Overview of Windows Hello for Business
In this tutorial, we will learn everything related to Windows Hello for Business.
On PCs and mobile devices, Windows Hello for Business replaces passwords with powerful two-factor authentication in Windows 10. Furthermore, this authentication entails the use of a biometric or PIN in conjunction with a new form of user credential on a device.
However, Windows Hello addresses the following problems with passwords:
- Firstly, strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Secondly, server breaches can expose symmetric network credentials (passwords).
- Thirdly, passwords are subject to replay attacks.
- Lastly, users can inadvertently expose their passwords due to phishing attacks.
Windows Hello lets users authenticate to:
- Firstly, a Microsoft account.
- Secondly, an Active Directory account.
- Thirdly, a Microsoft Azure Active Directory (Azure AD) account.
- Lastly, Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication
Biometric sign-in
Windows Hello uses face recognition or fingerprint matching to deliver secure, fully integrated biometric authentication. It also employs a mix of infrared (IR) cameras and algorithms to improve accuracy and prevent spoofing. Major hardware manufacturers are releasing gadgets with built-in Windows Hello cameras. On Windows Hello-enabled computers, however, a simple biometric gesture unlocks users’ credentials.
- Firstly, Facial recognition. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person.
- Secondly, Fingerprint recognition. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone.
Difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. The use of Windows Hello is unique to the device on which it is set up. But, it can use a simple password hash depending on an individual’s account type. However, this configuration refers to a Windows Hello convenience PIN and has no backup of asymmetric (public/private key) or certificate authentication.
- Further, Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than the Windows Hello convenience PIN.
Windows Hello for Business working: key points
- Firstly, Windows Hello credentials are based on the certificate or asymmetrical key pair.
- Secondly, the Identity provider validates user identity and maps the Windows Hello public key to a user account during the registration step.
- Thirdly, keys generating in hardware or software, depending on the policy.
- Next, authentication is the two-factor authentication with the combination of a key or certificate in a device and something that the person knows (a PIN) or something that the person is (biometrics).
- Then, the private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
- After that, PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. However, the identity provider verifies the user’s identity and authenticates the user.
- Lastly, the Windows Hello container and the Windows Hello gesture can protect the certificate private keys.
Reference: Microsoft Documentation