Passwordless Authentication - Windows Hello for Business

Are you aware that most frequent threat attacks have happened through compromised password credentials ?



Organizations are spending more than ever to protect themselves from cyber-criminals and online threats.


Here is the interesting fact,

IBM’s Cost of Data Breach 2021 report found that the average cost of a data breach for an organization was $4.24 million. Here’s the breakdown of the average cost for different types of attacks:


  • Phishing: $4.65 million

  • Malicious insiders: $4.61 million

  • Social engineering: $4.47 million

  • Compromised credentials: $4.37 million


Online threats have increased a huge margin has organizations are opting for remote work culture and its important to note that passwords play a very crucial role in all the cyber-attacks.


Due to the fact that remote workers access resources on a variety of different devices without the organisation being able to evaluate the risk or security posture of those devices, prices are sometimes substantially higher for companies employing remote employees.


On any malware-infected device, users may simply enter their username and password to access sensitive data, giving hackers access to the network.


When the workforce is distributed, it can also take longer to find breaches, which gives malevolent attackers more time to cause damage and increase the expense of the recovery procedure.


Those with more remote workers (over 50%) took 316 days longer to find and stop breaches than companies with more office workers (258 days). The most difficult breaches to find were those brought on by stolen credentials.


As technology grows, the online threats and cyber-attacks also grows along with it. Large tech companies are implementing varied methods to reduce cyber threats. With Windows Hello for Business (WHfB), Microsoft has introduced passwordless authentication through biometric sign-in to Business and Enterprise users.


Lets see what is Windows Hello for Business and how does it work ?


Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.



Device Based Mechanism

A strong credentials in Windows Hello for Business are linked to specific devices either through private keys or certificates. For trust, it may depend on an enterprise's public key infrastructure (PKI) or certificate-based authentication. Which is preferable varies depending on whether a company wants to issue end-entity certificates to its users and what version of Windows Server Domain Controllers it has. Certificate-oriented deployments are similar to smart cards/virtual smart cards in that expirations and renewals are managed.


Exploring all possible implementation options is beyond the scope of this article, so let's focus on just one method. For a hardware-oriented setup with PKI, Windows Hello for Business will generate and sign certificates using the device's unique, tamper-proof trusted platform module (TPM) chip.


The authentication server, which may use Active Directory, Azure Active Directory, or a Microsoft account as its identity provider, is also mapping a Windows Hello for Business public key to the device. The resulting user key, comprising of the server-registered public key and the TPM-protected private key on an enrolled device, is one component of Windows Hello for Business's secure second-factor authentication system.


The pairing of the two keys authenticates the user into their account, but only after they have given another piece of evidence, such as a PIN or biometric credential, to prove that they are the trusted owners of the private key. The entire combination makes sure that each login requires a factor that the user either has (the device or private key), is familiar with (the PIN), or both (biometrics).

Windows Hello for Business - PIN

A PIN is first connected to a particular device. Even if someone had the PIN, they would also need the associated devices. Passwords, on the other hand, can be used to log in from practically anywhere and on any device.


On top of that, the PIN is kept locally and is never sent to a remote server. There is therefore no chance of a significant data breach that would reveal the PIN. The private key that signs the request to the authentication server is simply unlocked by a valid PIN.


Since a Windows Hello for Business PIN is text-based and requires memorization, it may initially appear that it is just a password by another name. But in actual use, they diverge significantly.


In the event that a device with TPM chips gets lost or stolen, a built-in anti-hammering safeguards prevent even easy PINs from being brute-force-guessed. The devices will lock after several inaccurate attempts, making the private key inaccessible.


Like with passwords, administrators can define PIN complexity requirements within Microsoft Intune. Even though biometric sign-in is preferable, the PIN is necessary as a backup in case the fingerprint sensor or other specialised technology breaks down or is otherwise unavailable.


Windows Hello for Business - BIOMETRIC

The most efficient and secure second factor for Windows Hello for Business is enabled via biometric authentication. The primary gesture for obtaining device-specific credentials is a user's fingerprint or face/iris scan, with the PIN serving as a necessary backup option.


Using biometric devices that are Windows Hello for Business compatible is advantageous for several reasons:

  • A person's fingerprint or face shape cannot be reliably stolen or impersonated since they are personal characteristics that are unique to them.


With biometrics, logging in is really simple and only requires a brief glance or finger print positioning.


The actual biometric information is never transferred to a server and is only ever stored locally on the device, preventing the development of a remotely accessible and vulnerable credential repository.

Compatible for Legacy and Cloud deployments


Windows Hello for Business (WHfB) deployment configuration for businesses include on-premises, cloud, and hybrid deployments that combine both infrastructures. The applicable identity providers and the kinds of additional factors that can be utilised for Multi-factor authentication (MFA) during the initial provisioning of the strong credential will depend on the implementation type.


Azure Active Directory will be used for cloud and hybrid deployments, and Windows Server 2016 Active Directory Federation Services(ADFS) will be used for on-premises installations. To ensure that the private key is issued to a device in the control of a trusted user, cloud and hybrid implementations of Windows Hello for Business can accept a wider range of extra elements during strong credential setup.

Integration with Single sign on (SSO)

SSO is supported by Windows Hello for Business since it can authenticate users into Active Directory or Azure Active Directory accounts. Users can sign into various services using a single set of credentials with SSO, saving them from having to enter their credentials repeatedly for each application.


The Windows 10 & 11 VPN Client works flawlessly with certificate-based Windows Hello for Business. The VPN utilises the certificate to validate the user's connection once the correct biometric gesture or PIN has been provided.


IT Security burden reduced

Except for the initial one-time provisioning of its strong credentials, Windows Hello for Business replaces passwords in every common situation. That means IT won't have to spend as much time resetting passwords and verifying users' identities.


Every minute the help desk spends on password resets is time away from more strategic projects. Windows Hello for Business is not only more secure than password-based authentication, but it is also more scalable, sustainable, and cost-effective.


In my next blog, we would demonstrate different deployment methods about Windows Hello for Business, stay tuned by subscribing to our community.

9 views0 comments