October 28th 2014
Microsoft has revealed a number of significant new security features that will be built into its forthcoming Windows 10 operating system.
Firstly, the new operating system's multi-factor authentication solution, built into both the operating system and the device, will eliminate the need for additional hardware security peripherals. Once the user has enrolled, the device itself becomes one of the two factors for authentication; the second is a PIN or a biometric, most likely a fingerprint. This means that an attacker would need physical possession of the device as well as the user's PIN or biometric data.
Jim Alkove, who leads Microsoft's Windows Enterprise Programme Management Team, blogged: “With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection and threat resistance. With this release, we will have nearly everything in place to move the world away from the use of single-factor authentication options, like passwords.”
Users will be able to enroll either each of their devices or just a single device with the new credential. If that single device is a mobile phone, it effectively becomes their mobile credential, letting them sign in to all of their PCs, networks and web services as long as the phone is in close proximity: the phone acts as a remote smartcard for two-factor authentication over Wi-Fi or Bluetooth.
The credential itself can be either a key pair (private and public key) generated by Windows on the device itself, or a certificate provisioned to the device from an existing public key infrastructure (PKI).
Mr Alkove continued: “Providing both of these options makes Windows 10 great for organisations with existing PKI investments and it makes it viable for the web and consumer scenarios, where PKI backed identity isn’t practical. Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of the box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords. This technology is intentionally being designed so that it can be adopted broadly across other platforms, the web and other infrastructures.”
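The key-pair credential described above is, at its core, a challenge-response exchange: the device generates a key pair at enrollment and registers only the public half, the PIN (or biometric) releases the private key, and the server checks a signature over a fresh nonce. The following is an added illustration written for this page, not Microsoft's implementation or any Windows API. It assumes ECDSA over P-256, a PIN checked as a SHA-256 hash, an in-memory server, and the hypothetical user names alice and mallory; a hardware-backed key store and the Wi-Fi/Bluetooth transport are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device is the enrolled "remote smartcard": it holds the private key that
// was generated on the device and a hash of the PIN that unlocks it.
// (Illustrative only; a real device would keep the key in hardware.)
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

// Server keeps only public keys, one per enrolled user, plus the challenges
// it has issued and not yet seen answered.
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte // userID -> outstanding nonce
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll generates the key pair on the device and registers the public half.
// The private key never leaves the Device value.
func Enroll(s *Server, userID, pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[userID] = &priv.PublicKey
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Challenge issues a fresh random nonce for the user; one outstanding at a time.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[userID] = nonce
	return nonce, nil
}

// Sign is the second factor in action: the PIN releases the key, which then
// signs the server's nonce. Only the signature is sent back.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key not released")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the signature against the registered public key and the
// nonce it issued, then retires the nonce so a captured response cannot be
// replayed, whether or not the signature was good.
func (s *Server) Verify(userID string, sig []byte) bool {
	pub, ok := s.pubKeys[userID]
	nonce, issued := s.challenges[userID]
	if !ok || !issued {
		return false
	}
	delete(s.challenges, userID)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	s := NewServer()
	phone, _ := Enroll(s, "alice", "2468")
	nonce, _ := s.Challenge("alice")
	sig, _ := phone.Sign("2468", nonce)
	fmt.Println("valid response:", s.Verify("alice", sig))    // true
	fmt.Println("replayed response:", s.Verify("alice", sig)) // false
	_, err := phone.Sign("0000", nonce)
	fmt.Println("wrong PIN:", err)
}
```

Two details carry the security argument in the article: the server stores no secret that would let an attacker impersonate the user (a breach of the public-key table yields nothing usable), and a stolen device is useless without the PIN because the key is never released without it. The nonce is retired on every verification attempt so a captured response cannot be replayed.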
Windows 10's corporate data protection capabilities will automatically encrypt corporate apps, data, email, website content and other sensitive information as it arrives on the device from corporate network locations. A related data loss prevention capability separates corporate from personal data and protects the corporate data by containment. Users can mark files as corporate or personal as they arrive on the device, and organisations can designate all new content created on the device as corporate by policy.
The operating system will also let organisations lock down devices for additional threat and malware resistance: specially configured devices will run only trusted apps, that is, apps signed through a Microsoft-provided signing service. These could be apps signed by the organisation itself, apps signed by independent software vendors, and/or apps from the Windows Store.