How to Extend Windows Hello in Your Journey to Passwordless

In this vlog, our CSO, Michael Engle, joins our CMO, Michael Cichon, to discuss how to extend Windows Hello in your journey to passwordless. If you are interested in learning more, please register for our upcoming webinar.

Michael Cichon:
Hi, good morning everybody. This is Michael Cichon. I’m the Chief Marketing Officer here at 1Kosmos. I’m here today with Mike Engle, our Chief Strategy Officer and co-founder, to talk about Windows Hello. Mike, welcome to the vlog.

Mike Engle:
So excited to be here, Michael.

Michael Cichon:
It’s awesome. It’s really good to have you. Let’s start with the basics. What is Windows Hello?

Mike Engle:
Yeah, it’s actually been around for quite a while. It is a way for you to really unlock your Windows workstation or laptop using your biometrics. And the two typical options are your face or your finger, depending on the hardware. So where we’ve all been typing passwords in for years and years, this is a way to get around that in some situations.

Michael Cichon:
Okay. So you said Windows workstations, obviously this is centric to Microsoft. How does it fit into a more complicated environment?

Mike Engle:
Yeah, obviously Microsoft is big in every Fortune 1000-type shop and beyond. So they offer a lot of options in the infrastructure. For those organizations that have Windows managed desktops that are joined to their cloud service called Azure AD, they can now give those employees a way to authenticate into the domain with the finger or the face. So it really helps. It’s a nice tool in an authentication strategy. Some of the things it doesn’t cover though, we should talk about some of those things, but where it does work, it reduces a lot of friction.

Michael Cichon:
Okay. So strategically I know that we have several customers that are using 1Kosmos Block ID in conjunction with Windows Hello. So what does the combination look like?

Mike Engle:
Well, there are a couple of reasons why you would complement Windows Hello with 1Kosmos Block ID. First of all, you need a username and password to set it up. So as you know, painful as that sounds, it’s still the only way. So one of the challenges with any passwordless strategy is when you do need that password, say, I got a new machine. You have to go figure out how to handle that situation.

Mike Engle:
So what we bring is a way for you to push a button in an app and reset your active directory password. So you can go set up Windows Hello. The other thing we bring to the table is the ability to log into machines that aren’t Windows Hello, right? So Windows Hello works only on a machine that you’re sitting in front of. It doesn’t work on domain controllers, which are kind of your keys to the kingdom machines. It’s where all the user accounts sit and it does not work in remote access environments.

Michael Cichon:
Got it.

Mike Engle:
So commonly Citrix, virtual desktops and things like that. It’s still logging into Windows, but remotely. And we can use our agent to log into those machines, which are of course very important use cases as well.

Michael Cichon:
Okay, great. So we are extending the passwordless use case beyond Microsoft, so that opens up the question, what other environments, operating systems, and platforms do we support with Block ID?

Mike Engle:
Really any. So it’s not just a Windows world. I happen to be a Windows guy, but there’s more and more Mac people out there. So we will cover the Mac platform. We also cover Linux, Unix, et cetera. And one of the really neat features of the platform is we can take your Windows Hello and inject it into other websites. We turn Windows Hello into a very easy to use authenticator that I can touch on that sometime. But so Windows is only one part of a typical infrastructure and you have to have a solution for the whole picture.

Michael Cichon:
Got it. Okay. So I have heard from several people that, and I’m sure it’s an oversimplification, but they say, “Look, I’ve got my biometrics on my device, on my iPhone. What do I need any of this for? How do Block ID and Windows Hello fit into device-level biometrics, or the other way around, how do device biometrics fit into this picture?”

Mike Engle:
Yeah, well, it really comes down to identity, right? How do you identify yourself to all these systems? So Windows Hello will get you into this machine sitting in front of you. And on your phone, Windows Hello is not going to work on your iPhone, and conversely your iPhone can’t log you into your Windows workstation. By leveraging the Block ID platform, your identity is in your hand and can be used anywhere. So you can use it to get into that Windows workstation, those remote access machines, into your iPhone, into your single sign-on app, into your privileged access management. So it really introduces this layer of identity to be able to get down into all these other systems that are struggling with passwords today, so that’s one of the major differences.

Michael Cichon:
I see. Okay. So I’ve heard passwordless often described with zero trust.

Mike Engle:
Yeah.

Michael Cichon:
So device biometrics, Windows Hello, passwordless access to other systems, how does that fit into zero trust?

Mike Engle:
Yeah. Zero trust is all the rage. And it’s really important. So there are six pillars of zero trust. And one of the most important ones is what they call identity. Identity and passwordless are not the same. Passwordless is a way to get into a system without a password, but it doesn’t necessarily mean the same thing as identifying the user. So username does not equal identity. Password does not equal identity, and neither does passwordless.

Michael Cichon:
Got it.

Mike Engle:
So we introduce identity and real biometrics. So that little Touch ID, Face ID that billions of people do every day is not real biometrics, in the sense that it does not identify a real person. We have something called Live ID. This is unique to 1Kosmos. Other authenticators do not have this. It lets your real identity get you into a target system. And in our opinion, that is the true spirit of zero trust. So that when Michael logs into his workstation, you can prove cryptographically and with an immutable audit trail that this was Michael and I had his real biometrics to prove it. So that’s really the big differentiator out there.

Michael Cichon:
Okay. So some people are going to greet you, but let me ask you a question here. You use the term real biometrics. Are you saying that device biometrics are spoofable or can you clarify this?

Mike Engle:
I mean, there are some people that have done it in a lab with propeller heads on, but the biometrics are good on your Windows workstation, on your phone. They’re good, but they’re not linked back to a real identity. So when I scan my face on my phone, Apple’s not saying that’s Mike Engle. They say that’s somebody’s face on that phone. And it’s the same face over and over. It’s not an identity. It could be my wife’s face or my kids’ or coworkers’. Or somebody with my six-digit Apple PIN. When you use a real, live selfie, now you can match that to a real-world identity. And that’s what we do. And that’s what we call identity-based authentication instead of passwordless.

Michael Cichon:
Okay. That’s great. Listen, I understand you have an example queued up for us. Can you show that to us?

Mike Engle:
Yeah, I can. So here, you’ll see the launching of a Windows workstation. And you see the traditional username, password. We have a little button here, which invokes our agent, which now can request what we call Live ID. So you’ll see a real biometric getting you into that workstation. And as you can see, that is me, right? There’s nobody else that could have presented my face in that scenario. That biometric has been tested for what’s called presentation attacks by the leading independent testing lab called iBeta. So that is our version of zero trust to get you into any of your corporate systems, not just Windows workstations, but any, including your single sign-on, et cetera.

Michael Cichon:
Okay, great. So is this subject to decisioning bias or racial bias?

Mike Engle:
Well, first of all, it’s a one-to-one match. So very rarely do you have bias issues there, but even if you were doing a one-to-many match, say against corporate photos, our engine is ranked in the top three globally, tested by organizations like NIST for that. So we’ve got you covered there as well.

Michael Cichon:
Okay. Right. So what are you going to say to people that say, “Look, I just don’t want to put my biometric in a system. What about security and privacy?”

Mike Engle:
Yeah, so the important thing with using biometrics is you have to do it properly. And that means making sure that the user is in control of it. So there are a lot of biometrics out there that are stored in centralized databases. Ours is not; ours is in control of the user at all times, encrypted with the user’s private key. And so only the user can unlock it and release it through the platform with their consent. And so that’s a huge, what we call privacy-by-design, principle. That’ll keep us out of trouble where others have had a lot of bad press in the news lately.

Michael Cichon:
That’s great. Well, listen, Mike, I really appreciate your time today. As usual, it’s a pleasure. Thank you very much. Thanks for the information on Windows Hello, and have a good rest of your day.

Mike Engle:
Pleasure’s all mine. Have a great weekend.

Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.