Microsoft: Saying goodbye to passwords and saying 'Hello' to better encryption

27 Oct 16

Molly Dalton has a very specific role at Microsoft: she and her team are working to say goodbye to traditional passwords and 'hello' to Windows Hello. She works with the browser team on Microsoft Edge, specifically on partner relations and developer relationships. The primary goal is to improve user and developer experiences on Edge.

When it comes to passwords, they're something of a bygone era. And Dalton says there are much better ways to do things now.

"I think as the internet becomes more and more common and people are forced to authenticate over various devices and accounts, we start to value convenience over security. So this causes people to use very poor password choices, on top of that, people are reusing passwords across accounts," she says.

"The problem with that is when passwords are stored on a database, they're essentially a bag full of passwords. Of course they're encrypted, but as computers get faster, and attackers get smarter, that bag of passwords is easier and easier to get hacked."

"No matter what kind of devices we use, if people are inputting their authentication information and it's being stored somewhere other than their personal machine, that's just opening the portal of all the information that could possibly be taken at once. So it's multiple accounts versus one single account," she says.

She says that there will never be a perfect solution to the password conundrum - either passwords or machines will always become easier to hack. Instead, constant mitigation is the key.

Two-factor authentication is also far better than using a straight password as it puts more blockers in front of attackers, she says.

"Having someone call your phone, well now a hacker has to have your phone, log in to your phone, be able to access your email on your phone or whatever system you're using, and then on top of that, know your password."

She says this is a far better method of protection than single-factor authentication, and she recommends users enable two-factor authentication.

"One thing that's important to understand is that biometrics are actually used to verify that the user is in fact who they say they are, and then the actual authentication process happens in a later step."

"So this says 'the person sitting at the computer is Molly, she has the right to do this transaction, or this authentication.' In a lot of ways, I think biometrics are a good alternative to a PIN, password - any kind of system like that."

Moving on to how Windows Hello works, Dalton says it's a fairly linear process. The first step is a 'gesture', such as a fingerprint, PIN or facial recognition. Windows Hello is the authenticator, which verifies that the person is who they say they are.

It then opens a secure device, which Windows calls the TPM (Trusted Platform Module). The TPM protects the private key - something that is stored on the actual platform. The key is released and a challenge will come in from the website, which is essentially a signature.

After what Dalton calls some 'cryptomagic', eventually the user is authenticated. But the most important factor?

"All authentication happens on the user's personal machine, versus a whole slew of users in a database. So even if somebody was able to hack something like biometrics, that would literally mean they would have to physically steal the machine, versus taking a database over."
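The flow described above, as an added example that is not Microsoft's code or part of the original article: a local gesture releases a device-held private key, the key signs the website's challenge, and the website checks the signature against a stored public key. The `Device` and `Site` classes, the user name and the PIN are hypothetical stand-ins; an in-memory key pair takes the place of the TPM.

```javascript
// Added illustration: hypothetical names, not Windows Hello or Edge APIs.
const nodeCrypto = require('crypto');

// Stand-in for the user's machine: the private key never leaves this object.
class Device {
  #privateKey;
  #gesture;
  constructor(gesture) {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#privateKey = pair.privateKey;
    this.#gesture = gesture; // constructed PIN standing in for a fingerprint or face match
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  // The key is used only after the local gesture check succeeds.
  sign(challenge, gesture) {
    if (gesture !== this.#gesture) return null;
    return nodeCrypto.sign('sha256', challenge, this.#privateKey);
  }
}

// Stand-in for the website: it stores public keys and one-time challenges only.
class Site {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    const key = this.publicKeys.get(user);
    if (!challenge || !key || !signature) return false;
    return nodeCrypto.verify('sha256', challenge, key, signature);
  }
}

function demo() {
  const site = new Site();
  const device = new Device('1234');
  site.register('alice', device.publicKeyPem);
  const signature = device.sign(site.issueChallenge('alice'), '1234');
  const login = site.verify('alice', signature);
  site.issueChallenge('alice'); // fresh challenge, old signature replayed
  const replay = site.verify('alice', signature);
  const wrongGesture = site.verify('alice', device.sign(site.issueChallenge('alice'), '0000'));
  return { login, replay, wrongGesture };
}
```

The site's stored data here is a public key and a short-lived random challenge, so a copy of its database gives nothing that can be replayed as a login.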

Dalton also works extensively with Microsoft Edge, the browser that she says was built from the ground up.

"The goal with Microsoft Edge was to make sure that we had interoperability amongst other browser vendors. That's been a massive push on my overall team."

As a woman in technology, Dalton echoes the sentiments of evangelists such as Jennifer Marsman about how Microsoft supports and encourages growth.

"Microsoft has a really amazing support system for women. We have a conference, we have a mentorship programme, we have all the resources in place to make being a woman in tech easier. In general, there's not a lot of women in tech, which is unfortunate."

Looking at the tech industry, Dalton says she's sometimes overwhelmed by the amount of things going on.

"It's actually interesting just thinking about the problems that users struggle with daily. That's what my passion is. It's user experience and being interested to see how to create a better user experience for products," she says.

"And what is a better user experience than having to remove the pain of passwords?"
