Menu
Windows 10 to get two-factor authentication built-in

Windows 10 to get two-factor authentication built-in

The new OS will feature enhancements in areas like identity protection, data security and malware resistance

Microsoft is continuing its crusade to get CIOs interested in Windows 10, touting new security features that include two-factor authentication built directly into the OS.

The effort to bake two-factor authentication into Windows 10 is intended at doing away with the old single-password method that has proven so insecure in recent years and has led to so many instances of system break-ins and data theft, according to Microsoft. With two-factor authentication, malicious hackers need to be in control of two pieces of information in order to break into a system, such as a password and a code sent to a user's device like a smartphone.

Overall, Windows 10 will offer businesses enhanced security in areas like identity protection and access control, information protection and threat resistance, since security "has been central to many of the customer conversations I've had since we announced the availability of the [Windows 10] Technical Preview," wrote Jim Alkove in the blog post, referring to the pre-release version of Windows 10 that is publicly available for testing.

In the area of identity and access control, Windows 10 will offer IT managers the necessary functions to protect user credentials and devices with two-factor authentication, without having to rely on third-party products, he wrote.

"We believe this solution brings identity protection to a new level as it takes multi-factor security which today is limited to solutions such as smartcards and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals," Alkove wrote.

More specifically, Windows 10 will let users enroll their devices as one of the two authentication factors, with the second being either a pin or a biometric input, such as the reading of a fingerprint.

"From a security standpoint, this means that an attacker would need to have a user's physical device -- in addition to the means to use the user's credential -- which would require access to the users PIN or biometric information," he wrote.

The credential can be either a key pair generated by Windows, or a certificate provisioned for the device by a company's existing PKI system. "Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI backed identity isn't practical," he wrote.

The new user credentialing system will be supported by Microsoft's Active Directory, Azure Active Directory, and consumer Microsoft Accounts "so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords."

Windows 10 will also have features to protect the user access tokens generated as part of the authentication process, so that they're not vulnerable to techniques like Pass the Hash coupled with advanced persistent threats.

"With Windows 10 we aim to eliminate this type of attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised," he wrote.

In the area of information protection, Windows 10 will have a data loss prevention (DLP) technology baked in that distinguishes between personal and corporate data, and protects the latter using "containment."

"Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations," he wrote.

The DLP technology will also work on Windows Phone, and documents will be covered by this protection as they're accessed from different desktop and mobile devices.

IT managers will be able to establish policies that control which apps can access corporate data, and Windows 10 also extends VPN control options to protect this data in devices owned by employees.

"App-allow and app-deny lists will enable IT professionals to define which apps are authorized to access the VPN and can be managed through MDM solutions for both desktop and universal apps," he wrote, adding that administrators can also restrict access by specific ports or IP addresses.

Finally, in the area of threat and malware resistance, Windows 10 will have features to lock down devices and only allow users to run apps that have been signed using a Microsoft provided signing service.

"Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store and the devices themselves will be locked down by the OEM," he wrote. "The lockdown process OEMs will use is similar to what we do with Windows Phone devices."

IT administrators will be able to determine which apps they consider trustworthy, such as those they sign themselves, those signed by ISVs, those available on the Windows Store, or all of them.

"Ultimately, this lockdown capability in Windows 10 provides businesses with an effective tool in the fight against modern threats, and with it comes with the flexibility to make it work within most environments," he wrote.

Microsoft is aiming to ship Windows 10 by mid-2015, and in the meantime it's publicly testing in an open program which recently topped 1 million participants and has generated 200,000 feedback items.

After Windows 8 was thoroughly ignored by Microsoft's enterprise customers, the company is bending over backwards in its attempts to make CIOs and other enterprise IT executives pay attention to Windows 10.

As the OS goes through its pre-release public testing, it'll become clearer whether the Windows 10 security improvements that Alkove is trumpeting today end up being compelling enough for business customers.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags MicrosoftWindowssoftwareoperating systems

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments