Extending Windows Hello with trusted signals

Presentation transcript:

Extending Windows Hello with trusted signals
BRK2075, 6/8/2018 1:44 AM
Karanbir Singh, Senior Program Manager, karans@microsoft.com, Twitter: @_karanbir
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session objectives and takeaways
Session objectives:
- Quick recap of Windows Hello
- Trusted signals
- Introduce new features
- Demos!
Takeaways:
- What’s new with Windows Hello
- How to configure, deploy, and manage these features in your enterprise

Turbulent times
160 million customer records compromised
229 days between infiltration and detection
$3 million of cost/business impact per breach

The hits keep on coming…
“Equifax data breach may affect half US population. Thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May and July. The data taken affected as many as 143 million people…” Alfred Ng, CNET, September 7 2017
Source: https://www.cnet.com/news/equifax-data-leak-hits-nearly-half-of-the-us-population/

Windows Hello

Windows Hello for Business
User credential: an asymmetric key pair, provisioned via PKI or created locally via Windows 10
Utilize familiar devices
Secured by hardware

Windows 10 Hello for Business provisioning
1. User authenticates with password + MFA, provides bio-gesture
2. Windows generates private & public key in the Trusted Platform Module (TPM), protected with bio-gesture + attestation blob
3. Windows sends public key + attestation blob
4. Azure AD verifies public key with attestation blob and registers the key with the user
5. Azure AD returns key ID to client
(Diagram: Windows 10 device; prompt “For security reasons, we require additional information to verify your account.” Generic FIDO flow shown alongside: user begins to log in; authenticating service shows sign-on challenge; user authenticates using FIDO-compliant device; service completes authentication.)

Windows 10 Hello for Business sign in
1. User sign-in with bio-gesture unlocks TPM holding private key
2. Windows sends “hello”
3. Azure AD sends back nonce
4. Windows uses private key to sign nonce and returns it to Azure AD with key ID
5. Azure AD returns PRT + encrypted session key protected in TPM
6. Windows returns the signed PRT and derived session key to Azure AD to verify

Windows Hello adoption (Windows 10)
37M active Windows Hello users
200+ enterprises have deployed Windows Hello for Business
>25K: largest customer enterprise deployment
See also BRK2076: Windows Hello for Business: What’s new in 2017, and BRK2078: Microsoft’s guide for going password-less

FIDO Alliance: example board level members (logo slide)

a more human way to do

Extending Windows Hello…
Devices & sensors + environmental awareness + behavioral patterns = better trust decisions

Landscape
“The next wave of mobile identity is context-based, with authentication identifying not only the user and device, but also where and how a user connects to the network (that is, in the office, at home, on a public Wi-Fi or out of the country), and based on these contextual values granting the user different levels of access. Over the next three years, Gartner expects context-based mobile identity to become standard functionality within EMM products.” Gartner’s Magic Quadrant for Enterprise Mobility Management Suites, June 2016

Trust decisions
- Is someone there? Presence vs authentication
- Is it you? Authentication using multiple signals to ascertain a user’s identity
- Are you in a trusted environment? Determine if your device is in a safe location by looking at geolocation and wireless signals (Bluetooth, Wi-Fi, etc.)

Extending Windows Hello… A more human way to authenticate
- Supplement explicit authentication with passive signals
- Signals derived from user behavior, sensors, devices, application usage, etc.
- Signals collected without interrupting or challenging the user
- Signals combined, even weak ones, to create a network of detectors

Multi-factor Device Unlock: Is it you?

Multi-Factor Device Unlock
Inbox solution for multi-factor device unlock, e.g. PIN + Face/Fingerprint or PIN + BT Phone to sign in to or unlock a PC
If you:
- Have expressed that PINs alone do not meet your security needs
- Want your organization to comply with regulatory MFA policy
- Want to retain the familiar Windows logon UX and not settle for a custom solution

Supported factors
Windows Hello: PIN, Fingerprint, Face
Companion Device Framework
Trusted signals: Bluetooth phone, Network location

Unlock policy definition: First Unlock Factors (Windows Hello) AND Second Unlock Factors (Windows Hello and/or trusted signals)

At work, Abby can just sign in using Face because she is in a trusted location. But when she is at a coffee shop, she needs to either have her phone in proximity or use her PIN as a second factor in order to unlock her PC.

How does it work?
Policy: First Unlock Factors = PIN, Face; Second Unlock Factors = BT Phone, Network Location, PIN, Face; the two groups are combined with AND
Resultant policy: (PIN AND BT Phone) OR (PIN AND Network Location) OR (PIN AND Face) OR (Face AND BT Phone) OR (Face AND Network Location)
“At work, Abby can just sign in using Face because she is in a trusted location. But when she is at a coffee shop, she needs to either have her phone in proximity or use her PIN as a second factor in order to unlock her PC.”

Demo: Multi-factor Device Unlock

Configure and deploy
Local Group Policy Editor: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Configure device unlock factors
1. Enable the feature
2. Configure the device unlock policy
3. Deploy the policy

Factors and credential provider GUIDs
PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint: {BEC09223-B018-416D-A0AC-523971B639F5}
Face: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
Trusted Signals (Phone proximity, Network location): {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
Example policy:
First Unlock Factors: {D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}
Second Unlock Factors: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

Trusted signals
Phone proximity:
  <rule schemaVersion="1.0">
    <signal type="bluetooth" scenario="Authentication"/>
  </rule>
Network location (IP, DNS suffix, default gateway, subnet, WiFi SSID, etc.):
  <rule schemaVersion="1.0">
    <signal type="ipConfig">
      <dnsSuffix>corp.contoso.com</dnsSuffix>
    </signal>
  </rule>
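To make the network-location rule concrete, here is an added example (not Microsoft's implementation) that evaluates an ipConfig rule like the one above against a device's network configuration. Only dnsSuffix comes from the slide; the matching semantics (every element of a signal must match, any matching signal satisfies the rule), the ipv4Gateway and ipv4Prefix element names and the network snapshots are assumptions made for this illustration.

```python
"""Evaluate a Windows Hello trusted-signal <rule> of type ipConfig against a
device's current network configuration. Added example, not Microsoft's code.
Assumptions: all elements inside one <signal> must match (AND) and any
matching signal satisfies the rule (OR); ipv4Gateway/ipv4Prefix element
names are illustrative, only dnsSuffix appears on the slide."""
import ipaddress
import xml.etree.ElementTree as ET

# Rule from the slide: trusted when the connection's DNS suffix is corp.contoso.com
RULE_DNS_SUFFIX = """<rule schemaVersion="1.0">
  <signal type="ipConfig">
    <dnsSuffix>corp.contoso.com</dnsSuffix>
  </signal>
</rule>"""

# Constructed stricter rule: DNS suffix AND default gateway AND subnet must all match
RULE_STRICT = """<rule schemaVersion="1.0">
  <signal type="ipConfig">
    <dnsSuffix>corp.contoso.com</dnsSuffix>
    <ipv4Gateway>10.10.0.1</ipv4Gateway>
    <ipv4Prefix>10.10.0.0/16</ipv4Prefix>
  </signal>
</rule>"""

# Constructed network snapshots (the fields an admin reads off `ipconfig /all`)
AT_WORK = {"dnsSuffix": "corp.contoso.com", "ipv4Gateway": "10.10.0.1", "ipv4Address": "10.10.42.7"}
# A network that happens to hand out the corporate DNS suffix but is a different subnet
COFFEE_SHOP = {"dnsSuffix": "corp.contoso.com", "ipv4Gateway": "192.168.1.1", "ipv4Address": "192.168.1.23"}
HOME = {"dnsSuffix": "home.lan", "ipv4Gateway": "192.168.0.1", "ipv4Address": "192.168.0.5"}


def _element_matches(el, netcfg):
    """Match one ipConfig child element against the snapshot. Unknown elements fail closed."""
    want = (el.text or "").strip()
    if el.tag == "dnsSuffix":
        return netcfg.get("dnsSuffix", "").lower() == want.lower()
    if el.tag == "ipv4Gateway":
        return netcfg.get("ipv4Gateway") == want
    if el.tag == "ipv4Prefix":
        addr = netcfg.get("ipv4Address")
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(want, strict=False)
    return False  # a misspelled or unsupported element must never make a location "trusted"


def rule_satisfied(rule_xml, netcfg):
    """True when some ipConfig signal in the rule has all of its elements satisfied."""
    root = ET.fromstring(rule_xml)
    if root.tag != "rule":
        raise ValueError("expected a <rule> root element")
    for signal in root.findall("signal"):
        if signal.get("type") != "ipConfig":
            continue  # bluetooth and other signal types are outside this example
        checks = list(signal)
        if checks and all(_element_matches(c, netcfg) for c in checks):
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("work", AT_WORK), ("coffee shop", COFFEE_SHOP), ("home", HOME)):
        print(f"{name:12s} dnsSuffix-only: {rule_satisfied(RULE_DNS_SUFFIX, cfg)!s:5}  "
              f"strict: {rule_satisfied(RULE_STRICT, cfg)}")
```

The dnsSuffix-only rule accepts the coffee-shop snapshot as well, which is why a network-location signal belongs in the second group of an AND policy rather than standing alone, and why the stricter rule checks gateway and subnet too.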

Troubleshoot
Launch Event Viewer: Windows Logs >> Applications and Service Logs >> Microsoft >> Windows >> HelloForBusiness >> Operational; Task category = Device Unlock
Event ID 3520: Unlock attempt initiated. Example: Attempting device unlock using provider {8AF662BF-65A0-4D0A-A540-A338A999D36F}. The list of acceptable providers are: Group A: {D6886603-9D2F-4EB2-B667-1971041FA96B}, {8AF662BF-65A0-4D0A-A540-A338A999D36F}, {BEC09223-B018-416D-A0AC-523971B639F5} Group B: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}, {D6886603-9D2F-4EB2-B667-1971041FA96B}
Event ID 5520 (No Policy): Device unlock policy is not configured on this device.
Event ID 6520 (Warning): Provider is not in the acceptable provider list.
Event ID 7520 (Failure): Failed to authenticate the user's credential. Error: The user name or password is incorrect. (0x8007052E) Correlation vector: qf/ugLLYq0Wp+e7K.1.0 Processing time: 50 milliseconds.
Event ID 8520 (Success): Successfully authenticated the user's credential. Processing time: xx milliseconds.
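The following added example (not Microsoft's code) ties the policy slide and the troubleshooting slide together: it expands the First/Second Unlock Factors GUID lists into the resultant policy, checks whether a given set of satisfied providers would unlock, and parses the Event ID 3520 message to report which providers can still complete the other group. The GUIDs, the policy values and the event text are the ones on the slides; the rule that one provider cannot satisfy both groups is inferred from the slide's resultant policy, which has no "PIN AND PIN".

```python
"""Multi-factor device unlock policy helper. Added example, not Microsoft's code.
GUIDs, policy values and the 3520 message wording come from the slides; the
'same provider cannot satisfy both groups' rule is inferred from the slides."""
import re

PIN = "{D6886603-9D2F-4EB2-B667-1971041FA96B}"
FINGERPRINT = "{BEC09223-B018-416D-A0AC-523971B639F5}"
FACE = "{8AF662BF-65A0-4D0A-A540-A338A999D36F}"
TRUSTED = "{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}"  # phone proximity / network location
NAMES = {PIN: "PIN", FINGERPRINT: "Fingerprint", FACE: "Face", TRUSTED: "Trusted signal"}

# Policy values exactly as written on the slide (comma-separated GUID lists)
FIRST_UNLOCK_FACTORS = ("{D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F}, "
                        "{BEC09223-B018-416D-A0AC-523971B639F5}")
SECOND_UNLOCK_FACTORS = "{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}"

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_factors(value):
    """Split a policy value into normalised GUIDs; reject anything that is not a GUID."""
    guids = [g.strip().upper() for g in value.split(",") if g.strip()]
    bad = [g for g in guids if not GUID_RE.fullmatch(g)]
    if bad:
        raise ValueError(f"not a credential provider GUID: {bad}")
    return guids


def allowed_combinations(group_a, group_b):
    """Expand the policy into the slide's resultant policy: one provider from
    group A AND a different provider from group B; any such pair unlocks."""
    pairs = {frozenset((a, b)) for a in group_a for b in group_b if a != b}
    return sorted(" AND ".join(sorted(NAMES.get(g, g) for g in p)) for p in pairs)


def unlock_allowed(group_a, group_b, presented):
    """Would unlock succeed given the set of provider GUIDs the user satisfied?"""
    presented = {p.upper() for p in presented}
    return any(a != b for a in presented & set(group_a) for b in presented & set(group_b))


# Event 3520 text from the troubleshooting slide (sample message, wording as shown there)
EVENT_3520 = ("Attempting device unlock using provider {8AF662BF-65A0-4D0A-A540-A338A999D36F}. "
              "The list of acceptable providers are: "
              "Group A: {D6886603-9D2F-4EB2-B667-1971041FA96B}, {8AF662BF-65A0-4D0A-A540-A338A999D36F}, "
              "{BEC09223-B018-416D-A0AC-523971B639F5} "
              "Group B: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}, {D6886603-9D2F-4EB2-B667-1971041FA96B}")


def parse_event_3520(message):
    """Pull the attempted provider and the two acceptable groups out of a 3520 message."""
    head, _, rest = message.partition("Group A:")
    a_text, _, b_text = rest.partition("Group B:")
    provider = GUID_RE.search(head)
    if provider is None:
        raise ValueError("no provider GUID in 3520 message")
    return {"provider": provider.group(0).upper(),
            "group_a": [g.upper() for g in GUID_RE.findall(a_text)],
            "group_b": [g.upper() for g in GUID_RE.findall(b_text)]}


def remaining_factors(event):
    """Providers that can still complete the other group after this one succeeds.
    An empty list means the attempted provider can never unlock on its own."""
    p = event["provider"]
    if p in event["group_a"]:
        return [g for g in event["group_b"] if g != p]
    if p in event["group_b"]:
        return [g for g in event["group_a"] if g != p]
    return []  # provider is in neither group: expect a 6520 warning next


if __name__ == "__main__":
    a, b = parse_factors(FIRST_UNLOCK_FACTORS), parse_factors(SECOND_UNLOCK_FACTORS)
    print("\n".join(allowed_combinations(a, b)))
    ev = parse_event_3520(EVENT_3520)
    print(NAMES[ev["provider"]], "still needs one of:", [NAMES[g] for g in remaining_factors(ev)])
```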

Intel® Authentication Factors integrated with Hello
Intel adds two authentication factors as trusted signals to Windows 10 Hello: Smartphone and Intel AMT Logical Location
- A hardware-enhanced, extensible framework using hardened factors
- Consolidates authentication implementation, management, and enforcement under one umbrella
- Integrates with existing corporate infrastructure
- Plugs in to Windows Hello for Business
Strong on security: Multifactor Secure Bluetooth Phone (Android, iOS; proximity over Bluetooth/BLE) and Intel® AMT Logical Location
Easy on IT: the factors are called into Windows 10 Hello, allowing IT to set the policy on both Hello and Intel factors

Dynamic Lock: Is someone there?

Ted gets coffee… Dynamic Lock

Dynamic Lock
- Automatically locks your Windows PC when you are not around
- Improves upon the existing inactivity-based timer lock
- It is not a replacement for explicit device lock (e.g. Win + L)

How does it work?
Detects the user’s presence based on two factors: proximity of a paired Bluetooth phone, or a supported Windows Hello companion device
Bluetooth phone proximity lock: if there is no user activity, Windows checks for the device’s presence every 30 seconds. If the phone is not found, Windows turns off the screen and locks the PC after 5 seconds.
Companion device based lock: the companion device issues an explicit lock signal to the PC based on device-specific locking logic.

Demo: Dynamic Lock

How to try it out?
1. Install the latest Windows Insider Build
2. Pair your phone over Bluetooth via Settings
3. Enable Dynamic Lock via Settings >> Accounts >> Sign-in options >> Dynamic lock
   This can also be managed via SCCM/MDM or the Local GP Editor: Computer Configuration >> Administrative Templates >> Windows Components >> WindowsHelloForBusiness >> Configure dynamic lock factors
4. Turn off BT on your phone to simulate walking away; your PC will lock in 45-60 secs

Dynamic Management: Are you in a trusted environment?

https://technet.microsoft.com/en-us/mt809106.aspx

Dynamic Management
MDM policies adapt to your environment
Allows IT admins to apply policies dynamically based on time, location, and network
Policy configuration & enforcement is local to the device
See BRK3073: New modern management features for IT Pros

In review: session objectives and takeaways
- Extending Windows Hello with trusted signals: combine sensors, signals, and behavioral patterns to make better trust decisions
- Multifactor device unlock: inbox multi-factor device unlock solution
- Dynamic Lock: automatically locks your PC when you’re not around
Deploy now! Provide us your feedback and report gaps so we can address them

Ignite resources
BRK2076: Windows Hello for Business: What’s new in 2017
BRK2078: Microsoft’s guide for going password-less
THR2259: Microsoft’s guide for going password-less
BRK2017: Saying goodbye to passwords
BRK3073: New modern management features for IT Pros
BRK2077: Credential protection in Windows: An Overview

Please evaluate this session
From your PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations
Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp
Your input is important!

Thank you