Will Windows 10 mean the end of malware?

More secure than ever before

Windows 10

Think Windows 8 was a big step forward in security? So did Microsoft – at the time. Looking back though, Chris Hallum, who manages the security features in Windows and Windows Phone, now thinks it had incremental improvements tackling a subset of the problem.

That's not helped by the fact that PC makers didn't start putting the same kind of touch sensor fingerprint readers as seen on the iPhone on their devices the way he'd hoped they would.

He's still hoping to see fingerprint sensors become common, but he's also bullish about what's coming next. "In Windows 10," he says confidently, "you'll see we actually decisively address entire classifications of issues with solutions that maybe in some ways can eradicate the issue in its entirely."

Password crisis

The first issue to tackle is passwords. "We're no longer thinking about passwords as a problem," he admits freely. "Passwords are actually a real-time crisis. You have to move to something better."

And that would be the 'next-generation credential'. It's going to use two-factor authentication, with the second factor being either the Trusted Platform Module security chip which is in many modern PCs and will be in every single Windows device in 2015, or your phone (where the equivalent of the TPM is "pretty close to pervasive") – or, he suggests mysteriously, "devices we're not talking about yet".

When you first make your account, your PC will create a key that's stored in a secure container, protected by the TPM – you might have one key for your personal account, another for your online bank and another for your work account that has a longer PIN.

"The user unlocks their Windows container with an unlock gesture, which could be a PIN or a password or biometrics, and they get access to it," says Hallum. That PIN isn't the usual four digits – it can be up to 20 characters long and it can include numbers, symbols, spaces and upper and lower case letters.

Finger printing good

Or you could use a fingerprint. Hallum expects readers that can tell whether your finger is a real finger and whether it's still alive, looking not just at the pattern but "the 3D image with the peaks and valleys" which flatten out on dead fingers and fake fingerprints.

He'd like to see a 9mm sensor that doesn't have a big chrome border around it so you can just press your whole fingertip on it once instead of multiple times like the iPhone, but OEMs may pick smaller, cheaper sensors. "We're going to get the cost down to where it can go mainstream," he says with cautious optimism. "We have an OEM signalling – not committing but signalling – that they may put it across their entire consumer range. Although I hope I don't get burned again because I talked about this for Windows 8…"

With or without fingerprint readers, the new password-replacing credentials are coming – not just from Microsoft but from fellow FIDO Alliance members like Google. Google's similar secure key proposal has already been ratified and Hallum says Microsoft is committed to getting its own system ratified by FIDO too.

Flexibility first

Hallum believes the flexibility of the Windows 10 credential is an advantage. "The differentiator for us is you will be able to use existing devices to authenticate for this; you can use your PC or your phone.

"That means your phone – including Windows Phone, Android, an iPhone with its fingerprint reader and maybe one day a BlackBerry – could store your credentials and pair to your PC via Bluetooth to sign you in. That means two-factor authentication will become ubiquitous, without people needing multiple fobs and physical tokens."

He's confident the credentials will be adopted by a range of services, and says Microsoft is evangelising it to both business and consumer services. "This is going to succeed. You're going to see a lot of consumer services like Netflix. They see how important this is for banking, for content, for consumer services." Business apps that you log into with a Windows username and password today will just work with them too. "Every app should be able to take advantage of it, unless you've done something that is not best practice."