Windows Hello vs Windows Hello for Business
Is it the end game for Passwords and Credential Theft?
In this article, i’ll try to explain some of the key points of Windows Hello and Hello for business and why are they important for passwordless environment.
The road to being passwordless is a journey. Almost everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by many challenges and frustrations.
Before i start explaining Windows Hello and Hello for Business, let me give you some background story of why every tech companies are pushing for passwordless journey as part of digital transformation.
The cyberattack landscape is getting sophisticated. As you might have heard recently Microsoft confirmed it was also breached in recent SolarWinds supply chain hack. It’s the most wide spread and complex events cybersecurity history. It was a clear remider of what they are all up against.
One of the main identity related topic during Microsoft Ignite 2021 was also about passwordless strategy and they are urging their customers to start passwordless journey.
If you’re a nerd like me, you might know MFA (Multi Factor Authentication). It’s a Cybersecurity 101. To break it down, MFA typically have 3 separate categories of authentication factors such as the knowledge, possession and inherence categories.
Before you ask what the heck are those, let me explain.
- The knowledge factor is something you know such as username and password.
- The possession factor is something you have such as OTP (One-Time Password or PIN or token).
- The inherence factor is essentially any biological traits you got such as fingerprint, facial recognition, voice recognition, retina scan etc. In other words, it’s something you are.
So, going passwordless means they will get rid of passwords for good. The idea is that they are getting rid of something you know part and replace it with something you have and/or something you are (i.e. biometric authentication available on Windows 10 devices).
The end goal of most tech companies is to transition into a passwordless world. A world where users never type their password, never change their password and do not know their password. Sounds interesting?
This is the part where i explain about the different between Windows Hello vs Hello for Business.
The difference between Windows Hello and Windows Hello for Business
- Users can create a so called “Windows Hello convenience PIN” or biometric gesture on their personal devices for convenient sign-in. If you sign into Windows 10 with fingerprint or face recognition, then you are already using Windows Hello.
- This use of Windows Hello is unique to the device in which it’s setup. Basically it means that if someone else knows the PIN you use to login to your Windows 10 device, that PIN is theoretically useless on another device, since that PIN is device specific and stored locally.
- It’s backed by asymmetric (public/private key) or certificate-based authentication.
- Both Windows Hello and Hello for Business requires Windows 10 device which either includes built-in support for biometric logins or else you’ll need to install a compatible biometric login device such as a webcam or a fingerprint reader.
- Windows Hello reduces the risk of keyloggers or password phishing, but the login process still uses your password hash. As you are normally not joined to a domain and your hash cannot harm other devices, this is a reduced risk.
- It leverages the Trusted Platform Module (TPM) chip.
- Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. Ouch!
Windows Hello for Business
- In a nutshell, Windows Hello for Business =Windows Hello + the Asymmetric Authentication method (combines biometric and PKI mechanisms). It replaces passwords with strong two-factor authentication on PCs and mobile devices. And lets user authenticate to an Active Directory or Azure Active Directory account.
- Windows Hello for Business incorporates minimum two factors: something you have (i.e., user’s private key protected by the device’s TPM) and something you know (i.e. PIN) and/or biometric.
However, most companies replace this ‘something you know’ authentication factor with the something you are which is biometric.
- Windows Hello for Business uses key-based or certificate based authentication and is considered MFA authentication. It registers a credential to Azure AD or Active Directory.
- If you’re a business owner, your employees can use fingerprint or facial recognition as an alternative method to unlocking a device. This type of authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If your multiple employees share a device(max is 10), each of them will use his or her own biometric data on the device.
- You can configure this by Group Policy or mobile device management (MDM)policy, always uses key-based or certificate-based authentication. It’s much more secure than Windows Hello convenience PIN.
- It addresses several problems with passwords such as strong passwords can be difficult to remember and most of us use the same password on multiple sites, passwords are subjected to replay attacks and most importantly business users can expose their passwords due to phishing attacks. As you might aware phishing attacks are on the rise as people working from home.
Before i end this, a lot of people asked this question
‘How can a PIN more secure than a password?’.
The answer is that
- the PIN is tied to the specific device on which it was setup. The PIN is useless to anyone whithout that specific hardware (i.e. laptop, mobile etc.). However, someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they’d have to steal your physical device too!
- Your login password is transmitted over the network to server which means it can be intercepted in tramsission or stolen from a server whereas a PIN is local to a device and it isn’t transmitted anywhere and stored on any server.
If you’re planning for WHB (Windows Hello for Business), i suggest you go through this documentation below from Microsoft.
If you enjoy this article and want to read more, please support me by giving claps or responses. Thank you!