Microsoft Hello

For quite a long time, we have been following the routine of typing in a password for accessing our computers. Strong password requirements make us set complex passwords which we often tend to forget, and then we frantically chase the administrator to reset our forgotten passwords. More importantly, even the most secure network is vulnerable to security breaches and the network credentials could easily end up in the wrong hands. Users could also easily fall prey to replay or phishing attacks and end up exposing their passwords. Isn’t it time for a change? What if we could have something more unique than passwords for authentication? Well, Microsoft Hello helps us do just that.

It provides instant access to our Windows 10 devices using biometric authentication i.e., we can log in to our computer using fingerprint, iris, or facial recognition. It offers us a more secure, convenient, and personal way of authenticating to our devices. The biometric data for Microsoft Hello authentication is stored on the local device only and is not shared with a server. Hence, a user can’t use this data for authenticating to a different device. Many users sharing a device can log in to the device using their own individual biometric data.

A little history

When Windows 10 was initially released, it introduced Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and enhance support, Microsoft has now merged these technologies into a unified solution called Windows Hello. Customers who have already implemented these technologies will not experience any changes in functionality. However, those who have yet to explore Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.

Some basics about Microsoft Hello

The two primary forms of biometric recognition supported by Windows Hello are:

1. Facial recognition: This type of biometric recognition employs IR cameras that can effectively differentiate between a living person and a photograph or scan. Several vendors offer external cameras integrating this technology, and major laptop manufacturers are incorporating it into their devices.
2. Fingerprint recognition: This biometric recognition method utilizes a capacitive fingerprint sensor to scan the user’s fingerprint. While fingerprint readers have been available for Windows computers for years, the current generation of sensors is more reliable and less prone to errors. Most existing fingerprint readers are compatible with both Windows 10 and Windows 11, whether they are external or integrated into laptops or USB keyboards.

An additional form of biometric recognition, called iris recognition, utilizes cameras to scan a user’s iris. The introduction of the HoloLens 2 marked the first use of iris scanners in Microsoft devices. Notably, these iris scanners are consistent across all HoloLens 2 devices.

It’s essential to understand that Windows securely stores biometric data required for Windows Hello implementation only on the local device. This data does not roam and is never transmitted to external devices or servers. By exclusively storing biometric identification data on the device, Windows Hello eliminates the risk of a single collection point that attackers could compromise to steal biometric data. For more detailed information on biometric authentication with Windows Hello for Business, please refer to the “Windows Hello biometrics in the enterprise” resource.

Microsoft Hello for Business

In order to help a user log in to cloud-based Microsoft Azure Active Directory or on-premise Windows Server Active Directory, amongst other types of identity providers, Microsoft provides the Hello for Business. Microsoft Hello for Business is a certificate or public/private key-based authentication method that replaces passwords with PIN, biometrics, or remote devices, which can be used for authentication.

Differentiating between Windows Hello and Windows Hello for Business

While individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in, this usage of Windows Hello is specific to the device on which it is set up. However, it may utilize a password hash depending on the individual’s account type. This configuration is known as the Windows Hello convenience PIN and does not rely on asymmetric (public/private key) or certificate-based authentication.

In contrast, Windows Hello for Business, which is configured through group policy or mobile device management (MDM) policy, always employs key-based or certificate-based authentication. This approach enhances security compared to the Windows Hello convenience PIN.

Microsoft Hello for Business authentication: How it works?

The working of Microsoft Hello for Business can be described in the following steps:

1. The user unlocks the account by means of  PIN, biometrics, or remote devices.
2. This information is sent to the Active Directory or other Identity Providers (IDP). 
3. The device creates a key and sends the public portion of the key to the IDP for registration.
4. The IDP registers the public key and sends a challenge to the device.
5. The device signs the challenge using the appropriate private key and returns the original challenge, the signed challenge and the ID of the key used to sign the challenge to the IDP.
6. The IDP verifies the sign on the challenge using the public key associated with the key ID specified above. After verifying that the challenge returned matches the original, the IDP returns a symmetric key encrypted using the device’s public key and a security token encrypted using the symmetric key.
7. The device decrypts the symmetric key using the private key. This symmetric key is used to decrypt the security token. The device uses this security token in order to access a resource.

We live in times where data is considered to be the new oil. Every individual and organization is highly worried about the security of their data. Microsoft Hello for Business offers a compelling option for data security using biometrics and multi-factor authentication. This ensures protection to our existing infrastructure against breaches and thefts.