Microsoft Ignite /16/2017 4:55 PM

Presentation transcript:

Microsoft Ignite 2015 4/16/2017 4:55 PM © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Secure Authentication with Windows Hello (BRK2324). Nelly Porter, Principal Program Manager Lead, OS Security.

shhh! Shared secrets: easily breached, stolen, or phished.

Introducing Microsoft "Passport". Goals: replace passwords with a private key made available solely through a “user gesture” (PIN, Windows Hello, remote device, etc.); support both local Passport and Passport2Go (phone, USB dongle, etc.); introduce MSFT Passport because of its convenience first and security first; UX must be at least as good as with passwords.

Using Microsoft "Passport": the credential. To IT, it’s familiar, as it’s based on a certificate or asymmetrical key pair. To the user, it’s familiar: a Windows Hello or PIN user gesture. Proof-able with OTP, code and PhoneFactor … The public key of Passport is mapped to a user account.

Using Microsoft "Passport": the usage. Keys are ideally generated in hardware (TPM) first, software as a last resort. Hardware-bound keys can be attested. A single “unlock gesture” provides access to multiple credentials, origin isolated. Browser support via JS/WebCrypto APIs to create and use Passport for users.

Authentication For Orgs & Consumers. A new approach: key based. Diagram labels: User (1): create account or proves identity. IDP: Active Directory, Azure Active Directory, Microsoft Account, other IDPs. “Create and trust my unique key” or “Authenticate me by validating this signed request”. User (2): unlock Windows identity container w/ PIN or bio. Windows 10 (3). “Here is your authentication token”. Intranet resource (4): “I trust tokens from IDP”. Intranet resource (4): “So do I”. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
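The key-based flow from the slides above, as an added example that is not code from the presentation or from Microsoft: a device registers a public key with an IDP, then logs in by signing a single-use nonce with a private key that is only usable after the unlock gesture. `Idp`, `Device` and their methods are hypothetical names, and the PIN-sealed PEM is a software stand-in for a TPM-bound key.

```javascript
// Added illustration: Idp, Device and their methods are hypothetical names.
const crypto = require("crypto");

// IDP side: holds only public keys, issues single-use nonces, validates signed requests.
class Idp {
  constructor() { this.keys = new Map(); this.pending = new Map(); }
  // "Create and trust my unique key"
  register(user, publicKeyPem) { this.keys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = crypto.randomBytes(32).toString("hex");
    this.pending.set(user, nonce);
    return nonce;
  }
  // "Authenticate me by validating this signed request"
  authenticate(user, nonce, signature) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // single use, so a replayed response fails
    const publicKey = this.keys.get(user);
    if (!publicKey || !expected || expected !== nonce) return null;
    const signed = Buffer.from(`${user}:${nonce}`);
    if (!crypto.verify("sha256", signed, publicKey, signature)) return null;
    return { sub: user, token: crypto.randomBytes(16).toString("hex") };
  }
}

// Device side: the private key is stored sealed under the PIN and is only usable
// after the unlock gesture. Software stand-in for a TPM-bound key (assumption).
class Device {
  constructor(user, pin) {
    this.user = user;
    const pair = crypto.generateKeyPairSync("ec", {
      namedCurve: "prime256v1", // NIST P-256
      publicKeyEncoding: { type: "spki", format: "pem" },
      privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: pin },
    });
    this.publicKeyPem = pair.publicKey; // the only part the IDP ever sees
    this.sealedKey = pair.privateKey;
  }
  // Throws if the PIN does not unseal the key.
  sign(nonce, pin) {
    const key = { key: this.sealedKey, passphrase: pin };
    return crypto.sign("sha256", Buffer.from(`${this.user}:${nonce}`), key);
  }
}
```

A PIN-sealed file can be brute-forced offline once copied; a hardware-bound key removes that path, which is why the slides put TPM generation first and software last.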

Authentication For Orgs & Consumers. Hardware secured keys (TPM). Default container: Microsoft Account, Consumer IDP 1, Consumer IDP 2. Enterprise container: Enterprise IDP.

Why Windows Hello? A baby can identify its mother by the time it's a month old. Our devices could not do it. None of our senses operated in the digital world until recently.

Biometric Authentication in Windows 10. Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and Biometrics… Windows Hello introduces system support for biometric authentication, using your face, iris, or fingerprint to unlock your devices: convenient device logon and strong user authentication; enterprise level security and access to High Business Impact data and resources via Microsoft Passport; consistent inbox user enrolment and usage across Windows enabled biometric devices.

Biometrics Steps. Face, iris and fingerprint share the same design language for enrollment, usage, and recovery with Windows Hello. Enrollment. Usage: authentication and presence monitoring. Recovery.

Enrollment: find a face; detect head orientation; discover landmarks; build & secure vector based template.

Usage: find a face; detect head orientation; discover landmarks; build vector based representation; does it match a template?

Recovery: find a face; does not match template; type a PIN to verify your identity.

Authentication vs. Identification. Not every biometric modality is created equal: False Acceptance Rate (FAR); False Rejection Rate (FRR); “liveness” and anti-spoofing.

Windows Hello Security Requirements. Demonstrate False Acceptance Rate (FAR): 1/100,000, with False Rejection Rate: 2-4%. Provide live-ness measures. Enable anti-spoofing detection. Integrated with Windows Biometric Framework.

False Acceptance Rate, What is that?

The Face Authentication. Machine learned 1/100,000 False Accept Rate threshold. Over 4.3 million test combinations. Machine learning based accuracy threshold. Validated against ~2,000 unique faces. Large representative sample: over 13,000 unique faces captured so far (target 30k). Mix of ethnicities, height, weight, skin color, glasses, etc. Variety of possible angles and lighting conditions. Captured on reference hardware.

False Rejection Rate, What is that?
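How a FAR target fixes the match threshold and what that costs in FRR, as an added example that is not from the presentation and does not use Windows Hello data. The score arrays are constructed, the accept rule (score strictly above the threshold) is an assumption, and `minCleanTrials` assumes independent comparisons.

```javascript
// Added illustration; the scores are constructed, not Windows Hello data.
// A comparison is accepted when its similarity score is strictly above the threshold.

// Lowest threshold whose measured FAR on the impostor scores is <= targetFar.
function pickThreshold(impostorScores, targetFar) {
  const desc = [...impostorScores].sort((a, b) => b - a);
  const allowed = Math.floor(targetFar * desc.length); // false accepts we may tolerate
  if (allowed >= desc.length) return -Infinity; // every impostor may pass
  return desc[allowed]; // at most `allowed` impostor scores exceed it
}

// Measured error rates at a threshold.
function errorRates(impostorScores, genuineScores, threshold) {
  const falseAccepts = impostorScores.filter((s) => s > threshold).length;
  const falseRejects = genuineScores.filter((s) => s <= threshold).length;
  return { far: falseAccepts / impostorScores.length, frr: falseRejects / genuineScores.length };
}

// Impostor comparisons that must all be rejected before FAR <= targetFar can be
// claimed at the given confidence. Assumes independent comparisons (assumption).
function minCleanTrials(targetFar, confidence = 0.95) {
  return Math.ceil(Math.log(1 - confidence) / Math.log1p(-targetFar));
}

// Constructed similarity scores in [0, 1].
const IMPOSTOR = [0.05, 0.08, 0.11, 0.12, 0.15, 0.18, 0.2, 0.22, 0.25, 0.27,
                  0.3, 0.31, 0.33, 0.36, 0.4, 0.42, 0.45, 0.5, 0.55, 0.71];
const GENUINE = [0.48, 0.52, 0.62, 0.66, 0.7, 0.74, 0.79, 0.83, 0.88, 0.95];

// Tightening the FAR target raises the threshold and with it the FRR.
function tradeoff() {
  return [0.1, 0.05, 0].map((target) => {
    const threshold = pickThreshold(IMPOSTOR, target);
    return { target, threshold, ...errorRates(IMPOSTOR, GENUINE, threshold) };
  });
}
```

On the constructed scores the FRR climbs from 10% to 50% as the FAR target drops from 10% to zero, and `minCleanTrials(1e-5)` shows that demonstrating 1/100,000 takes hundreds of thousands of impostor comparisons at minimum.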

Live-ness and Anti-spoofing?

Biometric as a second factor. System will only authorize use of Microsoft Passport keys when the user submits a matching biometric sample at the moment of authorization, and the system determines that the sample is “live”. Our goal is to make biometrics non-susceptible to: spoofing and replay attacks; attacks by privileged code on a compromised system; offline attacks.

Windows Biometrics Framework, What is that?

Windows Biometric Framework. Diagram components: Enrollment; Biometric Credential Provider; Win32 apps; UAP apps; Windows Runtime (WinRT); Windows Biometric Client API (WinBio.DLL); Windows Biometric Service; Storage Adapter (inbox but can be replaced by 3rd party if needed); Engine Adapter; Sensor Adapter (inbox but can be replaced by 3rd party if needed); Windows Biometric Device Interface (WBDI) Driver; Sensor. Legend: OS component; 3rd party application; 3rd party driver and companion components.

Windows Hello with Iris and Face. Inbox functionality. Works across a variety of devices running Windows 10. Integrated anti-spoofing countermeasures to mitigate physical attacks. Consistent image (via IR) in diverse lighting conditions allows for subtle changes in appearance, including facial hair, cosmetic makeup, eyewear, etc.

State of the Art – Windows Hello Fingerprints. The world is moving towards small, touch based sensors. These sensors can fit on almost any device. Taken from www.fingerprints.com – image of the Huawei’s Ascend Mate 7. Fingerprint Sensor FPC1021, Fingerprint Sensor FPC1150, Next Biometrics NB-1010-S. Thermal, Capacitive (CMOS), Ultrasound.

State of the Art – Windows Hello Fingerprints. So why do we need to change our experiences?

Summary. Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and Windows Hello… Windows Hello introduces system support for biometric authentication: your face, iris, or fingerprint; convenient device logon and strong user authentication; enterprise level security and access to High Business Impact (HBI) data and resources via Microsoft Passport; consistent inbox user enrolment and usage experiences.

Goodbye Ignite!

Please evaluate this session. Your feedback is important to us! Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above. © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
