Windows 10 security improves with Windows Hello and Passport

Biometrics and multifactor authentication in Windows 10 make it easier and more secure for users to access the resources they need.

Although much of the discussion about Windows 10 has revolved around the return of the Start menu and other user interface improvements, the OS also boasts a number of new features that let workers securely access the applications and data they need.

The Windows 10 security feature that has probably received the most press is Windows Hello. It's a biometric authentication engine that workers can use to log in without a password. Windows Hello supports biometric authentication based on fingerprint, facial or iris recognition. Any PC with a fingerprint scanner will work with Windows Hello.

Workers who want to use facial recognition will require an infrared camera, but there are few PCs -- if any -- that currently have the required hardware. Most of the OEMs that support Windows Hello incorporate the Intel RealSense 3D Camera (F200) into their systems. Iris recognition will also require specialized hardware, but there is no word on what exactly will be required as of this writing.

Using Windows Hello and Passport

A related security feature is Passport, which is designed to work as a federated single sign-on (SSO) feature. It works in conjunction with Windows Hello.

On its own, Windows Hello can provide authentication to a Windows 10 device, and, presumably, it can function as an Active Directory authentication mechanism. But long gone are the days when all the resources users needed were located on premises and under the IT department's direct control. Today, it is common for users to access local resources, applications that are running on virtual machines in a public cloud, and software-as-a-service applications. This is where the Passport feature comes into play: It allows users to sign on once to access a variety of Web applications and services.

SSO technology might make some administrators nervous, because a security breach could potentially grant an attacker access to a wide variety of corporate resources. But the Windows 10 Passport feature is optional, and it supports a somewhat unique form of multifactor authentication.

Multifactor authentication has been around in various forms for many years. It uses multiple methods to establish a user's identity. In a generic sense, identity can be based on something that the user knows, such as a PIN or a password; something that the user has, such as a smart card; or something that the user is, such as the user's fingerprints.

In Windows 10, Windows Hello provides one authentication factor and the device itself acts as the other factor. At first, this approach might sound dubious; Windows 10 isn't just designed for desktop PCs -- it can also run on laptops, tablets, phones and other devices. Although small, portable devices are prone to loss or theft, Microsoft has devised an approach to the authentication process that may prove to be more secure than password-based authentication.

As previously mentioned, Windows Hello is the first authentication method. It allows a user to sign in to the device using biometric identification or a PIN. The nice thing about the way Windows Hello works is that it provides authentication only to the local device. In other words, a user's biometric information is never transmitted across the network or Internet.

Once a user authenticates to the device, the device itself authenticates to Passport and any websites, services or applications that are linked to Passport. Microsoft has not yet released technical details about how this authentication process will work, but the device will likely need to be enrolled in Active Directory or in Microsoft Azure Active Directory. Once enrolled, devices could be uniquely identified by a device-level certificate.

So, what happens if multiple users share one device? In that case, Windows Hello can differentiate between the users. Although Windows Hello is designed primarily to unlock the device, it does work with Passport; even if multiple users share a device, Passport should be aware of which user is logged in and provide access only to the resources the current person has permission to use. 
