Extending Windows Hello with trusted signals


1 Extending Windows Hello with trusted signals
BRK2075, 6/8/2018 1:44 AM
Karanbir Singh, Senior Program Manager
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


5 Session objectives and takeaways
Session objectives: quick recap of Windows Hello; trusted signals; introduce new features; demos!
Takeaways: what’s new with Windows Hello; how to configure, deploy, and manage these features in your enterprise.

6 TURBULENT TIMES
160 MILLION customer records compromised
229 DAYS between infiltration and detection
$3 MILLION of cost/business impact per breach

7 The hits keep on coming…
“Equifax data breach may affect half US population. Thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May and July. The data taken affected as many as 143 million people…” Alfred Ng, CNET, September

8 Windows Hello

9 Windows Hello for Business
USER CREDENTIAL: an asymmetric key pair, provisioned via PKI or created locally via Windows 10
UTILIZE FAMILIAR DEVICES
SECURED BY HARDWARE

10 Windows 10 Hello for Business provisioning
1. User authenticates with password + MFA (“For security reasons, we require additional information to verify your account.”) and provides a bio-gesture.
2. Windows generates the private and public key in the Trusted Platform Module (TPM), protected with the bio-gesture, plus an attestation blob.
3. Windows sends the public key + attestation blob.
4. Azure AD verifies the public key with the attestation blob and registers the key with the user.
5. Azure AD returns the key ID to the client.
Generic FIDO sign-in flow: user begins to log in; authenticating service shows a sign-on challenge; user authenticates using a FIDO-compliant device; service completes authentication.

11 Windows 10 Hello for Business sign in
1. User sign-in with bio-gesture unlocks the TPM holding the private key.
2. Windows sends “hello”.
3. Azure AD sends back a nonce.
4. Windows uses the private key to sign the nonce and returns it to Azure AD with the key ID.
5. Azure AD returns a PRT + encrypted session key, protected in the TPM.
6. Windows returns the signed PRT and derived session key to Azure AD to verify.

12 Windows Hello Adoption
37M active Windows Hello users
enterprises have deployed Windows Hello for Business
>25K Largest customer enterprise deployment
See BRK2076: Windows Hello for Business: What’s new in 2017, and BRK2078: Microsoft’s guide for going password-less

13 FIDO Alliance: example board-level members


15 a more human way to do

16 Extending Windows Hello…
Devices & sensors, environmental awareness, and behavioral patterns combine into better trust decisions.

17 Landscape
“The next wave of mobile identity is context-based, with authentication identifying not only the user and device, but also where and how a user connects to the network (that is, in the office, at home, on a public Wi-Fi or out of the country), and based on these contextual values granting the user different levels of access. Over the next three years, Gartner expects context-based mobile identity to become standard functionality within EMM products.” Gartner’s Magic Quadrant for Enterprise Mobility Management Suites, June 2016

18 Trust Decisions
Is someone there? Presence vs authentication.
Is it you? Authentication using multiple signals to ascertain a user’s identity.
Are you in a trusted environment? Determine if your device is in a safe location by looking at geolocation and wireless signals (Bluetooth, Wi-Fi, etc.).

19 Extending Windows Hello…
A more human way to authenticate: supplement explicit authentication with passive signals.
Signals derived from user behavior, sensors, devices, application usage, etc.
Signals collected without interrupting or challenging the user.
Signals combined, even weak ones, to create a network of detectors.

20 Multi-factor Device Unlock: Is it you?

21 Multi-Factor Device Unlock
Inbox solution for multi-factor device unlock, e.g. PIN + Face/Fingerprint, or PIN + BT Phone, to sign in to or unlock a PC.
For you if you: have expressed that PINs alone do not meet your security needs; want your organization to comply with regulatory MFA policy; want to retain the familiar Windows logon UX and not settle for a custom solution.

22 Supported Factors
Windows Hello: PIN, Fingerprint, Face
Companion Device Framework
Trusted signals: Bluetooth Phone, Network Location

23 Unlock Policy Definition
First Unlock Factors (Windows Hello) AND Second Unlock Factors (Windows Hello and/or trusted signals)

24 At work, Abby can just sign in using Face because she is in
a trusted location. But when she is at a coffee shop, she needs to either have her phone in proximity or use her PIN as a second factor in order to unlock her PC.


26 How does it work?
“At work, Abby can just sign in using Face because she is in a trusted location. But when she is at a coffee shop, she needs to either have her phone in proximity or use her PIN as a second factor in order to unlock her PC.”
Policy: first unlock factors (PIN, Face) AND second unlock factors (PIN, Face, BT Phone, Network Location)
Resultant Policy: (PIN AND BT Phone) OR (PIN AND Network Location) OR (PIN AND Face) OR (Face AND BT Phone) OR (Face AND Network Location)
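The two-group rule expands mechanically into the resultant policy. The following added Python (not Microsoft's code and not part of the deck) performs that expansion and evaluates Abby's scenarios against it; the factor names and scenario sets are assumptions standing in for the credential provider GUIDs the real policy uses.

```python
"""Resultant multi-factor unlock policy from the two-group rule above.
Added example, not Microsoft's code. Factor names are assumptions; the real
policy identifies providers by credential provider GUID."""
from itertools import product

# Abby's policy from the slide: first unlock factors AND second unlock factors.
FIRST_UNLOCK_FACTORS = ("PIN", "Face")
SECOND_UNLOCK_FACTORS = ("PIN", "Face", "BT Phone", "Network Location")

# Trusted signals are observed by the PC, not proven by the user; per the
# policy definition they may only appear in the second group.
TRUSTED_SIGNALS = {"BT Phone", "Network Location"}


def resultant_policy(first, second):
    """Expand the AND of two groups into the OR of allowed factor pairs.
    One factor cannot satisfy both groups, so (PIN AND PIN) and
    (Face AND Face) are dropped, and (Face AND PIN) collapses into
    (PIN AND Face): five combinations, exactly as the slide lists."""
    seen, pairs = set(), []
    for a, b in product(first, second):
        key = frozenset((a, b))
        if a == b or a in TRUSTED_SIGNALS or key in seen:
            continue
        seen.add(key)
        pairs.append((a, b))
    return pairs


def format_policy(first, second):
    """Render the policy the way the slide does."""
    return " OR ".join(f"({a} AND {b})" for a, b in resultant_policy(first, second))


def unlock_allowed(presented, first, second):
    """True when the factors the user proved plus the signals the PC observed
    satisfy at least one term of the resultant policy.
    presented: set of factor names, e.g. {"Face", "Network Location"}."""
    return any(a in presented and b in presented
               for a, b in resultant_policy(first, second))


if __name__ == "__main__":
    print(format_policy(FIRST_UNLOCK_FACTORS, SECOND_UNLOCK_FACTORS))
    # Constructed scenarios following the slide's story about Abby.
    scenarios = {
        "at work (Face + corporate network)": {"Face", "Network Location"},
        "coffee shop, Face only": {"Face"},
        "coffee shop, Face + phone nearby": {"Face", "BT Phone"},
        "coffee shop, Face + PIN": {"Face", "PIN"},
        "signals only, no Windows Hello factor": {"BT Phone", "Network Location"},
    }
    for name, factors in scenarios.items():
        ok = unlock_allowed(factors, FIRST_UNLOCK_FACTORS, SECOND_UNLOCK_FACTORS)
        print(f"{name}: {'unlock' if ok else 'denied'}")
```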

27 Demo: Multi-factor Device Unlock

28 Configure and Deploy
Local Group Policy Editor: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Configure device unlock factors
Enable the feature, configure the device unlock policy, then deploy the policy.

29 Factors and Credential Provider GUIDs
PIN: {D D2F-4EB2-B FA96B}
Fingerprint: {BEC09223-B D-A0AC B639F5}
Face: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
Trusted Signals (phone proximity, network location): {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
First Unlock Factors: {D D2F-4EB2-B FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B D-A0AC B639F5}
Second Unlock Factors: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D D2F-4EB2-B FA96B}

30 Trusted Signals
Phone proximity:
  <rule schemaVersion="1.0">
    <signal type="bluetooth" scenario="Authentication"/>
  </rule>
Network location (IP, DNS suffix, default gateway, subnet, WiFi SSID, etc.):
  <rule schemaVersion="1.0">
    <signal type="ipConfig">
      <dnsSuffix>corp.contoso.com</dnsSuffix>
    </signal>
  </rule>
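As an added example (not Microsoft's code or part of the deck), the following Python evaluates rules of the form shown above against a constructed snapshot of what the PC observes, so the AND semantics across elements and the fail-closed handling of unknown signal types are visible. Only the <dnsSuffix> element comes from the slide; the ipv4Gateway element name, the snapshot layout and the bluetooth "phone in range" semantics are assumptions.

```python
"""Evaluate trusted-signal rules like the slide's against the PC's network state.
Added example, not Microsoft's code. Only <dnsSuffix> comes from the slide; the
ipv4Gateway element, the snapshot layout and the bluetooth semantics are assumed."""
import xml.etree.ElementTree as ET

# The two rules from the slide, plus a constructed stricter variant.
BLUETOOTH_RULE = '<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Authentication"/></rule>'
NETWORK_RULE = '<rule schemaVersion="1.0"><signal type="ipConfig"><dnsSuffix>corp.contoso.com</dnsSuffix></signal></rule>'
STRICT_RULE = ('<rule schemaVersion="1.0"><signal type="ipConfig">'
               '<dnsSuffix>corp.contoso.com</dnsSuffix><ipv4Gateway>10.0.0.1</ipv4Gateway>'
               '</signal></rule>')  # ipv4Gateway is an assumed element name

# Constructed snapshots of what the PC observes (layout is an assumption).
OFFICE = {"ipConfig": {"dnsSuffix": "CORP.Contoso.com", "ipv4Gateway": "10.0.0.1"},
          "bluetooth": {"phone_connected": False}}
COFFEE_SHOP = {"ipConfig": {"dnsSuffix": "guest.cafe.example", "ipv4Gateway": "192.168.1.1"},
               "bluetooth": {"phone_connected": True}}


def evaluate_rule(rule_xml, snapshot):
    """True only when every <signal> in the rule is satisfied (signals AND
    together, and every element inside an ipConfig signal must match)."""
    root = ET.fromstring(rule_xml)
    if root.tag != "rule" or root.get("schemaVersion") != "1.0":
        raise ValueError("unsupported rule schema")
    signals = root.findall("signal")
    if not signals:
        return False                      # an empty rule grants nothing
    for signal in signals:
        kind = signal.get("type")
        if kind == "bluetooth":
            # Assumed semantics: the paired phone must currently be in range.
            if not snapshot.get("bluetooth", {}).get("phone_connected", False):
                return False
        elif kind == "ipConfig":
            observed = snapshot.get("ipConfig", {})
            for element in signal:
                want = (element.text or "").strip().lower()
                have = str(observed.get(element.tag, "")).strip().lower()
                # Exact, case-insensitive comparison: a longer suffix that
                # merely contains the configured value does not match.
                if not want or have != want:
                    return False
        else:
            return False                  # unknown signal type: fail closed
    return True


if __name__ == "__main__":
    for name, snap in (("office", OFFICE), ("coffee shop", COFFEE_SHOP)):
        print(name, "network:", evaluate_rule(NETWORK_RULE, snap),
              "strict:", evaluate_rule(STRICT_RULE, snap),
              "bluetooth:", evaluate_rule(BLUETOOTH_RULE, snap))
```

Because these values are whatever the local network hands the PC, the policy definition keeps them in the second group only, paired with a Windows Hello factor.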

31 Troubleshoot
Launch Event Viewer: Windows Logs >> Applications and Service Logs >> Microsoft >> Windows >> HelloForBusiness >> Operational, Task category = Device Unlock
Event ID  Details
3520      Unlock attempt initiated. Example: Attempting device unlock using provider {8AF662BF-65A0-4D0A-A540-A338A999D36F}. The list of acceptable providers are: Group A: {D D2F-4EB2-B FA96B}, {8AF662BF-65A0-4D0A-A540-A338A999D36F}, {BEC09223-B D-A0AC B639F5} Group B: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}, {D D2F-4EB2-B FA96B}
5520      No Policy. Device unlock policy is not configured on this device.
6520      Warning. Provider is not in the acceptable provider list.
7520      Failure. Failed to authenticate the user's credential. Error: The user name or password is incorrect. (0x E) Correlation vector: qf/ugLLYq0Wp+e7K.1.0 Processing time: 50 milliseconds.
8520      Success. Successfully authenticated the user's credential. Processing time: xx milliseconds.


33 Intel® Authentication Factors Integrated With Hello
Intel adds two authentication factors as trusted signals to Windows 10 Hello: Smartphone (proximity over Bluetooth/BLE; Android and iOS) and Intel® AMT Logical Location.
A hardware-enhanced, extensible framework using hardened factors.
Strong on security: multifactor; secure Bluetooth phone; Intel® AMT logical location.
Easy on IT: consolidates authentication implementation, management, and enforcement under one umbrella; integrates with existing corporate infrastructure; plugs in to Windows Hello for Business.
The factors are called into Windows 10 Hello, allowing IT to set the policy on both Hello and Intel factors.

34 Dynamic Lock: Is someone there?

35 Ted gets coffee…

36 Ted gets coffee… with Dynamic Lock

37 Dynamic Lock
Automatically locks your Windows PC when you are not around.
Improves upon the existing inactivity-based timer lock.
It is not a replacement for explicit device lock (e.g. Win + L).

38 How does it work?
Detects the user’s presence based on two factors: proximity of a paired Bluetooth phone, or a supported Windows Hello companion device.
Bluetooth phone proximity lock: if there is no user activity, Windows checks for the device’s presence every 30 seconds. If the phone is not found, Windows turns off the screen and locks the PC after 5 seconds.
Companion device based lock: the companion device issues an explicit lock signal to the PC based on device-specific locking logic.

39 Demo: Dynamic Lock

40 How to try it out?
Install the latest Windows Insider Build.
Pair your phone over Bluetooth via Settings.
Enable Dynamic Lock via Settings: Settings >> Accounts >> Sign-in options >> Dynamic lock.
This can also be managed via SCCM/MDM, or via the Local GP Editor: Computer Configuration >> Administrative Templates >> Windows Components >> WindowsHelloForBusiness >> Configure dynamic lock factors.
Turn off BT on your phone to simulate you walking away; your PC will lock in secs.

42 Dynamic Management: Are you in a trusted environment?

43 https://technet.microsoft.com/en-us/mt809106.aspx

44 Dynamic Management
MDM policies adapt to your environment: allows IT admins to apply policies dynamically based on time, location, and network. Policy configuration & enforcement is local to the device.
See BRK3073: New modern management features for IT Pros


46 In review: session objectives and takeaways
Extending Windows Hello with trusted signals: combine sensors, signals, and behavioral patterns to make better trust decisions.
Multifactor device unlock: inbox multi-factor device unlock solution.
Dynamic Lock: automatically locks your PC when you’re not around.
Deploy now! Provide us your feedback and report gaps so we can address them.

47 Ignite Resources
BRK2076: Windows Hello for Business: What’s new in 2017
BRK2078: Microsoft’s guide for going password-less
THR2259: Microsoft’s guide for going password-less
BRK2017: Saying goodbye to passwords
BRK3073: New modern management features for IT Pros
BRK2077: Credential protection in Windows: An Overview


49 Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!

50 Thank you

