Microsoft Passwordless Biometric Authentication Is Now FIDO2 Certified

Windows 10

Microsoft has announced that Windows Hello, its password-free biometric authentication system, has been FIDO2 certified, according to reports.

FIDO2 is a cryptography-based authentication standard, and using it makes it easier to sign into services and apps securely. It was originally developed by Google and Yubico, before the Fast IDentity Online (FIDO) alliance took it over.

This new system will replace passwords, which can be hard to remember and easy to hack.

“No one likes passwords (except hackers),” Yogesh Mehta, group manager of Microsoft’s crypto, identity and authentication team in Azure Core OS, wrote in a Microsoft blog post. “People don’t like passwords because we have to remember them. As a result, we often create passwords that are easy to guess — which makes them the first target for hackers trying to access your computer or network at work.”

There’s been movement lately toward a passwordless web, and several browsers, including Mozilla Firefox, Opera and Google Chrome, have added support for WebAuthn, which is a key standard for authentication.

The technology makes use of key encryption, which involves the use of two keys: one private and one public. The idea is hat users can send a message to someone using their public key, and when they receive the message they use their private key to decrypt it. Basically, it’s a JavaScript code autofill that will act as an intermediary between the user and a site.

Now, to generate and authenticate the keys, users can choose things like facial recognition, a smartphone or even an external authenticator.

Once the authenticator confirms the biometric information, it encrypts using a private key and sends it back to the browser, which sends it back to the website’s client-side JavaScript code. From there, it goes back to the server.

This technology is still fairly nascent, so the issue developers may run into is picking a decided set of protocols on how the browsers and authenticators talk to each other. Collectively, those rules are called CTAP (Client to Authenticator Protocol).


New PYMNTS Report: Preventing Financial Crimes Playbook – July 2020 

Call it the great tug-of-war. Fraudsters are teaming up to form elaborate rings that work in sync to launch account takeovers. Chris Tremont, EVP at Radius Bank, tells PYMNTS that financial institutions (FIs) can beat such highly organized fraudsters at their own game. In the July 2020 Preventing Financial Crimes Playbook, Tremont lays out how.