Essential Guide

Windows 10 guide to upgrades, compatibility and more


Windows 10 security improves with Windows Hello and Passport

Biometrics and multifactor authentication in Windows 10 make it easier and more secure for users to access the resources they need.

Although much of the discussion about Windows 10 has revolved around the return of the Start menu and other user interface improvements, the OS also boasts a number of new features that let workers securely access the applications and data they need.

The Windows 10 security feature that has probably received the most press is Windows Hello. It's a biometric authentication engine that workers can use to log in without a password. Windows Hello supports biometric authentication based on fingerprint, facial or iris recognition. Any PC with a fingerprint scanner will work with Windows Hello.

Workers who want to use facial recognition will require an infrared camera, but there are few PCs -- if any -- that currently have the required hardware. Most of the OEMs that support Windows Hello incorporate the Intel RealSense 3D Camera (F200) into their systems. Iris recognition will also require specialized hardware, but there is no word on what exactly will be required as of this writing.

Using Windows Hello and Passport

A related security feature is Passport, which is designed to work as a federated single sign-on (SSO) feature. It works in conjunction with Windows Hello.

On its own, Windows Hello can provide authentication to a Windows 10 device, and, presumably, it can function as an Active Directory authentication mechanism. But long gone are the days when all the resources users needed were located on premises and under the IT department's direct control. Today, it is common for users to access local resources, applications that are running on virtual machines in a public cloud, and software-as-a-service applications. This is where the Passport feature comes into play: it allows users to sign on once to access a variety of Web applications and services.

SSO technology might make some administrators nervous, because a security breach could potentially grant an attacker access to a wide variety of corporate resources. But the Windows 10 Passport feature is optional, and it supports a somewhat unique form of multifactor authentication.

Multifactor authentication has been around in various forms for many years. It uses multiple methods to establish a user's identity. In a generic sense, identity can be based on something that the user knows, such as a PIN or a password; something that the user has, such as a smart card; or something that the user is, such as the user's fingerprints.

In Windows 10, Windows Hello provides one authentication factor and the device itself acts as the other factor. At first, this approach might sound dubious; Windows 10 isn't just designed for desktop PCs -- it can also run on laptops, tablets, phones and other devices. Although small, portable devices are prone to loss or theft, Microsoft has devised an approach to the authentication process that may prove to be more secure than password-based authentication.

As previously mentioned, Windows Hello is the first authentication method. It allows a user to sign in to the device using biometric identification or a PIN. The nice thing about the way Windows Hello works is that it only provides authentication to the local device. In other words, a user's biometric information is never transmitted across the network or Internet.

Once a user authenticates to the device, the device itself authenticates to Passport and any websites, services or applications that are linked to Passport. Microsoft has not yet released technical details about how this authentication process will work, but the device will likely need to be enrolled in Active Directory or in Microsoft Azure Active Directory. Once enrolled, devices could be uniquely identified by a device-level certificate.

So, what happens if multiple users share one device? In that case, Windows Hello can differentiate between the users. Although Windows Hello is designed primarily to unlock the device, it does work with Passport; even if multiple users share a device, Passport should be aware of which user is logged in and provide access only to the resources the current person has permission to use. 
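An added sketch of the two-factor model described above (gesture checked locally, then the device answers for the signed-in user), not Microsoft's implementation, whose details the article notes were unpublished. The `Service` and `Device` classes, the HMAC challenge-response standing in for a device certificate, and the exact-match PIN standing in for a biometric match are all assumptions made for illustration.

```python
import hashlib, hmac, os

class Service:
    """Relying service (hypothetical): one enrolled key per (device, user)."""
    def __init__(self):
        self.enrolled, self.pending, self.received = {}, {}, []

    def enroll(self, device_id, user, key):
        self.received.append(key)          # log of every secret-bearing message
        self.enrolled[(device_id, user)] = key

    def challenge(self, device_id, user):
        nonce = self.pending[(device_id, user)] = os.urandom(16)
        return nonce

    def verify(self, device_id, user, response):
        self.received.append(response)
        nonce = self.pending.pop((device_id, user), None)   # one-time use
        key = self.enrolled.get((device_id, user))
        if nonce is None or key is None:
            return False                   # unknown device/user pair
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Device:
    """Shared device (hypothetical): a separate record and key for each user."""
    def __init__(self, device_id):
        self.device_id, self.users = device_id, {}

    @staticmethod
    def _check_value(salt, gesture):
        return hashlib.pbkdf2_hmac("sha256", gesture, salt, 100_000)

    def add_user(self, user, gesture, service):
        salt, key = os.urandom(16), os.urandom(32)
        # A real device would keep the key in protected storage; a dict keeps the model short.
        self.users[user] = (salt, self._check_value(salt, gesture), key)
        service.enroll(self.device_id, user, key)

    def sign_in(self, user, gesture, service):
        if user not in self.users:
            return False
        salt, stored, key = self.users[user]
        # Factor 1: the gesture is checked on the device only.
        if not hmac.compare_digest(stored, self._check_value(salt, gesture)):
            return False                   # nothing is sent to the service
        # Factor 2: the enrolled device answers the service's challenge.
        nonce = service.challenge(self.device_id, user)
        response = hmac.new(key, nonce, hashlib.sha256).digest()
        return service.verify(self.device_id, user, response)
```

The service only ever receives the enrolled key and challenge responses, so a correct gesture typed on a device it has not enrolled fails just as a wrong gesture on an enrolled device does.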


This was last published in August 2015


Join the conversation

5 comments


How well do you think Windows Hello and Passport will improve Windows 10 security?
I am not an IT professional. But just wanted to say I recently bought a Surface Pro 4 and found if I put my hand over the camera when I turn it on so it can't recognise me, all I have to do is lift the start screen page and bingo, I'm in; Hello is then bypassed! Not very secure.
But it is effective if I shut it down first, it won't allow access then.
So I love the introduction of biometrics to laptops. But I've always wondered, what kind of a mess does that make for trying to get your machine worked on if you need help from, say... Geek Squad?
@Veretax -- that's a great, really interesting question. Would you have to stand there with your tech while they work on your computer to unlock it if necessary? I wonder if there are ways IT folks can get around those biometrics, and if there are, are those measures really that secure in the first place? I'm the Site Editor for SearchEnterpriseDesktop, so I'll ask Brien (the author of this tip) what he knows about that and see if we can get an article posted to answer your question. Keep your eyes peeled!
I am not an IT professional. But just wanted to say I recently bought a Surface Pro 4 and found if I put my hand over the camera when I turn it on so it can't recognize me, all I have to do is lift the start screen page and bingo, I'm in; Hello is then bypassed! Not very secure.