Microsoft: Saying goodbye to passwords and saying 'Hello' to better encryption

27 Oct 2016

Molly Dalton has a very specific role at Microsoft: she and her team are working to say goodbye to traditional passwords and 'hello' to Windows Hello. She works with the browser team on Microsoft Edge, specifically on partner relations and developer relationships. The primary goal is to improve user and developer experiences on Edge.

When it comes to passwords, they're something of a bygone era. And Dalton says there are much better ways to do things now.

"I think as the internet becomes more and more common and people are forced to authenticate over various devices and accounts, we start to value convenience over security. So this causes people to use very poor password choices, on top of that, people are reusing passwords across accounts," she says.

"The problem with that is when passwords are stored on a database, they're essentially a bag full of passwords. Of course they're encrypted, but as computers get faster, and attackers get smarter, that bag of passwords is easier and easier to get hacked."

"No matter what kind of devices we use, if people are inputting their authentication information and it's being stored somewhere other than their personal machine, that's just opening the portal of all the information that could possibly be taken at once. So it's multiple accounts versus one single account," she says.

She says that there will never be a perfect solution to the password conundrum - either passwords or machines will always become easier to hack. Instead, constant mitigation is the key.

Two-factor authentication is also far better than using a straight password as it puts more blockers in front of attackers, she says.

"Having someone call your phone, well now a hacker has to have your phone, log in to your phone, be able to access your email on your phone or whatever system you're using, and then on top of that, know your password."

She says this is a far better method of protection than single-factor authentication, and she recommends users enable two-factor authentication.

"One thing that's important to understand is that biometrics are actually used to verify that the user is in fact who they say they are, and then the actual authentication process happens in a later step."

"So this says 'the person sitting at the computer is Molly, she has the right to do this transaction, or this authentication.' In a lot of ways, I think biometrics are a good alternative to a PIN, password - any kind of system like that."

Moving on to how Windows Hello works, Dalton says it's a fairly linear process. The first step is 'gestures', such as fingerprints, PINs or facial recognition. Windows Hello is the authenticator, which verifies that the person is who they say they are.

It then opens a secure device, which Windows calls the TPM. It protects the private key - something that is stored on the actual platform. The key is released and a challenge will come in from the website, which is essentially a signature.

After what Dalton calls some 'cryptomagic', eventually the user is authenticated. But the most important factor?

"All authentication happens on the user's personal machine, versus a whole slew of users in a database. So even if somebody was able to hack something like biometrics, that would literally mean they would have to physically steal the machine, versus taking a database over."
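A simplified model of the flow described above, added here as an illustration and not taken from the article or from Microsoft: the gesture is checked on the device, the private key signs the website's challenge, and the server stores only a public key. The `Device` and `Server` classes, the user name and the PIN are hypothetical, and a software key pair stands in for the TPM-protected key.

```javascript
// Added illustration, not Windows Hello's code: a software key pair stands in
// for the TPM-held key, and every name below is hypothetical.
const crypto = require('node:crypto');

class Device {
  constructor(pin) {
    this.pin = pin; // local gesture; it never leaves the device
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = pair.privateKey; // stays on the device
    this.publicKey = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  // The gesture is checked locally; only then is the key used to sign.
  sign(challenge, pin) {
    if (pin !== this.pin) return null;
    return crypto.sign('sha256', challenge, this.privateKey);
  }
}

class Server {
  constructor() { this.keys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.keys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32); // fresh per login attempt
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const pem = this.keys.get(user);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify('sha256', challenge, pem, signature);
  }
}

function runDemo() {
  const device = new Device('4921'); // constructed sample PIN
  const server = new Server();
  server.enroll('molly', device.publicKey);

  const first = device.sign(server.newChallenge('molly'), '4921');
  const login = server.verify('molly', first);
  const wrongPin = server.verify('molly', device.sign(server.newChallenge('molly'), '0000'));
  server.newChallenge('molly'); // an old signature is replayed against a new challenge
  const replay = server.verify('molly', first);
  const stored = server.keys.get('molly');
  const publicOnly = stored.includes('PUBLIC KEY') && !stored.includes('PRIVATE KEY');
  return { login, wrongPin, replay, publicOnly };
}
```

The server-side record contains nothing that can be used to sign in, and a signature captured from one login does not verify against the next challenge.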

Dalton also works extensively with Microsoft Edge, the browser that she says was built from the ground up.

"The goal with Microsoft Edge was to make sure that we had interoperability amongst other browser vendors. That's been a massive push on my overall team."

As a woman in technology, Dalton echoes the sentiments of evangelists such as Jennifer Marsman about how Microsoft supports and encourages growth.

"Microsoft has a really amazing support system for women. We have a conference, we have a mentorship programme, we have all the resources in place to make being a woman in tech easier. In general, there's not a lot of women in tech, which is unfortunate."

Looking at the tech industry, Dalton says she's sometimes overwhelmed by the amount of things going on.

"It's actually interesting just thinking about the problems that users struggle with daily. That's what my passion is. It's user experience and being interested to see how to create a better user experience for products," she says.

"And what is a better user experience than having to remove the pain of passwords?"
