Microsoft's commitment to biometrics has taken another leap forward with the release of Windows 8.1. As a result of changes to the Windows Biometric Framework, particularly around fingerprint-based authentication, biometric functionality is now better integrated into Microsoft's operating system.
The Windows 8.1 Preview includes a registration and management application that supports fingerprint authentication when logging on to Windows and accessing various services. The Windows Biometric Framework (WBF) also provides integration with purchasing and running Windows Store apps. Users still need fingerprint scanners to take advantage of these new features, but Windows 8.1 makes those scanners easier to implement and safer to use.
The Windows Biometric Framework
Microsoft has put a lot of effort into biometrics as a way to improve the authentication process and Windows 8 security. Such technologies ensure the identities of people accessing sensitive resources by checking their unique traits. Characteristics including irises, faces, palms and fingerprints are common biometric keys. Microsoft's Windows 8 biometric research has focused primarily on the desktop and fingerprint-based authentication.
Support for biometrics is nothing new for Windows. Microsoft introduced the WBF in Windows 7 and Windows Server 2008 R2. The framework includes a set of services and interfaces that provide a standardized environment for biometric devices and their supporting software. The WBF enables device manufacturers to build client applications that can store and manage the biometric data captured by their components.
In Windows 8.1 Preview, Microsoft introduced a number of changes to the WBF, many of which are not apparent at first glance. For example, the WBF no longer includes the Biometric Input Device-class driver for USB fingerprint readers.
In addition, users will no longer find the biometrics applet in Control Panel. Instead, Windows 8.1 provides other mechanisms for managing fingerprint-related functionality. Plus, the OS includes new application programming interfaces (APIs) specific to Windows Store apps.
However, the WBF Win32 client API has not changed, nor have the driver and adapter specifications.
Windows 8.1 Preview comes with the software necessary to register and manage fingerprint-based authentication on the desktop. This removes the need for hardware manufacturers to provide their own apps, helping to avoid problems introduced with third-party software.
For example, in the past, a number of computer manufacturers -- including Acer, Dell, Gateway, Lenovo and Toshiba -- had shipped their laptops with UPEK's scanner and software. Last year, ElcomSoft, a certified Microsoft partner in Russia, discovered that UPEK's fingerprint-reader program was storing Windows account passwords in the registry as plain text. The passwords were scrambled, but not encrypted, making them an easy target for hackers and cybercriminals.
The new registration and management application in Windows 8.1 Preview is now integrated into the system's account settings. If a WBF-supported fingerprint reader and its driver are installed on a PC, the fingerprint option is automatically made visible to the user.
The Windows 8.1 security improvements make it easy to set up a fingerprint-scanning device and use fingerprint-based authentication. Once users have registered their fingerprints, they need only scan them to authenticate to their Windows accounts and log on to the OS.
Users can also use fingerprint-based authentication for other types of software and services, such as when establishing a Remote Desktop connection. However, if during the initial Windows sign-in an individual submits too many consecutive fingerprint scans that do not match a registered user, the fingerprint sign-in option is disabled. The user must try another method to log on to the computer or reboot the system.
Windows 8.1 Preview also supports a number of group policies that control fingerprint-based authentication for domain users. For example, administrators can disable fingerprint sign-in for users logging on to Windows. The users can still register their fingerprints and use them for other operations that prompt for passwords, but not to sign on to the operating system.
In addition, Group Policy can be configured to prevent users from running the registration application or to specifically disable fingerprint-based authentication altogether.
Biometrics and Windows Store apps
Windows 8.1 Preview extends fingerprint-based authentication to the Windows Store and its apps. Individuals can use their fingerprints to purchase apps as long as the Microsoft account authorizing the transaction is associated with a Windows user on the PC where the transaction is being conducted.
The user account must also be registered for fingerprint sign-in. However, the account authorizing the purchase does not need to be the currently logged-in user.
The WBF in Windows 8.1 Preview also provides two new Windows RT APIs that developers can use in their Windows Store apps to authenticate users before granting access to sensitive resources. When an app calls these APIs, they invoke a fingerprint scan and verify whether it matches the signed-in user.
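The C# example below is added here for illustration and is not code from the article or from Microsoft. It assumes the two APIs referred to are the Windows Runtime methods UserConsentVerifier.CheckAvailabilityAsync and UserConsentVerifier.RequestVerificationAsync; the GateDecision and FingerprintGate names, and the mapping of each result to a decision, are hypothetical choices that make every outcome other than a verified scan fail closed.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials.UI;

// Hypothetical names: GateDecision and FingerprintGate are illustrative only.
public enum GateDecision { Allow, UseOtherMethod, Deny }

public static class FingerprintGate
{
    // Re-verifies the signed-in user before a sensitive action.
    // Anything other than an explicit Verified result fails closed.
    public static async Task<GateDecision> CheckAsync(string reason)
    {
        // Step 1: is fingerprint verification usable at all on this PC?
        var availability = await UserConsentVerifier.CheckAvailabilityAsync();
        if (availability != UserConsentVerifierAvailability.Available)
        {
            // No reader, no enrolled fingerprint, disabled by Group Policy,
            // or reader busy: ask for the password instead.
            return GateDecision.UseOtherMethod;
        }

        // Step 2: prompt for a scan; 'reason' is shown to the user.
        var result = await UserConsentVerifier.RequestVerificationAsync(reason);
        switch (result)
        {
            case UserConsentVerificationResult.Verified:
                return GateDecision.Allow;

            // State changed between the two calls; same handling as step 1.
            case UserConsentVerificationResult.DeviceNotPresent:
            case UserConsentVerificationResult.NotConfiguredForUser:
            case UserConsentVerificationResult.DisabledByPolicy:
            case UserConsentVerificationResult.DeviceBusy:
                return GateDecision.UseOtherMethod;

            // Too many non-matching scans, or the user dismissed the prompt.
            case UserConsentVerificationResult.RetriesExhausted:
            case UserConsentVerificationResult.Canceled:
            default:
                return GateDecision.Deny;
        }
    }
}
```

The value returned is a local decision inside the app, so a back-end service should not treat it as proof of identity on its own.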
The Windows 8 biometric push
Windows 8.1 Preview reflects the importance that Microsoft now places on biometrics. The Windows Biometric Framework has been updated, and fingerprint-based authentication is better integrated into the OS.
Enterprise IT can enable Windows devices to take advantage of fingerprint-scanning functionality so users can sign in to Windows, purchase Windows Store apps, and provide credentials for Windows and Windows RT apps.
As biometric authentication becomes more common, organizations should have an easier time integrating the technology into their Windows 8 security strategies. First, evaluate which systems and users require Windows 8 biometric protection and how to best manage third-party devices and apps.
This was first published in October 2013