Slashdot Mirror


Windows 10 Update Will Support More Password-Free Logins (engadget.com)

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.

66 comments

  1. Something you have and something you know by Hasaf · · Score: 3, Informative

    From the summary it looks like they are reverting to only using something you have, which is, normally, a lower level of security.

    1. Re:Something you have and something you know by gravewax · · Score: 4, Interesting

      For the average home user that reuses passwords with names and birthdays or simple repeated phrases it is a massive security improvement. For someone that understands the consequences of bad password management, password strength and reuse it is a decrease. The reality is that for decades we have all tried to teach password health and for decades users have failed to learn. Not sure if it is us IT people to blame or the users; either way it means passwords are very, very weak security for a large percentage of the population.

    2. Re:Something you have and something you know by Anonymous Coward · · Score: 1

      we need tongue print scanners

    3. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      Maybe they think that "something you know you have" is stronger than "something you have" and "something you know".

    4. Re:Something you have and something you know by DontBeAMoran · · Score: 2

      Computers are to blame. What used to be good enough is now easy to bypass because of increasing computer power. You think your random 64-character password is safe? Wait until quantum computers become commonplace.

      --
      #DeleteFacebook
    5. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      This isn't for home users. The summary even states that.

    6. Re:Something you have and something you know by Anonymous Coward · · Score: 5, Informative

      You think your random 64-character password is safe?

      Not just the number of random characters... I've recently found a few websites that ignore password case altogether so it would be even easier to brute force a password now than it should be. I would hope that they look for brute force attacks but since they go so far as to ignore password case I wouldn't be so sure.

      I'm looking at you americanexpress.com

    7. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      From the summary it looks like they are reverting to only using something you have, which is, normally, a lower level of security.

      If the point is to prevent people from being able to leak keys, even unintentionally, or replay attacks FIDO can be more secure because only the device ever has the private key. Nitrokey for signing is actually an improvement over regularly signing for a similar reason and why Linux developers are getting them. Yes, preferably FIDO + password would be an option, and it definitely depends on the implementation--the article implies this is more for corporations and verification is done through a central authority, which makes it seem less useful.

      For most home users, though, having a physical key to lock out small children from an admin/privileged account would probably be very useful. Passwords would probably be less useful because children can readily duplicate your keystrokes. :)

    8. Re:Something you have and something you know by taustin · · Score: 2, Funny

      Because you like licking your computer? You don't know who else has licked it, you know. It's like you're licking everyone who has ever used that computer.

      I'm gonna go set up a Kickstarter for tongue condoms. I'll be rich!

    9. Re:Something you have and something you know by Obfuscant · · Score: 1

      You think your random 64-character password is safe? Wait until quantum computers become commonplace.

      My password will be safer then. All the bad guys will be trying to break into the fancy new quantum computers instead of my 386 desktop with a 64-character password.

    10. Re:Something you have and something you know by Calydor · · Score: 2

      It's neither the users nor the IT people. The IT people taught the lesson, many users learned it.

      The thing is that typing a STRONG password with seemingly random lower and upper case characters, numbers, and signs, all while effectively blindfolded, is hard. Do it wrong a couple of times? Congrats, now you're locked out. Oh, and you have to do it a dozen or more times a day.

      Is it any wonder people settle for a good-enough password that they can easily remember and actually feel if they're typing it wrong, e.g. the name of a pet?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    11. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      I think it's an improvement. People are terrible with passwords but mostly good with car/house keys: just make it look like a key, give it a keyring attachment and let people treat it like they treat their keys and things will be a lot more secure than the present "password = some easy to guess name, used everywhere, with a few numbers at the end if required" arrangement.

    12. Re:Something you have and something you know by skids · · Score: 1

      Yes, preferably FIDO + password would be an option

      If history repeats itself, people will just fight over whether to use passwords OR something else, and every major consumer implementation will make configuring both painful if not impossible. Witness every OS WPA supplicant save for wpa-supplicant, and every OS IKEv2 client save for strongswan.

    13. Re:Something you have and something you know by sexconker · · Score: 1

      I had this checked. It's true. WTF Amex?

    14. Re:Something you have and something you know by skids · · Score: 2

      If your system is using the right algorithms, your random 64-bit character password should be as safe as a random 32-bit password was pre-quantum. Quantum computers have theoretical limits.

    15. Re: Something you have and something you know by Anonymous Coward · · Score: 2, Funny

      Yes, but some sites like Slashdot are better. Passwords typed out in the comments section are starred out, for example: My password is ************.

    16. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      You think your random 64-character password is safe? Wait until quantum computers become commonplace.

      My SysAdmin only allows 10-character pwds, you insensitive clod!

    17. Re: Something you have and something you know by Junta · · Score: 3, Funny

      you can go hunter2 my hunter2-ing hunter2

      Even the name is relevant.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    18. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      So as usual, if the topic involves the real world, we continue to default to making sure people actually understand consequences and enforce accountability when physical doors are left unlocked. We expect people to be able to identify which physical keys open which physical doors.

      Meanwhile, as usual, if the topic involves the digital world, we continue to default to making sure people don't have to understand any consequences and to never enforcing accountability when digital locks are left open. We expect the technology to free us from this burden.

      Physical keys are a burden yet we use them. Digital keys are a burden, sure, but they get a pass. Instead, blame the technology and by implication the people that set it up. That is just like blaming locks and the people that install them when you fail to actually lock the door or insist on the same key for everything.

      I do blame technical people for many, many things - I'm one myself and I know it is our fault in many situations. However, understanding the similarity between how usernames/passwords relate to accounts and how keys relate to locks really isn't that difficult. Sure, replace usernames/passwords with an all-account smartcard/PIN. Usernames/passwords were 'too hard', now PINs are 'too hard' and inserting/swiping the card is 'too hard'. Another round of 'solving the problem' via more dumbing down.

      Do you expect me to help you regress to cutting your meat and whipping your ass for you as well? Somehow I'm the asshole because rather than just washing your hands for you I point out that you are perfectly capable of doing it yourself yet you refuse pretending you don't know how? Maybe you don't actually know how to wash your own hands - how is it that this ends up reflecting poorly on me rather than you? This after the first sentence into every conversation we've had is a statement about how much you DON'T know and about how OK that is? At what point will YOU be the one that has unreasonable expectations?

      The tech side does have its failings but 'users' have been given a default pass for WAY too long. If a facilities department were to dumb things down to the same level as expected for IT, there would be no locks on any door anywhere on planet Earth. At the same time, facilities would be able to successfully argue how it wasn't their fault because nobody would be able to get away with playing dumb about a physical lock. IT, however, would be blamed for essentially the same failure because everyone can still get away with 'Not my fault, I don't 'get' computers - that's your job.' Management doesn't care either; they have a black sheep because 'it's on a computer' so they don't have to deal with what is actually a management/HR/training issue.

      It doesn't matter why people can't or won't learn to deal with concepts that really aren't complicated. Neither laziness nor simple stupidity deserves encouragement.

      FUCK. YOU.

    19. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      Computers are to blame. What used to be good enough is now easy to bypass because of increasing computer power. You think your random 64-character password is safe? Wait until quantum computers become commonplace.

      You often seem to be in the habit of posting what "sounds good" without having the necessary knowledge and understanding of underlying issues.

      The fact of the matter is that the notion that finding hash collisions will be treated to quantum speedups, should code-breaking quantum computers ever become viable, is completely without merit even for shit algorithms like MD5.

      Please look before you leap to conclusions.

    20. Re: Something you have and something you know by Anonymous Coward · · Score: 0

      Not everyone knows how to set up a YubiKey (or similar).

    21. Re:Something you have and something you know by gravewax · · Score: 1

      Most enterprise users are home users, at least when it comes to how they manage and use passwords. This is a constant battle in the enterprise and we are not winning. Users take the easy way out.

    22. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      Back in the real world we need to secure shit. I work at places where the policy is: first time bad password hygiene, you are on a 1-week security training re-education and have a security breach recorded against your name; second breach, you're out the door. Yet every quarter when they run that re-education the class is full, and every year people are let go because of their poor security habits. Consequences don't change this behaviour; everyone thinks they won't get caught.

    23. Re:Something you have and something you know by arglebargle_xiv · · Score: 1

      I've seen a preview of the new passwordless login, if you get your password wrong three times it says "Pardon me... Have you forgotten your password? What password would you like?" and you (or anyone else) gets to change it to something more memorable.

    24. Re: Something you have and something you know by craigtp · · Score: 1

      They're coming right after the flying cars, right?

    25. Re:Something you have and something you know by Memnos · · Score: 1

      And a 64-character password will be even safer.

      --
      I don't trust atoms -- they make up stuff.
    26. Re:Something you have and something you know by Anonymous Coward · · Score: 0

      Never heard of passphrases? They have more entropy than a password that you can remember (i.e. a short one). A passphrase can be "tiny gates eating celery sticks", or even better "tiny gates neating kelery sticks".

    27. Re: Something you have and something you know by DontBeAMoran · · Score: 2
      --
      #DeleteFacebook
    28. Re:Something you have and something you know by skids · · Score: 1

      Yeah, I noticed that last night after hitting submit. Point stands.

    29. Re:Something you have and something you know by Memnos · · Score: 1

      Yep.

      --
      I don't trust atoms -- they make up stuff.
  2. Oh... by the_skywise · · Score: 2

    We've rediscovered java rings I see...
    https://www.javaworld.com/arti...

    1. Re:Oh... by ctilsie242 · · Score: 1

      Those were cool for their time. I knew one dot.com that used those instead of contactless badges for door entry because they didn't trust RFID transponders.

    2. Re:Oh... by Anonymous Coward · · Score: 0

      Except for the java branding, the iButton is a pretty neat idea. A bit clunky on a plastic stick but decent on a ring. Too bad the company backing them fucked up worse than ibm so the idea never really took off.

    3. Re:Oh... by Anonymous Coward · · Score: 0

      "extremely secure Java-powered"

      Hahahaha

  3. So... by r1348 · · Score: 1

    ...nothing new?

    1. Re:So... by Anonymous Coward · · Score: 0

      Marketing. They're on the bandwagon so they gotta signal that to the world, you know.

      On the one hand, reinventing PAM, badly, is what redmond and now googlesoup like to do best. Both companies have NIH in their DNA. On the other hand, the motivation means that it's yet another uefi secure boot/palladium/tpm/what-have-you, something to take control away from you. Passwords, as bad as they are, are still a better idea than anything redmond and teh zuck and googlesoup and all the others have come up with. That is, from your perspective. From their perspective, anything else is better.

      So it's happening. Just like windows 10 is happening. Doesn't make it a good idea, but it's happening.

    2. Re:So... by dog77 · · Score: 2

      What is new is that many companies got together and created a standard protocol for general purpose authentication. If adopted, it will allow the authentication to happen where the user decides it is convenient and safe (e.g. secure password manager device). Right now, the general state of things is that authentication typically takes place in the application and in a manner that the application decides. You have to trust that the application was designed in a safe manner and that it will not leak your secrets. Think of this as what the SSL standard did for encrypted communications. SSL makes it easy for an application to do encrypted communications in a secure manner. FIDO makes it easy for an application to do authentication in a secure manner.
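
The two points made above, in comment 7 of the first thread (only the device ever holds the private key, so a captured login cannot be replayed) and in dog77's description of FIDO as a standard challenge-response protocol, can be seen in a small model of the exchange. This is an added example, not code from the thread or from the FIDO specifications: it assumes a simplified signed-message layout (the hash of rpIdHash || challenge rather than WebAuthn's authenticatorData || sha256(clientDataJSON)), a hypothetical relying-party id such as `login.example.com`, and Go's standard-library ECDSA standing in for a real security key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a FIDO2 security key: the private key is generated on the
// device and never leaves it; only signatures over fresh challenges come out.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is what the device hands back: the data it signed plus the signature.
type Assertion struct {
	RPIDHash  [32]byte // sha256 of the relying-party id; binds the key to one origin
	Challenge []byte   // server-issued nonce, echoed back
	Sig       []byte   // ASN.1 ECDSA signature over digest(RPIDHash, Challenge)
}

// digest is the value that gets signed. Real WebAuthn signs authenticatorData ||
// sha256(clientDataJSON); hashing rpIdHash || challenge is this example's assumption.
func digest(rpIDHash [32]byte, challenge []byte) []byte {
	h := sha256.New()
	h.Write(rpIDHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert answers a login request by signing the challenge; the key stays inside.
func (a *Authenticator) Assert(rpID string, challenge []byte) (Assertion, error) {
	h := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(h, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: h, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty is the server. It stores only the registered public key, so a
// database leak yields nothing a thief could log in with or replay.
type RelyingParty struct {
	ID      string
	pub     *ecdsa.PublicKey
	pending map[string]bool // outstanding challenges, consumed on first use
}

func NewRelyingParty(id string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{ID: id, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand never returns an error in current Go releases
	rp.pending[string(c)] = true
	return c
}

// Verify accepts an assertion only if its challenge is still outstanding (so a
// captured assertion cannot be replayed), it was made for this RP and not for a
// look-alike site, and the signature checks out under the registered public key.
func (rp *RelyingParty) Verify(as Assertion) error {
	if !rp.pending[string(as.Challenge)] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(rp.pending, string(as.Challenge))
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion was made for a different relying party")
	}
	if !ecdsa.VerifyASN1(rp.pub, digest(as.RPIDHash, as.Challenge), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

A second Verify of the same assertion fails because the challenge was consumed, which is the property that makes a stolen login transcript worthless, unlike a stolen password hash.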

  4. Remember, kiddies! by Locke2005 · · Score: 2, Funny

    OTHER parts of your anatomy can also be used for "fingerprint" login! (Unless you are Trump, in which case your "Little Donny" is far too small!)

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Remember, kiddies! by Anonymous Coward · · Score: 0

      Forget it. Nobody makes a scanner big enough for my Johnson.

      Maybe you can bring back fax/copier sitting!

      No two assholes are alike.

  5. AKA... by CRB9000 · · Score: 1

    Also Known As...Something you have that can be stolen that can be used to fake the computer into thinking it's you.

    1. Re:AKA... by Calydor · · Score: 1

      What is the security saying about having physical access to a machine to plug in a USB dongle?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:AKA... by sexconker · · Score: 1

      What is the security saying about having physical access to a machine to plug in a USB dongle?

      "Physical access is no access to remote resources when you still have to validate against a different remote server."
      That ol' chestnut?

    3. Re:AKA... by Anonymous Coward · · Score: 0

      Just as car keys are something that can be stolen and used to fake a car into thinking it's you?

      Nothing is perfect, but if the alternative is a user who uses MrTibbles123 as a universal password for everything then this seems comparatively not too bad.

    4. Re:AKA... by CRB9000 · · Score: 1

      Except if someone steals your car, they don't have access to your financial life.

    5. Re:AKA... by cavreader · · Score: 1

      That's why you should always use financial institutions and credit/debit cards that come with free online fraud protection. Then you are not liable for any unauthorized credit card or banking transactions.

    6. Re:AKA... by ConceptJunkie · · Score: 1

      My cat is named Mr. Tibbles, you insensitive clod!

      --
      You are in a maze of twisty little passages, all alike.
  6. Great. by Anonymous Coward · · Score: 0

    Now what am I supposed to change every three weeks that can't have more than three concurrent characters the same, be between 15 and 30 characters long, and have no repeats for a year?

  7. What is safer by Archfeld · · Score: 1

    The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:What is safer by bobstreo · · Score: 1

      The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

      Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device.

    2. Re:What is safer by Anonymous Coward · · Score: 0

      The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

      Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device.

      Wouldn't it be wiser if it switched to giving out fake information?

      Someone is holding a gun to my head.
      I give the duress password.
      Device says, "wiping data".

      Yeah, I'm going to get murdered right about then.

    3. Re:What is safer by fahrbot-bot · · Score: 1

      The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

      Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device.

      IANAL, but using it would probably generate an obstruction of justice, or destruction of evidence, charge against you.
      The law says you don't have to help LEOs, but you can't hinder.

      --
      It must have been something you assimilated. . . .
    4. Re:What is safer by Anonymous Coward · · Score: 0

      The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

      Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device.

      Too obvious. How about a duress password/etc that loads in "fake/misleading data" mode? You could have eg a drive with two encrypted partitions, password silently selects which one gets loaded, other one remains hidden (and encrypted). Or if you're really paranoid your duress password could open in fake mode and start silently nuking the "real" partition in the background, all the while looking and acting like a regular computer.

    5. Re: What is safer by Anonymous Coward · · Score: 0

      The law is also increasingly corrupt, and deserves less respect with each passing year. Chances are eventually they'll just start detaining or killing anyone they don't care for, crime or not. Given that, you'd be better off making sure they can't get crap from you, or anyone else, so you don't wind up targeted or getting those you care for targeted.

    6. Re: What is safer by c6gunner · · Score: 2

      How about a duress password/etc that loads in "fake/misleading data" mode? You could have eg a drive with two encrypted partitions, password silently selects which one gets loaded, other one remains hidden (and encrypted).

      Congrats, you just described TrueCrypt.

    7. Re:What is safer by StormReaver · · Score: 1

      The law says you don't have to help LEOs, but you can't hinder.

      Or how about developing systems that work only on something you know (passwords), which can't be compelled, and induce a complete wipe if authenticating with something you have (which can all be compelled). Naturally, architect the system with no back doors or failsafes.

      Then, in court, you argue against having to provide the "something you have" on the grounds that it violates your rights. When you inevitably lose, the courts compel you to use the "something you have". Then, when the wipe is done and there is nothing left, there is nothing for the courts to charge you with; you complied with all court orders.

      If they had the foresight to ask you ahead of time if such a mechanism exists, you invoke your fifth amendment right against self-incrimination. After all, it's well known that law enforcement and the court system view self-protection mechanisms as a de facto indication of guilt (even today, they promote the idea that only criminals want unbreakable encryption), so you're covered.

      If they don't have the foresight to ask you ahead of time, you're still covered. You didn't lie about anything, and you're not obligated to volunteer any information which could be used against you.

    8. Re:What is safer by Archfeld · · Score: 1

      You have a legal right to refuse to provide a password under your 5th amendment rights. Purposefully wiping the drive would get you an obstruction of justice charge. You can refuse to speak but lying is a crime. When in doubt just do nothing.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
  8. 2009 just called by scdeimos · · Score: 1

    They want their SmartCard Authentication technology back. FIDO itself has been around since 2013.

  9. What they really mean: by techno-vampire · · Score: 1

    They're replacing something that you can forget with something that you can lose or have stolen.

    --
    Good, inexpensive web hosting
  10. I work for Microsoft. by Anonymous Coward · · Score: 0

    I already have a password-free login for your Windows 10 machine.

  11. Password expiration by Anonymous Coward · · Score: 0

    And then you are unable to change your password when it expires because you have forgotten it, having left the password unused for 3 months after it was changed. Happens too often at the office running all Windows 10 PCs with PIN login enabled.

    1. Re:Password expiration by Anonymous Coward · · Score: 0

      Disable pin login? Cause why would you want to allow users to access their computer with a 4 digit numeric password?

      Let me guess, you guys don't deal with audits.

  12. FIDO? by PPH · · Score: 1

    On the Internet, nobody knows you are a dog.

    --
    Have gnu, will travel.
  13. Retina anyone ?? by rojash · · Score: 1

    What happened to retina scan ?

  14. Most people are idiots, apparently by Anonymous Coward · · Score: 0

    The very fact that so-called adults can't even create secure passphrases (not passwords), can't write them down in a password book, or remember three or four words (i.e. a passphrase) is very depressing. So everything has to be dumbed down to the lowest degree because of the stupidity of so many people.

  15. Fingerprint reading support by DrXym · · Score: 1

    I got a new laptop recently with a fingerprint reader integrated into it. It is very cool how I can just place a finger onto the laptop and Windows 10 automatically knows who I am and logs me in. There are obvious pros and cons to this, but it suits my purposes.

    However... fingerprint setup requires me to enter a secondary PIN code, presumably so if it can't read my print after a number of tries it can challenge for the PIN. This seems extraordinarily dumb to me because I already have a password it could prompt for, and a PIN is far weaker than a password. A chain is as strong as the weakest link. Even if I fail the fingerprint, it should challenge for the password next, or at least allow me to set my policy that way.

    I wonder what logic MS is going through to use a PIN here. Are they thinking of integrating print readers into phones or payment systems or something? I can see the merit of a PIN challenge there. I don't see the merit on a Windows device.

  16. Microsoft's Windows is and always was just a toy. by Anonymous Coward · · Score: 0

    Microsoft's Windows is and always was just a toy.
    A broken one.
    For rather retarded kids.