Microsoft is rolling out a change in minimum hardware requirements for Windows 10 PCs and mobile devices, and expects hardware makers to comply in order to make their devices more secure.
Starting Thursday, PC makers should include a hardware-based security feature called TPM (Trusted Platform Module) 2.0 in Windows 10 PCs, smartphones and tablets.
The TPM 2.0 feature will be beneficial for users as it will do a better job of protecting sensitive information on a PC. A TPM 2.0 security layer -- which can be in the form of a chip or firmware -- can safeguard user data by managing and storing cryptographic keys in a trusted container.
Microsoft wants to kill passwords with a biometric authentication feature called Windows Hello, in which users can log into a PC via fingerprint, face or iris recognition. A TPM 2.0 chip is important to Windows Hello as it generates and stores the authentication keys in a secure area.
TPM 2.0 could also make two-factor authentication via Microsoft Passport -- which could use biometric and pin-based authentication -- a common feature in Windows 10 PCs. The Passport feature could be used to log into websites, applications and other services.
Microsoft has said TPM isn't needed for Windows Hello, but recommends the security layer to protect biometric login data. TPM chips can be hard to hack, and do a better job protecting sensitive information than the software-based mechanisms that would otherwise be used to protect Windows Hello login data.
TPM definitely provides a security improvement in laptops, and is an excellent protection for encryption keys and other critically important data needed for authentication on the PC, said Kevin Murphy, vice president of operations at security company IOActive.
"Since it is hardware based rather than software based, the keys are not exposed to the PC memory. PC memory is a common venue for attackers to scrape intellectual property resident in the memory, which is usually the main purpose of the attack," Murphy said.
However, using the TPM does not protect the encryption keys from being manipulated by an attacker. If an attacker "owns" the machine -- for example by spoofing an authorized user -- the TPM will answer any request as it normally would to the legitimate user.
"It will not know the difference. The advantage in this scenario is that the attack is limited to the current attack and cannot steal the keys for a future attack," Murphy said.
It is possible to break TPM chips, but it would be a difficult attack, likely requiring a tremendous amount of skill, equipment, time, and investment, Murphy said.
Sign up for CIO Asia eNewsletters.