello' With 'FIDO2 Certification': Closing In To The Passwordless Future

Passwords are not going anywhere anytime soon. But people can be sure that, eventually, the password will be a relic of the past.

To help pave that future, Microsoft has become one of the players trying to kill the password, announcing that it has achieved FIDO2 Certification for Windows Hello.

This means that Microsoft's passwordless authentication method, which lets users sign in to their Windows 10 machines using biometric information, officially becomes a FIDO2-certified authenticator, joining hardware-based security keys like Yubico's YubiKey.

This way, users can use Windows Hello, which can be found on many laptops with facial and fingerprint recognition systems, to access supported apps, online services, and networks.

According to Yogesh Mehta, Principal Group Program Manager at Microsoft and a member of the authentication team in Azure Core OS, in a blog post:

"No one likes passwords (except hackers)."

"People don’t like passwords because we have to remember them. As a result, we often create passwords that are easy to guess – which makes them the first target for hackers trying to access your computer or network at work."

Passwordless authentication leverages the FIDO U2F (Universal 2nd Factor) open standard, which should make it easy for users to seamlessly sign in to their online accounts and apps using Bluetooth, Near-field Communication (NFC) or USB.

The standard was developed jointly by Google and Yubico and is overseen by the FIDO (Fast IDentity Online) Alliance.

As for Microsoft, what makes its Windows Hello platform different is that the security option is built into the immensely popular Windows 10 operating system, so users don't need specialized hardware to sign in.

In November 2019, Microsoft added the ability for users to use Windows Hello or a FIDO2-compliant external authenticator to securely sign in to their Microsoft account on the web without having to use a password.

[Figure: FIDO login process]

As for how it works: in a typical password-based scenario, when users are prompted to sign in to their account, they enter their username (email or phone number) and a password. Submitting the form sends the login credentials securely over the web to the website, which then verifies the username/password combination to ascertain their identity before letting them in.

The problem here is that users have no way of guaranteeing the website will keep their login credentials safe.

For example, when a web service stores users' login credentials, the users have no control over what it does with the data. On the modern web, where hackers relentlessly seek weaknesses in systems in order to break in and steal information, users also have no way to ensure that the web service they use won't get breached.

With FIDO2, things are different.

Users won't have to deal with passwords, and importantly, they won't even have to trust any online services that support FIDO2 with their credentials.

This is because in passwordless authentication no password is sent over the internet. In other words, users can prove who they are without revealing anything about themselves.

With no sensitive login credentials sent, if a site users have registered with ever gets hacked, there simply won't be any compromised login data.

This is because FIDO2 uses public key encryption (PKE) for authentication, which involves a pair of cryptographic keys: a private key that is kept secret, and a public key that is widely disseminated.

In a typical encrypted message, for example, if Alice is sending a message to Bob and doesn’t want anyone else to read its contents, she would encrypt the message with Bob’s public key. When Bob receives the encrypted message, he would use his private key to decrypt and read it.

The same method can also be used to verify a user's identity.

In this scenario, Alice, the sender, encrypts the message with her private key and sends it to the recipient, who can then decrypt the message with Alice’s public key, hence confirming that the encrypted message came from her.

FIDO2 makes use of this second approach for authentication.

So, when users attempt to sign up for a service, instead of presenting them with a regular login form where they must enter their username and password, the website can authenticate them using special JavaScript code embedded in its web page.

That special code adheres to the WebAuthn API standard, allowing web browsers to create and manage the cryptographic credentials required for signing in users to the website.

In short, it's nothing but a JavaScript-based password autofill, which acts as a middleman between the client (the user's web browser) and the website's web server.

As for the authentication keys, users hold them in authenticators.

These can be either natively integrated into the operating system, like Google's Android or the Windows Hello facial recognition system, or an external authenticator like a YubiKey or other hardware, including the user's smartphone.


[Figure: FIDO registration process]

As for how Windows Hello with FIDO2 Certification works: Windows scans the user's face.

The authenticator then confirms the user's biometric information, encrypts the data using the private key and passes it back to the web browser, which hands it to the website's client-side JavaScript code, which in turn sends it to the website's server.

The site's server, having received the encrypted message, decrypts the data with the registered public key the user provided when they first signed up, thereby proving who the user is.

With Microsoft joining the team, people can expect an accelerated transition towards a passwordless web.

This comes months after Google Chrome, Mozilla Firefox, Microsoft Edge and Opera added support for WebAuthn, a key standard that defines the implementation specifics of authenticating users to web-based apps and services.

With platforms like Android 7 and up, which started supporting FIDO2 in early 2019, and Windows 10 together powering a billion active devices, the shift to passwordless authentication will lead to increased security for hundreds of millions of users.

Mehta continued by saying that:

"Our work with FIDO Alliance, W3C and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords."

"Windows Hello was built to align with FIDO2 standards so it works with Microsoft cloud services and within heterogeneous environments. Today’s certification announcement brings this full circle, allowing organizations and websites to extend certified FIDO Authentication to over 800 million active Windows 10 devices."


Published: 10/05/2019