Windows Unlock Authentication Detailed In Docs Ahead Of Windows 10 Anniversary Update Launch

Microsoft has several goodies in store for Windows 10 users with its forthcoming Anniversary Update, things like subtle Start Menu tweaks and better pen support. One of the more anticipated additions, at least for anyone who values security, is a Windows Unlock feature that will work in conjunction with companion devices.

Let's say you're sitting at a PC that doesn't have a webcam for face authentication or a fingerprint reader. That rules out Windows Hello, but with Windows Unlock you can still have a two-factor authentication scheme for logging in. The first factor, of course, is your trusty password, and hopefully it's more secure than 1-2-3-4-5 (save that for your luggage). The second could be any number of companion devices.

Windows Unlock

"Use your Microsoft Band 2, or other devices that integrate with Windows 10 Companion Device Framework (CDF), as companion device for Microsoft Passport based authentication," Microsoft said about its Windows Unlock feature. "With this a device like Microsoft Band 2 or other third-party device, they can become an external second factor authentication which can be used to unlock your Windows 10 PCs."

Microsoft likes to use its Band 2 wearable as an example, but that's not the only external gadget that can be used as a companion device. So can your smartphone, though it must be a Windows Phone or Android handset—there doesn't appear to be any love for iOS, at least not at the outset.

How exactly will this work? Microsoft published some documentation on Monday that provides further details. Here are some of the use case scenarios Microsoft describes:
  • Attach their companion device to PC via USB, touch the button on the companion device, and automatically unlock their PC.
  • Carry a phone in their pocket that is already paired with PC over Bluetooth. Upon hitting the spacebar on their PC, their phone receives a notification. Approve it and the PC simply unlocks.
  • Tap their companion device to an NFC reader to quickly unlock their PC.
  • Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a special gesture (like clapping), the PC unlocks.

According to Microsoft, each companion device will be combined with an app that supports three user signals. Those signals are what ultimately serve as the second factor of authentication, and they can be in the form of an action or gesture. Here's a look:
  • Intent signal: Allows the user to show his intent for unlock by, for example, hitting a button on the companion device. The intent signal must be collected on companion device side.
  • User presence signal: Proves the presence of the user. The companion device might, for instance, require a PIN before it can be used for unlocking PC (not to be confused with PC PIN), or it might require press of a button.
  • Disambiguation signal: Disambiguates which Windows 10 desktop the user wants to unlock when multiple options are available to the companion device.

Logging into Windows might not be the only place where this two-factor authentication comes into play. Though Microsoft hasn't revealed the full extent of Windows Unlock, it's possible that it could be used for things like verifying purchases in the Windows Store.

From a security standpoint, Microsoft lists several requirements to guard against misuse. There are several safeguards against malware and malicious users, though as always, we'll have to see how it performs in the real world.