
Windows Hello for Business ditches password-only authentication

Microsoft merged Windows Hello and Microsoft Passport to create Windows Hello for Business, which allows for two-factor authentication and enables single sign-on.

Windows Hello for Business puts the dangers of password-only authentication in the rear view mirror by adding two-factor authentication.

With Windows Hello for Business employees can use a PIN or biometric factor such as a fingerprint or facial recognition to access corporate resources. Users can also authenticate to Microsoft accounts, Active Directory accounts, Azure Active Directory accounts, or accounts with identity providers that support Fast Identity Online v2.0, an open, interoperable authentication specification that aims to reduce the reliance on passwords.

The tool ties user credentials to the individual PC or mobile device, rather than letting them follow users across all devices, as is typical of password-based authentication. Windows Hello for Business is available on both Windows 10 and Windows 10 Mobile, starting with version 1607.

Passport and Windows Hello

At first, Windows 10 included Microsoft Passport and Windows Hello, which combined to support multifactor authentication in place of basic passwords. Passport delivered the two-factor authentication, and Windows Hello added the biometrics.

As Passport and Hello matured, Microsoft simplified the processes around deploying and supporting them. The company combined and improved on the two technologies and packaged them as a single feature called Windows Hello.

After that, Microsoft released Windows Hello for Business, which made it easier to manage Windows Hello in the enterprise, using either Group Policy or mobile device management (MDM) policies. Windows Hello for Business also supports certificate-based authentication, along with key pair authentication. The non-business version of Windows Hello cannot use certificates.

Why Windows Hello for Business is necessary


It's not surprising that Microsoft is moving away from passwords to other forms of authentication. Passwords are a risk to the enterprise and individual alike. Users can forget their passwords, treat them carelessly or reuse them for multiple services. Cybercriminals can eavesdrop on network connections, break into data centers to steal credentials or trick users into revealing passwords. A system that relies on passwords alone assumes any connection that provides the correct username and password is safe to authenticate.

To address these risks, Windows Hello for Business bases authentication on the specific device, using either security certificates or private/public key pairs, rather than passwords. This approach is more resistant to data theft because the device stores users' personal credentials locally. They do not roam, and the devices do not transmit them to external systems or store them in a central repository in some distant data center.

Because Windows Hello authentication is tied to the device, the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources. A compromised component means little without the device, and a compromised device provides no access without the other component. In this sense, Windows Hello for Business works like a bank card and its PIN.

Once users provide their PINs or biometrics, they have single sign-on access to network resources, on-premises applications and cloud-based services.

Putting Windows Hello for Business to work

An organization that already has a public key infrastructure (PKI) can use that system to issue and manage Windows Hello for Business certificates. Each certificate has a lifetime limit of 90 days, but Windows Hello for Business can renew them automatically, usually about 30 days before they expire.

An organization that doesn't have a PKI or doesn't want to deal with certificates can use key-based authentication. In this model, the authentication server keeps only the public key and maps it to the user; the corresponding private key is stored securely on the device and never leaves it.

Admins can bind key pairs to a device's software or hardware. To use hardware, IT must configure the device with a Trusted Platform Module (TPM) chip. A TPM chip is a secure processor that carries out cryptographic operations and contains multiple security mechanisms to protect it from threats such as brute-force attacks.

In addition to the certificate or key pair, users must register a PIN or biometric gesture, which is then tied to the device. The PIN can be a simple set of numbers or a more complex mix of characters, much like a password. Administrators can configure Group Policy or MDM policies to control the PIN's minimum length (it must be at least six characters), complexity, expiration and other settings, such as whether special characters are required.
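The key-based model described in the preceding sections (a private key that lives on the device and is released only after the local PIN gesture, a server that holds nothing but the public key, and a six-character PIN floor enforced at enrollment) can be seen end to end in the following Go program. It is an added illustration, not Microsoft's code, and it does not call the Windows Hello APIs: the `Device`, `Server`, `Enroll`, `Challenge`, `Sign` and `Verify` names are assumptions for the simulation, the key is held in process memory rather than in a TPM, and the user name and PIN are constructed sample values. It also shows the two failure modes the article's bank-card analogy implies: the right PIN on an unregistered device fails, and the registered device with the wrong PIN fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// minPINLength is the floor the article states for a Windows Hello PIN.
const minPINLength = 6

// Device models the user's PC (hypothetical name). It keeps the private key
// and releases it for signing only after the local PIN gesture is verified.
// A real deployment keeps the key in the TPM; this simulation keeps it in memory.
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

// Server models the identity provider (hypothetical name). It stores only
// public keys, indexed by user, and never sees a PIN or a private key.
type Server struct {
	pubKeys map[string]*ecdsa.PublicKey
}

// NewServer returns an empty registry of public keys.
func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}}
}

// Enroll creates a device-bound key pair, binds the PIN to it on the device
// and registers only the public key with the server.
func Enroll(srv *Server, user, pin string) (*Device, error) {
	if len(pin) < minPINLength {
		return nil, fmt.Errorf("PIN must be at least %d characters", minPINLength)
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	d := &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
	srv.pubKeys[user] = &priv.PublicKey
	return d, nil
}

// Challenge returns a fresh random nonce the device must sign, so a captured
// signature cannot be replayed against a later sign-in.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Sign releases the private key only when the PIN matches the enrolled one.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("gesture rejected: private key not released")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the signed challenge against the public key registered for user.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Authenticate runs the whole exchange: challenge, PIN-gated signing, verification.
func Authenticate(srv *Server, d *Device, user, pin string) bool {
	ch, err := srv.Challenge()
	if err != nil {
		return false
	}
	sig, err := d.Sign(pin, ch)
	if err != nil {
		return false
	}
	return srv.Verify(user, ch, sig)
}

func main() {
	srv := NewServer()
	dev, err := Enroll(srv, "alice", "483921") // constructed sample user and PIN
	if err != nil {
		panic(err)
	}
	fmt.Println("device + correct PIN:", Authenticate(srv, dev, "alice", "483921"))
	fmt.Println("device + wrong PIN:  ", Authenticate(srv, dev, "alice", "000000"))
	stranger, _ := Enroll(NewServer(), "alice", "483921") // same PIN, unregistered device
	fmt.Println("other device + PIN:  ", Authenticate(srv, stranger, "alice", "483921"))
}
```

Because `srv` only ever receives `priv.PublicKey`, a breach of the server's store yields nothing that can be used to sign a challenge, which is the property the article credits for the model's resistance to credential theft.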

How to enroll in Windows Hello for Business

The process of enrolling users in Windows Hello for Business varies depending on the deployment scenario. Users must initially provide their usernames and passwords and then verify their identities with smart cards, phone calls, text messages or authentication apps. Once they complete the verification process and register their gestures on their specific devices, they can use those gestures to access IT-approved corporate resources. Enrollment applies only to the specific device, so users must re-enroll for each additional device they want to register with Windows Hello for Business.
