Windows 10 Looks to Eliminate Passwords

The Windows 10 Technical Review is underway, and Microsoft says that multi-factor authentication will be one of the new system’s security hallmarks.

Windows 10 will incorporate a multi-factor authentication solution built into the operating system and the device itself, which eliminates the need for additional hardware security peripherals. Once enrolled, the device itself becomes one of the two factors required for authentication. The second factor will be a PIN or a biometric, such as a fingerprint.

“With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection and threat resistance,” said Jim Alkove, leader of the Windows enterprise program management team, in a blog post. “With this release, we will have nearly everything in place to move the world away from the use of single-factor authentication options, like passwords.”

From a security standpoint, the scheme means that an attacker would need possession of the user’s physical device in addition to the user’s PIN or biometric; neither factor on its own is enough to sign in.

Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which effectively becomes their mobile credential. That will let them sign in to all of their PCs, networks and web services as long as the phone is nearby: communicating over Bluetooth or Wi-Fi, the phone behaves like a remote smartcard, providing the second factor for both local sign-in and remote access.

Alkove explained that the credential itself can take one of two forms. It can be an asymmetric key pair (private and public keys) generated by Windows itself, or it can be a certificate provisioned to the device from an existing PKI infrastructure.
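The key-pair form of the credential works as a challenge-response: the identity provider keeps only the public key, the device signs a fresh server challenge with a private key it never reveals, and the PIN does nothing more than unlock that key locally. The following Go model is an added illustration of that flow, not Microsoft’s code; it assumes a P-256 ECDSA key, a SHA-256 PIN check standing in for the TPM-backed unlock a real device would use, and the hypothetical names `Enroll`, `Sign`, `NewChallenge` and `Verify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Device models the enrolled device: it holds the private key (factor one)
// and will only use it once the user PIN (factor two) has been verified.
type Device struct {
	key     *ecdsa.PrivateKey
	pinHash [32]byte // simplification: a real device gates the key in a TPM
}

// Enroll generates a device-bound key pair. Only the public key is returned
// for the identity provider to store; the private key stays on the device.
func Enroll(pin string) (*Device, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{key: key, pinHash: sha256.Sum256([]byte(pin))}, &key.PublicKey, nil
}

// Sign answers a server challenge. The PIN is checked locally and never sent
// to the server; a wrong PIN yields no signature at all.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("pin rejected")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// NewChallenge is the server side: a fresh random nonce per sign-in so a
// captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify checks the device's answer against the public key stored at enrollment.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the server never sees the PIN and the private key never leaves the device, a leaked server database exposes only public keys, which is the property the article attributes to the design.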

“Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios, where PKI backed identity isn’t practical,” he said. “Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords. This technology is intentionally being designed so that it can be adopted broadly across other platforms, the web and other infrastructures.”

Windows 10 will also have an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. The tokens generated once a user has authenticated cannot then be extracted from the device, even in cases where the Windows kernel itself has been compromised.

“The technique is frequently coupled with advanced persistent threats (APT) and thus it’s a technique that we eagerly want to eliminate from the attacker’s playbook,” Alkove said.

He also said that, beyond the credentialing changes, data protection in Windows 10 automatically encrypts corporate apps, data, email, website content and other sensitive information as it arrives on the device from corporate network locations. Additional security features include a data loss prevention (DLP) solution that separates corporate and personal data and protects the corporate data using containment. Users can define which documents are corporate and which are personal as they arrive on the device, and companies can designate all new content created on the device as corporate by policy.

Users can also define which mobile apps have access to corporate data. Windows 10 also gives organizations the ability to lock down devices for additional threat and malware resistance. Because malware is often inadvertently installed by users themselves, Windows 10 addresses this threat by allowing only trusted apps, meaning apps signed using a Microsoft-provided signing service, to run on specially configured devices.

Organizations will have the flexibility to choose which desktop or mobile apps are trustworthy – only apps they have signed themselves, specially signed apps from ISVs, apps from the Windows Store, or all of the above.
