The current methods of authentication with
passwords alone are not sufficient to keep users safe. Users reuse and forget
passwords. Passwords are breachable, phishable, prone to cracking, and guessable.
They are also hard to remember and vulnerable to attacks such as “pass the hash”.
What is Windows Hello for Business?
Windows Hello for Business is a
private/public key or certificate-based authentication approach for
organizations and consumers that goes beyond passwords. This form of
authentication relies on key pair credentials that can replace passwords and
are resistant to breaches, thefts, and phishing.
Windows Hello for Business lets a user
authenticate to a Microsoft account, a Windows Server Active Directory account,
a Microsoft Azure Active Directory (Azure AD) account, or a non-Microsoft
service that supports Fast IDentity Online (FIDO) authentication. After an
initial two-step verification during Windows Hello for Business enrollment,
Windows Hello for Business is set up on the user's device, and the user sets a
gesture, which can be Windows Hello or a PIN. The user provides the gesture to
verify their identity. Windows then uses Windows Hello for Business to
authenticate the user and help them to access protected resources and services.
The private key is made available solely
through a “user gesture” like a PIN, biometrics, or a remote device like a
smart card that the user uses to sign in to the device. This information is
linked to a certificate or an asymmetric key pair. The private key is
hardware attested if the device has a Trusted Platform Module (TPM) chip. The
private key never leaves the device.
The public key is registered with Azure
Active Directory and Windows Server Active Directory (for on-premises).
Identity Providers (IDPs) validate the user by mapping the public key of the
user to the private key, and provide sign-in information through One Time
Password (OTP), PhoneFactor, or a different notification mechanism.
Why should enterprises adopt Windows Hello for Business?
By enabling Windows Hello for Business,
enterprises can make their resources even more secure by:
Setting up Windows Hello for Business with a hardware-preferred option. This means that keys will be generated on TPM 1.2 or TPM 2.0 when available. When TPM is not available, software will generate the key.
Defining the complexity and length of the PIN, and whether Hello usage is enabled in your organization.
Configuring Windows Hello for Business to support smart card-like scenarios by using certificate-based trust.
How does Windows Hello for Business work?
Keys are generated in hardware by a TPM, or in software when no TPM is present. Many devices have a built-in TPM chip that secures the hardware by binding cryptographic keys to the device. TPM 1.2 or TPM 2.0 generates the keys, and certificates can be issued for those generated keys.
The TPM attests these hardware-bound keys.
A single unlock gesture unlocks the device. This gesture allows access to multiple resources if the device is domain-joined or Azure AD-joined.
How does the Windows Hello for Business lifecycle work?
The user proves their identity through multiple built-in proofing methods (gestures, physical smart cards, multi-factor authentication) and sends this information to an Identity Provider (IDP) like Azure Active Directory or on-premises Active Directory.
The device then creates the key, attests the key, takes the public portion of this key, attaches it with the attestation statements, signs in, and sends it to the IDP to register the key.
As soon as the IDP registers the public portion of the key, the IDP challenges the device to sign with the private portion of the key.
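The register, challenge and sign steps of this lifecycle, written out as an added example (this is not code from the Microsoft document): Ed25519 stands in for the TPM-backed key, the gestureOK flag stands in for the platform's PIN or biometric check, and the attestation statement is left out. The private key exists only on the device side; the IDP holds public keys and single-use challenge nonces.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// IdP models the identity provider: it stores only public keys plus one
// outstanding challenge nonce per user, and never sees a private key.
type IdP struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewIdP() *IdP {
	return &IdP{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}
// Register stores the public portion of the key the device generated.
func (i *IdP) Register(user string, pub ed25519.PublicKey) { i.keys[user] = pub }
// Challenge issues a fresh random nonce that the device must sign.
func (i *IdP) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	i.challenges[user] = nonce
	return nonce, err
}
// Verify checks the signature over the outstanding nonce. The nonce is
// consumed on first use, so a replayed signature or an unknown user fails.
func (i *IdP) Verify(user string, sig []byte) bool {
	pub, nonce := i.keys[user], i.challenges[user]
	delete(i.challenges, user)
	if pub == nil || nonce == nil {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}
// NewDeviceKey generates the device key pair (Ed25519 here as a stand-in for
// the TPM-backed key); only the public half is ever sent to the IdP.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
// DeviceSign answers a challenge. gestureOK stands in for the platform's PIN
// or biometric check (hypothetical); without it the private key is not released.
func DeviceSign(priv ed25519.PrivateKey, gestureOK bool, nonce []byte) ([]byte, error) {
	if !gestureOK {
		return nil, errors.New("gesture required before private key use")
	}
	return ed25519.Sign(priv, nonce), nil
}
```

Running the flow twice with the same signature shows why the nonce is single-use: the second Verify call fails even though the signature itself is valid.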
What is the deployment requirement for Windows Hello for Business?
At the enterprise level
The enterprise has an Azure subscription.
At the user level
The user's computer runs Windows 10 Professional or
-from a document in Microsoft Docs