On October 5, 2021, Microsoft released Windows 11, and with it came some controversy around its hardware requirements. In this post we sum up how Windows 11 aims to raise the security baseline of the PC fleet by making a small security chip, the TPM 2.0, a hard requirement for the upgrade.
TPMs, or “Trusted Platform Modules”, have been supported by Windows 10 since its release, and Microsoft has required a TPM 2.0 on new Windows 10 devices from OEMs since 2016. The operating system itself, however, still ran without one. With Windows 11 a TPM 2.0 becomes an installation requirement: everyone distributing new Windows hardware must ship one, enabled. This excludes some (mostly older) PCs from the upgrade and stirred a lot of controversy when it was announced in June 2021, so it may look like a bold move by Microsoft. The motivation is reasonable, though: Windows 11 attempts to deliver more security by default, with built-in protection that keeps the user's data and credentials safe no matter where work (and play) happens. It is also a move to catch up with Apple devices (Secure Enclave, T2 chip) and many Android phones, which have shipped with dedicated security hardware for years.
But how does a tiny TPM chip help to boost security? Let's dive a little deeper into what a TPM actually is. A TPM is a dedicated security component that generates cryptographic keys, stores them so that they cannot be read out, and performs operations such as signing and decryption with them inside the chip. Among the keys it protects are the private halves of asymmetric key pairs, which is where the short version comes from: the TPM's job is to make sure your private keys stay private. Because it signs with keys that never leave it, the TPM is similar in function to a smart card, but it is bound to the PC's hardware rather than to a specific user. A discrete TPM is a separate chip that works independently of the processor, memory and operating system; firmware TPMs (Intel PTT, AMD fTPM) run in a protected mode of the main processor and are accepted by Windows 11 as well. The TPM also keeps Platform Configuration Registers (PCRs) that record measurements of the boot chain, so a key can be "sealed" to be released only when the machine booted the expected firmware and bootloader.
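The following PowerShell script is an added example, not code from the original post or from Microsoft. It shows the "private keys stay private" property directly: a signing key is generated inside the TPM through the Windows CNG key storage provider for TPM-backed keys (the "Microsoft Platform Crypto Provider"), a message is signed with it, the public half is exported and used to verify the signature in software, and an attempt to export the private half fails. It assumes Windows 10 or 11 with a ready TPM 2.0 (needed for ECDSA P-256); the key name is this example's own choice.

```powershell
# Added example (not from the original post): create and use a TPM-resident key
# via CNG, then demonstrate that the private half cannot be exported.
$ProviderName = 'Microsoft Platform Crypto Provider'   # CNG key storage provider backed by the TPM
$KeyName      = 'Win11TpmDemoSigningKey'               # assumed name; persisted for this user until Delete()

$params = New-Object System.Security.Cryptography.CngKeyCreationParameters
$params.Provider           = New-Object System.Security.Cryptography.CngProvider($ProviderName)
$params.KeyUsage           = [System.Security.Cryptography.CngKeyUsages]::Signing
$params.ExportPolicy       = [System.Security.Cryptography.CngExportPolicies]::None
$params.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::OverwriteExistingKey

# Key generation happens inside the TPM; $key is only a handle to it.
$key = [System.Security.Cryptography.CngKey]::Create(
           [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $KeyName, $params)
try {
    "Key '$($key.KeyName)' created by provider: $($key.Provider.Provider)"

    # Sign: the hash goes into the TPM, the signature comes out, the key stays inside.
    $message   = [System.Text.Encoding]::UTF8.GetBytes('challenge from the relying party')   # constructed input
    $signer    = New-Object System.Security.Cryptography.ECDsaCng($key)
    $signature = $signer.SignData($message, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    "Signature length: $($signature.Length) bytes"

    # The public half may leave the TPM; anyone can verify with it in software.
    $publicBlob  = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $verifierKey = [System.Security.Cryptography.CngKey]::Import(
                       $publicBlob, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $verifier    = New-Object System.Security.Cryptography.ECDsaCng($verifierKey)
    $ok = $verifier.VerifyData($message, $signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    "Software verification of the TPM signature: $ok"

    # The private half may not: the provider refuses, which is the whole point of the TPM.
    try {
        $null = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPrivateBlob)
        Write-Warning 'UNEXPECTED: private key material left the TPM'
    } catch {
        "Private key export refused: $($_.Exception.GetBaseException().Message)"
    }
} finally {
    $key.Delete()   # remove the demo key from the TPM-backed key store
}
```

On a machine without a usable TPM the `CngKey.Create` call throws, which is itself a useful check. Windows Hello and BitLocker use the same provider underneath; the difference is only which key is created and what it is used for.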
Why does it matter where private keys are stored? A cryptographic key is a string of bits that an algorithm uses to turn plaintext into ciphertext and back, so whoever holds the key holds the data: only someone with that specific key gains access to the information, software or account it protects. A key that sits as a file on the same disk as the data it protects goes along with that disk when it is taken. Windows therefore puts the key that unlocks a BitLocker-encrypted drive into the TPM, sealed to the boot measurements, so it is released only when the machine boots unmodified firmware and Windows; Windows Hello keys and other credentials are likewise kept behind the TPM rather than in the file system. As a result, encryption keys and user credentials are protected from extraction and tampering, and if you lose the device nobody can simply pull the drive, plug it into another machine and read your files. Two caveats apply: this only holds when BitLocker (or Device Encryption on Home editions) is actually turned on, and a TPM-only protector still releases the key to a normal boot, so the Windows sign-in screen becomes the barrier; adding a BitLocker PIN closes that gap.
Another use for private keys stored in a TPM is user authentication with WebAuthn and FIDO2. WebAuthn is the W3C web API for public-key credentials; FIDO2 is the FIDO Alliance's name for WebAuthn together with CTAP, the protocol that talks to external security keys. On Windows the built-in authenticator is Windows Hello, which keeps each credential's private key in the TPM and unlocks it with a PIN or biometric. The FIDO (Fast IDentity Online) Alliance has been working on Multi-Factor Authentication (MFA) protocols and passwordless solutions since 2012; it is a cooperative effort among stakeholders such as Apple, Microsoft, Google and Mozilla and many others. Because it is based on public-key cryptography (this is where the TPM comes into play), WebAuthn offers much stronger security than passwords and one-time codes: the server stores only a public key, so there is no shared secret to leak, and the signed response is bound to the site's origin, so it cannot be phished. Through biometric or PIN unlock it also offers a better user experience than passwords and other MFA methods.
With WebAuthn, the private key proves that the login comes from the registered device: the server sends a fresh challenge, the authenticator signs it together with the origin the browser is actually on, and the server verifies the signature with the public key it stored at registration. To take over the account an attacker would need the private key itself, which means physical access to the device plus a way to defeat the TPM and the user's PIN or biometric. Such an attack is far more sophisticated, expensive and unlikely than phishing, today's most common attack on user accounts, which WebAuthn defeats outright: a lookalike site only ever obtains a signature over its own origin, and the real site rejects it.
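The script below is an added example, not code from the original post and not Microsoft or W3C code. It plays through a minimal WebAuthn-style assertion with both sides in one place: an authenticator that stands in for a TPM-backed Windows Hello key, and a relying party that verifies the response. It goes a little beyond the paragraph above to show why a replayed or phished response is useless: the signature covers a per-login challenge and the origin the browser saw, and the server checks both before it even looks at the signature. The relying party ID, the lookalike domain and the function names are this example's own; a real deployment uses a WebAuthn library and the browser's `navigator.credentials.get()` instead of hand-built structures.

```powershell
# Added example (not from the original post): WebAuthn-style challenge/response
# with a simulated authenticator and relying party, plus replay and phishing attempts.
$RpId           = 'accounts.example.com'      # assumed relying party ID
$ExpectedOrigin = "https://$RpId"
$Utf8           = [System.Text.Encoding]::UTF8
$Sha256         = [System.Security.Cryptography.SHA256]::Create()
$HashName       = [System.Security.Cryptography.HashAlgorithmName]::SHA256

# Registration (once): the key pair is born inside the authenticator (a TPM on a real
# Windows Hello device); only the public half is handed to the relying party.
$authenticatorKey = [System.Security.Cryptography.ECDsa]::Create(
                        [System.Security.Cryptography.ECCurve]::CreateFromFriendlyName('nistP256'))
$rpStoredKey      = [System.Security.Cryptography.ECDsa]::Create()
$rpStoredKey.ImportParameters($authenticatorKey.ExportParameters($false))   # public point only

function New-Challenge {
    $b = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    [Convert]::ToBase64String($b)
}

function New-Assertion {
    # Browser + authenticator: sign authenticatorData || SHA-256(clientDataJSON).
    # The browser, not the web page, fills in the origin it is really on.
    param([string]$Challenge, [string]$BrowserOrigin, [uint32]$SignCount)
    $clientData = $Utf8.GetBytes(([ordered]@{ type = 'webauthn.get'; challenge = $Challenge; origin = $BrowserOrigin } | ConvertTo-Json -Compress))
    $rpIdHash   = $Sha256.ComputeHash($Utf8.GetBytes($RpId))
    $flags      = [byte]0x05                                   # UP|UV: user present and verified (PIN/biometric)
    $counter    = [System.BitConverter]::GetBytes($SignCount); [array]::Reverse($counter)   # big-endian
    $authenticatorData = [byte[]]($rpIdHash + $flags + $counter)
    $toSign     = [byte[]]($authenticatorData + $Sha256.ComputeHash($clientData))
    [pscustomobject]@{
        ClientDataJSON    = $clientData
        AuthenticatorData = $authenticatorData
        Signature         = $authenticatorKey.SignData($toSign, $HashName)
    }
}

function Test-Assertion {
    # Relying party: none of these checks can be passed without the private key.
    param($Assertion, [string]$IssuedChallenge, [uint32]$LastSignCount)
    $clientData = $Utf8.GetString($Assertion.ClientDataJSON) | ConvertFrom-Json
    if ($clientData.type -ne 'webauthn.get')        { return 'rejected: not an authentication ceremony' }
    if ($clientData.challenge -ne $IssuedChallenge) { return 'rejected: challenge mismatch (replay)' }
    if ($clientData.origin -ne $ExpectedOrigin)     { return "rejected: origin $($clientData.origin) is not $ExpectedOrigin (phishing)" }
    $seenRpIdHash = [System.BitConverter]::ToString([byte[]]$Assertion.AuthenticatorData[0..31])
    $wantRpIdHash = [System.BitConverter]::ToString($Sha256.ComputeHash($Utf8.GetBytes($RpId)))
    if ($seenRpIdHash -ne $wantRpIdHash)            { return 'rejected: credential is scoped to another RP ID' }
    $counter = [byte[]]$Assertion.AuthenticatorData[33..36]; [array]::Reverse($counter)
    if ([System.BitConverter]::ToUInt32($counter, 0) -le $LastSignCount) { return 'rejected: signature counter did not increase (cloned key?)' }
    $toSign = [byte[]]($Assertion.AuthenticatorData + $Sha256.ComputeHash($Assertion.ClientDataJSON))
    if (-not $rpStoredKey.VerifyData($toSign, $Assertion.Signature, $HashName)) { return 'rejected: bad signature' }
    return 'accepted'
}

# 1. Genuine login on the real site.
$c1 = New-Challenge
$a1 = New-Assertion -Challenge $c1 -BrowserOrigin $ExpectedOrigin -SignCount 1
"genuine login : $(Test-Assertion $a1 $c1 0)"

# 2. Replay: the attacker captured $a1 and presents it against a fresh challenge.
$c2 = New-Challenge
"replayed login: $(Test-Assertion $a1 $c2 1)"

# 3. Phishing: the user was lured to a lookalike domain that relays the real challenge.
#    The signature now covers the fake origin, so the real site rejects it.
$a3 = New-Assertion -Challenge $c2 -BrowserOrigin 'https://accounts-example.com' -SignCount 2
"phished login : $(Test-Assertion $a3 $c2 1)"
```

In a real browser the third case is even weaker for the attacker: the browser only lets a page use an RP ID that matches its own domain, so the lookalike site cannot even ask the authenticator for the credential registered to `accounts.example.com`.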
The good news is: most PCs sold in the last several years already have a TPM, often as a firmware TPM inside the CPU (Intel PTT, AMD fTPM) rather than a separate chip. In the past many manufacturers shipped it disabled in the firmware settings, since Windows 10 ran fine without it and it was seen as an enterprise/pro feature. Windows 11 bringing the chip into the spotlight is changing this: PC manufacturers will ship new devices with the TPM enabled, and on existing hardware it can usually be switched on in the UEFI setup.
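To check where an existing PC stands on the points made above (is there a TPM 2.0 visible to Windows, is Secure Boot on, and is the TPM actually protecting the system drive through BitLocker), the following PowerShell script can be run from an elevated prompt on Windows 10 or 11. It is an added example, not code from the original post, and uses only cmdlets built into Windows; the function name is this example's own.

```powershell
# Added example (not from the original post): TPM / Secure Boot / BitLocker posture check.
# Run as Administrator; Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume need it.
function Get-TpmSecurityPosture {
    $result = [ordered]@{}

    # 1. TPM presence and state (TrustedPlatformModule module, built into Windows).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady        # present, enabled, activated and owned by Windows
    # The spec version lives in the WMI class; Windows 11 needs it to start with "2.0".
    $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmSpecVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
    $result.Tpm20          = $result.TpmSpecVersion -eq '2.0'

    # 2. Secure Boot: the boot measurements the TPM seals keys to are only meaningful
    #    when the firmware verifies what it loads. The cmdlet throws on legacy BIOS.
    try { $result.SecureBoot = Confirm-SecureBootUEFI } catch { $result.SecureBoot = $false }

    # 3. BitLocker on the OS volume: without it the TPM holds no key that protects the files
    #    on a pulled drive. A Tpm* protector means the volume key is sealed to the TPM.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.BitLockerProtection = $vol.ProtectionStatus                      # On / Off
    $result.KeyProtectors       = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ','
    $result.TpmProtectsDiskKey  = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $result.TpmPinRequired      = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'TpmPin*' })

    [pscustomobject]$result
}

$posture = Get-TpmSecurityPosture
$posture | Format-List

if (-not ($posture.TpmPresent -and $posture.Tpm20)) {
    Write-Warning 'No TPM 2.0 visible to Windows. Check the firmware setup for a disabled TPM/fTPM/PTT before assuming the hardware lacks one.'
}
if ($posture.BitLockerProtection -ne 'On' -or -not $posture.TpmProtectsDiskKey) {
    Write-Warning 'The system drive is not protected by a TPM-sealed BitLocker key; a pulled drive can still be read.'
}
elseif (-not $posture.TpmPinRequired) {
    Write-Warning 'TPM-only protector: the key is released to any unmodified boot, so the sign-in screen is the only barrier. Consider a BitLocker PIN.'
}
```

A machine that reports TpmPresent but not Tpm20, or no TPM at all, most often has the module switched off in the UEFI setup rather than missing; that is exactly the situation the paragraph above describes.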
And in the months since the Windows 11 announcement, many more people - including you - learned what a TPM is and why you’d want one.