Windows 10: Finally - Stronger Authentication

Windows 10 comes with the promise of changing computing from ground up. While this might be marketing speak in many aspects that might be true for one central aspect of daily computing life: secure user authentication for the operating system, but also for websites and services.

Microsoft goes beyond the traditional username and password paradigm and moves towards strong authentication mechanisms. While traditionally this was only possible with having costly additional hardware, infrastructure and processes available, e.g. smartcards, Microsoft does it differently now.

So, although the comparison might be difficult for some readers: improving security by implementing all necessary mechanisms within the underlying system is quite similar to what Apple did when they introduced secure fingerprint authentication with the recent models of the iPhone and the iPad, beginning with the iPhone 5S (in comparison to ridiculously inadequate implementations within several android phones as made public just recently).

The mechanism called "Windows Hello" supports various authentication scenarios. So with Windows 10 being an operating system designed to run across a variety of devices, Microsoft is going for multifactor authentication beyond passwords for authentication purposes for mobile phones, for tablets, mobile computers, the traditional desktop and more flavors of devices. One factor can be a device itself and can be enrolled (by associating an asymmetric key pair) to be part of a user authentication process.

The account settings dialog offers new and additional mechanisms for identifying valid users: User authentication with user name and password can be augmented by alternative authentication scenarios using PINs or gestures.

While passwords are typically used globally across all devices, PINs and gestures are specific to a single device and cannot be used in any other scenario.

Picture authentication records three gestures executed with any pointing device (e.g. stylus, finger, mouse) on any desired image (preferably cats, as this is the internet). Reproducing them appropriately logs you into the specific Windows 10 system without the need of typing in a password.

Actually, the combination of your device (something you have) plus PIN or gesture (something you know) can be considered as two-factor authentication for access to your data, e.g. in the OneDrive cloud service.

Other factors deployed for authentication include biometrics like the fingerprint scan, whenever a fingerprint sensor is available or a retina scan when a capable camera is available. Finally, "Windows Hello" adds facial recognition to the login process, although this might be scary for several users to have a camera scanning the room (which of course is nothing new for Xbox users deploying Kinect having their living room scanned all day) while the login screen is active. The requirement for deploying cameras that are able to detect whether it is a real person in 3-D or just the picture avoids simple cheating scenarios.

Once authenticated a user can access a variety of resources by deploying the Microsoft Passport mechanism which deploys asymmetric keys for accessing services and websites securely. A user successfully authenticated towards Microsoft Passport through Microsoft Hello will be able to access information securely by applications acting upon his behalf deploying the necessary APIs. This brings asymmetric key cryptography to different types of end-users, ranging from business users to home users and mobile phone users alike. Depending on the deployment scenario the user Data is then stored within the corporate Microsoft Active Directory infrastructure of the individual organisation, within Microsoft Azure Active Directory for cloud deployments, or -for the home user- within the associated Microsoft Live account, e.g. at

While Microsoft has been contributing to the standardisation of the FIDO (Fast IDentity Online) protocols for quite some time now, Windows 10 finally claims to come with support for the current versions of the final protocol specifications. This will allow Windows 10 users to connect securely and reliably to Internet sites providing services based on the FIDO standards, especially to prevent man in the middle attacks and phishing scenarios. As of now the FIDO standard implementations were relying on the support from e.g. browser providers like Firefox or Chrome. Support for the FIDO standards built into the Windows 10 operating system might give the standards an enormous boost and allow for a win-win situation for security and the OS.

Windows 10 is now in its early weeks of deployment in the field. It will be interesting to see whether the new authentication mechanisms will be broadly understood as a real game changer for securing identity information and providing stronger authentication. Any appropriately secure way allowing to get rid of password authentication is a chance to improve overall user security and to protect identity data and every connected transaction. So each and every Windows 10 user should be encouraged to deploy the new authentication mechanisms ranging from biometrics to PINs and gestures and to the deployment of the Fido standards through the Microsoft Passport framework. Why not at least once use Windows and be a forerunner in security and privacy?

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

Subscribe to our Podcasts

KuppingerCole Podcasts - watch or listen anywhere

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00