park the future. May 4 – 8, 2015 Chicago, IL

Shared secrets shhh! Easily breached, stolen, or phished


  • Slide 1
  • Slide 2
  • Slide 3
  • Shared secrets shhh! Easily breached, stolen, or phished
  • Slide 4
  • Introducing Microsoft "Passport": Replace passwords with a private key made available solely through a user gesture (PIN, Windows Hello, remote device, etc.). GOALS: Support both local Passport and Passport2Go (phone, USB dongle, etc.). Introduce MSFT Passport because of its convenience first and security first. UX must be at least as good as with passwords.
  • Slide 5
  • Using Microsoft "Passport": THE CREDENTIAL. Public key of Passport is mapped to a user account. Proof-able with OTP, Code and PhoneFactor. To the user, it's familiar: a Windows Hello or PIN user gesture. To IT, it's familiar, as it's based on a certificate or asymmetrical key pair.
  • Slide 6
  • Using Microsoft "Passport": THE USAGE. Keys are ideally generated in hardware (TPM) first, software as a last resort. Hardware-bound keys can be attested. Browser support via JS/WebCrypto APIs to create and use Passport for users. Single unlock gesture provides access to multiple credentials; origin isolated.
  • Slide 7
  • A NEW APPROACH: KEY BASED. Authentication for Orgs & Consumers. [Diagram labels: IDP (Active Directory, Azure Active Directory, Microsoft Account, Other IDPs); 1 User; 2 Windows 10; 3 Intranet Resource; 44 Intranet Resource]
  • Slide 8
  • Hardware Secured Keys
  • Slide 9
  • A baby can identify its mother by the time it's a month old. Our devices could not do it. None of our senses operated in the digital world until recently.
  • Slide 10
  • Slide 11
  • Slide 12
  • Enrollment :) Find a Face; Discover Landmarks; Detect Head Orientation; Build & Secure Vector-based Template
  • Slide 13
  • Usage :) Find a Face; Discover Landmarks; Detect Head Orientation; Build Vector-based Representation; Does it match a Template?
  • Slide 14
  • Recovery :) Find a Face; Does not Match Template; Type a PIN to verify your identity
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • [Diagram labels: Windows Biometric Service; Biometric Credential Provider; Windows Biometric Client API (WinBio.DLL); Win32 Apps; UAP apps; Windows Runtime (WinRT); Engine Adapter; Storage Adapter (inbox but can be replaced by 3rd party if needed); Sensor Adapter (inbox but can be replaced by 3rd party if needed); Windows Biometric Device Interface (WBDI) Driver; Sensor; Enrollment. Legend: OS component; 3rd party application; 3rd party driver and companion components]
  • Slide 24
  • Windows Hello with Iris and Face: Inbox functionality. Works across a variety of devices running Windows 10. Integrated anti-spoofing countermeasures to mitigate physical attacks. Consistent image (via IR) in diverse lighting conditions allows for subtle changes in appearance, including facial hair, cosmetic makeup, eyewear, etc.
  • Slide 25
  • The world is moving towards small, touch-based sensors. These sensors can fit on almost any device. [Image labels: Fingerprint Sensor FPC1021; Fingerprint Sensor FPC1150; Next Biometrics NB-1010-S; Thermal; Ultrasound; Capacitive (CMOS). Image of the Huawei Ascend Mate 7 taken from www.fingerprints.com]
  • Slide 26
  • So why do we need to change our experiences?
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30