Microsoft has been busy releasing news of upcoming Windows 10 features which will improve several age-old issues. The password has been a thorn in the side of users since its inception, and with Windows Hello, Microsoft may have an answer to that. They have also detailed the evolution of their System Volume space savings which first debuted last year with WIMBoot. Finally, Microsoft has confirmed a launch timeframe for Windows 10, which will ship “this summer” in many countries and languages.

Windows Hello

With Windows Hello, Microsoft is taking a new spin (for them) at authentication. Everyone knows about passwords, and most people are aware of the many issues with passwords, such as password reuse, weak passwords, and the like. Passwords are great for computers, but awful for people. Truly strong passwords need to be unique per system or site, and should be long alphanumeric strings. The problem is people are not good with passwords. Windows Hello wants to solve this with multifactor authentication using biometrics and physical devices. Yes, we have seen biometrics before. Even on Windows, device makers like Lenovo have been including fingerprint scanners for many years. We have seen the rise of the TouchID fingerprint reader on the iPhone, which owners have embraced as a much easier way to authenticate themselves to their phone.

Microsoft will be taking a two-pronged approach to authentication. The first is the actual authentication. Windows Hello will work with several biometrics, including fingerprint scanners, facial recognition, and iris scanning, as examples. This will be used in conjunction with hardware cryptography on the device to unlock the device. Microsoft is claiming false unlocks at around one in one hundred thousand. Fingerprints are well known, but the facial recognition will not rely on just a webcam, but rather will require new hardware such as the Intel RealSense 3D Cameras to ensure that it is a real person in front of the device and not just a photo. The unlock is tied to the actual device, and none of the unlock information is ever sent off of the device. Existing fingerprint readers can be used with Windows Hello.

Intel RealSense 3D Camera Module

Since this is not even in the latest build of Windows 10, there are a lot of questions still to be answered. Microsoft has said that they have evolved authentication from what they have learned with Kinect, so they do have some background with this technology. However my experience with Kinect is that it is not very good at authenticating, and with something as important as unlocking my PC I will be skeptical until proven otherwise. Regardless, it is hard to deny that the password has outlived its usefulness, so any research and advancement in this area can only be a good thing.

The second prong of the approach is using your device authentication to allow access to services and websites which require authentication. Microsoft is integrating Windows Hello into a new service code-named Passport. Passport is a method of authenticating to external services using public-private key cryptography. Rather than logging in to OneDrive.com (as an example) with a username and password, and possibly a second factor like an authenticator app, you will log in to your device with Windows Hello (which is two factors – your device and your biometrics), and your device will then authenticate to the service using public-private crypto. This way, if a service is ever compromised, the attacker would just get a public key for your user, which would be useless. The private key would be locked on your device. Passport will be integrated with Azure Active Directory on day one, and Microsoft is hoping to expand the capability of the service through the FIDO alliance. As with anything security related, this is a good step, but we need to see the full details.
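The login flow described above can be sketched as a challenge-response exchange; this is an added example, not Microsoft's code or part of the original article. The choice of Ed25519 through Node's built-in crypto module and the names createDevice, createService and demo are assumptions made for illustration, since the article does not say which algorithm or protocol Passport uses.

```javascript
const crypto = require("crypto");

// Device side: the private key stays inside this closure, standing in for
// hardware-backed key storage (an assumption of this sketch).
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // The key is usable only after the local unlock gesture has succeeded.
    sign(challenge, unlocked) {
      if (!unlocked) throw new Error("device locked");
      return crypto.sign(null, challenge, privateKey);
    },
  };
}

// Service side: stores public keys and one-time challenges, never a secret.
function createService() {
  const users = new Map();   // username -> public key (PEM)
  const pending = new Map(); // username -> outstanding challenge
  return {
    users,
    register(name, publicKeyPem) { users.set(name, publicKeyPem); },
    issueChallenge(name) {
      const challenge = crypto.randomBytes(32);
      pending.set(name, challenge);
      return challenge;
    },
    verify(name, signature) {
      const challenge = pending.get(name);
      pending.delete(name); // single use, so a captured signature cannot be replayed
      const pem = users.get(name);
      if (!challenge || !pem) return false;
      return crypto.verify(null, challenge, crypto.createPublicKey(pem), signature);
    },
  };
}

// Constructed walk-through: one valid login, then two reuses of the same signature.
function demo() {
  const device = createDevice();
  const service = createService();
  service.register("alice", device.publicKeyPem);
  const sig = device.sign(service.issueChallenge("alice"), true);
  const firstLogin = service.verify("alice", sig);
  const replay = service.verify("alice", sig);   // challenge already consumed
  service.issueChallenge("alice");
  const staleSig = service.verify("alice", sig); // signature covers the old challenge
  return { firstLogin, replay, staleSig };
}
```

Everything the service holds in `users` is public key material, so a dump of that store gives an attacker nothing to sign a fresh challenge with.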

WIMBoot Evolution

Windows 8.1 Update 1 brought along a piece of technology called WIMBoot, which allowed Windows to save space on the system drive by keeping the system files in a compressed WIM (Windows Imaging) file on the recovery partition. Traditionally, files are kept as the WIM file for recovery and extracted to the C: drive for use by the operating system. WIMBoot allowed system manufacturers to free up space by removing the redundant files and just using the compressed copy. It was not perfect though. OEMs could still add in their own files to the WIM, significantly increasing the size of the recovery partition. These files could never be removed, so if an OEM just stuck a bunch of unnecessary software in the WIM, that space could never be reclaimed. The recovery partition could not be removed on devices with WIMBoot. Although the idea of booting off of the WIM file had merit, it was not always ideal.

Microsoft is evolving this process. Instead of keeping system files in a compressed WIM file on the recovery partition, they have instead gotten rid of the recovery partition. This will free up a significant amount of space that is often dedicated to this, even on devices which never used WIMBoot. The new reset and refresh functionality will rebuild the operating system in place using runtime system files. This takes up less space, and it will keep security updates for system files in place to avoid having to download them again after recovery.

Also, Windows 10 will compress system files if appropriate to the system. During the upgrade, the process will look at several factors and compress the system files if doing so will not adversely affect system performance. This likely means that the system has enough processing power and disk speed that impact will be minimal or non-existent. OEMs will be able to determine if their devices can and should have this done as well, and incorporate it into new devices.

Windows Store apps will also benefit from this compression. This will allow more user data to be stored, which is a win, especially on low cost devices with limited storage.

Microsoft is claiming this new compression and lack of a recovery partition can free up over six gigabytes on a 64-bit system. In practice, it could easily be much higher, since the recovery partition can be well over seven gigabytes on its own once the additional software is added. However, their numbers would most likely be comparing to a device which did not leverage WIMBoot in the first place.

Windows 10 Launch Timeframe

The final bit of news from the software company is that Windows 10 is going to ship “this summer” in 190 countries and 111 languages. They have also detailed how they hope to get the free upgrade to Windows 10 underway. In China, partnerships with Lenovo, Tencent, and Qihu 360 will assist customers in getting the upgrade done. Lenovo will offer Windows 10 upgrades at 2,500 service centers and retail stores in China. Tencent will offer free upgrades to Windows 10 for its customers as part of an upgrade pack which also includes some of their own software. They will also be creating a universal app for their QQ app which has over 800 million customers in China, as well as bringing some of their gaming IP such as League of Legends to the Windows Store. Qihu 360 will also be offering Windows 10 to their customers with streamlined installations and accelerated download speeds.

With the current state of the Windows 10 Technical Preview, it seems hard to believe that Windows 10 will be launched by September at the latest. However, we have not seen a new build for Windows Insiders since the January build came, so internally employees may be working on much more stable code. Hopefully this is the case, and hopefully the speed of new builds is increased as well. There has been news in the Windows 10 Insider Hub that the rollout of new builds is going to increase, but that has not happened yet. I would get a quote from the Insider Hub, but the app will not currently launch on my Windows 10 desktop, which explains my surprise at the launch timeframe being so soon.

If Microsoft can hit the back-to-school crowd, it would certainly help out with both PC sales and Windows 10 market penetration, but that is not something that they have hit with either Windows Vista or Windows 8 or any of its derivatives.

Source:
Windows Blog: Windows Hello, WIMBoot Evolution, Windows 10 Launch Timeframe

50 Comments

  • menting - Wednesday, March 18, 2015

    you mean "current iterations" of biometrics security as being worse than passwords. And that is precisely the reason why more time and money needs to be invested in it, because passwords as it currently stands now, aren't sufficient anymore.
  • cboath - Wednesday, March 18, 2015

    So, because it hasn't worked in the past means it should simply be abandoned completely? Who's to say someone can't make it work properly? Passwords will not last forever. There will be a 'next thing'. Not sure what you have besides biometrics. DNA? gotta swab your mouth to login? Once the DNA's degraded X% it's invalid so you have to get it to the scanner inside of 20 seconds?

    It's very easy to simply say 'that won't work'. It's also pretty unproductive. For a hacker, I'm not sure any amount of protection/password/biometrics/etc is a stopper. Just a delay. For the protection they're really after (personal systems/phones/average guy/disgruntled employees/etc) they actually are better. There are numerous people here who write their company pw's down on Post-its and stick in their unlocked desks. If my parents had pw's when I was a kid I'd have been able to get around them PDQ....If it was a biometric setup, I wouldn't have had a chance.

    I'm not saying they don't have their issues, but you have to allow for the fact that they've improved it. You also have to allow for the fact that it's not MS pushing it but rather enterprise. Regardless - hard to trash it before it's tested in a final form.
  • Hrel - Wednesday, March 18, 2015

    The biggest change I'd like to see from Microsoft would be to release only ONE version of Windows. Anything else just feels like they're nickel-and-diming us, which no one enjoys.

    SysAdmins can easily and quickly deploy Windows with various features and functions turned off as they see fit. So the only thing Microsoft accomplishes by releasing a "business" version of Windows is taking those choices away from SysAdmins.

    Furthermore, in a market with ever increasing competition, easily the most competition Windows has ever faced, they are only hurting themselves by exposing ANYONE to anything less than "full windows".

    The one caveat being, low power/mobile devices. I'd prefer "full Windows" to just be as little resource intensive as possible, but if that would require cutting features then it should only be done on mobile platforms. I'm talking backend here, not front end. Your average user should still think there is only one version of Windows.
  • extide - Wednesday, March 18, 2015

    Well, they usually remove the ability to join a domain from the "Home" versions -- and make you buy a "Pro" version if you need to join a domain. That, at least, makes sense.
  • FlushedBubblyJock - Wednesday, March 25, 2015

    Doesn't make any sense when the end users buy "the pro version!" and have absolutely no idea what a domain is and would never, ever use one, and never ever have - but boy they gots them that PRO version and are they ever a great person and a smart user cause of it...

    I'm telling you man, these are people that brag about their IQ's.
    It's shiny, it's PROFESSIONAL...
    They should market one with a racing stripe on the box
  • zodiacfml - Wednesday, March 18, 2015

    Sigh, when I was just about to finish working on a WimBoot Image. But yeah, I'm still figuring out if there's significant space saved as the default applications, drivers, and windows updates for my image are huge.
  • TallestJon96 - Wednesday, March 18, 2015

    Don't see why passwords are suddenly outdated. Been working fine for quite a while.
  • mkozakewich - Wednesday, March 18, 2015

    As computers become better, brute force attacks become easier. At this point, you need more than 8 characters to be safe, and that number will only increase. Soon we'll all need 12-character alphanumeric passwords. They may work now, but there *will* be a time when passwords just don't work for the majority of humans.
  • Etsp - Wednesday, March 18, 2015

    Um, no.

    You're forgetting an aspect of it. The effectiveness of brute force methods relies on the number of possible combinations (password length/complexity) AND how much time it takes to generate the cryptographic hash.

    As time moves on, we will use higher-strength hashes, or use more iterations. A password hashed in 1995 is trivial to brute force compared to the same password hashed in 2015 (assuming typical strength hash functions of the time).

    The real problem with passwords is that people cannot remember a separate password for every online service they use, and when the same password is used in multiple places and is broken (due to one of the sites using cheap hashes and poor security), suddenly they are open to attack on MANY fronts.

    Having a password for a device, and having that device authenticate the user to the online service mostly resolves that issue.
  • moozoo - Wednesday, March 18, 2015

    WIMBoot sounds great... until you download and install 800MB of patches and a couple of service packs. At which point a lot of system files are no longer compressed.
    It only works if you repeatedly regenerate the WIMBoot file over time.
    I have a Pendo Windows 8 tablet. It has 16GB of storage and that is what I have had to do.
    In the end it does work. But I had to buy a third party tool in order to achieve that.