1
Microsoft Ignite 2015 4/16/2017 4:55 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Secure Authentication with Windows Hello
BRK2324
Nelly Porter
Principal Program Manager Lead
OS Security
3
shhh!
Shared secrets
Easily breached, stolen, or phished
4
Introducing Microsoft "Passport"
GOALS:
Replace passwords with a private key made available solely through a "user gesture" (PIN, Windows Hello, remote device, etc.)
Support both local Passport and Passport2Go (phone, USB dongle, etc.)
Introduce MSFT Passport because of its convenience first and security first; UX must be at least as good as with passwords
5
Using Microsoft "Passport"
THE CREDENTIAL
To IT, it's familiar, as it's based on a certificate or asymmetrical key pair
To the user, it's familiar: Windows Hello or PIN user gesture
Proof-able with OTP, Code and PhoneFactor …
Public key of Passport is mapped to a user account
6
Using Microsoft "Passport"
THE USAGE
Keys are ideally generated in hardware (TPM) first, software as a last resort
Hardware-bound keys can be attested
Single "unlock gesture" provides access to multiple credentials
origin isolated
Browser support via JS/WebCrypto APIs to create and use Passport for users
7
Authentication For Orgs & Consumers
A NEW APPROACH: KEY BASED
Diagram (steps numbered 1 to 4): User, Windows 10, IDP, Intranet Resources
User: Create Account or Proves Identity
IDP: Active Directory, Azure Active Directory, Microsoft Account, Other IDPs
"Create and trust my unique key" or "Authenticate me by validating this signed request"
User: Unlock Windows identity container w/ PIN or Bio
"Here is your authentication token"
Intranet Resource: "I trust tokens from IDP"
Intranet Resource: "So do I"
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
8
Authentication For Orgs & Consumers
Hardware Secured Keys (TPM)
Default Container: Microsoft Account, Consumer IDP 1, Consumer IDP 2
Enterprise Container: Enterprise IDP
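The key-based flow on the two slides above ("Create and trust my unique key", "Authenticate me by validating this signed request", one key per IDP), sketched as an added example that is not from the presentation and is not Microsoft Passport code. The class names, the nonce challenge, the message layout and the in-memory key store are assumptions made for illustration.

```javascript
// Added illustration, not Microsoft Passport code; all names are hypothetical.
const crypto = require("node:crypto");

// Device side: one key pair per identity provider, released only by the gesture.
// A real device would hold the private keys in a TPM; this sketch keeps them in memory.
class DeviceContainer {
  constructor(pin) { this.pin = pin; this.keys = new Map(); }
  unlock(pin) { if (pin !== this.pin) throw new Error("gesture rejected"); }
  enroll(pin, idpName) {
    this.unlock(pin);
    const pair = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(idpName, pair.privateKey);
    // Only the public half leaves the device.
    return pair.publicKey.export({ type: "spki", format: "pem" });
  }
  signRequest(pin, idpName, challenge) {
    this.unlock(pin);
    const key = this.keys.get(idpName);
    if (!key) throw new Error("no key enrolled for " + idpName);
    // Binding the IDP name into the signed bytes keeps a signature from being reused elsewhere.
    return crypto.sign("sha256", Buffer.from(idpName + "|" + challenge), key);
  }
}

// IDP side: stores a public key per account, so a breach leaks no reusable secret.
class IdentityProvider {
  constructor(name) { this.name = name; this.accounts = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.accounts.set(user, publicKeyPem); }
  newChallenge(user) {
    const nonce = crypto.randomBytes(16).toString("hex");
    this.pending.set(user, nonce);
    return nonce;
  }
  authenticate(user, signature) {
    const nonce = this.pending.get(user);
    this.pending.delete(user); // single use: a replayed signature finds no open challenge
    const pem = this.accounts.get(user);
    if (!nonce || !pem) return null;
    const ok = crypto.verify("sha256", Buffer.from(this.name + "|" + nonce), pem, signature);
    return ok ? { sub: user, iss: this.name } : null; // stand-in for the authentication token
  }
}
```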
9
Why Windows Hello?
A baby can identify its mother by the time it's a month old
Our devices could not do it
None of our senses operated in the digital world until recently
10
Biometric Authentication in Windows 10
Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and Biometrics…
Windows Hello introduces system support for biometric authentication – using your face, iris, or fingerprint to unlock your devices
Convenient device logon and strong user authentication
Enterprise level security and access to High Business Impact data and resources via Microsoft Passport
Consistent inbox user enrolment and usage across Windows enabled biometric devices
11
Biometrics Steps
Face, iris and fingerprint share the same design language for enrollment, usage, and recovery with Windows Hello
Enrollment
Usage: authentication and presence monitoring
Recovery
12
Enrollment :)
Find a Face
Detect Head Orientation
Discover Landmarks
Build & Secure Vector based Template
13
Usage :)
Find a Face
Detect Head Orientation
Discover Landmarks
Build Vector based Representation
Does it match a Template?
14
Recovery :)
Find a Face
Does not Match Template
Type a PIN to verify your identity
15
Authentication vs. Identification
Not every biometric modality is created equal
False Acceptance Rate (FAR)
False Rejection Rate (FRR)
"Liveness" and anti-spoofing
16
Windows Hello Security Requirements
Demonstrate False Acceptance Rate (FAR): 1/100,000
With False Rejection Rate: 2-4%
Provide live-ness measures
Enable anti-spoofing detection
Integrated with Windows Biometric Framework
17
False Acceptance Rate, What is that?
18
The Face Authentication
Machine learned 1/100,000 False Accept Rate Threshold
Over 4.3 million test combinations
Machine learning based accuracy threshold
Validated against ~2,000 unique faces
Large representative sample
Over 13,000 unique faces captured so far (Target 30k)
Mix of ethnicities, height, weight, skin color, glasses, etc.
Variety of possible angles and lighting conditions
Captured on reference hardware
19
False Rejection Rate, What is that?
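How FAR and FRR are measured from matcher scores, and why the threshold trades one against the other, as an added example that is not from the presentation. The scores are constructed, the function names are hypothetical, and the statistical bound assumes independent impostor comparisons, which pairings drawn from the same set of faces only approximate.

```javascript
// Added illustration; scores are constructed sample data, not Windows Hello measurements.
// A matcher returns a similarity score; a sample is accepted when score >= threshold.
const GENUINE = [0.91, 0.88, 0.95, 0.79, 0.93, 0.86, 0.97, 0.90, 0.84, 0.62];
const IMPOSTOR = [0.12, 0.30, 0.25, 0.41, 0.08, 0.55, 0.33, 0.19, 0.64, 0.27,
                  0.46, 0.81, 0.22, 0.15, 0.38, 0.29, 0.51, 0.10, 0.36, 0.44];

// FAR: share of impostor attempts accepted. FRR: share of genuine attempts rejected.
function rates(genuine, impostor, threshold) {
  const falseAccepts = impostor.filter((s) => s >= threshold).length;
  const falseRejects = genuine.filter((s) => s < threshold).length;
  return { far: falseAccepts / impostor.length, frr: falseRejects / genuine.length };
}

// FAR can only fall as the threshold rises, so the first observed score that
// meets the FAR target is also the one with the lowest FRR.
function pickThreshold(genuine, impostor, targetFar) {
  const candidates = [...new Set([...genuine, ...impostor])].sort((a, b) => a - b);
  for (const t of candidates) {
    const r = rates(genuine, impostor, t);
    if (r.far <= targetFar) return { threshold: t, ...r };
  }
  return null; // no observed score keeps enough impostors out
}

// "Rule of three": zero false accepts in n independent impostor trials puts a
// 95% upper bound of about 3/n on the true FAR. A small test set therefore
// cannot demonstrate a 1/100,000 FAR even with a perfect result.
function zeroErrorUpperBound(trials) {
  return 3 / trials;
}
```

On the constructed scores, tightening the FAR target from 0.05 to 1/100,000 moves the threshold from 0.79 to 0.84 and doubles the FRR from 0.1 to 0.2.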
20
Live-ness and Anti-spoofing?
21
Biometric as a second factor
System will only authorize use of Microsoft Passport keys when
  User submits a matching biometric sample at the moment of authorization, and
  The system determines that the sample is "live"
Our goal is to make Biometrics non-susceptible to
  Spoofing and replay attacks
  Attacks by privileged code on a compromised system
  Offline attacks
22
Windows Biometrics Framework, What is that?
23
Windows Biometric Framework
Diagram, top to bottom:
Enrollment, Biometric Credential Provider, Win32 Apps, UAP apps
Windows Runtime (WinRT)
Windows Biometric Client API (WinBio.DLL)
Windows Biometric Service
Storage Adapter (inbox but can be replaced by 3rd party if needed), Engine Adapter, Sensor Adapter (inbox but can be replaced by 3rd party if needed)
Windows Biometric Device Interface (WBDI) Driver
Sensor
Legend: OS component; 3rd party application; 3rd party driver and companion components
24
Windows Hello with Iris and Face
Inbox functionality
Works across a variety of devices running Windows 10
Integrated anti-spoofing countermeasures to mitigate physical attacks
Consistent image (via IR) in diverse lighting conditions allows for subtle changes in appearance, including facial hair, cosmetic makeup, eyewear, etc.
25
State of the Art – Windows Hello Fingerprints
The World is moving towards small, touch based Sensors. These sensors can fit on almost any device
Taken from – image of the Huawei's Ascend Mate 7
Fingerprint Sensor FPC1021
Fingerprint Sensor FPC1150
Next Biometrics NB-1010-S
Thermal
Capacitive (CMOS)
Ultrasound
26
State of the Art – Windows Hello Fingerprints
So why do we need to change our experiences?
27
Summary
Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and Windows Hello…
Windows Hello introduces system support for biometric authentication
  your face, iris, or fingerprint
  convenient device logon and strong user authentication
  enterprise level security and access to High Business Impact (HBI) data and resources via Microsoft Passport
  consistent inbox user enrolment and usage experiences
28
Goodbye Ignite!
29
Please evaluate this session
Your feedback is important to us!
Visit Myignite at or download and use the Ignite Mobile App with the QR code above.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.