News

Microsoft Previewing FIDO2 Security Key Authentication with Windows 10 Spring Release

• By Kurt Mackie
• 04/18/2018

Microsoft this week announced new passwordless sign-in support, using FIDO2, that's coming to the spring Windows 10 release and now available at preview.

There's now a "limited preview" of device sign-ins using a "FIDO2 security key" via the spring Windows 10 update. The spring Windows 10 release (code-named "Redstone 4") was expected to arrive during this month's patch Tuesday security update release phase, but it's been delayed.

Fast IDentity Online 2.0 (FIDO2) is a Web authentication standard developed by the FIDO Alliance industry coalition and the Worldwide Web Consortium (W3C) with a goal of moving away from a reliance on passwords for user authentications. Instead, the FIDO specification describes a public key-private key method that purportedly thwarts "phishing, man-in-the-middle and replay attacks" using stolen passwords. The inclusion of portable private keys in the authentication scheme supposedly defers interlopers who have access to the public passwords.

The ability to test using a FIDO security key with the Windows 10 spring update is currently available via a preview waitlist sign-up process. The FIDO security key typically might be a USB thumb drive type of device with some sort of biometric means of establishing user identity, such as a thumbprint reader. A user plugs the device into the computer and then taps the device to sign into Windows 10 biometrically, without having to enter a user name or password. The FIDO security key also permits single sign-on access to services if they are Azure Active Directory-controlled.

This passwordless access method will work across all Windows 10 Azure AD domain-joined machines in an organization, without having to set up Windows Hello for each device, according to a description in this Microsoft announcement.

Windows Hello is Microsoft's biometric sign-in solution, which is now able to use FIDO2 security keys made by various hardware partners. Microsoft's announcement pointed to Yubico, HID and Feitian as collaborating partners on building security keys that will work with Windows Hello. Essentially, the partners are building so-called "companion devices," which are things like bands, cards or USB devices that enable PC access with a finger tap, a wireless transmission (Bluetooth or near-field communications) or by plugging in a device into a port. Microsoft had described early partner progress on this front last year.

FIDO2 got its start almost two years ago, when the W3C announced a standardization effort behind FIDO 2.0 Web APIs. Last week, the two organizations indicated that the Web specifications for Web Authentication (WebAuthn) and the FIDO Client to Authenticator Protocol (or CTAP, used with devices) had reached the Candidate Recommendation stage, which is one step before final approval. The user authentication works "through the browser or via an external authenticator" (such as mobile phones or USB keys), according to the W3C's announcement.

Various browser makers are implementing WebAuthn into their products for Android, Chrome OS, Linux, Mac and Windows operating systems, according to the W3C. Google is adding support in its Chrome browser. Microsoft is adding support in the Microsoft Edge browser. Mozilla is adding it to Firefox.

At some future point, the FIDO Alliance plans to certify "servers, clients and authenticators" for adherence to FIDO2 specifications. It's also working on a "Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO, UAF, FIDO U2F, WebAuthn, CTAP)," according to the W3C announcement.