IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
Microsoft: Saying goodbye to passwords and saying 'Hello' to better encryption
Thu, 27th Oct 2016
FYI, this story is more than a year old

Molly Dalton, has a very specific role at Microsoft: She and her team are working to say goodbye to traditional passwords and 'hello' to Windows Hello. She works with the browser team on Microsoft Edge, specifically on partner relations and developer relationships. The primary goal is to improve user and developer experiences on Edge.

When it comes to passwords, they're something of a bygone era. And Dalton says there are much better ways to do things now.

"I think as the internet becomes more and more common and people are forced to authenticate over various devices and accounts, we start to value convenience over security. So this causes people to use very poor password choices, on top of that, people are reusing passwords across accounts," she says.

"The problem with that is when passwords are stored on a database, they're essentially a bag full of passwords. Of course they're encrypted, but as computers get faster, and attackers get smarter, that bag of passwords is easier and easier to get hacked."

"No matter what kind of devices we use, if people are inputting their authentication information and it's being stored somewhere other than their personal machine, that's just opening the portal of all the information that could possibly be taken at once. So it's multiple accounts versus one single account," she says.

She says that there will never be a perfect solution to the password conundrum - either passwords or machines will always become easier to hack. Instead, constant mitigation is the key.

Two-factor authentication is also far better than using a straight password as it puts more blockers in front of attackers, she says.

"Having someone call your phone, well now a hacker has to have your phone, log in to your phone, be able to access your email on your phone or whatever system you're using, and then on top of that, know your password."

She says this is a far better method of protection than single-factor authentication, and she recommends users enable two-factor authentication.

"One thing that's important to understand is that biometrics are actually used to verify that the user is in fact who they say they are, and then the actual authentication process happens in a later step."

"So this says 'the person sitting at the computer is Molly, she has the right to do this transaction, or this authentication. In a lot of ways, I think biometrics are a good alternative to a PIN, password - any kind of system like that."

Moving on to how Windows Hello works, Dalton says it's a fairly linear process. The first is 'gestures', such as fingerprints, PINS or facial recognition. Windows Hello is the authenticator, which verifies that the person is who they say they are.

It then opens a secure device, which Windows calls the TPM. It protects the private key - something that is stored on the actual platform. The key is released and a challenge will come in from the website, which is essentially a signature. After what Dalton calls some 'cryptomagic', eventually the user is authenticated. But the most important factor? "All authentication happens on the user's personal machine, versus a whole slew of users in a database. So even if somebody was able to hack something like biometrics, that would literally mean they would have to physically steal the machine, versus taking a database over."

Dalton also works extensively with Microsoft Edge, the browser that she says was built from the ground up. "The goal with Microsoft Edge was to make sure that we had interoperability amongst other browser vendors. That's been a massive push on my overall team."

As a woman in technology, Dalton echoes the sentiments of evangelists such as Jennifer Marsman about how Microsoft supports and encourage growth.

"Microsoft has a really amazing support system for women. We have a conference, we have a mentorship programme, we have all the resources in place to make being a woman in tech easier. In general, there's not a lot of women in tech, which is unfortunate.

Looking at the tech industry, Dalton says she's sometimes overwhelmed by the amount of things going on.

"It's actually interesting just thinking about the problems that users struggle with daily. That's what my passion is. It's user experience and being interested to see how to create a better user experience for products," she says.

"And what is a better user experience than having to remove the pain of passwords?"