Passwords are the single greatest problem facing most of us in staying safe online. Let’s be honest here: you have a password you use on more than one site. Perhaps you have a set of passwords that escalate in complexity based on how much you care whether the service gets hacked. For example, your bank password should be, and probably is, a lot more secure than the one for your Netflix account.

But Microsoft wants to make those worries go away with Windows 10, and for me this is the single most significant feature in the OS. In fact, it’s actually two features – one called Windows Hello and one called Passport. Hello is aimed at letting you log in with biometric data, but it’s a bit more involved than that, and should offer pretty good security in itself.

Windows 10 – image credit: Microsoft

With Hello you can ask your computer to recognise your face, but this isn’t the usual webcam login that’s easy to spoof. Instead it is tied to specific hardware with an IR camera, which allows Windows to build a detailed 3D map of your face. The idea is that it can’t be spoofed simply by holding up a photo of yourself, something that has been a problem for other facial recognition systems.

Of course other biometrics can be used too, a fingerprint scanner for example. But what you use to log in to your computer isn’t the important thing here; the point is combining it with the security hardware built into the computer to log you securely into an account online.

It’s logging in to websites that invokes the “Passport” feature. You might remember the name from a few years back: it was basically the name of Microsoft’s single sign-on service, which has since become just the “Microsoft account” that you use across Windows, Xbox, email and Skype.

Microsoft is clear about this, though: your computer isn’t sending your password or any data related to your biometrics. Instead, the computer authenticates you locally, then sends a public key which logs you in. Hackers who get hold of the public key can’t use it for anything else; it’s useless to them. This is known as “asymmetric cryptography” or “public key cryptography”, and it’s nothing new, but using it as the way to identify you to websites is a great idea.

The main reason this is such a good idea, and why it answers the world’s greatest security problem, is that you no longer need to remember lots of passwords. You have one master password, which can be traditional or biometric, and it keeps your private key safe. Your private key means you can send encrypted messages to the server, ensuring safe data transfer, but it also means the server can positively identify the user as you. Unless you let someone have your private key, this system is much safer.
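As an added illustration (not Microsoft’s code, and not a description of Passport’s actual wire protocol), here is the shape of the public-key login the last two paragraphs describe: the server keeps only the public key registered from the device, hands out a one-time random challenge, and checks the device’s signature over it, so a copied public key or a captured signature gets an attacker nowhere. The `Server` and `Device` types and the choice of Ed25519 are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores only public keys plus the one-time challenge last issued to each user.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}
// Register records the device's public key; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge hands out a fresh random nonce that the device must sign to log in.
func (s *Server) Challenge(user string) ([]byte, bool) {
	if _, known := s.pubKeys[user]; !known {
		return nil, false
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, false
	}
	s.challenges[user] = nonce
	return nonce, true
}

// Login verifies the signature over the outstanding challenge and consumes it, so a
// captured signature cannot be replayed and a stolen public key alone proves nothing.
func (s *Server) Login(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(s.pubKeys[user], nonce, sig)
}

// Device holds the private key (hypothetical stand-in for the TPM-backed key Hello unlocks).
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub, err
}
// Sign answers the challenge; only the signature, never the key, goes over the wire.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
```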

That’s not to say it’s flawless, but when the number one issue with account security is that people are using bad passwords all over the place, it does make things a lot more secure. You’re not being asked to remember anything, and – at least in theory – logging in to any site that uses this system would be quick and simple.

Of course it requires everyone to implement it, and that will take a lot of time. But the steps to move away from using a password to sign in to a site, and risking a hacker being able to intercept that login or simply brute-force your woeful password, are finally being taken.

