Windows Hello for Business

In Windows 10 and 11, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is linked to a device and unlocked with biometrics or a PIN.
After an initial two-step user verification during sign-up, Windows Hello is set up on the user’s device and Windows prompts the user to set a gesture, which can be biometric (such as a fingerprint) or a PIN.
As an administrator in a business, nonprofit, or education center, you can create policies to manage the use of Windows Hello for Business on Windows 10/11 devices that sign in to your organization.
Biometric login
Windows Hello provides reliable and fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against identity theft. Major hardware vendors are shipping devices with built-in Windows Hello-enabled cameras. Fingerprint reader hardware can be used or added to devices that currently don’t have it. On devices that support Windows Hello, a simple biometric gesture unlocks user credentials.
- Face recognition:
This type of biometric recognition uses special cameras that see in infrared light, allowing them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are also integrating it into their devices.
- Fingerprint recognition:
This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or built into laptops or USB keyboards) work with Windows 10 and Windows 11.
Windows stores biometric data used to implement Windows Hello securely on the local device only. Biometric data does not roam and is never sent to external devices or servers. Since Windows Hello only stores biometric credentials on the device, there is no single collection point that an attacker can compromise to steal biometric data. For more information on biometric authentication with Windows Hello for Business
The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device it is configured on, but may rely on a simple password hash depending on the person’s account type. This configuration is called Windows Hello convenience PIN and is not backed by asymmetric (public/private key) or certificate-based authentication.
- Windows Hello for Business, which is configured by Group Policy or Mobile Device Management (MDM) policy, always uses key or certificate-based authentication. This makes it much more secure than the Windows Hello convenience PIN.
Benefits of Windows Hello
Reports of large-scale identity theft and hacking often make headlines. Nobody wants to know that their username and password have been exposed.
You might be wondering how a PIN can help protect a device better than a password. Passwords are shared secrets; they are captured on a device and transmitted over the network to the server. Since they are stored on the server, a server breach can reveal these stored credentials.
In Windows 11 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the TPM if the device has a TPM 2.0, or in software otherwise. Access to these keys, and obtaining a signature that proves the user possesses the private key, is only enabled by the PIN or the biometric gesture. The two-step verification that takes place during Windows Hello registration creates a trust relationship between the identity provider and the user when the public part of the public/private key pair is sent to the identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows, through the combination of the Hello keys and the gesture, that it is a verified identity and provides an authentication token that allows Windows to access resources and services.
Imagine someone is looking over your shoulder when you withdraw money from an ATM and sees the PIN you enter. Having this PIN will not help them access your account because they do not have your ATM card. Similarly, learning the PIN for your device does not allow this attacker to access your account, as the PIN is local to your specific device and does not enable any type of authentication from another device.
Windows Hello helps protect user identities and credentials. Since the user does not enter a password (except during provisioning), this helps circumvent phishing and brute force attacks.
How Windows Hello for Business works: key points
- Windows Hello credentials are based on a certificate or an asymmetric key pair. Windows Hello credentials can be tied to the device, and the token obtained using the credentials is also tied to the device.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprise and TPM 2.0 for consumers) or software, depending on the policy. To ensure that keys are generated in hardware, you must define a policy.
- Authentication is two-factor authentication with the combination of a device-bound key or certificate and something the person knows (a PIN) or something the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometric templates are stored locally on a device. The PIN code is never stored or shared.
- The private key never leaves a device when using the TPM. The authentication server has a public key that is mapped to the user account during the registration process.
- Entering the PIN or the biometric gesture triggers Windows 10 and later to use the private key to cryptographically sign data sent to the identity provider. The identity provider verifies the signature and authenticates the user.
- Both personal (Microsoft account) and enterprise (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity provider domains to ensure user privacy.
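The sign-in flow described in the "Benefits" section and the key points above can be modelled end to end. The PowerShell script below is an added illustration, not Microsoft code: an in-process RSA key stands in for the TPM-bound private key, a SHA-256 hash of the PIN stands in for the local gesture check, and the "identity provider" is a hashtable that stores only public keys. The user name, PIN values and function names are constructed for this example.

```powershell
# Added illustration (not Microsoft code) of the Windows Hello key-based sign-in model:
# the private key stays on the device, the identity provider holds only the public key,
# and the PIN merely unlocks local use of the key. All names and values are constructed.

function Get-Sha256Hex {
    param([string]$Text)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

# ---- Device side -----------------------------------------------------------------
function New-HelloDevice {
    param([string]$Pin)
    # Stand-in for the TPM-held key pair; in a real deployment it is created in, and
    # never leaves, the TPM.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    [pscustomobject]@{
        Key     = $rsa
        PinHash = Get-Sha256Hex $Pin     # toy local gesture check (constructed)
    }
}

function Export-HelloPublicKey {
    param($Device)
    $Device.Key.ExportParameters($false) # only the public half goes to the IdP
}

function Invoke-HelloSign {
    param($Device, [string]$Pin, [byte[]]$Challenge)
    # The gesture unlocks use of the key locally; the PIN itself is never transmitted.
    if ((Get-Sha256Hex $Pin) -ne $Device.PinHash) { return $null }
    $Device.Key.SignData($Challenge,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# ---- Identity-provider side --------------------------------------------------------
$script:Registrations = @{}              # user account -> public key parameters only

function Register-HelloUser {
    param([string]$User, $PublicKey)
    $script:Registrations[$User] = $PublicKey
}

function New-HelloChallenge {
    # Fresh random nonce for each sign-in so a captured signature cannot be replayed.
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $nonce
}

function Test-HelloSignIn {
    param([string]$User, [byte[]]$Challenge, [byte[]]$Signature)
    if (-not $Signature) { return $false }   # gesture check failed, nothing was signed
    $verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $verifier.ImportParameters($script:Registrations[$User])
    $verifier.VerifyData($Challenge, $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# ---- Walk-through ------------------------------------------------------------------
$user   = 'alice@contoso.example'                       # constructed account name
$device = New-HelloDevice -Pin '482913'                  # constructed PIN
Register-HelloUser -User $user -PublicKey (Export-HelloPublicKey $device)

$challenge = New-HelloChallenge

$sig = Invoke-HelloSign $device '482913' $challenge
"Registered device, correct PIN : $(Test-HelloSignIn $user $challenge $sig)"

$sig = Invoke-HelloSign $device '000000' $challenge
"Registered device, wrong PIN   : $(Test-HelloSignIn $user $challenge $sig)"

# Attacker learned the PIN over the user's shoulder but only has a different device,
# so a different key pair: the stored public key does not match its signature.
$otherDevice = New-HelloDevice -Pin '482913'
$sig = Invoke-HelloSign $otherDevice '482913' $challenge
"Other device, stolen PIN       : $(Test-HelloSignIn $user $challenge $sig)"
```

Only the first attempt verifies: a wrong PIN never reaches the private key, and the correct PIN on another device produces a signature the identity provider cannot match to the registered public key, which is the ATM-card analogy in code.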
Comparison of key-based authentication and certificate-based authentication
Windows Hello for Business can use keys (hardware or software) or certificates in hardware or software. Organizations that have a public key infrastructure (PKI) for issuing and managing end-user certificates can continue to use that PKI in combination with Windows Hello. This still uses certificates on domain controllers as the root of trust. Starting with Windows 10 21H2, there is a feature called cloud trust for hybrid deployments that uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello, but does not require certificates on the domain controllers.
Windows Hello for Business with a key, including cloud trust, does not support supplied credentials for RDP. RDP does not support authentication with a self-signed key or certificate. RDP with Windows Hello for Business is supported with certificate-based deployments as supplied credentials. Windows Hello for Business with a key credential can be used with Windows Defender Remote Credential Guard.
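For an administrator who has set the policies described above (enabling Windows Hello for Business, forcing hardware-generated keys, and optionally cloud trust), the practical question is whether a given device actually ended up with a TPM-protected Hello key. The following PowerShell audit script is an added example, not Microsoft tooling. It reads the registry values that back the Windows Hello for Business Group Policy settings, queries the TPM, and parses `dsregcmd /status`; the `Name : Value` layout of that output is an assumption of this script, and the function names are constructed.

```powershell
# Added example (not Microsoft tooling): report what backs the Windows Hello for
# Business credential on this device. Run in an elevated session on the device.

function Get-WhfbPolicy {
    # Registry values behind the Windows Hello for Business Group Policy / MDM settings.
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $names = 'Enabled', 'RequireSecurityDevice',
             'UseCloudTrustForOnPremAuth', 'UseCertificateForOnPremAuth'
    $result = [ordered]@{}
    foreach ($n in $names) {
        $v = Get-ItemProperty -Path $path -Name $n -ErrorAction SilentlyContinue
        $result[$n] = if ($null -eq $v) { 'not configured' } else { $v.$n }
    }
    [pscustomobject]$result
}

function Get-TpmSummary {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $wmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present     = [bool]($tpm -and $tpm.TpmPresent)
        Ready       = [bool]($tpm -and $tpm.TpmReady)
        # SpecVersion reads like "2.0, 0, 1.38"; keep the family number only.
        SpecVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    }
}

function Get-HelloKeyState {
    # dsregcmd /status reports whether a Hello (NGC) key exists for the signed-in
    # user and whether it is TPM protected. Parsing layout assumed by this example.
    $fields = @{}
    foreach ($l in (& dsregcmd.exe /status)) {
        if ($l -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        NgcSet       = $fields['NgcSet']
        TpmProtected = $fields['TpmProtected']
        KeySignTest  = $fields['KeySignTest']
        AzureAdPrt   = $fields['AzureAdPrt']
    }
}

function Test-HelloHardwareBacked {
    $policy = Get-WhfbPolicy
    $tpm    = Get-TpmSummary
    $key    = Get-HelloKeyState
    $findings = @()
    if ($policy.Enabled -ne 1) {
        $findings += 'Windows Hello for Business policy is not enabled'
    }
    if ($policy.RequireSecurityDevice -ne 1) {
        $findings += 'RequireSecurityDevice not set: keys may be generated in software'
    }
    if (-not $tpm.Ready) {
        $findings += 'TPM not present or not ready; a hardware-bound key cannot be created'
    }
    if ($key.NgcSet -ne 'YES') {
        $findings += 'No Hello key provisioned for the signed-in user'
    } elseif ($key.TpmProtected -ne 'YES') {
        $findings += 'Hello key exists but is not TPM protected (software key)'
    }
    [pscustomobject]@{
        Policy   = $policy
        Tpm      = $tpm
        Key      = $key
        Findings = $findings
    }
}

Test-HelloHardwareBacked | Format-List
```

`UseCloudTrustForOnPremAuth` in the policy output shows whether the cloud trust model from Windows 10 21H2 is in use; `TpmProtected : YES` together with `KeySignTest : PASSED` is the evidence that the private key is held by the TPM rather than in software, which is the property the key-based deployment relies on.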