Windows 10 to get two-factor authentication built-in

The new OS will feature enhancements in areas like identity protection, data security and malware resistance

Microsoft is continuing its crusade to get CIOs interested in Windows 10, touting new security features that include two-factor authentication built directly into the OS.

The effort to bake two-factor authentication into Windows 10 is intended at doing away with the old single-password method that has proven so insecure in recent years and has led to so many instances of system break-ins and data theft, according to Microsoft. With two-factor authentication, malicious hackers need to be in control of two pieces of information in order to break into a system, such as a password and a code sent to a user's device like a smartphone.

Overall, Windows 10 will offer businesses enhanced security in areas like identity protection and access control, information protection and threat resistance, since security "has been central to many of the customer conversations I've had since we announced the availability of the [Windows 10] Technical Preview," wrote Jim Alkove in the blog post, referring to the pre-release version of Windows 10 that is publicly available for testing.

In the area of identity and access control, Windows 10 will offer IT managers the necessary functions to protect user credentials and devices with two-factor authentication, without having to rely on third-party products, he wrote.

"We believe this solution brings identity protection to a new level as it takes multi-factor security which today is limited to solutions such as smartcards and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals," Alkove wrote.

More specifically, Windows 10 will let users enroll their devices as one of the two authentication factors, with the second being either a pin or a biometric input, such as the reading of a fingerprint.

"From a security standpoint, this means that an attacker would need to have a user's physical device -- in addition to the means to use the user's credential -- which would require access to the users PIN or biometric information," he wrote.

The credential can be either a key pair generated by Windows, or a certificate provisioned for the device by a company's existing PKI system. "Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI backed identity isn't practical," he wrote.

The new user credentialing system will be supported by Microsoft's Active Directory, Azure Active Directory, and consumer Microsoft Accounts "so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords."

Windows 10 will also have features to protect the user access tokens generated as part of the authentication process, so that they're not vulnerable to techniques like Pass the Hash coupled with advanced persistent threats.

"With Windows 10 we aim to eliminate this type of attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised," he wrote.

In the area of information protection, Windows 10 will have a data loss prevention (DLP) technology baked in that distinguishes between personal and corporate data, and protects the latter using "containment."

"Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations," he wrote.

The DLP technology will also work on Windows Phone, and documents will be covered by this protection as they're accessed from different desktop and mobile devices.

IT managers will be able to establish policies that control which apps can access corporate data, and Windows 10 also extends VPN control options to protect this data in devices owned by employees.

"App-allow and app-deny lists will enable IT professionals to define which apps are authorized to access the VPN and can be managed through MDM solutions for both desktop and universal apps," he wrote, adding that administrators can also restrict access by specific ports or IP addresses.

Finally, in the area of threat and malware resistance, Windows 10 will have features to lock down devices and only allow users to run apps that have been signed using a Microsoft provided signing service.

"Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store and the devices themselves will be locked down by the OEM," he wrote. "The lockdown process OEMs will use is similar to what we do with Windows Phone devices."

IT administrators will be able to determine which apps they consider trustworthy, such as those they sign themselves, those signed by ISVs, those available on the Windows Store, or all of them.

"Ultimately, this lockdown capability in Windows 10 provides businesses with an effective tool in the fight against modern threats, and with it comes with the flexibility to make it work within most environments," he wrote.

Microsoft is aiming to ship Windows 10 by mid-2015, and in the meantime it's publicly testing in an open program which recently topped 1 million participants and has generated 200,000 feedback items.

After Windows 8 was thoroughly ignored by Microsoft's enterprise customers, the company is bending over backwards in its attempts to make CIOs and other enterprise IT executives pay attention to Windows 10.

As the OS goes through its pre-release public testing, it'll become clearer whether the Windows 10 security improvements that Alkove is trumpeting today end up being compelling enough for business customers.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags MicrosoftWindowssoftwareoperating systems

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juan Carlos Perez

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?