Microsoft talks more about adding Windows Hello support to the Edge browser

Microsoft is currently testing Windows Hello support in Insider builds of Windows 10's Microsoft Edge browser. The company is now revealing more about those plans, including how website developers can add support for the feature to their sites.


Microsoft states:

In order to authenticate a user, the server sends down a plain text challenge to the browser. Once Microsoft Edge is able to verify the user through Windows Hello, the system will sign the challenge with a private key previously provisioned for this user and send the signature back to the server. If the server can validate the signature using the public key it has for that user and verify the challenge is correct, it can authenticate the user securely. These keys are not only stronger credentials – they also can't be guessed and can't be re-used across origins. The public key is meaningless on its own and the private key is never shared. Not only is using Windows Hello a delightful user experience, it's also more secure by preventing password guessing, phishing, and keylogging, and it's resilient to server database attacks.

Microsoft says site developers can use the Web Authentication API to begin prototyping and testing Windows Hello support in Edge. The company is working with both the FIDO Alliance and the W3C Web Authentication working group to standardize these APIs so that all websites can benefit from the additional security they provide.

  • "resilient to server database attacks" - what does this mean exactly?
  • If I understand correctly: They're saying if a server was hacked and information were leaked, the credentials would be useless to any attacker, because the authentication has been encrypted with the user's private key. It's not useful information, it would just appear as a random string of characters if viewed in plain text. That's how I understand it. But I'm not really sure how it's any "more" secure. If someone is managing their database correctly: Details like passwords should be protected in a very similar way. Maybe this decreases the bar of entry, and makes it easier to implement for newer developers? I don't know. Anyone who manages a database want to chime in?
  • Well even when passwords are hashed they give hackers a target to work towards. They can use offline brute-forcing to try to find the password that will reproduce the hash. It's a slow process, but not impossible. It would appear that with Hello this would be useless because the private key is not stored in the server but instead with the user (if I understand correctly).
  • Hmm, that does seem to make sense. Pretty good stuff then, if we're understanding it correctly. Now my only concern is how this is expected to work across multiple devices. If the private key is being stored on the device: How are we supposed to use it across multiple devices (i.e. a person who has a Windows Mobile device, a Windows tablet and a Windows desktop)? Yes: The obvious answer is sync it via the cloud, but this also seemingly defeats the premise of Windows Hello being done entirely on-device, without sending any info to Microsoft's servers. I'm not saying I don't trust Microsoft, but we need to be absolutely assured the private key is well-protected. After all, I assume it has to be cloud-synced even when only using one device. Otherwise: What happens when your laptop crashes and you need to migrate to a new machine? If you can't pull that private key down from the cloud, will you be locked out (using Windows Hello, that is; I'm sure websites will continue using traditional passwords as a fallback for many more years to come)? Again, not really concerned as much as curious. I want to know what exactly it's doing, how it all works, and how it all comes together. More documentation from Microsoft would be fantastic, and I assume we'll get some more leading up to its public release.
  • The private key is stored on your device only; it's nowhere in the cloud.
  • Possibly the keys are stored with Microsoft? That would still provide the same security in the case that a site's database is hacked, but makes Microsoft the attack vector. I'm not sure though, I'd have to look into it.
  • Maybe there's something built in to the code the website would implement that allows multiple credentials for each user. That way there's a different key for each device, but all still tied to the same user? Posted via the Windows Central App for Android
  • That's what I was thinking. Have multiple keys assigned to a single account, similar to how 2-Factor Authentication special passwords work (i.e. on your Microsoft account, if you have 2-Factor Authentication enabled and a log-in doesn't support the codes, you have to use a special password generated by Microsoft). I'm thinking there's a similar principle here, where you can add and remove different devices. Which I guess would mean that you'd have to log in with a typical username and password if you ever switched devices, but that's not really a problem. Can't expect to suddenly get rid of passwords overnight.
  • Yeah, that's how it works with GitHub. I can add as many SSH keys as I want for each terminal application I remotely access it from. And they're sometimes added automatically, depending on how I access it, so it could be done.
  • Kinda like no Ashley Madison leaks :p
  • Awesome feature
  • I wonder if sites like Facebook will ever use Windows Hello.
  • What if somebody forcefully made someone use this Windows Hello feature for a bank account fund transfer?
  • You mean if the bank forced it? Then they would lose business, but it might encourage a few people to get Windows devices. +640/Win 10
  • I don't know if they would lose business if they implement it correctly. My bank takes a picture of me periodically and when I go to a teller they look at my photo and make sure it's me. You could do the same thing with an ATM (possibly running W10 IoT) and a RealSense camera. The user will have to register at some point, and then the image is in the database so it works across all ATMs in the network. I think it would be expensive, and a pain to sign up for, but I don't imagine a lot of business would be lost.
  • Less likely and harder than password hacking.
  • Super awesome
  • What I don't get is why can't they just integrate Windows Hello into Edge's password manager? Then you could choose to save a password for a site, but only have it autofill after it's authenticated you. That way you don't need each and every site to approve this feature, it would work pretty much everywhere.
  • That's honestly what I thought it was going to be when they first announced it. This seems pretty neat, but I would also appreciate Windows Hello being required for password auto-fill as a backwards-compatibility type thing in the meantime.
  • I'm sure it will be coming, but it doesn't go any way to making the web more secure and lessening our reliance on passwords, which is what Microsoft really wants to achieve. Password managers are around because passwords are a terrible way of keeping things secure. Microsoft is again trying to find out what the next revolution is rather than just trying to fix the symptoms of the current paradigm.
  • Yes, but that would be redundant because you already signed in to Windows using Hello. I personally don't want to be bothered again and prefer having my passwords there.
  • Wait, what? You don't want to be bothered with using Windows Hello again but don't mind filling in your passwords? Posted from WC 920, 1520, 920, 635, 640 or 950XL
  • That's a separate issue from what they are proposing here. While that would be a nice feature, it still leaves the authentication process on the server the way it is. If a site uses a weak process, or the user's password is weak, the password manager will still be vulnerable. This replaces that weak link with a way of more securely telling the site that you are who you claim to be.
  • That is a good idea, though it is only a makeshift solution. Kinda like a Lumia 950 to the Surface phone. They don't want us to have many passwords to begin with, in the future. Just a Windows Hello enabled Microsoft Passport of sorts. It is a good problem to solve. And your suggestion is a nice tradeoff to have in the meantime.
  • This is something that could make me change to Edge. It's exactly how passwords in the web should be handled.
  • I really hope that it is blatantly obvious that it is Edge making the request for Windows Hello, as I can see people being tricked by this type of popup. Shoot, I know of people being tricked by websites and UAC requests.
  • brilliant
  • I think this is a great idea, because now when a site has e.g. a Basic authentication challenge, the browser pops up a user ID & password dialog, and it could be autofilled using Hello. Of course the user needs to input it manually once, but Hello will autofill it later on :)