Windows Hello for Business: passwordless authentication for Windows stores
If you are a Windows administrator, you know how frustrating it can be to manage your users’ passwords. Passwords are often forgotten, stolen or compromised, leading to security risks and lost productivity. You may have tried implementing password policies, such as enforcing complexity, expiration and rotation, but these can also lead to user dissatisfaction and increased help desk costs.

What if there was a better way to authenticate your users without passwords? A way that is more secure, convenient and cost-effective? A way that leverages the latest biometric and cryptographic technologies to provide a seamless, user-friendly experience?
That is what Windows Hello for Business (WHfB) offers. WHfB is a feature of Windows 10 and Windows 11 that enables passwordless authentication for devices joined to a domain or to Azure AD. With WHfB, users can sign in to their devices and applications using their face, fingerprint or PIN instead of a password. WHfB also supports FIDO2 security keys, which are physical devices that can be used as an additional or alternative authentication factor.
WHfB is not only a substitute for passwords, but a significant improvement in terms of security and usability. These are some of the benefits of WHfB:
– Security: WHfB uses asymmetric (public-key) cryptography to protect the user’s identity and credentials. The user’s biometric or PIN data is never stored on the device or sent over the network. Instead, WHfB creates a public-private key pair for each user and device and registers the public key with the identity provider (such as Active Directory or Azure AD).
The private key is stored in the device’s Trusted Platform Module (TPM), a hardware chip that protects it against tampering and malware. When the user authenticates, WHfB uses the private key to sign a challenge issued by the identity provider, proving the user’s identity without revealing any credential. This defeats common attacks such as phishing, replay and credential theft.
– Convenience: WHfB simplifies the user experience by eliminating the need to remember and type passwords. Users can quickly and easily unlock their devices and applications with a glance or tap, or by inserting a security key. WHfB also reduces the frequency of authentication requests by supporting single sign-on (SSO) on Windows devices and applications, as well as Microsoft 365 and other cloud services that support Azure AD authentication. Users can also enjoy passwordless authentication across different devices and platforms, as WHfB supports iOS, Android, macOS and Linux devices that support FIDO2.
– Cost-effectiveness: WHfB can help reduce the operational costs associated with password management. According to a Forrester Research study, password resets account for 20% to 50% of help desk calls, costing an average of $70 per incident. By eliminating passwords, WHfB can reduce the number of password-related problems and requests, freeing up IT resources and improving user productivity. WHfB can also reduce the risk of data breaches and compliance violations, which can have significant financial and reputational impacts.
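The Security point above is easier to see in code. The following is an added illustration written for this page, not Microsoft’s implementation: a simplified model in which the device holds a private key that only a local PIN check releases, the identity provider stores nothing but the public key, and each sign-in signs a fresh, single-use, expiring nonce. The class names, the P-256/ECDSA choice and the sample user and PIN are assumptions; it needs the `cryptography` package.

```python
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


class Device:
    """Client side. In real WHfB the private key lives in the TPM and the PIN
    (or biometric match) only unlocks it locally; a string PIN models that gate here."""

    def __init__(self, device_id: str, pin: str):
        self.device_id = device_id
        self._pin = pin
        # Assumption for this illustration: one P-256 key per user and device.
        self._private_key = ec.generate_private_key(ec.SECP256R1())

    def public_key_pem(self) -> bytes:
        """Only the public half ever leaves the device (sent once, at registration)."""
        return self._private_key.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )

    def sign_challenge(self, pin: str, challenge: bytes) -> bytes:
        """The local PIN check gates use of the key; the PIN itself is never transmitted."""
        if pin != self._pin:
            raise PermissionError("PIN mismatch: private key not released")
        return self._private_key.sign(challenge, ec.ECDSA(hashes.SHA256()))


class IdentityProvider:
    """Server side (Active Directory / Azure AD in the article). Holds public keys only,
    so a breach of this store yields nothing that can be replayed as a credential."""

    def __init__(self):
        self._keys = {}      # (user, device_id) -> public key object
        self._pending = {}   # nonce -> (user, device_id, expiry)

    def register(self, user: str, device_id: str, public_key_pem: bytes) -> None:
        self._keys[(user, device_id)] = serialization.load_pem_public_key(public_key_pem)

    def issue_challenge(self, user: str, device_id: str, ttl_seconds: float = 60.0) -> bytes:
        """Fresh random nonce per sign-in attempt; expiry plus single use defeats replay."""
        if (user, device_id) not in self._keys:
            raise KeyError("no key registered for this user/device")
        nonce = os.urandom(32)
        self._pending[nonce] = (user, device_id, time.monotonic() + ttl_seconds)
        return nonce

    def verify(self, nonce: bytes, signature: bytes) -> bool:
        """Returns True exactly once per valid, unexpired challenge."""
        entry = self._pending.pop(nonce, None)  # consume it: a replayed nonce is already gone
        if entry is None:
            return False
        user, device_id, expiry = entry
        if time.monotonic() > expiry:
            return False
        try:
            self._keys[(user, device_id)].verify(signature, nonce, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        return True


def sign_in(idp: IdentityProvider, device: Device, user: str, pin: str) -> bool:
    """One complete WHfB-style sign-in: challenge, local signing, verification."""
    nonce = idp.issue_challenge(user, device.device_id)
    signature = device.sign_challenge(pin, nonce)
    return idp.verify(nonce, signature)


if __name__ == "__main__":
    idp = IdentityProvider()
    laptop = Device("LAPTOP-01", pin="482913")  # constructed sample values
    idp.register("alice@example.com", laptop.device_id, laptop.public_key_pem())
    print("sign-in accepted:", sign_in(idp, laptop, "alice@example.com", "482913"))
```

Two properties the article claims are visible in the model: a wrong PIN fails on the device before anything reaches the identity provider, and presenting a captured (nonce, signature) pair a second time is rejected because the nonce was consumed on first use. Note also that the identity provider cannot guess the PIN at all; it only ever evaluates signatures.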
If you are interested in implementing WHfB in your organization, you will need to meet some prerequisites and follow a few steps. First, you will need to ensure that your devices are running Windows 10 version 1703 or later, or Windows 11, and that they have TPM 2.0 or higher.
You will also need to configure your identity provider to support WHfB, either through Active Directory Federation Services (AD FS) or Azure AD. Next, you will need to enable WHfB on your devices using Group Policy or Mobile Device Management (MDM) tools. Finally, you will need to enroll your users in WHfB by configuring their biometric or PIN credentials or issuing them security keys.
For more details on how to implement WHfB in your environment, please refer to this documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
Windows Hello for Business is a powerful solution that can transform the way you authenticate your users and protect your data. By adopting WHfB, you can eliminate passwords and embrace a password-free future that is more secure, convenient and cost-effective.
Microsoft wants to eliminate the common practice of using sticky notes to remember passwords in office environments. Many employees resort to this insecure method because the passwords they must use are too complex and difficult to memorize. They must include a combination of letters, numbers and special characters, and they must be changed frequently. This leads to frustration and poor password hygiene.
However, there is a better way to protect your identity and access your resources without relying on passwords. Microsoft has introduced a solution that leverages biometric technology and is integrated with Windows 10 and 11. It’s called Windows Hello for Business and allows you to use your face, fingerprint or PIN to sign in to your devices, apps and online services. It is more convenient, secure and easier to use than passwords and does not require expensive hardware or infrastructure.
Windows Hello for Business works with existing identity providers, such as Azure Active Directory or Active Directory, and supports multi-factor authentication and conditional access policies. It also supports passwordless scenarios, such as FIDO2 security keys or phone sign-in. With Windows Hello for Business, you can say goodbye to sticky notes and welcome a modern, seamless authentication experience.
How Windows Hello works for businesses
Windows Hello is the most common and well-known biometric authentication scheme supported by Windows. It allows Windows 10 and 11 users who have devices with fingerprint readers or special cameras to sign into Windows using facial or fingerprint recognition. The consumer version of Windows Hello is a device-specific mechanism and does not carry across a user’s devices, so you will need to create a PIN or gesture on each device you want to use.
Windows Hello for Business takes the idea of Hello and combines it with management tools and enforcement techniques to ensure a uniform security profile and enterprise security posture. WHfB uses Group Policy or mobile device management (MDM) policies, typically enforced with Microsoft Intune, for management and enforcement, and relies on key-based and certificate-based authentication in most cloud-centric scenarios for maximum protection. User-created PINs and gestures work on all WHfB-managed devices.
Windows Hello acts on one of two fronts: it can scan the fingerprint, or it can take an infrared image of a user’s face and run a scan on it. (Hello also supports iris scanning, but since iris cameras are better suited to phones than to laptops or desktop displays, the first two methods are more practical for enterprises.)
Why you should use Windows Hello for Business
If you are looking for a secure and convenient way to authenticate users in your organization, you should consider using Windows Hello for Business. Windows Hello for Business is a modern and innovative solution that offers several benefits over traditional password-based authentication methods.
Here are some of the reasons why you should use Windows Hello for Business:
– Improved security: Windows Hello for Business uses biometric factors unique to each user, such as fingerprint or facial recognition, to verify their identity. This reduces the risk of phishing, credential theft or brute-force attacks that rely on guessing or stealing passwords. In addition, Windows Hello for Business uses asymmetric (public-key) cryptography so that user credentials are never exposed on the network or exposed to malware on the device.
– Improved user experience: Windows Hello for Business simplifies the sign-in process by allowing users to access their devices and applications with a simple gesture, such as touching a sensor or looking at a camera. This eliminates the need to remember and type complex passwords, which is frustrating and time-consuming. Users also get a consistent experience across all of their devices, as their PINs and gestures work on any device that supports Windows Hello for Business.
– Increased productivity: Windows Hello for Business lets users sign in more quickly and easily, which saves time and effort. Users can also switch between devices and applications without re-entering their credentials, which improves efficiency and collaboration. In addition, Windows Hello for Business reduces password resets and help desk calls, which lowers IT costs and frees up resources.
– Compliance support: Windows Hello for Business aligns with security standards and regulations that apply to many industries and sectors, such as healthcare, finance, education and government. Windows Hello for Business supports multi-factor authentication (MFA), which compliance policies often require to strengthen data protection and privacy. Windows Hello for Business also integrates with Azure Active Directory (AAD) and Microsoft 365 services, which provide built-in security features and auditing capabilities.
How to start using Windows Hello for Business
If you want to deploy Windows Hello for Business in your organization, you will need to meet some prerequisites and follow a few steps. Here is a brief overview of what you need to do:
– Prerequisites: You will need to have devices running Windows 10 or 11 Pro, Enterprise or Education editions and have supported biometric hardware (fingerprint readers or infrared cameras). You will also need to have an Azure Active Directory (AAD) Premium subscription or a Microsoft 365 subscription that includes AAD Premium. You will also need to have an identity provider that supports Windows Hello for Business, such as AAD, Active Directory Federation Services (ADFS) or a third-party identity provider.
– Steps: You will need to configure your identity provider to enable Windows Hello for Business for your users. You will also need to configure your device management solution, such as Group Policy or Microsoft Intune, to apply Windows Hello for Business policies and settings. You will then need to enroll your users’ devices in Windows Hello for Business by configuring their PINs and gestures. You will also need to enroll your users’ biometric factors in AAD using the Microsoft Authenticator app or the Settings app on your devices.
Conclusion
Windows Hello for Business is a powerful and convenient way to authenticate users in your organization. It offers several benefits over password-based authentication methods, such as enhanced security, improved user experience, increased productivity and compliance support. If you would like to learn more about Windows Hello for Business and how to deploy it in your organization, you can visit the Microsoft Docs website or contact us for more information.