Windows Hello for Business - no more Passwords in 2019?

In the US, businesses are projected to spend more than $65 billion on cybersecurity solutions. With good reason too. Cyberattacks may have abated from 2017’s high of 1.6 billion, but they still remain quite elevated in this ever-connected digital world.

Fortunately, new security solutions such as Windows Hello for Business can help make companies more secure. IT managers will be happy to know that solutions like this don’t need to eat up a big part of the tech budget either.

What is Windows Hello for Business?

Microsoft has stated that it is “committed to its vision of a world without passwords.” While this may seem counterintuitive to the need for increased security, the company’s no-password world relies on other security measures that address the inherent weaknesses of passwords. Passwords can be:

  • Difficult to remember, leading users to write them down in an unsecure location or to use the same password on multiple sites
  • At risk for phishing attacks and replay attacks
  • Easily exposed in server breaches

With Windows 10 devices, users can now use Microsoft’s new Windows Hello service, designed to help address these password flaws. The business version of this innovation replaces passwords with stronger authentication based on a device and a biometric or a PIN. Windows Hello for Business delivers maximum protection through the combination of biometric authentication, Group Policy or mobile device management (MDM) and key- and certificate-based authentication.

With this new type of credential, users can gain secure access to an Active Directory or Azure Active Directory.

How Does Hello for Business Get Rid of Passwords?

During enrollment, users will have to complete an initial two-step verification. Once it is done, they won’t have to perform it again. To finish set-up, users will then have to set a gesture. The gesture can be a biometric or a PIN.

A biometric is a way to sign in based on fingerprint matching, iris scan or facial recognition. Your Windows 10 device must have a way to read these biometric indicators, such as a fingerprint scanner or infrared-capable camera (to differentiate a human face in person from a photograph). Increasingly, devices are coming standard with these features, or they can be purchased separately. Note that with current technology, iris scans work best on mobile devices, so enterprise solutions may want to focus on fingerprints and facial recognition.

It’s important to note that this biometric data is stored locally, so there is no central location holding all the biometric data that could be hacked.

A PIN might not sound much different than a password, but it is more secure. A PIN is tied to the specific hardware, so it is not useful to a hacker unless he has the hardware. As with biometric data, PINs aren’t transmitted anywhere.

A PIN is more secure than a password because it creates an asymmetric key pair for authentication. As an administrator, you can set policies for PINs – for example, characters that aren’t allowed or lock out periods after brute-force attempts to gain access. As a standard, the service does not allow PINs that have a constant delta (rate of change) from one digit to the next.
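The constant-delta rule is easier to see when run over a few PINs. The following is an added example, not code from Microsoft or from this article; it assumes numeric PINs and assumes the delta is counted as steps to the next digit with wrap-around at 10, so a descending PIN such as 9630 is caught as well as 1234.

```python
# Added example: models the "constant delta" PIN rule described above.
# Assumption: the delta is the number of steps to the next digit, wrapping at 10.

def digit_deltas(pin):
    """Return the step from each digit to the next, modulo 10."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("this sketch only models numeric PINs")
    digits = [int(c) for c in pin]
    return [(b - a) % 10 for a, b in zip(digits, digits[1:])]


def has_constant_delta(pin):
    """True when every digit-to-digit step is identical (1111, 1234, 9630)."""
    deltas = digit_deltas(pin)
    # A single digit has no deltas, so the rule cannot apply to it.
    return len(deltas) >= 1 and len(set(deltas)) == 1


def audit_pins(candidates):
    """Map each candidate PIN to (rejected_by_rule, deltas) for a report."""
    return {pin: (has_constant_delta(pin), digit_deltas(pin))
            for pin in candidates}


# Constructed sample PINs, not taken from any real system.
SAMPLE_PINS = ["1111", "1234", "1357", "9630", "1231", "1872", "482913"]

if __name__ == "__main__":
    for pin, (rejected, deltas) in audit_pins(SAMPLE_PINS).items():
        verdict = "rejected" if rejected else "allowed by this rule"
        print(f"{pin}: deltas={deltas} -> {verdict}")
```

Passing this check only means a PIN is not a simple arithmetic run; length, character and lockout policies set by the administrator still apply on top of it.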

What is Multi-factor Authentication?

Multi-factor authentication is used to describe security measures that rely on three factors:

  • Something you have
  • Something you know
  • Something you are

Windows Hello for Business can satisfy all of these requirements if you have the right equipment. The thing you have is the private key or token that is protected by your device’s security. The thing you know is the PIN you set up. The thing you are is your fingerprint, iris or face, aka the biometric gesture you use.

Although you only really need two of these factors to unlock your device, you can set up your device to require an additional factor in order to access your desktop.

Given these extra layers, multi-factor authentication is more secure than other measures of protection. Biometric data, in particular, is difficult to hack. An attacker would not only have to get your device but would also need you present in order to scan your finger, face or eye.


How Does Windows Hello Integrate with Third-Party Authentication?

If you already have a third-party authentication system set up, you can still benefit from this new Windows service. Windows Hello for Business can be configured to work with third-party authenticators in Active Directory Federation Services (AD FS). Currently, Microsoft lists twelve outside offerings that work with Hello for Business.

These offerings include services such as:

You can also build your own custom authentication method.

What are the Basic Technical Requirements?

Beyond a Windows 10 device – either desktop or mobile – fingerprint sensors and software or facial recognition devices with infrared sensors and software, the basic technical requirements will vary based on your deployment strategy.

If you are doing a cloud-only deployment, then you’ll need:

  • Windows 10, version 1511 or later
  • Microsoft Azure Account
  • Azure Active Directory
  • Azure Multi-factor authentication

Modern Management and Azure AD Premium subscription are optional in cloud deployments.

If you are doing an on-premise deployment, then you’ll need:

  • Windows 10, version 1703 or later
  • Windows Server 2016 Schema
  • Windows Server 2008 R2 Domain/Forest functional level
  • Windows Server 2016 Domain Controllers
  • Windows Server 2012 or later Certificate Authority
  • Windows Server 2016 AD FS with KB4088889 update
  • AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter

In this deployment, an Azure Account is optional for Azure MFA billing.

Hybrid deployments are more complicated.

Is it Right for My Business?

Most businesses, especially those that still rely on cumbersome and cyberattack-prone passwords, would probably benefit from implementing Windows Hello for Business. It is a relatively cost-effective and easy way to increase your security. It will require some set-up and perhaps some initial investments in hardware for biometric scans, but the long-run gains in security will likely outweigh these set-up costs.

2019 may be too early to declare the end of passwords. However, technology seems to be headed in that direction and adopting Windows Hello for Business may help you stay ahead of this technological shift.

Resources:

https://www.computerworld.com/article/3220967/microsoft-windows/windows-hello-for-business-next-gen-authentication-for-windows-shops.html

https://support.microsoft.com/en-us/help/17215/windows-10-what-is-hello

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
