Windows Hello vs Windows Hello for Business

The road to being passwordless is a journey. Almost everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by many challenges and frustrations.

Authentication factors fall into three categories:

  • The knowledge factor is something you know, such as a username and password.
  • The possession factor is something you have, such as an OTP (one-time password), PIN or token.
  • The inherence factor is essentially any biological trait you have, such as a fingerprint, facial recognition, voice recognition, retina scan etc. In other words, it’s something you are.

The difference between Windows Hello and Windows Hello for Business

Windows Hello

  • Users can create a so-called “Windows Hello convenience PIN” or biometric gesture on their personal devices for convenient sign-in. If you sign into Windows 10 with a fingerprint or face recognition, then you are already using Windows Hello.
  • This use of Windows Hello is unique to the device on which it’s set up. If someone else knows the PIN you use to log in to your Windows 10 device, that PIN is useless on another device, since the PIN is device-specific and stored locally.
  • It’s backed by asymmetric (public/private key) or certificate-based authentication.
  • Both Windows Hello and Windows Hello for Business require a Windows 10 device that either has built-in biometric hardware or has a compatible biometric device attached, such as a webcam or a fingerprint reader.
  • Windows Hello reduces the risk of keyloggers or password phishing, but the login process still uses your password hash. Since such a device is normally not joined to a domain and the hash cannot harm other devices, the risk is reduced.
  • It leverages the Trusted Platform Module (TPM) chip.
  • Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. Ouch!
Windows Hello for Business

  • In a nutshell, Windows Hello for Business = Windows Hello + the asymmetric authentication method (combining biometric and PKI mechanisms). It replaces passwords with strong two-factor authentication on PCs and mobile devices, and lets the user authenticate to an Active Directory or Azure Active Directory account.
  • Windows Hello for Business combines at least two factors: something you have (the user’s private key, protected by the device’s TPM) and something you know (a PIN) and/or something you are (a biometric).
  • Windows Hello for Business uses key-based or certificate-based authentication and is considered MFA. It registers a credential to Azure AD or Active Directory.
  • If you’re a business owner, your employees can use fingerprint or facial recognition as an alternative method of unlocking a device. This type of authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device (the maximum is 10), each of them uses his or her own biometric data on the device.
  • It is configured by Group Policy or mobile device management (MDM) policy and always uses key-based or certificate-based authentication. It’s much more secure than a Windows Hello convenience PIN.
  • It addresses several problems with passwords: strong passwords are hard to remember, most of us reuse the same password on multiple sites, passwords are subject to replay attacks and, most importantly, business users can expose their passwords through phishing. As you may be aware, phishing attacks are on the rise as people work from home.

How can a PIN be more secure than a password?

The answer is that:

  • the PIN is tied to the specific device on which it was set up. The PIN is useless to anyone without that specific hardware (laptop, mobile etc.). Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they’d have to steal your physical device too!
  • your login password is transmitted over the network to a server, which means it can be intercepted in transmission or stolen from the server, whereas a PIN is local to the device: it isn’t transmitted anywhere or stored on any server.
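To make the two points above concrete, here is an added example (not from the original post, and not Microsoft’s implementation) that models key-based sign-in the way Windows Hello for Business registers a credential to Azure AD / AD: the device generates a key pair, only the public half is registered with the server, and each sign-in signs a fresh server-issued nonce. The `Device`, `Server`, `Enroll` and `Demo` names, the user “alice” and the device names are constructed for the demo; in the real product the private key lives in the TPM and unlocking it with the PIN or biometric is a local step that is not shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models one enrolled PC (hypothetical). In the real product the private
// key is generated inside the TPM and never leaves it; here the "server" side
// simply never reads this field.
type Device struct {
	Name string
	priv *ecdsa.PrivateKey
}

// Server models the identity provider (AD / Azure AD). It stores only public
// keys and the nonce currently outstanding for each user, so a copy of this
// table gives an attacker nothing that can be replayed.
type Server struct {
	registered map[string]*ecdsa.PublicKey
	issued     map[string][]byte
}

func NewServer() *Server {
	return &Server{registered: map[string]*ecdsa.PublicKey{}, issued: map[string][]byte{}}
}

// Enroll creates a device-bound key pair and registers the public half with
// the server: the analogue of Windows Hello for Business registering a credential.
func Enroll(s *Server, user, device string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.registered[user] = &priv.PublicKey
	return &Device{Name: device, priv: priv}, nil
}

// Challenge issues a fresh random nonce. Because each nonce is single-use, a
// captured sign-in cannot be replayed later.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.issued[user] = nonce
	return nonce, nil
}

// Sign is the device's half of the exchange. Only the signature crosses the
// network; the private key and the PIN that unlocks it stay on the device.
func (d *Device) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the signature against the registered public key and the nonce
// currently outstanding for that user, then retires the nonce.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.registered[user]
	issued, outstanding := s.issued[user]
	if !ok || !outstanding || !bytes.Equal(issued, nonce) {
		return false
	}
	delete(s.issued, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs one legitimate sign-in, then two attempts that would succeed
// against a password but fail here: replaying the captured exchange, and
// signing from a device that was never enrolled (even with the PIN known).
func Demo() (first, replayed, otherDevice bool, err error) {
	srv := NewServer()
	laptop, err := Enroll(srv, "alice", "alice-laptop")
	if err != nil {
		return
	}
	nonce, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig, err := laptop.Sign(nonce)
	if err != nil {
		return
	}
	first = srv.Verify("alice", nonce, sig)
	// An eavesdropper captured (nonce, sig) and sends it again: nonce is retired.
	replayed = srv.Verify("alice", nonce, sig)
	// A different PC with its own, unregistered key: no matching public key.
	strangerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	stranger := &Device{Name: "other-pc", priv: strangerKey}
	nonce2, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig2, err := stranger.Sign(nonce2)
	if err != nil {
		return
	}
	otherDevice = srv.Verify("alice", nonce2, sig2)
	return
}

func main() {
	first, replayed, other, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled device:", first, "replay:", replayed, "other device:", other)
}
```

Run with `go run .`; the expected output is `enrolled device: true replay: false other device: false`. Compare this with a password flow: once the password (or a reusable hash) has crossed the network or been read from the server’s store, it works from any machine; here the server never holds anything a thief could reuse, and a stolen PIN is worthless without the enrolled hardware.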

Michael Ye

A husband and a father. A Solutions Architect specialized in EUC/ infrastructure services. An aspiring data scientist.