It is finally official: Windows 10 is getting rid of passwords. What’s more, the move to a passwordless experience has already begun. Starting this week, Microsoft is rolling out a preview build (20H1 Build 18936 to be precise) of Windows 10 to members of the Windows Insider fast track ring that brings passwordless account sign-in right now.
I have previously reported how Microsoft was dumping the advice to force users to make periodic password changes under the security baseline recommendations for Windows. Then there was the Microsoft May update that promised to put the 800 million people who use Windows 10 “one step closer to a world without passwords.” Now the passwordless world of Windows 10 is a reality, for a lucky few at least.
The confirmation came in a July 10 Windows Insider Program blog post that detailed the features of the latest preview build that is “currently being rolled out to a small portion of Insiders.” Other Insiders may get the opportunity to experience passwordless sign-in to Microsoft accounts shortly and are being advised to check back “in a week or so.”
The way this “more seamless sign-in experience,” as Microsoft calls it, works is simple: toggling a “make your device passwordless” option in the Settings|Accounts menu brings the ability to use modern authentication methods instead. Which means what, exactly? Well, Microsoft is referring to biometrics in the shape of Windows Hello facial recognition and your good old fingerprint scan, as well as a PIN. Yep, that’s right, a PIN.
Diana Huang, director of engineering for Windows security at Microsoft, explains that while a PIN is “usually a more simple form (of authentication) than a password,” the answer is to do with symmetry. “Password is a symmetric key,” Huang said, “and there is always a server which keeps track of your password or the symmetric key.” She goes on to explain that a Windows Hello PIN is not a symmetric key but an entropy; it is not tracked on a server, and the Windows client does not keep a copy, so it is not as exposed to server compromise.
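The distinction Huang draws can be modeled in a few lines of Node.js. This is an added example, not Microsoft's code: it assumes a simplified software design in which the PIN only unwraps a private key held on the device and the server stores nothing but the matching public key. All function names and sample values are hypothetical.

```javascript
// Added illustration: a simplified software model, not Microsoft's implementation.
const crypto = require('crypto');

// Password model: the server keeps a verifier derived from the shared secret,
// so a server-side leak exposes material that guesses can be tested against.
function enrollPassword(password) {
  const salt = crypto.randomBytes(16);
  return { salt, verifier: crypto.scryptSync(password, salt, 32) };
}
function checkPassword(record, guess) {
  const candidate = crypto.scryptSync(guess, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.verifier);
}

// PIN model (assumed design): the device creates a key pair, the server gets
// only the public key, and the PIN is local entropy that wraps the private key.
function enrollPin(pin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const kek = crypto.scryptSync(pin, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const wrapped = Buffer.concat([cipher.update(der), cipher.final()]);
  return {
    device: { salt, iv, wrapped, tag: cipher.getAuthTag() }, // no PIN stored
    server: { publicKey: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Device side: unwrap the private key with the PIN and sign the server's challenge.
function signChallenge(device, pin, challenge) {
  const kek = crypto.scryptSync(pin, device.salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, device.iv);
  decipher.setAuthTag(device.tag);
  // final() throws if the PIN is wrong, because the GCM tag does not verify.
  const der = Buffer.concat([decipher.update(device.wrapped), decipher.final()]);
  const key = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  return crypto.sign(null, challenge, key);
}

// Server side: verify with the public key only; the PIN never leaves the device.
function verifyChallenge(server, challenge, signature) {
  return crypto.verify(null, challenge, server.publicKey, signature);
}
```

In this model the server record for the PIN case holds a single public key, whereas the password record holds a value every login guess can be compared against.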
Whether this feature will make it into the next big Windows 10 update towards the end of the year is not known. However, given that it is currently only available to a minimal number of users within that Windows Insider fast track ring, I’m inclined to think that the other 800 million or so ordinary users might have to wait until 2020 to see the back of passwords in Windows 10.