Microsoft released the new Windows 10 Insider Preview build 18936 in the Fast Ring. One of the main features of this new build is passwordless login, which Windows 10 users will be able to use by default to log in to their Windows accounts. The feature will be available in Windows 10 20H1.
Windows Hello Passwordless Login
In the new Windows 10 Insider Preview build, Microsoft has added the "Make your device passwordless" option, which makes Windows Hello (Face, Fingerprint, or PIN) authentication the only way to get into Microsoft accounts. That means once users upgrade to Windows 10 20H1, they’ll no longer need to use their Microsoft account passwords.
Back in 2015, Microsoft announced Windows Hello, its biometric authentication solution, as well as "Passport," which was a solution for logging in to third-party apps and websites without a password (or biometric authentication). You would still need a PIN, which according to Microsoft should be more secure than using a password, especially since the PIN isn’t stored on the device (presumably only a cryptographic hash of it is, similar to how passwords are “stored” on secure servers).
The PIN isn’t used to log in to the website. Instead, it gives the Passport protocol local access to the locally stored public-private key pair required by the third-party website the user wants to log in to. Microsoft announced soon after that Passport functionality would be integrated into Windows Hello.
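The local-unlock-then-sign flow described above, as an added example (not Microsoft's or the FIDO Alliance's code): a simplified Node.js model in which the PIN only decrypts a locally stored private key and the website holds just the public key. The function names, the sample origin, and the PIN-encrypted PEM standing in for hardware-backed key storage are assumptions, and the messages are not in the real WebAuthn format.

```javascript
// Simplified model of PIN-gated public-key login; all names are hypothetical.
const nodeCrypto = require("crypto");

// Device: create a per-site key pair. The private key is kept encrypted under
// the PIN (assumed stand-in for a hardware-backed gate on a real device).
function registerCredential(pin) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: pin },
  });
  // The website stores the public key only; the PIN is never sent anywhere.
  return { device: { privateKey }, server: { publicKey } };
}

// Website: a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("base64");
}

// Device: the PIN unlocks the key locally; only the signature leaves the device.
function signAssertion(device, pin, origin, challenge) {
  const clientData = JSON.stringify({ origin, challenge });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), {
    key: device.privateKey,
    passphrase: pin,
  });
  return { clientData, signature };
}

// Website: reject wrong-origin or replayed responses, then check the signature.
function verifyAssertion(server, expectedOrigin, expectedChallenge, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.origin !== expectedOrigin) return false;       // signed for another site
  if (data.challenge !== expectedChallenge) return false; // stale or replayed response
  return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
    server.publicKey, assertion.signature);
}

// Device: true if the PIN decrypts the stored key, false otherwise.
function pinUnlocks(device, pin) {
  try {
    nodeCrypto.createPrivateKey({ key: device.privateKey, passphrase: pin });
    return true;
  } catch { return false; }
}
```

A database leak on the website side exposes only `server.publicKey`, which can verify signatures but cannot produce them.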
Passport was an early version of the FIDO2 specification, developed by the FIDO Alliance in collaboration with Microsoft (a member of the FIDO Alliance) and the World Wide Web Consortium, which released the Web Authentication specification that websites will need to implement in order to allow users to log in without passwords via FIDO2.
The FIDO2 specification was finalized earlier this year, so now it’s up to websites to adopt it and make it ubiquitous. Presumably this solution should be more appealing to website developers than FIDO’s Universal 2nd Factor (U2F) for two-factor authentication was, because users will not need a separate device to use this option.
Device makers and OS vendors will also have to develop their products in such a way that the locally-stored private keys can’t be hacked remotely or even locally by malicious actors, before people can trust this solution.
FIDO2 logins should make logging in to websites easier, while also eliminating the problem of password reuse and decentralizing credential storage so that we’ll no longer hear about data breaches exposing hundreds of millions of accounts. In a FIDO2 future, if a hacker wants to steal hundreds of millions of passwords, they’ll need a way to hack into hundreds of millions of devices.