Say Hello to Windows Hello

You come across a killer app, but it needs another set of user credentials for you to remember for authentication. Could this be the straw that breaks the camel’s back? Especially with the constant stories of widespread enterprise hacking that expose consumer data, something has to change, right?

Windows Hello offers easy biometric authentication integrated into Windows 10. Windows Hello promises seamless 2 Factor Authentication (2FA) using device and user biometrics, taking away much of the pain around managing user credentials. Has this been tried and failed in the past? Yes. But Windows Hello has a better shot at success with well-thought-out features and reusable authorization.

In this article, we’ll unpack Windows Hello to help you understand the specifics.

Authentication is Hard

Information security is fundamentally about systems identifying users – are you who you say you are? This user identification (authentication) is the basic first step before systems can decide what level of access or features the user is entitled to (authorization). It turns out that this first step is really tricky.

Credentials are a mess

A vast majority of computer systems depend on user credentials for authentication. What could potentially go wrong? Here are just a few items, from a developer’s perspective:

  • You are making users remember one more User ID and Password, on top of the dozens they already have.
  • If someone grabs your users’ credentials, they can easily impersonate them.
  • You have to deal with securely storing user passwords somewhere. That isn’t easy.
  • Users will reuse credentials across apps, making them inherently easier to compromise.
  • Passwords can be stolen through carefully orchestrated social engineering.
  • Credentials are transported over the wire, making them susceptible to man-in-the-middle attacks.
  • Malware can steal user credentials through keystroke logging or network sniffing.

Complexity does not help

You may think that making credentials and their management inherently complex will make them more secure. To that end, you could try a few tricks:

  • Implement strict password policies with minimum suggested complexities.
  • Force reset of user credentials after short time intervals.
  • Enforce credential usage within firewalls, if permissible.
  • Implement TLS (Transport Layer Security) against network eavesdropping.
  • Utilize strong encryption and hashes to store credentials.

While the above tricks will definitely help, they are not foolproof. Inherently, we developers are trying to make our applications easier to use for the end user. If we turn up the authentication complexity, it goes directly against convenience and invites pushback from users.

No amount of security will help if users write down, share or recycle credentials across apps. And even the safest system backends are defenseless if compromises happen elsewhere and users are being impersonated through stolen credentials.

The risks of managing user credentials go on and on. The point is, no matter how carefully you manage user credentials on your side, there are factors that are just beyond your control. And user credentials may be compromised for no fault of your authentication system. So why take the risk?

Windows Hello

Windows Hello is the new biometric authentication system built into Windows 10. Windows securely stores the user’s biometric information in the device itself and allows for seamless safe authentication. By using Windows Hello to unlock a device, the authenticated user gains access to all of his or her Windows experience, as well as authorization to apps, data, websites, and services.

2 Factor Authentication

Windows Hello is not just a credential system – it is 2FA out of the box. What are the two factors?

  1. Individual device or hardware
  2. Specific user biometrics

Windows Hello security information does not roam across devices and cannot be easily extracted from the device. Windows Hello credentials are never sent across the wire to a server or shared with third-party apps or services – they are only meant for use on a specific device.

Every user and account on a given device has to have its own Windows Hello authentication. You can think of a Hello as a token you can use to release a stored credential on the device – it only authenticates you on a specific device. In terms of authorization, Hello itself doesn’t allow you access to an app or service, but it releases credentials that can.

Hello Types

The Windows Hello authenticator is simply called the Hello – a unique combination of an individual device and a specific user. At Windows 10 launch, there are 3 Hello types:

  1. PIN – Before using Windows Hello biometrics, every user has to set up a PIN. You may or may not use biometric gestures, but you always have the option of unlocking your device using the PIN you set up. The PIN is your fallback plan when biometrics cannot be used because of injury or device failures.
  2. Facial Recognition – This is the most commonly used Windows Hello biometric sign-on technology. Special cameras see in infrared light and can perceive depth, so as to differentiate a human face from a photograph. How cool is it to simply look at your computer or phone and have it unlock itself?
  3. Fingerprint Recognition – Capacitive fingerprint sensors can scan your fingerprint and authenticate you if pre-existing matches are found. Modern fingerprint scanners have become much more sophisticated and less error-prone.

The choice of Hello you use will depend on the availability and precision of the specific hardware device you have at hand.

The first step, however, towards getting any Windows Hello biometric gestures set up on a Windows 10 device is to set up the security PIN. This can be found in System Settings and Sign-In Options, as shown below. After a PIN is set up, you can configure Windows Hello to recognize you through an available biometric device, commonly facial or fingerprint recognition.

PIN Setup

PIN over Password

The security PIN you set up in Windows Hello is your gateway to setting up other Hellos, and, if you’re like me, you may often use the PIN to unlock your device. At this point, you may be wondering how a PIN is any different from just entering a Password to authenticate yourself? Although the user’s action is similar, a PIN has several advantages over traditional passwords, namely:

  1. A PIN is tied to the specific device on which it was set up. Even if it is stolen, a PIN is useless without that specific hardware device.
  2. A PIN is local to the device and is never transmitted to or stored on any server. This is a major advantage over passwords, which are susceptible to tampering or stealing over the network.
  3. A PIN can be as sophisticated as a password in terms of length, complexity, expiration and history. And all of this can be governed by enterprise or domain policies.
  4. A PIN can be backed by hardware security, lending to its reliability. A PIN is often protected by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor designed to carry out cryptographic operations. TPM chips have layers of physical security and protect against a variety of potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
  5. A PIN is backed by a pair of asymmetric keys – one private and one public. When you enter your PIN, it unlocks the authentication key, and that key is used to sign the requests/responses exchanged with a service or app trying to authorize you.
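The key-pair flow in point 5, together with the earlier idea of a Hello as a token that releases a stored credential, shown as an added challenge-response example. This is illustration code, not code from the article or from Windows Hello; the Device, Service, Unlock, Enroll, Challenge and Verify names, the unlocked flag standing in for the TPM, and the choice of ECDSA over P-256 are assumptions. The private key stays on the device and only a signature over a fresh nonce crosses the wire, so the service stores nothing an attacker could replay as a credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device keeps the private key on the device. The unlocked flag stands in for
// the TPM releasing the key only after a correct PIN or biometric gesture.
type Device struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

func (d *Device) Unlock() { d.unlocked = true } // a correct PIN or biometric gesture (assumed)

// Sign answers a challenge; only the signature crosses the wire, never the key.
func (d *Device) Sign(nonce []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("key not released: PIN or biometric required")
	}
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Service holds public keys only, so a breach of its store yields no reusable secret.
type Service map[string]*ecdsa.PublicKey

func (s Service) Enroll(user string, pub *ecdsa.PublicKey) { s[user] = pub }

// Challenge is a fresh random nonce, so a captured signature cannot be replayed.
func (s Service) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}
func (s Service) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s[user]
	h := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Signing before Unlock fails, a signature verified once does not verify against a later nonce, and an unenrolled user is rejected; a real deployment would also bind the nonce to the session and the relying party.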

Downsides of Hello

So is Windows Hello the one-stop panacea for all your authentication woes? While it certainly has a lot of promise, any first-generation technology has some pitfalls. Here are a few things to consider with Windows Hello:

  • Some of the biometric detection in Windows Hello requires specialized, sophisticated and expensive sensors. As such, the list of Windows 10 devices that have the hardware baked in is limited at launch. Modern devices like the Surface Book, Surface Pro 4 and Windows 10 Mobile devices sport the latest Hello sensors. Third-party external hardware can be used to augment existing Windows devices to support Windows Hello. And it is up to Microsoft to drum up the needed support for Windows Hello in the PC industry and among computer buyers.
  • One concern to keep in mind, especially if facial recognition is used, is device battery life. The remarkable convenience of simply looking at your device to unlock it may come at a price. Keep in mind that the device camera has to scan for your face continuously in order to detect the moment you step into view. This has the potential to drain your device battery.
  • As of now, there are no direct APIs in Windows Hello for developers. Take heart though – because these APIs will be inherently complicated. What you can do easily, however, is utilize Windows Hello to authenticate the user for your apps or services, and even trigger Hello to re-authenticate users for additional security (like before an in-app purchase). This is the realm of authentication leading to user authorization, utilizing something new called Microsoft Passport – strong 2FA using Windows Hello. This deserves a dedicated discussion and I’ll talk all about it in an upcoming article.

Conclusion

Toss out your old user credentials – they are inherently difficult to manage and prone to misuse or hacks. Instead, trust Windows 10 to handle it all with authentication through Windows Hello. Backed by specific hardware devices and user biometrics, Windows Hello is uniquely positioned to replace traditional credential systems. And Windows Hello relieves developers of the responsibility of securely authenticating users in their apps or services, letting them instead trust a strong 2FA baked into Windows.

Like any new technology, Windows Hello may have rough edges and hardware demands, but the potential is immense.

Did you know you could leverage Windows Hello in your UWP apps? Yep, authenticate and authorize users with ease through biometrics – we’ll talk about it in the next article. In the meantime, stop re-inventing the UI wheel and give your UWP apps a much-needed boost by using the Telerik UI for UWP suite. You get polished and performant UI controls out of the box – try it for free today!
