Slashdot Mirror


Windows 10 Update Will Support More Password-Free Logins (engadget.com)

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.

42 of 66 comments

  1. Something you have and something you know by Hasaf · · Score: 3, Informative

    From the summary it looks like they are reverting to only using something you have, which is, normally, a lower level of security.

    1. Re:Something you have and something you know by gravewax · · Score: 4, Interesting

      For the average home user that reuses passwords with names and birthdays or simple repeated phrases it is a massive security improvement. For someone that understands the consequences of bad password management, password strength and reuse it is a decrease. The reality is for decades we have all tried to teach password health and for decades users have failed to learn, not sure if it is us IT people to blame or the users, either way it means passwords are very very weak security for a large percentage of the population.

    2. Re:Something you have and something you know by Anonymous Coward · · Score: 1

      we need tongue print scanners

    3. Re:Something you have and something you know by DontBeAMoran · · Score: 2

      Computers are to blame. What used to be good enough is now easy to bypass because of increasing computer power. You think your random 64-characters password is safe? Wait until quantum computers become commonplace.

      --
      #DeleteFacebook
    4. Re:Something you have and something you know by Anonymous Coward · · Score: 5, Informative

      You think your random 64-characters password is safe?

      Not just the number of random characters... I've recently found a few websites that ignore password case altogether so it would be even easier to brute force a password now than it should be. I would hope that they look for brute force attacks but since they go so far as to ignore password case I wouldn't be so sure.

      I'm looking at you americanexpress.com

    5. Re:Something you have and something you know by taustin · · Score: 2, Funny

      Because you like licking your computer? You don't know who else has licked it, you know. It's like you're licking everyone who has ever used that computer.

      I'm gonna go set up a Kickstarter for tongue condoms. I'll be rich!

    6. Re:Something you have and something you know by Obfuscant · · Score: 1

      You think your random 64-characters password is safe? Wait until quantum computers become commonplace.

      My password will be safer then. All the bad guys will be trying to break into the fancy new quantum computers instead of my 386 desktop with a 64-character password.

    7. Re:Something you have and something you know by Calydor · · Score: 2

      It's neither the users nor the IT people. The IT people taught the lesson, many users learned it.

      The thing is that typing a STRONG password with seemingly random lower and upper case characters, numbers, and signs, all while effectively blindfolded, is hard. Do it wrong a couple of times? Congrats, now you're locked out. Oh, and you have to do it a dozen or more times a day.

      Is it any wonder people settle for a good-enough password that they can easily remember and actually feel if they're typing it wrong, eg. the name of a pet?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    8. Re:Something you have and something you know by skids · · Score: 1

      Yes, preferably FIDO + password would be an option

      If history repeats itself, people will just fight over whether to use passwords OR something else, and every major consumer implementation will make configuring both painful if not impossible. Witness every OS WPA supplicant save for wpa-supplicant, and every OS IKEv2 client save for strongswan.

    9. Re:Something you have and something you know by sexconker · · Score: 1

      I had this checked. It's true. WTF Amex?

    10. Re:Something you have and something you know by skids · · Score: 2

      If your system is using the right algorithms, your random 64-bit character password should be as safe as a random 32-bit password was pre-quantum. Quantum computers have theoretical limits.

    11. Re: Something you have and something you know by Anonymous Coward · · Score: 2, Funny

      Yes, but some sites like Slashdot are better. Passwords typed out in the comments section are starred out, for example: My password is ************.

    12. Re: Something you have and something you know by Junta · · Score: 3, Funny

      you can go hunter2 my hunter2-ing hunter2

      Even the name is relevant.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    13. Re:Something you have and something you know by gravewax · · Score: 1

      Most enterprise users are home users, at least when it comes to how they manage and use passwords. This is a constant battle in the enterprise and we are not winning. Users take the easy way out.

    14. Re:Something you have and something you know by arglebargle_xiv · · Score: 1

      I've seen a preview of the new passwordless login, if you get your password wrong three times it says "Pardon me... Have you forgotten your password? What password would you like?" and you (or anyone else) gets to change it to something more memorable.

    15. Re: Something you have and something you know by craigtp · · Score: 1

      They're coming right after the flying cars, right?

    16. Re:Something you have and something you know by Memnos · · Score: 1

      And a 64-character password will be even safer.

      --
      I don't trust atoms -- they make up stuff.
    17. Re: Something you have and something you know by DontBeAMoran · · Score: 2
      --
      #DeleteFacebook
    18. Re:Something you have and something you know by skids · · Score: 1

      Yeah, I noticed that last night after hitting submit. Point stands.

    19. Re:Something you have and something you know by Memnos · · Score: 1

      Yep.

      --
      I don't trust atoms -- they make up stuff.
  2. Oh... by the_skywise · · Score: 2

    We've rediscovered java rings I see...
    https://www.javaworld.com/arti...

    1. Re:Oh... by ctilsie242 · · Score: 1

      Those were cool for their time. I knew one dot.com that used those instead of contactless badges for door entry because they didn't trust RFID transponders.

  3. So... by r1348 · · Score: 1

    ...nothing new?

    1. Re:So... by dog77 · · Score: 2

      What is new is that many companies got together and created a standard protocol for general purpose authentication. If adopted, it will allow the authentication to happen where the user decides it is convenient and safe (e.g. secure password manager device). Right now, the general state of things is that authentication typically takes place in the application and in a manner that the application decides. You have to trust that the application was designed in a safe manner and that it will not leak your secrets. Think of this as what the SSL standard did for encrypted communications. SSL makes it easy for an application to do encrypted communications in a secure manner. FIDO makes it easy for an application to do authentication in a secure manner.

  4. Remember, kiddies! by Locke2005 · · Score: 2, Funny

    OTHER parts of your anatomy can also be used for "fingerprint" login! (Unless you are Trump, in which case your "Little Donny" is far too small!)

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  5. AKA... by CRB9000 · · Score: 1

    Also Known As...Something you have that can be stolen that can be used to fake the computer into thinking it's you.

    1. Re:AKA... by Calydor · · Score: 1

      What is the security saying about having physical access to a machine to plug in a USB dongle?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:AKA... by sexconker · · Score: 1

      What is the security saying about having physical access to a machine to plug in a USB dongle?

      "Physical access is no access to remote resources when you still have to validate against a different remote server."
      That ol' chestnut?

    3. Re:AKA... by CRB9000 · · Score: 1

      Except if someone steals your car, they don't have access to your financial life.

    4. Re:AKA... by cavreader · · Score: 1

      That's why you should always use financial institutions and credit/debit cards that come with free online fraud protection. Then you are not liable for any unauthorized credit card or banking transactions.

    5. Re:AKA... by ConceptJunkie · · Score: 1

      My cat is named Mr. Tibbles, you insensitive clod!

      --
      You are in a maze of twisty little passages, all alike.
  6. What is safer by Archfeld · · Score: 1

    The US government has already proven and the courts agreed that a finger print can be compelled. I'd like to use a combination of facial recognition, a finger print and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:What is safer by bobstreo · · Score: 1

      The US government has already proven and the courts agreed that a finger print can be compelled. I'd like to use a combination of facial recognition, a finger print and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

      Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device.

    2. Re:What is safer by fahrbot-bot · · Score: 1

      The US government has already proven and the courts agreed that a finger print can be compelled. I'd like to use a combination of facial recognition, a finger print and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.

      Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device.

      IANAL, but using it would probably generate an obstruction of justice, or destruction of evidence, charge against you.
      The law says you don't have to help LEOs, but you can't hinder.

      --
      It must have been something you assimilated. . . .
    3. Re: What is safer by c6gunner · · Score: 2

      How about a duress password/etc that loads in "fake/misleading data" mode? You could have eg a drive with two encrypted partitions, password silently selects which one gets loaded, other one remains hidden (and encrypted).

      Congrats, you just described TrueCrypt.

    4. Re:What is safer by StormReaver · · Score: 1

      The law says you don't have to help LEOs, but you can't hinder.

      Or how about developing systems that work only on something you know (passwords), which can't be compelled, and induce a complete wipe if authenticating with something you have (which can all be compelled). Naturally, architect the system with no back doors or failsafes.

      Then, in court, you argue against having to provide the "something you have", on the grounds that it violates your rights. When you inevitably lose, the courts compel you to use the "something you have". Then, when the wipe is done and there is nothing left, there is nothing for the courts to charge you with; you complied with all court orders.

      If they had the foresight to ask you ahead of time if such a mechanism exists, you invoke your fifth amendment right against self-incrimination. After all, it's well known that law enforcement and the court system view self-protection mechanisms as a de facto indication of guilt (even today, they promote the idea that only criminals want unbreakable encryption), so you're covered.

      If they don't have the foresight to ask you ahead of time, you're still covered. You didn't lie about anything, and you're not obligated to volunteer any information which could be used against you.

    5. Re:What is safer by Archfeld · · Score: 1

      You have a legal right to refuse to provide a password under your 5th amendment rights. Purposefully wiping the drive would get you an obstruction of justice charge. You can refuse to speak but lying is a crime. When in doubt just do nothing.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
  7. 2009 just called by scdeimos · · Score: 1

    They want their SmartCard Authentication technology back. FIDO itself has been around since 2013.

  8. What they really mean: by techno-vampire · · Score: 1

    They're replacing something that you can forget with something that you can lose or have stolen.

    --
    Good, inexpensive web hosting
  9. FIDO? by PPH · · Score: 1

    On the Internet, nobody knows you are a dog.

    --
    Have gnu, will travel.
  10. Retina anyone ?? by rojash · · Score: 1

    What happened to retina scan ?

  11. Fingerprint reading support by DrXym · · Score: 1

    I got a new laptop recently with a fingerprint reader integrated into it. It is very cool how I can just place a finger onto the laptop and Windows 10 automatically knows who I am and logs me in. There are obvious pros and cons to this, but it suits my purposes.

    However... fingerprint setup requires me to enter a secondary PIN code, presumably so if it can't read my print after a number of tries it can challenge for the PIN. This seems extraordinarily dumb to me because I already have a password it could prompt for, and a PIN is far weaker than a password. A chain is as strong as the weakest link. Even if I fail the fingerprint, it should challenge for the password next, or at least allow me to set my policy that way.

    I wonder what logic MS is going through to use a PIN here. Are they thinking of integrating print readers into phones or payment systems or something? I can see the merit of a PIN challenge there. I don't see the merit on a Windows device.