build 2016 - p491 - windows unlock with iot devices
TRANSCRIPT
#Build2016
Windows Unlock with IoT Devices
Anoosh Saboori, Senior Program Manager
MICROSOFT CONFIDENTIAL
Demos
• Microsoft Band sign-in
Microsoft Passport & Windows Hello
A two-factor authentication system built for you and your users
• Achieve higher levels of security while reducing costs
• Increase user convenience with simple unlock gestures
Second factor in the previous release
• First factor: PIN, or Windows Hello biometric
• Second factor: private keys secured in the TPM

Second factor in the upcoming release
• First factor: PIN, Windows Hello biometric, or a Companion Device
• Second factor: private keys secured in the TPM
The Companion Device joins the PIN and the biometric as a user gesture; the TPM-protected private key remains the second factor.
Overview
• Companion UWP App: an app or service on the PC
• Companion Device: talks to the companion app over a device-specific transport protocol
• Companion Device Authentication Service: on the PC; a trigger starts registration or authentication
• Companion Device Credential Provider: on the PC
Make the Companion Device sociable via signals
• Intent signal: a signal that lets the user show their intent to unlock
• Disambiguation signal: a signal to disambiguate which Windows 10 desktop the user wants to unlock when multiple options are available to the Companion Device
• User presence signal: a signal that proves the presence of the user, like a device PIN
User flow overview
1. Set up a PC PIN on each target Windows 10 desktop the user wants to unlock with that Companion Device.
2. Download and run the companion app on the Windows 10 desktop to register the Companion Device with that desktop.
3. Collect the signals and unlock the PC when it is in the locked state.
Messaging
Protocol overview: Register, Unlock
Security principles
1. PC unlock requires the registered companion device to be present.
2. The companion device only talks to the PC with which it was registered.
Keys
• HMAC key 1 (stored on the Companion Device)
• HMAC key 2 (stored on both the PC and the Companion Device)
Register
Prepare
• Register the background task
• Establish the two HMAC keys, the signals, and the device capabilities
Start
• Call RequestStartRegisteringDeviceAsync
Finish
• Call FinishRegisteringDeviceAsync
Clean up
• The Companion Device stores the HMAC keys
• The companion app discards its copies
Code walkthrough: Register

RequestStartRegisteringDeviceAsync API

    HRESULT RequestStartRegisteringDeviceAsync(
        [in] HSTRING deviceId,
        [in] SecondaryAuthenticationFactorDeviceCapabilities capabilities,
        [in] HSTRING deviceFriendlyName,
        [in] HSTRING deviceModelNumber,
        [in] Windows.Storage.Streams.IBuffer* deviceKey,
        [in] Windows.Storage.Streams.IBuffer* mutualAuthenticationKey,
        [out, retval] Windows.Foundation.IAsyncOperation<SecondaryAuthenticationFactorRegistrationResult*>** operation);

FinishRegisteringDeviceAsync API

    HRESULT FinishRegisteringDeviceAsync(
        [in] Windows.Storage.Streams.IBuffer* deviceConfigurationData,
        [out, retval] Windows.Foundation.IAsyncAction** result);
Unlock
Wait (the PC was locked)
• For WaitingForUserConfirmation, OR
• CollectingCredential
Start (all signals collected)
• Call StartAuthenticationAsync
Compute
• Communicate with the Companion Device to perform the required HMAC operations
Finish
• Call FinishAuthenticationAsync
• Wait for CredentialAuthenticated to start the success flow
• Wait for StoppingAuthentication to kill your background task
The two API calls (Start and Finish) should be made within 20 seconds.
Code walkthrough: Unlock

StartAuthenticationAsync API

    HRESULT StartAuthenticationAsync(
        [in] HSTRING deviceId,
        [in] Windows.Storage.Streams.IBuffer* serviceAuthenticationNonce,
        [out, retval] Windows.Foundation.IAsyncOperation<SecondaryAuthenticationFactorAuthenticationResult*>** operation);

FinishAuthenticationAsync API

    HRESULT FinishAuthenticationAsync(
        [in] Windows.Storage.Streams.IBuffer* deviceHmac,
        [in] Windows.Storage.Streams.IBuffer* sessionHmac,
        [out, retval] Windows.Foundation.IAsyncOperation<SecondaryAuthenticationFactorFinishAuthenticationStatus>** result);
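The Register and Unlock exchanges above, as an added Python model that is not code from the deck or from Windows. It shows both sides' messages: the companion app generates the two HMAC keys and discards them after registration, the PC service issues nonces and proves possession of the shared key, the device returns the device and session HMACs that FinishAuthenticationAsync consumes, and the service enforces the 20-second window. The HMAC algorithm (SHA-256), the byte layout of each HMAC input, the in-memory key stores, the status strings and the injectable clock are this model's choices, not the framework's wire format. The PC keeping a verification copy of HMAC key 1 is inferred from RequestStartRegisteringDeviceAsync taking deviceKey; the deck places that key on the device, so a real implementation must keep the PC copy in protected storage.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32                 # bytes per HMAC key; the deck does not fix a size
UNLOCK_WINDOW_SECONDS = 20   # "Two API calls should be made within 20 seconds"


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts (algorithm choice is this model's)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class CompanionDevice:
    """IoT side. Keys are indexed by PC id, so the device answers only a PC it registered with."""

    def __init__(self) -> None:
        self._pcs = {}   # pc_id -> (device_key = HMAC key 1, auth_key = HMAC key 2)

    def store_keys(self, pc_id: str, device_key: bytes, auth_key: bytes) -> None:
        self._pcs[pc_id] = (device_key, auth_key)

    @staticmethod
    def service_nonce() -> bytes:
        """Fresh challenge; the PC must prove it holds auth_key on every unlock."""
        return os.urandom(16)

    def respond(self, pc_id: str, service_nonce: bytes, start: dict) -> tuple:
        if pc_id not in self._pcs:
            raise PermissionError("not registered with this PC")
        device_key, auth_key = self._pcs[pc_id]
        # Mutual authentication: reject a PC that cannot MAC our nonce under the shared key.
        if not hmac.compare_digest(mac(auth_key, service_nonce), start["service_hmac"]):
            raise PermissionError("PC failed to prove possession of auth_key")
        device_hmac = mac(device_key, start["device_nonce"])                # proves device presence
        session_hmac = mac(auth_key, device_hmac, start["session_nonce"])  # binds it to this session
        return device_hmac, session_hmac


class PcAuthService:
    """PC side, standing in for the Companion Device Authentication Service."""

    def __init__(self, pc_id: str, clock=time.monotonic) -> None:
        self.pc_id = pc_id
        self._clock = clock      # injectable so the 20-second window can be exercised offline
        self._devices = {}       # device_id -> (device_key, auth_key); protected store in reality
        self._sessions = {}      # device_id -> (device_nonce, session_nonce, start_time)
        self.unlocked = False

    def register_device(self, device_id: str, device_key: bytes, auth_key: bytes) -> None:
        """RequestStartRegisteringDeviceAsync + FinishRegisteringDeviceAsync, collapsed."""
        self._devices[device_id] = (device_key, auth_key)

    def start_authentication(self, device_id: str, service_nonce: bytes) -> dict:
        """StartAuthenticationAsync(deviceId, serviceAuthenticationNonce)."""
        if device_id not in self._devices:
            raise KeyError("device not registered")
        _, auth_key = self._devices[device_id]
        device_nonce, session_nonce = os.urandom(16), os.urandom(16)
        self._sessions[device_id] = (device_nonce, session_nonce, self._clock())
        return {"device_nonce": device_nonce, "session_nonce": session_nonce,
                "service_hmac": mac(auth_key, service_nonce)}

    def finish_authentication(self, device_id: str, device_hmac: bytes, session_hmac: bytes) -> str:
        """FinishAuthenticationAsync(deviceHmac, sessionHmac); status names are this model's."""
        device_nonce, session_nonce, started = self._sessions.pop(device_id)
        if self._clock() - started > UNLOCK_WINDOW_SECONDS:
            return "NonceExpired"
        device_key, auth_key = self._devices[device_id]
        ok_device = hmac.compare_digest(mac(device_key, device_nonce), device_hmac)
        ok_session = hmac.compare_digest(mac(auth_key, device_hmac, session_nonce), session_hmac)
        if not (ok_device and ok_session):
            return "Failed"
        self.unlocked = True
        return "Completed"


def register(pc: PcAuthService, device: CompanionDevice, device_id: str) -> None:
    """Companion app flow: generate both keys, hand them to PC and device, discard its copies."""
    device_key, auth_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    pc.register_device(device_id, device_key, auth_key)      # over the WinRT API
    device.store_keys(pc.pc_id, device_key, auth_key)        # over the device transport
    del device_key, auth_key                                 # "Companion app discards its copies"


def unlock(pc: PcAuthService, device: CompanionDevice, device_id: str) -> str:
    """Companion app flow on the locked PC: relay nonces and HMACs between the two sides."""
    nonce = device.service_nonce()
    start = pc.start_authentication(device_id, nonce)
    device_hmac, session_hmac = device.respond(pc.pc_id, nonce, start)
    return pc.finish_authentication(device_id, device_hmac, session_hmac)


if __name__ == "__main__":
    pc, band = PcAuthService("pc-A"), CompanionDevice()
    register(pc, band, "band-1")
    print(unlock(pc, band, "band-1"))
```

The three checks a reviewer of a companion app should look for are all visible here: the device refuses a PC id it never registered with (principle 2), it refuses a PC that cannot MAC its nonce under HMAC key 2 (so a stolen device id alone is useless), and the PC refuses a device HMAC that is wrong or arrives after the window. A real device additionally needs the anti-hammering and key-export protections listed in the security slide, which this in-memory model does not provide.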
Security, Management, and Policy
A word on security
• Protect the HMAC keys, at rest and in flight: offline attack, cloning, exportability
• Verify user presence securely: anti-spoofing, uniqueness, anti-hammering, reliability
Management
Via Windows
• Windows performs AAD or MSA authentication
• Windows does not provide a portal to view, audit, revoke, or manage these devices
• Windows does not provide roaming
Via the app
• From the app, the user can unregister a Companion Device
IT admin concepts
Policy
• An on/off switch for Companion Devices
• Allowed list of Companion Device apps via Windows AppLocker
Revocation
• Remove a device type from the companion app allowed list when a breach is detected in that device type
© 2016 Microsoft Corporation. All rights reserved.