Microsoft to add 'enterprise grade' biometric security to Windows 10

For years, biometric authentication has been a sci-fi staple. Bits and pieces of biometric technology already exist in popular technology, most notably the TouchID fingerprint sensors used on late-model iPhones and iPads.

With Windows 10, coming later this fall, Microsoft plans to go big with biometric technology. The new OS will introduce system support for biometric authentication, the company says, "using your face, iris, or fingerprint to unlock your devices ... with technology that is much safer than traditional passwords."

At the WinHEC conference in China today, Microsoft executives showed off the new feature, called Windows Hello. At first glance, it sounds like Microsoft's response to TouchID -- biometric authentication that can use a fingerprint reader, illuminated IR sensor, or other biometric sensor to provide instant access to a Windows 10 device. Show your face or touch a finger, Microsoft says, and you'll be instantly authenticated on the local device.

But the platform has bigger ambitions. It's based on a new API with a familiar code name, "Passport" (that was the original name for what became Windows Live ID and is now the Microsoft Account). The Passport framework allows enterprise IT managers, developers, and website admins to provide a more secure alternative to passwords. During the authentication process, no password is sent over the wire or stored on remote servers, cutting off the two most common avenues for security breaches.

This is, presumably, the Next Generation Credential capability that has been built into Windows 10 previews since last October but not available for use. This Microsoft video offers a few additional details.

The introductory post is vague on technical details, but it pointedly notes that Windows Hello uses biometric information "plus your device" as the keys to unlock devices, apps, data, and online services. That suggests there's an initial enrollment process required, which in turn allows the device to act as one factor in a multi-factor authentication regime.

The technology is "opt-in," and the biometric signature is secured locally on the device (perhaps as part of the Trusted Platform Module) and never transmitted over the network.

Microsoft claims that Windows Hello will offer "enterprise-grade security" suitable for use by government agencies and companies in the defense, financial, healthcare, and other regulated industries.

The new "Passport" APIs will work with enterprise Azure Active Directory services at launch, Microsoft says, and will also work with services that support the FIDO alliance.

To avoid common spoofing techniques, Microsoft claims that the new technology will use "a combination of special hardware and software to accurately verify it is you, not a picture of you or someone trying to impersonate you. The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions."

Naturally, this feature requires hardware support. Microsoft says the new feature will be available on new Windows 10 devices that ship when the operating system is released later this fall. The company says, "OEM systems incorporating Intel's RealSense 3D Camera (F200) will support the facial and iris unlock features of Windows Hello, including automatic sign-in to Windows, and support to unlock Passport without the need for a PIN."

In addition, devices that already have a fingerprint reader will be able to use Windows Hello to unlock that device.