But the way you might first see FIDO 2.0 showing up in your business is via Windows 10. The Microsoft Hello technology in Windows 10 uses biometrics like facial recognition, fingerprints and – with Windows Mobile phones – iris scanning to sign you into your account. And the Microsoft Passport two-factor authentication built into Windows 10 can use that biometric verification (which doesn’t roam between devices and is never sent to a service) instead of a PIN to unlock cryptographic tokens (also stored in secure hardware on the device) that log you into services – replacing both passwords and physical smart cards.
The combination means there is no password or shared secret sitting on a server for an attacker to steal or leak. And unlike smartcards, you don’t need a PKI to deploy credentials to devices; because Passport is built into Windows 10, just setting up a Microsoft account in Windows enables Passport.
If that sounds familiar, it’s because those are the principles of FIDO, and because Microsoft – along with Google, PayPal and Nok-Nok Labs – is behind the key specifications submitted for FIDO 2.0.
“We are on a mission to replace passwords with strong, user-friendly authentication for consumers and businesses alike, for all the devices people use every day against all the services people use every day,” says Microsoft’s Chris Hallum. “We designed Microsoft Passport for this purpose, but we wanted to solve the challenge beyond just Microsoft devices. Participating in FIDO and contributing all of the Microsoft Passport specifications to the FIDO 2.0 working group will help reach our shared goal of strong authentication everywhere.”
Passport at work
With Windows 10 Pro and Enterprise, you get Microsoft Passport for Work, an “enhanced” version that lets you choose the PIN strength and enforce what biometrics you trust centrally.
For your users, it means they can sit at their computer or pick up their phone, and be logged into your network, the enterprise services they’re supposed to have access to, and even their bank account, without ever typing in a password they could forget or having to remember to carry a hardware dongle they can lose or leave at home.
The FIDO 2.0 specifications aren’t finished yet. Microsoft calls Windows 10 “a reference implementation of the concepts” and plans to make sure it complies with FIDO 2.0 once it’s complete (which Hallum suggests will be “in the coming year”). Microsoft is also planning to add the device-to-device feature, which it calls remote unlock, and have it work with all FIDO devices. “Microsoft Passport was designed to give users and the hardware ecosystem choices,” Hallum says. “In the future, users will be able to use a FIDO-compliant device (a phone, a fob, or a wearable) to seamlessly unlock their Windows PC and authenticate to Web services, pay for purchases or any number of other authentication activities.”