Windows Hello for Business – no more Passwords in 2019?
In the US, businesses are projected to spend more than $65 billion on cybersecurity solutions. With good reason too. Cyberattacks may have abated from 2017’s high of 1.6 billion, but they still remain quite elevated in this ever-connected digital world.
Fortunately, new security solutions such as Windows Hello for Business can help make companies more secure. IT managers will be happy to know that solutions like this don’t need to eat up a big part of the tech budget either.
What is Windows Hello for Business?
Microsoft has stated that it is, “committed to its vision of a world without passwords.” While this may seem counterintuitive to the need for increased security, the company’s no-password world relies on other security measures that address the inherent weaknesses of passwords. Passwords can be:
- Difficult to remember, leading users to write them down in an insecure place or to reuse the same password on multiple sites
- Vulnerable to phishing and replay attacks, because the same secret is typed and sent every time
- Easily exposed in server breaches
On Windows 10 devices, users can sign in with Windows Hello, which is designed to address these password weaknesses. The business version, Windows Hello for Business, replaces the password with a credential that is bound to the device and unlocked by a biometric or a PIN. It combines that device-bound credential with key-based or certificate-based authentication and is configured centrally through Group Policy or mobile device management (MDM).
With this new type of credential, users authenticate to Active Directory or Azure Active Directory without a password ever leaving the device.
How Does Hello for Business Get Rid of Passwords?
During enrollment, the user completes a one-time two-step (multi-factor) verification to prove who they are before the device-bound key is created; this step is not repeated on later sign-ins. To finish setup, the user then chooses a gesture, which can be a biometric or a PIN.
A biometric is a sign-in based on fingerprint matching, an iris scan or facial recognition. The Windows 10 device needs hardware that can capture it, such as a fingerprint reader or an infrared camera (which is what lets facial recognition tell a live face from a photograph). Increasingly, devices ship with these sensors, or they can be bought separately. Note that with current technology iris scanning works best on mobile devices, so enterprise deployments may want to focus on fingerprints and facial recognition.
It is important to note that the biometric template is stored only on the device and is never sent to Microsoft, the domain controller or Azure AD, so there is no central store of biometric data for an attacker to breach.
A PIN might not sound much different from a password, but the difference is where it is used. A PIN is local to the device: it unlocks the private key the device holds (in the TPM where one is available) and is never transmitted anywhere. Stolen on its own, without that hardware, the PIN is useless to an attacker.
The authentication itself relies on an asymmetric key pair created at enrollment; the PIN only releases the private key, so what crosses the network is a signature, not the secret. As an administrator you can set PIN policies, for example minimum length, characters that are not allowed, and lockout periods after repeated wrong attempts. By default the service rejects PINs whose digits have a constant delta (rate of change) from one digit to the next, such as 1111, 1234 or 9753.
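To make the constant-delta rule concrete, here is an added PowerShell example (not code from the article or from Microsoft) that re-implements the check locally so you can test candidate PINs before publishing a PIN policy. It assumes digit-only PINs, the default 4..127 length bounds, and a plain arithmetic delta with no wrap-around (9 to 0 counts as -9); those are this example's assumptions about the rule, not Microsoft's implementation.

```powershell
# Added example, not from the article or from Microsoft. Re-implements the
# "no constant delta" PIN rule locally for testing candidate PINs.
# Assumptions: digit-only PINs, default length bounds of 4..127, and a plain
# arithmetic delta with no wrap-around (9 -> 0 is a delta of -9, not +1).

function Test-HelloPinCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Pin,
        [int] $MinimumLength = 4,
        [int] $MaximumLength = 127
    )

    $result = [ordered]@{ Pin = $Pin; Allowed = $false; Reason = '' }

    if ($Pin -notmatch '^[0-9]+$') {
        $result.Reason = 'Contains non-digit characters'
        return [pscustomobject]$result
    }
    if ($Pin.Length -lt $MinimumLength -or $Pin.Length -gt $MaximumLength) {
        $result.Reason = "Length $($Pin.Length) outside $($MinimumLength)..$($MaximumLength)"
        return [pscustomobject]$result
    }

    # Digit-to-digit differences. A constant delta means every difference is
    # the same: 1111 (0), 1234 (+1), 2468 (+2), 9753 (-2) are all rejected.
    # The [string] cast matters: [int] on a [char] would give its code point.
    $digits = [int[]]($Pin.ToCharArray() | ForEach-Object { [int][string]$_ })
    $deltas = @(for ($i = 1; $i -lt $digits.Count; $i++) { $digits[$i] - $digits[$i - 1] })

    if (@($deltas | Select-Object -Unique).Count -eq 1) {
        $result.Reason = "Constant delta of $($deltas[0])"
        return [pscustomobject]$result
    }

    $result.Allowed = $true
    $result.Reason = 'OK'
    return [pscustomobject]$result
}

# Constructed sample PINs for the demo (not real user PINs).
'1111', '1234', '2468', '9753', '1324', '8675309', '12a4', '123' |
    ForEach-Object { Test-HelloPinCandidate -Pin $_ } |
    Format-Table -AutoSize
```

The first four samples are rejected for a constant delta, `1324` and `8675309` pass, `12a4` fails the digit check and `123` fails the length check. Pass `-MinimumLength` to mirror whatever value your PIN complexity policy sets.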
What is Multi-factor Authentication?
Multi-factor authentication describes security measures that require two or more of three independent factors:
- Something you have
- Something you know
- Something you are
Windows Hello for Business can satisfy all three if the hardware supports it. The thing you have is the device, which holds the private key (protected by the TPM where one is present). The thing you know is the PIN you set up. The thing you are is your fingerprint, iris or face, i.e. the biometric gesture you use.
Signing in with the device-bound key plus one gesture already counts as two factors. A multi-factor unlock policy can additionally require a second gesture, for example PIN plus fingerprint, before the desktop unlocks.
Given these extra layers, multi-factor authentication is stronger than a password alone. Biometrics in particular are hard to steal remotely: the gesture is verified on the device, so an attacker would need both your device and your physical presence to scan your finger, face or eye.
How Does Windows Hello Integrate with Third-Party Authenticators?
If you already use a third-party multi-factor authentication product, you can still benefit from this Windows service. Windows Hello for Business can be configured to use third-party MFA adapters in Active Directory Federation Services (AD FS), which then satisfy the multi-factor step during enrollment. Currently, Microsoft lists twelve outside offerings that work with Hello for Business.
These offerings include services such as:
- Duo Security’s Duo Authentication for AD FS
- Gemalto’s Identity & Security Services
- One Identity’s Defender AD FS
You can also build your own custom AD FS authentication method (an MFA adapter).
What are the Basic Technical Requirements?
Beyond a Windows 10 device (desktop or mobile) with a fingerprint sensor or an infrared camera for facial recognition and the matching drivers and software, the technical requirements depend on your deployment model.
If you are doing a cloud-only deployment, then you’ll need:
- Windows 10, version 1511 or later
- Microsoft Azure Account
- Azure Active Directory
- Azure Multi-factor authentication
Modern Management and Azure AD Premium subscription are optional in cloud deployments.
If you are doing an on-premises deployment, then you’ll need:
- Windows 10, version 1703 or later
- Windows Server 2016 Schema
- Windows Server 2008 R2 Domain/Forest functional level
- Windows Server 2016 Domain Controllers
- Windows Server 2012 or later Certificate Authority
- Windows Server 2016 AD FS with KB4088889 update
- AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter
In this deployment, an Azure Account is optional for Azure MFA billing.
Hybrid deployments (on-premises Active Directory synchronized to Azure AD with Azure AD Connect) combine elements of both lists, and the exact requirements depend on whether you choose key trust or certificate trust.
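The two requirement lists above can be checked partly from a client. Here is an added PowerShell example (not from the article or from Microsoft's own tooling) that reads the client build, TPM state and, for on-premises deployments, the schema version, functional levels and domain controller versions; it assumes the build numbers 10586 (1511) and 15063 (1703), schema objectVersion 87 for Server 2016, and the RSAT ActiveDirectory module on the machine. The certificate authority and AD FS/KB4088889 items have to be verified on those servers and are not covered.

```powershell
# Added example, not from the article or from Microsoft: a read-only checklist
# for the client-side and directory-side prerequisites listed above. Run it in an
# elevated session on a domain-joined Windows 10 client with the RSAT
# ActiveDirectory module. Assumptions (this example's reading of the lists):
# 1511 = build 10586, 1703 = build 15063, Server 2016 schema = objectVersion 87.
# CA and AD FS/KB4088889 checks belong on those servers and are not done here.

function Get-HelloPrerequisiteReport {
    [CmdletBinding()]
    param(
        [ValidateSet('CloudOnly', 'OnPremises')] [string] $Deployment = 'OnPremises'
    )

    $checks = New-Object System.Collections.Generic.List[object]
    $add = {
        param([string]$Name, [bool]$Pass, [string]$Detail)
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # Client build: 1511 (10586) for cloud-only, 1703 (15063) for on-premises.
    $build    = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $minBuild = if ($Deployment -eq 'CloudOnly') { 10586 } else { 15063 }
    & $add 'Windows 10 build' ($build -ge $minBuild) "build $build, need >= $minBuild"

    # A TPM is what makes the Hello private key hardware-bound; without one the
    # key is software-protected only. Get-Tpm needs an elevated session.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmOk = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    $tpmDetail = if ($tpm) { "TpmPresent=$($tpm.TpmPresent) TpmReady=$($tpm.TpmReady)" }
                 else { 'Get-Tpm returned nothing (module missing or not elevated?)' }
    & $add 'TPM present and ready' $tpmOk $tpmDetail

    if ($Deployment -eq 'CloudOnly') {
        # dsregcmd reports whether the device is registered with Azure AD.
        $status = dsregcmd /status
        $joinedLine = $status | Select-String -Pattern 'AzureAdJoined' | Select-Object -First 1
        $joined = [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
        $detail = if ($joinedLine) { $joinedLine.Line.Trim() } else { 'no AzureAdJoined line in dsregcmd output' }
        & $add 'Azure AD joined' $joined $detail
    }
    else {
        Import-Module ActiveDirectory -ErrorAction Stop

        $schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
        & $add 'Schema is Server 2016 (objectVersion >= 87)' ($schema.objectVersion -ge 87) "objectVersion=$($schema.objectVersion)"

        $forest = Get-ADForest
        $domain = Get-ADDomain
        $forestOk = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
        $domainOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
        & $add 'Forest functional level >= 2008 R2' $forestOk "$($forest.ForestMode)"
        & $add 'Domain functional level >= 2008 R2' $domainOk "$($domain.DomainMode)"

        # At least one 2016-or-newer DC must be present for Hello sign-in.
        $dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
        $modernDcs = @($dcs | Where-Object { $_.OperatingSystem -match 'Windows Server (2016|2019|2022)' })
        $dcDetail = ($dcs | ForEach-Object { "$($_.HostName)=$($_.OperatingSystem)" }) -join '; '
        & $add 'Server 2016+ domain controller present' ($modernDcs.Count -gt 0) $dcDetail
    }

    return $checks
}

Get-HelloPrerequisiteReport -Deployment OnPremises | Format-Table -AutoSize
```

The script only reads; nothing is changed. A False in the Pass column tells you which item from the list above still needs work before you enroll the first device, and `-Deployment CloudOnly` swaps the directory checks for the dsregcmd registration check.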
Is it Right for My Business?
Most businesses, especially those that still rely on cumbersome and attack-prone passwords, would probably benefit from implementing Windows Hello for Business. It is a relatively cost-effective and straightforward way to raise your security. It requires some setup and perhaps an initial investment in biometric hardware, but the long-run gains in security will likely outweigh those setup costs.
2019 may be too early to declare the end of passwords. However, technology seems to be headed in that direction and adopting Windows Hello for Business may help you stay ahead of this technological shift.