In-Depth

Critics Skeptical of the Latest Microsoft Biometric Push

Does Microsoft's Windows Hello biometric login system avoid the security pitfalls that plague traditional passwords?

• By Jeffrey Schwartz
• 05/19/2015

It's hard to dispute passwords today are a weak form of securing data and access to systems, and Microsoft's latest effort to put them to pasture has earned the company praise from many security experts, but skeptics question if the company's new Windows Hello and Passport combination are the answer to the problem.

Critics of Windows Hello say Microsoft once again is late to the party on a technology that Apple Inc. has started to make popular when releasing touch-based authentication on its iPhone and iPad devices. Windows Hello also isn't Microsoft's first attempt to bring biometric authentication to the masses. More than a decade ago, Microsoft developed support for fingerprint scanners in Windows PCs, but only the most expensive systems were equipped with them and the technology wasn't consistent or reliable. Apple's biometric authentication works well to unlock devices and access the Apple Store, but that's as far as it goes right now, though early success of Apple Pay suggests that's about to change. Even though Windows Hello and Passport offers more varied biometric authentication than Apple fingerprint authentication, several detractors raised concerns that Windows Hello and Passport -- if there are holes in the technology -- could do more harm to those whose identities are stolen than compromised passwords.

"Broadly, it's a good thing to do, however, if you can break any part of the stack it can be extraordinarily bad, so I hope they do a good job securing it," says Simon Crosby, CTO and founder of Bromium, which offers an endpoint security solutions that create hardware- and software-based micro virtual machines for each computing task.

"I'm candidly worried about it," adds Morey Haber, vice president of technology at BeyondTrust Inc., a provider of privilege management software. "If someone steals your likeness, what can they do with it? Their facial recognition in Windows Hello is not a photo, it's infrared, it's other details but that has to get stored somewhere for comparison. Currently, and theoretically, there's no way to steal it. But what if they did? It's not like a password or even a government DOD CAC [two-factor authentication] card, where if it's compromised, they replace it and you get a new certificate. But if it's biometrics, you can't replace your face, your body or anything else. Can you ever stop someone from stealing that likeness?"

Dustin Ingalls, group program manager for enterprise and security in the Microsoft Operating Systems Group, looks to reassure skeptics such as Haber, explaining user likeness is never transmitted over a network, nor can it be compromised from a device. "When you enroll your biometric on a Windows device, we do feature extraction -- you can think of it as a one-way hash of your image," Ingalls tells Redmond. "It's basically the equivalent of a protected PIN, it's totally useless, unless I steal the device. If an attacker gets an incredibly high-fidelity image, it still doesn't do them any good."

While Windows Hello and Passport could usher in the replacement of passwords, there are a number of variables that must play out. For one, while most major OEMs have promised to release various forms of biometric-capable hardware to their new Windows 10-based systems, it remains to be seen if it's only added selectively to high-end machines or to what extent it becomes pervasive. Another key question is whether it will merely offer authentication to the devices, Windows Live and Active Directory, or whether Web site operators and payment processors will also support it. It's not a technical issue, according to Ingalls, who says it just requires a simple API call.

Because Passport supports the Fast Identity Online (FIDO) specifications, Ingalls says critics can't say it's limited to Windows only, because 200 hardware and software vendors are members of the FIDO Alliance. But that doesn't mean ISVs and Web sites will jump on the bandwagon immediately to support it. Also, two key companies aren't members of FIDO -- Apple and Amazon.

Brett McDowell, executive director of the FIDO Alliance, is hopeful that if the FIDO standard is broadly adopted, holdouts will ultimately support it, but even if they don't, there are plenty of third-party alternatives to enable interoperability. McDowell believes Microsoft's support is significant: "They're actually introducing authentication options right out of the box, but they have that standards-compliant piece, so all of the other authenticators will work with it," he says. "Windows 10 is a model for all platform providers. They have it right in the operating system, it will be interoperable with the rest of the ecosystem and they're providing some of their own solutions to bootstrap the experience."

Arshad Noor, CTO of StrongAuth Inc., a cryptographic solutions provider, believes Microsoft's embrace of FIDO in Windows Hello and Passport will have a tail effect. "They will legitimize the market," Noor says. "They will force everybody to start going toward FIDO." Jerrod Chong, vice president of solutions engineering at Yubico, a supplier of USB multi-factor authentication hardware, which kicked off the FIDO standardization effort, believes interoperability is the only way to ensure biometric authentication becomes widely implemented in devices, software and Web sites.

"You can have the best local authentication, but if it doesn't work with anybody else, it's not really useful," Chong says. "So when you start to standardize the actual authentication protocols, where I have a Windows device and I want to work with a bank, if the bank supports this protocol then I don't need to build this type of custom proprietary stack. That model, frankly, has not existed in the lifecycle of authentication protocols. Everybody was doing their own thing. Like I did my thing with my bank, you did your thing with your machine to your bank, it doesn't scale. Passport has the engine and the intelligence."

Still, many will take a wait-and-see approach. "I think Microsoft has done a lot of good things in Windows 10, but I don't know if Hello and Passport will completely change the use of passwords right way, because users have many devices they work on," says Steve Grobman, an Intel Corp. fellow and chief technology officer with the Intel Security Group. "But Microsoft is definitely taking steps in the right direction. "Intel is peddling its own authentication alternative, TrueKey, announced at the January Consumer Electronics Show and now in preview. "TrueKey is a capability that's aimed at solving the password fatigue problem," Grobman says. "It is a password manager, but also linked into biometrics, because we know that users are really frustrated with the whole password scenario."

Bromium's Crosby says Hello is an important effort, though not a panacea for the most sensitive of systems. "If anyone can use it, it would make the world better," he says. "Is it useful for military grade security? No."