Windows 10 to get two-factor authentication built-in
By Juan Carlos Perez
Microsoft is continuing its crusade to get CIOs interested in Windows 10, touting new security features that include two-factor authentication built directly into the OS.
The effort to bake two-factor authentication into Windows 10 is intended at doing away with the old single-password method that has proven so insecure in recent years and has led to so many instances of system break-ins and data theft, according to Microsoft. With two-factor authentication, malicious hackers need to be in control of two pieces of information in order to break into a system, such as a password and a code sent to a user’s device like a smartphone.
Overall, Windows 10 will offer businesses enhanced security in areas like identity protection and access control, information protection and threat resistance, since security “has been central to many of the customer conversations I’ve had since we announced the availability of the [Windows 10] Technical Preview,” wrote Jim Alkove in the blog post, referring to the pre-release version of Windows 10 that is publicly available for testing.
In the area of identity and access control, Windows 10 will offer IT managers the necessary functions to protect user credentials and devices with two-factor authentication, without having to rely on third-party products, he wrote.
“We believe this solution brings identity protection to a new level as it takes multi-factor security which today is limited to solutions such as smartcards and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals,” Alkove wrote.
More specifically, Windows 10 will let users enroll their devices as one of the two authentication factors, with the second being either a pin or a biometric input, such as the reading of a fingerprint.
“From a security standpoint, this means that an attacker would need to have a user’s physical device—in addition to the means to use the user’s credential—which would require access to the users PIN or biometric information,” he wrote.
The credential can be either a key pair generated by Windows, or a certificate provisioned for the device by a company’s existing PKI system. “Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI backed identity isn’t practical,” he wrote.
The new user credentialing system will be supported by Microsoft’s Active Directory, Azure Active Directory, and consumer Microsoft Accounts “so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords.”
Windows 10 will also have features to protect the user access tokens generated as part of the authentication process, so that they’re not vulnerable to techniques like Pass the Hash coupled with advanced persistent threats.
“With Windows 10 we aim to eliminate this type of attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised,” he wrote.
In the area of information protection, Windows 10 will have a data loss prevention (DLP) technology baked in that distinguishes between personal and corporate data, and protects the latter using “containment.”
“Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations,” he wrote.
The DLP technology will also work on Windows Phone, and documents will be covered by this protection as they’re accessed from different desktop and mobile devices.
IT managers will be able to establish policies that control which apps can access corporate data, and Windows 10 also extends VPN control options to protect this data in devices owned by employees.
“App-allow and app-deny lists will enable IT professionals to define which apps are authorized to access the VPN and can be managed through MDM solutions for both desktop and universal apps,” he wrote, adding that administrators can also restrict access by specific ports or IP addresses.
Finally, in the area of threat and malware resistance, Windows 10 will have features to lock down devices and only allow users to run apps that have been signed using a Microsoft provided signing service.
“Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store and the devices themselves will be locked down by the OEM,” he wrote. “The lockdown process OEMs will use is similar to what we do with Windows Phone devices.”
IT administrators will be able to determine which apps they consider trustworthy, such as those they sign themselves, those signed by ISVs, those available on the Windows Store, or all of them.
“Ultimately, this lockdown capability in Windows 10 provides businesses with an effective tool in the fight against modern threats, and with it comes with the flexibility to make it work within most environments,” he wrote.
Microsoft is aiming to ship Windows 10 by mid-2015, and in the meantime it’s publicly testing in an open program which recently topped 1 million participants and has generated 200,000 feedback items.
After Windows 8 was thoroughly ignored by Microsoft’s enterprise customers, the company is bending over backwards in its attempts to make CIOs and other enterprise IT executives pay attention to Windows 10.
As the OS goes through its pre-release public testing, it’ll become clearer whether the Windows 10 security improvements that Alkove is trumpeting today end up being compelling enough for business customers.