Goodbye to Passwords with Windows Hello (For Business)

By Daniel Creaney posted 10-16-2023 16:50

Windows Hello for Business (WHfB) is a feature at the heart of Microsoft’s strategy for built-in password-less authentication. Hello for Business lets users unlock domain-joined physical Windows desktops and laptops with a face, iris or fingerprint scan, a security key or smart card, or a PIN. WHfB can combine these sign-in gestures with multi-factor authentication (MFA) to create an authentication experience that is not only stronger than traditional passwords, but also less time-consuming and error-prone for the end user.

Traditional password sign-ins are vulnerable to a variety of attacks, e.g., phishing and brute force. WHfB instead uses public key cryptography to keep the credential out of reach: the private key is stored locally in the device's Trusted Platform Module (TPM), which is specifically designed to isolate and protect the key, and only the public key is registered with an identity provider, Azure AD for example. At sign-in the private key is unlocked with a PIN or biometric gesture and is used to sign a challenge from the identity provider, proving that the device is physically present with the intended user.
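The sign-in flow described above, as an added example that is not code from this post or Microsoft's implementation: a simulated TPM (`Device`) keeps the private key local, releases it only after the PIN check, and signs a fresh challenge that the identity provider (`IdP`) verifies with the public key registered at enrollment. The type names, the lockout threshold and the use of P-256 ECDSA are assumptions made for the simulation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const maxPinFailures = 5 // constructed lockout threshold for this simulation
// Device models the TPM-held key pair (hypothetical model): the private key never leaves it and is usable only after the PIN succeeds.
type Device struct {
	priv     *ecdsa.PrivateKey
	pin      string
	failures int
}

func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pin: pin}, nil
}
// PublicKey is the only material registered with the identity provider at enrollment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }
// SignChallenge unlocks the key with the PIN and signs the IdP's nonce; repeated wrong PINs lock the device.
func (d *Device) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= maxPinFailures {
		return nil, errors.New("device locked: too many failed PIN attempts")
	}
	if pin != d.pin {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}
// IdP stores public keys only, so a breach of its store yields nothing reusable as a credential.
type IdP struct{ users map[string]*ecdsa.PublicKey }
func NewIdP() *IdP                                        { return &IdP{users: map[string]*ecdsa.PublicKey{}} }
func (i *IdP) Register(user string, pub *ecdsa.PublicKey) { i.users[user] = pub }
func (i *IdP) Challenge() []byte                          { c := make([]byte, 32); rand.Read(c); return c } // fresh nonce per sign-in
func (i *IdP) Verify(user string, challenge, sig []byte) bool {
	pub, ok := i.users[user]
	digest := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A signature is only valid for the exact challenge it was produced for, so a captured response cannot be replayed against the next sign-in, and the identity provider never holds anything an attacker could use in place of the device.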

By tapping in a PIN, touching a fingerprint reader, or glancing at the camera, users can sign in quickly and forget those long strings of complex passwords for good (and no longer need to log an IT ticket to request a reset), which reduces management overhead.

Windows Hello for Business is available beginning with Windows 10 (version 1709). To make use of WHfB, users need hardware that supports it, namely compatible biometric and TPM technology (either a physical chip or a virtual vTPM), plus an appropriate identity management solution.

The current state of the hardware fleet may determine the initial scope of the rollout: all at once if the devices and infrastructure are already in place, or a smaller pilot that expands as hardware is upgraded over time. When defining a WHfB policy, decide which of the possible unlock options you actually need, for example whether fingerprint and PIN are enough; omitting other hardware options may also save time and cost when purchasing hardware.

There are three infrastructure deployment options for WHfB:

1. Azure AD Cloud Only Deployment
   a. Requires Azure Active Directory and Azure AD MFA
2. Hybrid Deployment
   a. Requires a Windows Server 2016 or later schema and Azure MFA
3. On-premises Deployment
   a. Requires a Windows Server 2016 or later schema and AD FS with a third-party MFA adapter, and either key trust or certificate trust managed through Group Policy

WHfB can be managed via Group Policy or a Mobile Device Management (MDM) solution to configure firmwide policies: enabling WHfB for devices, enabling the use of biometrics, turning on the convenience PIN, and setting PIN complexity requirements.

Users will go through a WHfB enrollment process to record their biometric credential and/or a convenience PIN. The biometric data is encrypted and stored locally on the physical device via TPM technology. The enrollment process options are set during Group Policy or MDM configuration. It is wise to implement a fallback authentication method (such as a PIN or smart card) in the event of a biometric hardware failure. WHfB and biometrics share some of the same failure points as passwords, including users being locked out after too many failed authentication attempts and/or forgetting their PIN and requiring a reset.

Users will undoubtedly require training and guidance on password-less technology and biometrics, and on how to enroll. An important step in planning a rollout of WHfB is designing a training plan to educate the end users of the technology and the teams that will support them. Telegraphing the benefits of the culture change from passwords to a password-free future ahead of time should smooth the path to user acceptance of the change and bring unforeseen questions and concerns to light during the planning phase.

“Hackers don’t break in, they log in.” - Bret Arsenault (CISO Microsoft)

WHfB is part of Microsoft's commitment to a world without passwords: reducing reliance on a string that can be obtained relatively easily enhances overall security because, as the quote above says, hackers don’t break in, they log in. WHfB supports multi-factor authentication by combining biometric data (something you are) with other factors like a PIN (something you know), reducing the risk of credential theft, since biometric data is less susceptible to compromise as it is not easily shared, guessed, stolen, or phished.
 
WHfB reduces the number of MFA prompts that users see when accessing resources and can be integrated with Single Sign-On solutions, resulting in an improved user experience across multiple applications.
WHfB maintains an audit trail and ensures that authentication is tied to specific individuals, increasing user accountability and preventing unauthorized access. WHfB offers secure fallback mechanisms, such as the use of a PIN, in case biometric data cannot be used. Configuration and management are handled centrally through Group Policy or Mobile Device Management (MDM) solutions.
 
Implementing WHfB may not be a simple effort, and that effort will scale with the size of the organization. There may be additional hardware investment needed to support the biometrics, changes to infrastructure and the directory system, and policy changes both from the Firm's governance leaders and in Group Policy. Training resources and IT upskilling are recommended, as well as marketing the culture shift away from passwords to the wider firm.
It is likely that there will be questions from the user population around who and what has access to their biometric data. The Firm's education and policy efforts will need to be ready for those questions when they arise. Users may have privacy concerns or simply be resistant to change.
 
Firms should ensure that they have sufficient alternate authentication methods in place, and the skills to support them, in the event of biometric failure, while recognising that these fallbacks risk reintroducing some of the issues WHfB mitigates during the password-less journey. Further, Firms would be wise to support password-less efforts as part of ongoing security hardening and future-proofing. While WHfB audits and records authentication events, Firm policy should address minimum standards and controls for reporting purposes and for protecting users' personal biometric data.
 
It would be wise to get ahead of this with marketing efforts before and during the project, framing going password-less as an evolution rather than a sudden shift. There will be applications and corner cases that won’t yet support biometric authentication and PINs. There may be, for now, limited cross-platform support. And that’s OK. We expect that at the beginning. We say goodbye to passwords gradually, together.
