Device Guard safeguards Windows 10 with hardware authentication

Reducing friction and maximizing security

So while Device Guard addresses the problem of malicious code on a system, data still needs to be protected. Short passcodes are not secure, but requiring strong passwords increases friction.

Another problem is that enterprises may only issue secure log-ins - like RSA's keyfob - for a subset of users or only for certain apps, like logging into VPNs. Additionally, there is no good version for consumers currently, and there isn't a system-wide log-in that delivers the enterprise-grade security.

To combat this, Microsoft introduced Passport and Windows Hello.

Hi, Windows Hello

With Windows Hello, Microsoft is relying on enterprise-level biometric authentication. Depending on the machine, users can log in with a fingerprint, face scan with advanced cameras like Intel's RealSense 3D Camera, and iris scan.

This eliminates the need for a PIN or complex passcode requirements, and makes securing a system easy. Microsoft hopes that security will come without friction for Windows users.

Beyond Windows

After logging into Windows with Hello, Passport allows users to also log into trusted apps.

In a demonstration at RSA 2015, Hallum showed me that it took less than a second for the Intel RealSense 3D Camera, which was attached to a Lenovo ThinkPad X1 Carbon Ultrabook via USB, to recognize his face. After he logged into Windows with hello, Hallum was also instantly logged into other apps - like the Azure service - that would normally require a password.

As Microsoft is part of the FIDO Alliance for security authentication, it will allow third-party apps to support Passport login.

For consumers, this means that in the future, once you log onto Windows, you can also log onto your Bank of America or Wells Fargo banking account, access your eBay auction and payments on PayPal, and check the status of your Amazon order without having to log into these individual services, provided they support Passport.

Enterprise applications

For enterprises who may want to keep things even more secure, Microsoft could also deliver multi-device authentication with Windows Hello.

In a demonstration, Hallum showed that business customers can use their phones to log into Windows Hello on their PCs. This means that if a computer was stolen, the user cannot log into the system unless they have the phone and PIN.

With a Windows Phone-powered Lumia connected to the Lenovo ThinkPad over Wi-Fi or Bluetooth, Hallum typed his PIN into the phone, rather than onto the computer, to log into his PC.

Passport, Ingalls says, is a hardware-bound solution that's similar to a smart card.

The Windows 10 family

Even though Microsoft executives remain tight-lipped about their plans for Passport on other devices and screens inside the Windows 10 family, Ingalls admitted that Xbox, Windows 10 for phones, and Windows 10 all share the same code, meaning that it's just as easy to run Passport on those devices.

The possibility for Passport is endless, and the technology makes computing even more personal and secure. One potential use could be unlocking parental controls on an Xbox for gaming or TV watching with a face scan, or securely logging into mobile apps on a Windows 10 phone with a new 3D camera on a future Lumia phone.