Education Center, Windows Hello
Windows Hello for Business

Windows Hello for Business resolves various security challenges associated with traditional password-based authentication by offering advanced biometric authentication methods, such as facial recognition and fingerprint scanning. It enhances user convenience, reduces password-related vulnerabilities, lowers helpdesk costs, and addresses issues related to remote work security and compliance requirements.
Organizations considering Windows Hello for Business deployment must evaluate deployment options based on their identity infrastructure. Three main deployment models cater to different organizational scenarios:
| Deployment Model | Use Case |
|---|---|
| Cloud Only | Ideal for organizations with a fully cloud-based identity, accessing resources like SharePoint Online. |
| Hybrid | Suited for organizations with a mix of cloud and on-premises resources, enabling SSO for both. |
| On-Premises | Designed for organizations relying solely on on-premises applications integrated with Active Directory. |
Integration with Active Directory involves careful consideration of trust types and authentication methods:
| Trust Type | Authentication Method | Use Case |
|---|---|---|
| Key Trust | Device-bound key | Suitable for enhanced security scenarios, requiring users to authenticate using a key. |
| Certificate Trust | Authentication certificates | Ideal for organizations emphasizing certificate-based authentication for added security. |
| Cloud Kerberos | Microsoft Entra Kerberos | Offers a simpler deployment experience, recommended when certificate authentication is not required. |
The Public Key Infrastructure (PKI) requirement varies based on trust types:
| Trust Type | PKI Requirement | Considerations |
|---|---|---|
| Cloud Kerberos | No PKI requirement | Simplifies deployment, recommended for scenarios without PKI needs. |
| Key Trust | PKI required | Suitable for scenarios where certificate-based authentication is important. |
| Certificate Trust | PKI required | Requires PKI for both user and domain controller certificates. |
Device registration differs based on deployment type:
| Deployment Type | Device Registration Provider | Use Case |
|---|---|---|
| Cloud/Hybrid | Microsoft Entra ID | Seamless registration for devices in both cloud-only and hybrid deployment models. |
| On-Premises | Active Directory Federation Services (AD FS) | Device registration for on-premises deployment managed through AD FS. |
Organizations can configure Windows Hello for Business through Group Policy (GPO) or Configuration Service Provider (CSP), depending on their device management approach.
| Deployment Model | Configuration Option | Management Approach | Use Case |
|---|---|---|---|
| Cloud Only | CSP | Mobile Device Management (MDM) | Ideal for organizations managing devices through MDM solutions like Microsoft Intune. |
| Hybrid | GPO | Active Directory or local | Suited for domain-joined devices and scenarios where MDM is not the primary management. |
| On-Premises | CSP | Managed through MDM | Configuration through CSP for on-premises deployment with MDM management. |
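The following PowerShell readiness check is an added example, not Microsoft's code or part of this page: it reads the device registration state that the registration table above depends on (via dsregcmd) and the GPO/CSP-backed PassportForWork policy values, then reports which trust type the device will use. It assumes a Windows 10/11 client with dsregcmd.exe, and the registry value names are assumed to match the PassportForWork policy in your environment; verify them against your policy reference.

```powershell
# Added example (not Microsoft's code). Assumes Windows 10/11 with dsregcmd.exe.
# Registry value names are assumed to match the PassportForWork policy template.
function Get-DsregStatus {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $result[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Get-WhfbPolicy {
    # Read the policy values (set by GPO or the PassportForWork CSP) that decide
    # whether WHfB is enabled and which trust type is used for on-premises auth.
    # A missing value means "not configured": the Windows default applies.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $p = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled            = [bool]$p.Enabled
        RequireTpm         = [bool]$p.RequireSecurityDevice
        CloudKerberosTrust = [bool]$p.UseCloudTrustForOnPremAuth
        CertificateTrust   = [bool]$p.UseCertificateForOnPremAuth
    }
}

function Test-WhfbReadiness {
    $s   = Get-DsregStatus
    $pol = Get-WhfbPolicy
    # Registered with Microsoft Entra ID (cloud/hybrid) or domain-joined (on-premises).
    $joined = ($s['AzureAdJoined'] -eq 'YES') -or ($s['DomainJoined'] -eq 'YES')
    # Trust type precedence: cloud Kerberos, then certificate, otherwise key trust.
    $trust = 'Key'
    if ($pol.CertificateTrust)   { $trust = 'Certificate' }
    if ($pol.CloudKerberosTrust) { $trust = 'Cloud Kerberos' }
    [pscustomobject]@{
        DeviceRegistered  = $joined
        TrustType         = $trust
        PolicyEnabled     = $pol.Enabled
        TpmRequired       = $pol.RequireTpm
        NgcKeyProvisioned = ($s['NgcSet'] -eq 'YES')   # a WHfB key already exists
        Ready             = $joined -and $pol.Enabled
    }
}

Test-WhfbReadiness | Format-List
```

Run it in an elevated session on a test device; a device that reports DeviceRegistered false or TpmRequired false warrants a look at the registration provider and the RequireSecurityDevice setting before rollout.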
Organizations should ensure compatibility with the required operating systems:
| Deployment Model | Trust Type | Windows Version | Use Case |
|---|---|---|---|
| Cloud Only | N/A | All supported versions | Compatible with all supported Windows versions, making it suitable for cloud-only environments. |
| Hybrid | Cloud Kerberos | Windows 10 21H2 with KB5010415 and later; Windows 11 21H2 with KB5010414 and later | Requires specific Windows versions for Cloud Kerberos trust in hybrid deployment. |
| Hybrid | Key | All supported versions | Compatible with all supported Windows versions for Key Trust in hybrid deployment. |
| Hybrid | Certificate | All supported versions | Compatible with all supported Windows versions for Certificate Trust in hybrid deployment. |
| On-Premises | Key | All supported versions | Compatible with all supported Windows versions for Key Trust in on-premises deployment. |
| On-Premises | Certificate | All supported versions | Compatible with all supported Windows versions for Certificate Trust in on-premises deployment. |
Understanding the distinction between Windows Hello and Windows Hello for Business is crucial for organizations:
| Features | Windows Hello | Windows Hello for Business |
|---|---|---|
| Target Audience | Consumer use | Geared towards enterprise environments |
| Authentication | Consumer-grade biometrics, PIN | Enterprise-grade MFA, smart card support, certificate-based auth |
| Identity Management | Device-centric | Integrated with enterprise identity systems |
| Security Features | Consumer-level | Enhanced security, anti-spoofing, key-based protection |
The Windows Hello authentication process involves two-step verification during enrollment, establishing a secure and trusted relationship:
| Authentication Step | Description |
|---|---|
| Provisioning Process | Establishes a trusted relationship and creates a cryptographic key pair bound to the device's TPM. |
| Key Pair Protection | The cryptographic key pair is protected by being bound to the device's TPM. |

| Authentication ID | Description |
|---|---|
| Microsoft 365 Account | Utilized for authentication within the Microsoft 365 ecosystem. |
| Microsoft Entra ID | Serves as the primary authentication identifier within the Windows Hello system. |
| FIDO v2.0 | Supports password-less authentication, enhancing security. |
Multi-Factor Authentication (MFA) provides an additional layer of security beyond just a username and password. Azure supports various types of MFA methods to enhance authentication:
Text Message (SMS)
Description: A one-time passcode is sent to the user’s registered mobile phone via text message.
Usage: Suitable for users with mobile phones who prefer a simple and widely accessible method.
Voice Call
Description: A phone call delivers a spoken one-time passcode to the user’s registered phone.
Usage: Useful for users who may have difficulty receiving or reading text messages.
Mobile App Notification
Description: Users receive a notification on their mobile device prompting them to approve or deny the login request.
Usage: Provides a convenient and quick method for users with smartphones.
Mobile App Verification Code
Description: A time-sensitive verification code is generated within a mobile authentication app (e.g., Microsoft Authenticator).
Usage: Suitable for users who prefer using authentication apps and have them installed on their smartphones.
Email
Description: A one-time passcode is sent to the user's registered email address.
Usage: Appropriate for users who prefer receiving authentication codes through email.
Windows Hello for Business offers various biometric sign-in methods, each with specific configuration requirements and associated hardware components:
| Biometric Method | Configuration Options | Hardware Requirements |
|---|---|---|
| Facial Recognition | Utilizes infrared (IR) cameras for reliable biometric authentication. Requires IR camera-equipped devices. | Infrared (IR) Camera |
| Fingerprint Recognition | Employs capacitive sensors for scanning fingerprints. Available in external devices and integrated systems. | Capacitive Sensors |
| Iris Recognition | Introduced with HoloLens 2, this method involves scanning the iris for a secure authentication experience. | Iris Scanner (e.g., available in HoloLens 2 devices) |
Facial Recognition
Mechanism
Infrared Cameras: Utilized to capture facial features beyond naked-eye visibility.
Anti-Spoofing Measures: Implemented to differentiate between real persons and attempts to use non-living representations.
Functionality
Enrollment: Users register facial features, creating a unique template.
Authentication: Involves real-time comparison of captured facial features with the stored template.
Hardware Requirements
Infrared (IR) Camera: Necessary for accurate capture of facial features.
Reliability
Facial recognition offers a convenient and contactless authentication method suitable for diverse organizational environments.
IR cameras enhance reliability, making it challenging for attackers to spoof the system with static images.
Fingerprint Recognition
Mechanism
Capacitive Sensors: Employed to capture the unique ridges and valleys of fingerprints.
Pattern Matching: Compares scanned fingerprints with stored templates for authentication.
Functionality
Enrollment: Users register fingerprints, creating a unique template.
Authentication: Involves scanning fingerprints and comparing them to stored templates.
Hardware Requirements
Capacitive Sensors: Essential for accurate capture of fingerprint patterns.
Reliability
Fingerprint recognition offers a reliable and widely accepted biometric method.
Implementation options include external fingerprint scanners or integration into devices like laptops and keyboards.
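As an added example for the facial and fingerprint sections above (not Microsoft's code or part of this page), the following PowerShell script checks whether a device has the biometric sensor the sign-in method needs, whether the Windows Biometric Service is running, and whether the enhanced anti-spoofing policy that protects facial recognition against static-image spoofing is enforced. It assumes a Windows 10/11 client; the Biometrics policy registry paths are assumed to match the "Allow the use of biometrics" and "Configure enhanced anti-spoofing" Group Policy settings and should be verified against your policy reference.

```powershell
# Added example (not Microsoft's code). Assumes Windows 10/11; the policy
# registry paths below are assumed to match the Biometrics Group Policy settings.
function Get-BiometricPolicy {
    $bio  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' -ErrorAction SilentlyContinue
    $face = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' -ErrorAction SilentlyContinue
    # $null means "not configured": the Windows default applies rather than a policy.
    [pscustomobject]@{
        BiometricsAllowed    = if ($null -eq $bio.Enabled) { $null } else { [bool]$bio.Enabled }
        EnhancedAntiSpoofing = if ($null -eq $face.EnhancedAntiSpoofing) { $null } else { [bool]$face.EnhancedAntiSpoofing }
    }
}

function Get-BiometricHardware {
    # Enumerate present sensors exposed under the Biometric device class
    # (fingerprint readers, Windows Hello face devices).
    Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, Status, InstanceId
}

function Test-BiometricSignIn {
    $pol = Get-BiometricPolicy
    $hw  = @(Get-BiometricHardware)
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue   # Windows Biometric Service
    $findings = @()
    if ($pol.BiometricsAllowed -eq $false) {
        $findings += 'Biometric sign-in is disabled by policy'
    }
    if ($hw.Count -eq 0) {
        $findings += 'No biometric sensor present; only PIN sign-in is possible'
    }
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += 'Windows Biometric Service (WbioSrvc) is not running'
    }
    if ($pol.EnhancedAntiSpoofing -ne $true) {
        $findings += 'Enhanced anti-spoofing for facial recognition is not enforced by policy'
    }
    [pscustomobject]@{
        Sensors  = $hw
        Policy   = $pol
        Findings = $findings
    }
}

Test-BiometricSignIn | Format-List
```

An empty Findings list means the device can use the biometric methods described above with anti-spoofing enforced; each finding names the policy or hardware gap to address.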
February 14, 2025
January 24, 2025