Introducing Identity Protection Features in Windows 8

In a December 14 blog post authored by Dustin Ingalls, a group program manager on the security and identity team dicucss the architectural improvements to Windows 8 that enable even more secure management of your many passwords.The article first discusses how typical users of Windows in the US have about 25 different online accounts that […]

In a December 14 blog post authored by Dustin Ingalls, a group program manager on the security and identity team dicucss the architectural improvements to Windows 8 that enable even more secure management of your many passwords.

The article first discusses how typical users of Windows in the US have about 25 different online accounts that they are required to sign in to. These accounts range from banks to e-commerce sites and all the way to social networks. The article points out how this is not a great experience for users and that on average people only have 6 different passwords for all those services. Obviously that ratio of different passwords to online accounts isn't very secure.

"Windows 8 includes a number of substantial features in this area that we've already covered in prior blog posts (Secure Boot, SmartScreen and Windows Defender enhancements, etc). However, some attacks (like guessing and cracking) rely only on password strength, so it's important to use strong, complex passwords that are unique to each account," writes Ingalls. Windows 8 simplifies the task of managing unique and complex passwords in two important ways:

Windows 8 allows you to securely store and manage all of your sign-in credentials

"The first is by providing a way to automatically store and retrieve multiple account names and passwords for all the websites and applications you use, and do so in a protected manner. Internet Explorer 10 uses the credentials that we store to remember names and passwords for websites you visit (if you choose). In addition, anyone building a Metro style app can use a direct API to securely store and retrieve credentials for that app. (It is important to note that IE respects instructions from websites about saving your credentials - some websites specifically request that passwords not be saved.)

The second important investment in this area was covered in an earlier post by Katie Frigon, Signing into Windows 8 with a Windows Live ID. One of the great things you get when you sign in to Windows with your Windows Live ID is the ability to sync the credentials you've stored to all of the Windows 8 PCs that you register as your "Trusted PCs."

According to the article, Microsoft plans to "allow a user to have a different password for all the sites they have to log in to and then use Windows 8 to save that password and associate it with that online account. That account information and password would then be saved across all the Windows 8 PCs that the user is logged in on thanks to the use of Windows Live ID to sign in to a Windows 8 account. Windows 8 will automatically submit the credential on your behalf, so you'll never need to remember it yourself. If you need to see the actual password at some point later, you can view it in the credential manager shown here, from any of your Trusted PCs," he said.

Adding "If your Windows Live ID password was stolen somehow, you still have the benefit of a number of Windows Live safety features that are designed to detect compromise and limit your account usage until you can successfully prove that you are the rightful owner of your account and recover your account. The account recovery workflow leverages two-factor authentication features (secondary account proofs) that you set up earlier, such as a mobile phone number or secondary email address (if you haven't already set these up, we'll ask you for them the first time you use your Windows Live ID with Windows 8). Also, even if your Windows Live ID is in a compromised state, you will still have full access to your PC since Windows will cache your last "known good" sign-in password (encrypted, of course) and allow you to use that to continue to sign in," he said.

He notes "Windows 8 has a number of new features that make it much easier for both users and application developers to make use of public/private key methods. Windows already provides fairly extensive support for use of key pairs and certificates; but strong protection of the private key, as I mentioned earlier, typically relied on HSMs or smart cards. Windows 8 includes a new Key Storage Provider (KSP), which provides easy, convenient use of the Trusted Platform Module (TPM) as a way of strongly protecting private keys. A TPM is a trusted execution environment found on many business-class PCs today (and we expect much broader availability of TPMs when Windows 8 ships), which enables a PC to securely store cryptographic keys. Metro-style apps have APIs that make it easy to automatically enroll and manage keys on your behalf. The Windows Dev Center provides a sample banking app that shows developers how to use this API."

The video below shows this in action after it is set up via policy or logon script by your adminsitrator: