Microsoft offers two-factor authentication in Windows 10

Microsoft will bake two-factor authentication into its new Windows 10 operating system in an effort to avoid the data theft and systems break-ins that arise from the insecure single-password approach, the company said.

Windows 10 users will be able to enrol a PIN or biometric input - such as the reading of a fingerprint - as their secondary authentication factor alongside their computing device.

"From a security standpoint, this means that an attacker would need to have a user's physical device -- in addition to the means to use the user's credential -- which would require access to the users PIN or biometric information," Windows enterprise program management team Jim Alkove wrote in a blog post.

The secondary credential can either be a certificate provisioned for the specific device by the company's public key infrastructure (PKI) system, or a key pair generated by Windows.

"Providing both of these options makes Windows 10 great for organisations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI backed identity isn't practical," Alkove wrote.

The new two-factor authentication system will be supported by Active Directory, Azure Active Directory, and consumer Microsoft Accounts.

Microsoft will also offer protection for access tokens generated as part of the authentication process with an "architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology".

This approach ensures tokens aren't able to be extracted from devices even when the Windows kernel itself has been compromised, Alkove wrote.

"Today, these access tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket, etc. Once an attacker has these tokens they can access resources by effectively impersonating the user’s identity without needing the user’s actual credentials," he said.

"The technique is frequently coupled with advanced persistent threats (APT) and thus it’s a technique that we eagerly want to eliminate from the attacker’s playbook."

Two-factor authentication is one of three new technologies Microsoft sees as fundamental in Windows 10 for offering added protection.

After the user has successfully logged in to the system, Microsoft will also sandbox and encrypt each file used with containerisation technology working alongside the PC's trusted platform module to distinguish between corporate and personal data.

"Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations," Alkove wrote.

The feature will also work on Windows Phone. Windows 10 extends VPN control options for IT managers to protect the corporate data accessed on user's personal devices. 

"App-allow and app-deny lists will enable IT professionals to define which apps are authorised to access the VPN and can be managed through MDM solutions for both desktop and universal apps," Alkove said.

Thirdly, Microsoft will offer a code-signing system for software targeted at threat and malware resistance.

Windows 10 will provide IT managers with the ability to only allow end-users to run apps that have been checked for malware by the service and signed off as safe for use. IT managers will have the ability to sign apps themselves, or use apps signed by ISVs or those available on the Windows Store.

"Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store and the devices themselves will be locked down by the OEM," Alkove wrote.

"The lockdown process OEMs will use is similar to what we do with Windows Phone devices."

Windows 10 is expected to be made available by the middle of next year. It is currently in technical preview.