Microsoft’s Windows 10 adds a number of new security features, including application whitelisting, to help users lock down a system. The latest technologies to be included in Windows 10 will be Device Guard, Windows Hello (Fig. 1) and Microsoft Passport. Device Guard provides application whitelisting support, while Windows Hello is the new login front end for Windows 10 and includes facial recognition support. Microsoft Passport is in the mix because it uses that authentication support to provide access to other services in a secure fashion.
Although these new security features are targeted at the end user, the underlying implementations need to be done by vendors and third parties. Likewise, the integration with applications is key. For embedded developers, the changes make additional security considerations mandatory.
For example, Device Guard is one new feature that embedded developers will really appreciate, since applications on embedded devices tend to change very infrequently, if at all. Normally changes are limited to application updates. Device Guard allows developers to specify which applications can run.
Device Guard does not eliminate the need for antivirus (AV) software, although it makes the AV software’s job easier. AV is still needed to check dynamically generated (JIT) code and scripts, which will be part of many embedded applications.
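The whitelisting workflow described above, as an added example that is not from the article: a Device Guard code integrity policy is generated from a golden embedded image, run in audit mode so unexpected executions are logged rather than blocked, and only then enforced. The policy paths are assumptions; the cmdlets are from Windows 10’s ConfigCI module and must be run from an elevated session on the reference image.

```powershell
# Added example: build and stage a Device Guard code integrity policy.
# Assumed paths (not from the article).
$PolicyXml = 'C:\CIPolicy\EmbeddedPolicy.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'

# 1. Scan the reference image. Binaries signed by a publisher found on the image
#    are allowed by publisher; unsigned binaries fall back to a per-file hash rule.
#    -UserPEs includes user-mode applications, not only kernel-mode code.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Start in audit mode (rule option 3 = Enabled:Audit Mode). Executions that
#    would have been blocked are logged instead, so the policy can be tuned.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary form the code integrity engine loads at boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Stage the policy where the engine reads it from, then reboot the device.
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 5. After running the workload, review what audit mode would have blocked
#    (event 3076 in the CodeIntegrity operational log) before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} | Select-Object TimeCreated, Message

# 6. Once the audit log is clean, remove the audit option, recompile and redeploy
#    to move the policy into enforced mode.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
```

Each new application update that changes binaries outside the allowed publishers needs the policy regenerated or merged before enforcement, otherwise the update itself will be blocked.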
Windows Hello will unify the login security devices that are becoming available. This includes existing technologies like fingerprint identification. Many of these were already available, but integrating third-party technologies like iris and facial identification has been a challenge for developers and users. Windows 10 will provide a more consistent interface as well as improved hardware integration. It will also provide access to technologies like Intel’s 3D RealSense cameras that will be showing up on devices like Lenovo’s B50 Touch, an all-in-one PC (Fig. 2).
The RealSense camera can be used for facial recognition that works in 3D rather than the 2D available with current cameras. The 3D approach makes the system harder to fool and reduces both false negative and false positive identifications.
Although all the new biometric support can eliminate passwords, it has limitations. For example, the RealSense time-of-flight camera uses an infrared system that can be compromised outdoors. Likewise, fingerprints are a tough sell if you need to wear gloves in a rugged environment. What Microsoft’s latest support will do is provide more alternatives with better vendor integration.
Microsoft Passport has actually existed for some time. Windows 10 will improve upon the existing implementation. It is designed to provide authenticated access to services without each service needing to store passwords. Services can be spread across the Internet, so not having passwords all over the place reduces the possibility of compromising a user’s information. Essentially the approach is similar to Kerberos, which issues encrypted tickets for services that have authenticated themselves to a central database. The tickets provide access to services, but a ticket is only usable by the authenticated user with the matching service. Services can be anything from a virtual wallet to the ability to view a web page on a web server.
Microsoft Passport will use Windows Hello for the initial authentication and then work with remote services. The latter occurs without exchanging passwords or biometric data, but it does require that the device be authenticated initially. Passport support is already incorporated into the Azure Active Directory services that target enterprise installations.
Also of note is that Microsoft has joined the Fast IDentity Online (FIDO) Alliance. The FIDO 2.0 Technical Specifications include standards for Passwordless UX (UAF) and Second Factor UX (U2F) support. FIDO’s registration and identification procedures (Fig. 3) are the same ones Microsoft will include in Windows 10.