Windows 8.1 bolsters biometrics for authentication
Microsoft's next OS update offers native fingerprint reader support
By Antone Gonsalves
June 05, 2013 — CSO — Microsoft Windows 8.1, due for release in preview form late this month, demonstrates the company's belief that PC and mobile phone makers are ready to make fingerprint readers a mainstream feature for authentication.
The Windows 8 upgrade will contain the driver necessary to run the hardware, Chris Hallum, senior product manager at Microsoft, told CSO. This marks a change from when third-party software was needed to run fingerprint scanners on Windows.
The change to native operating system support reflects Microsoft's focus on biometrics as a way to bolster authentication, which is heavily dependent today on the use of passwords. Hackers have become very good at stealing credentials from websites, and then cracking the encryption.
"Biometrics is an area that we're putting a ton of energy in," Hallum said. "In fact, this is one of the most noteworthy areas [in Windows 8.1.]"
Microsoft has had biometrics technology in Windows for years, but it has all been frameworks that required third-party software to drive the fingerprint readers. Today, Microsoft is working closely with hardware makers to help them deliver "what we consider modern, touch-based reader devices," Hallum said.
Microsoft's interest in biometrics is spurred in part by Apple's $356 million acquisition last year of AuthenTec, analysts say. () While no announcements have been made, Apple is expected to use AuthenTec's fingerprint recognition technology for unlocking mobile devices.
Windows 8 comes in versions for PCs, tablets and smartphones.
Also, by taking control of the reader software, Microsoft can avoid paying for the mistakes made by third-party vendors, experts say. For example, security researchers last year found that AuthenTec's application contained a flaw that a hacker could exploit to steal Windows passwords.
Market trends such as the falling price of the hardware and consumers' willingness to use touch as a way to interact with computing devices are helping to drive interest in fingerprint readers, said analyst Jack Gold with J. Gold Associates.
"Because so many devices are touch now anyway, people will just use a finger swipe to log in," Gold said.
Microsoft expects more websites to use fingerprints as a means of two-factor authentication with passwords, as the reader technology is embedded in more hardware. The software in Windows 8.1 will make it possible to use fingerprint authentication for specific functions in an application, such as transferring funds from an online banking site, Hallum said.
In general, banks like biometrics for authentication, said Al Pascual, a security analyst for Javelin Strategy & Research, which specializes in the financial industry. While fingerprint authentication is considered the most reliable form of biometrics, banks are also experimenting with facial and voice recognition.
"Banks are looking at biometrics hard," Pascual said. "There's been a huge push for voice in the past year, year in a half or so, because it has broad applicability. You can use it online and you can use it in a call center. It's a big value proposition for them."
While banks have sometimes issued fingerprint readers to commercial customers, they have not been as generous toward consumers. However, if the hardware gets embedded in more devices, then banks will likely adopt it for consumers, Pascual said.
Some security experts doubt that Microsoft's push in Windows 8.1 will have much impact in the adoption of fingerprint biometrics. "Fairly high-quality fingerprint reading capabilities have been distributed in the laptop form factor for a long while, but supply for this authentication method has been higher than demand," said Eve Maler, an analyst with Forrester Research.
Other options, such as software-based tokens and sending one-time login codes to a mobile phone, are more popular as a form of two-factor authentication, Maler said.
In addition, fingerprint recognition has serious privacy implications, if a hacker can implant malware that steals an image of the print.
"If a user's fingerprint gets spoofed by an attacker, it's identity theft in a very real sense, and it's hard to undo the damage," Maler said. "How do you revoke your own fingerprints?"
Read more about access control in CSOonline's Access Control section.