Welcome to my first blog post on askpfeplat! My name is Milad Aslaner and I’m a Premier Field Engineer specialized in Windows Reliability. Some of you might know me from my sessions TechEd, TechNet and Microsoft Virtual Academy, for those who don’t know me yet, you can call me the "Windows Guy".
Passwords are not sufficient anymore to keep data secure. Let me provide you some facts around this:
- Consumer Reports survey 2013 9.8 million Adult Facebook users had their account used by an unauthorized person; had their reputation harmed; or were harassed, threatened, or defrauded. - Deloitte Study 2013 I a recent study of six million actual user passwords, the 10,000 most common passwords would have accessed 98.1 percent of accounts.
- Consumer Reports survey 2013 9.8 million Adult Facebook users had their account used by an unauthorized person; had their reputation harmed; or were harassed, threatened, or defrauded.
- Deloitte Study 2013 I a recent study of six million actual user passwords, the 10,000 most common passwords would have accessed 98.1 percent of accounts.
Now for me personally the last case study is the scariest one. Basically it means that every time I visit a customer and talk about IT Security we could use that list and access a majority of corporate machines.
Biometrics has a long history in Windows. We first introduced biometrics capabilities in Windows XP, later with Windows 7 we added the Windows Biometrics Framework but we always had a dependency on 3rd parties to provide enrollment tools and drivers.
When we look at the adoption rate it was just not there where it should be. Biometrics is not available in most PC’s, OEM’s use to differentiate and really just a few users has experienced it.
Moving forward we want to provide the best experience for modern authentication with biometrics. Users love the idea of simplicity, and they really see it a as solution for the above mentioned problems.
In simple term fingerprint is composed of two elements. We got ridges; raised areas of the skin and valleys; lower areas of skin that separate the ridges. Those two elements combined make two features
Local features also known as minutiae
Raw Binary Pruned Minutiae located
Processing an fingerprint means that it starts with the raw image of the fingerprint, then the computer converts it to a binary format, it then removes all the extra information’s which are not required and then lastly identifies the minutiae identifiers to create a pattern or unique representation of the fingerprint.
So when the user enters his fingerprint the enrollment process begins. The computer extracts the local minutiae and builds a template out of that. Btw. the actual fingerprint is not stored on the computer it’s always a digital representation of it. You could call it a one way hash.
This template gets then stored in a template storage. Once the user is enrolled and a user tries to identify afterwards, the computer extracts again the relevant data and try to match against the template storage database. So that’s how in general fingerprint enrollment and identification works.
It starts with the fingerprint sensor (bottom right) then directly above that we got the WBDI driver which is responsible to talk with the sensor. Then we got 3 adapter: storage adapter to store data, engine adapter which is an important element because that adapter is responsible for most of the tasks and then we got the sensor adapter which is utilized together with the storage adapter by the engine.
Next we got the Windows Biometric Service this service is also a system level component. But don’t worry it looks complicated but in reality for Apps to use biometrics in Windows 8.1 its very convenient because on top of the system level components we got the Windows Biometric Client API which takes all the “talking” between apps and the sensor.
So on the very top we got then the apps such as Fingerprint Enrollment Application, Biometric Credential Provider, Win32 Applications and new in Windows 8.1 Windows Runtime (WinRT) and with that the support for Windows Modern Apps.
That’s a big no. While we see that primary of OEM devices implement swipe sensors there are many other kinds. We got optical readers, thermal readers, capacitive readers and even ultrasound readers.
You might have seen a Microsoft representative talking about modern readers as well. But what is a modern reader? In Microsoft terminology modern readers are readers who are touch-based and offer liveness detection. These are the readers we are evangelizing and we would like to see going mainstream.
In Exchange ActiveSync we have ‘convenience logon’. When you had disabled this in Windows 8 it was also disabling biometrics logon and removed any credentials saved by previous enrollments. The default group policy settings also disables domain logon with fingerprint.
Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics
With Windows 8.1 there were some significant changes to the Exchange ActiveSync policies. Now when you disable convenience logon, the in-box registration is still allowed but the credentials won’t be saved.
If the machine is protected with BitLocker, then we will allow the storage of credentials. If it’s a domain user who has local admin rights and he decides to enroll for fingerprint, domain logon will be enabled without having to dig through group policy settings.
We introduce new APIs for our developers which can be utilize to implement biometrics into their Windows Modern Apps. You can use these APIs to confirm purchases, profile changes or to support your in-app experiences.
Windows Biometrics Sign-In
• Windows sign-in • Remote Access sign-in • All remaining authentication prompts (e.g.: UAC)
• Windows sign-in
• Remote Access sign-in
• All remaining authentication prompts (e.g.: UAC)
“Touch to Buy” added to:
• Windows Store • Xbox Music • Xbox Video
• Windows Store
• Xbox Music
• Xbox Video
I hope that this first blog post showed you the benefits of biometrics in Windows 8.1 and help to drive awareness around the importance of modern authentication.