Connecting Technology and Business.

Windows Hello for Business

The current methods of authentication with passwords alone are not sufficient to keep users safe. Users reuse and forget passwords. Passwords are breachable, phishable, prone to cracks, and guessable. They also get difficult to remember and prone to attacks like “pass the hash”.

What is Windows Hello for Business?

Windows Hello for Business is a private/public key or certificate-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on key pair credentials that can replace passwords and are resistant to breaches, thefts, and phishing.

Windows Hello for Business lets a user authenticate to a Microsoft account, a Windows Server Active Directory account, a Microsoft Azure Active Directory (Azure AD) account, or a non-Microsoft service that supports Fast IDentity Online (FIDO) authentication. After an initial two-step verification during Windows Hello for Business enrollment, Windows Hello for Business is set up on the user's device, and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello for Business to authenticate the user and help them to access protected resources and services.

The private key is made available solely through a “user gesture” like a PIN, biometrics, or a remote device like a smart card that the user uses to sign in to the device. This information is linked to a certificate or an asymmetrical key pair. The private key is hardware attested if the device has a Trusted Platform Module (TPM) chip. The private key never leaves the device.

The public key is registered with Azure Active Directory and Windows Server Active Directory (for on-premises). Identity Providers (IDPs) validate the user by mapping the public key of the user to the private key, and provide sign-in information through One Time Password (OTP), PhoneFactor, or a different notification mechanism.

Why should enterprises adopt Windows Hello for Business?

By enabling Windows Hello for Business, enterprises can make their resources even more secure by:

  • Setting up Windows Hello for Business with a hardware-preferred option. This means that keys will be generated on TPM 1.2 or TPM 2.0 when available. When TPM is not available, software will generate the key.
  • Defining the complexity and length of the PIN, and whether Hello usage is enabled in your organization.
  • Configuring Windows Hello for Business to support smart card-like scenarios by using certificate-based trust.

How does Windows Hello for Business work?

  1. Keys are generated on the hardware by TPM or software. Many devices have a built-in TPM chip that secures the hardware by integrating cryptographic keys into devices. TPM 1.2 or TPM 2.0 generates keys or certificates that are created from the generated keys.
  2. The TPM attests these hardware-bound keys.
  3. A single unlock gesture unlocks the device. This gesture allows access to multiple resources if the device is domain-joined or Azure AD-joined.

How does the Windows Hello for Business lifecycle work?

  • The user proves their identity through multiple built-in proofing methods (gestures, physical smart cards, multi-factor authentication) and sends this information to an Identity Provider (IDP) like Azure Active Directory or on-premises Active Directory.
  • The device then creates the key, attests the key, takes the public portion of this key, attaches it with station statements, signs in, and sends it to the IDP to register the key.
  • As soon as the IDP registers the public portion of the key, the IDP challenges the device to sign with the private portion of the key.
  • The IDP then validates and issues the authentication token that lets the user and the device access the protected resources. IDPs can write cross-platform apps or use browser support (via JavaScript/Webcrypto APIs) to create and use Windows Hello for Business credentials for their users.

What is the deployment requirement for Windows Hello for Business?

At the enterprise level

The enterprise has an Azure subscription.

At the user level

The user's computer runs Windows 10 Professional or Enterprise.

-from a document in Microsoft Docs