Windows 8.1 bolsters biometrics for authentication

Microsoft Windows 8.1, due for release in preview form late this month, demonstrates the company's belief that PC and mobile phone makers are ready to make fingerprint readers a mainstream feature for authentication.

The Windows 8 upgrade will contain the driver necessary to run the hardware, Chris Hallum, senior product manager at Microsoft, told CSO. This marks a change from when third-party software was needed to run fingerprint scanners on Windows.

The change to native operating system support reflects Microsoft's focus on biometrics as a way to bolster authentication, which is heavily dependent today on the use of passwords. Hackers have become very good at stealing credentials from websites, and then cracking the encryption.

"Biometrics is an area that we're putting a ton of energy in," Hallum said. "In fact, this is one of the most noteworthy areas [in Windows 8.1.]"

Microsoft has had biometrics technology in Windows for years, but it has all been frameworks that required third-party software to drive the fingerprint readers. Today, Microsoft is working closely with hardware makers to help them deliver "what we consider modern, touch-based reader devices," Hallum said.

Microsoft's interest in biometrics is spurred in part by Apple's $356 million acquisition last year of AuthenTec, analysts say. While no announcements have been made, Apple is expected to use AuthenTec's fingerprint recognition technology for unlocking mobile devices.

Windows 8 comes in versions for PCs, tablets and smartphones.

Also, by taking control of the reader software, Microsoft can avoid paying for the mistakes made by third-party vendors, experts say. For example, security researchers last year found that AuthenTec's application contained a flaw that a hacker could exploit to steal Windows passwords.

Market trends such as the falling price of the hardware and consumers' willingness to use touch as a way to interact with computing devices are helping to drive interest in fingerprint readers, said analyst Jack Gold with J. Gold Associates.

"Because so many devices are touch now anyway, people will just use a finger swipe to log in," Gold said.

Microsoft expects more websites to use fingerprints as a means of two-factor authentication with passwords, as the reader technology is embedded in more hardware. The software in Windows 8.1 will make it possible to use fingerprint authentication for specific functions in an application, such as transferring funds from an online banking site, Hallum said.

In general, banks like biometrics for authentication, said Al Pascual, a security analyst for Javelin Strategy & Research, which specializes in the financial industry. While fingerprint authentication is considered the most reliable form of biometrics, banks are also experimenting with facial and voice recognition.

"Banks are looking at biometrics hard," Pascual said. "There's been a huge push for voice in the past year, year and a half or so, because it has broad applicability. You can use it online and you can use it in a call center. It's a big value proposition for them."

While banks have sometimes issued fingerprint readers to commercial customers, they have not been as generous toward consumers. However, if the hardware gets embedded in more devices, then banks will likely adopt it for consumers, Pascual said.

Some security experts doubt that Microsoft's push in Windows 8.1 will have much impact on the adoption of fingerprint biometrics. "Fairly high-quality fingerprint reading capabilities have been distributed in the laptop form factor for a long while, but supply for this authentication method has been higher than demand," said Eve Maler, an analyst with Forrester Research.

Other options, such as software-based tokens and sending one-time login codes to a mobile phone, are more popular as a form of two-factor authentication, Maler said.

In addition, fingerprint recognition has serious privacy implications if a hacker can implant malware that steals an image of the print.

"If a user's fingerprint gets spoofed by an attacker, it's identity theft in a very real sense, and it's hard to undo the damage," Maler said. "How do you revoke your own fingerprints?"


Stories by Antone Gonsalves
