Windows Hello

Windows Hello for Business is a modern, two-factor credential that is a more secure alternative to passwords. Windows Hello for Business is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, theft, and phishing.


Compromised passwords make the news headlines on a weekly basis. This is because passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere; because they're stored on the server, a server breach can reveal those stored credentials. 


Further to this, complicated password policies and forced frequent password changes not only give users a bad experience, but can also lead to users forgetting or writing down passwords.


In Windows 10, Windows Hello replaces passwords. Where supported, the Windows Hello provisioning process creates a cryptographic key pair. Access to these keys, and to the other validations that depend on them, is enabled only by the PIN or biometric gesture.


Microsoft implemented Windows Hello for Business, a new credential in Windows 10, to help increase security when accessing corporate resources. This feature offers a streamlined user sign-in experience as it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign in. 


When using Windows Hello for Business, the PIN is not a symmetric key, as a password usually is. That is, with passwords, there is a server that holds some representation of the password. Windows stores the biometric data that is used to implement Windows Hello securely on the local device only. Because the PIN and biometric identification data are never sent to a server, there is no database of user accounts and passwords to be compromised.


Windows Hello for Business has three deployment models: cloud, hybrid, and on-premises. If the resources that users need are all cloud-based (e.g. Office 365), then a cloud-based deployment model is best suited and quickest to implement. This usually involves the use of a cloud-based MDM solution such as Intune.


Hybrid and on-premises deployment models are for customers that need to access on-premises resources and may require significant effort to implement. These deployments have two trust models: key trust and certificate trust. The trust model determines how users authenticate to the on-premises Active Directory, and each has a different set of infrastructure requirements (e.g. Active Directory Certificate Services for a certificate trust model).


More features include:


Windows Hello credentials are based on a certificate or an asymmetric key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.


An identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates the user's identity and maps the Windows Hello public key to a user account during the registration step.


Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.


Authentication is two-factor: a key or certificate tied to a device is combined with something the person knows (a PIN) or something the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometric templates are stored locally on the device. The PIN is never stored or shared.


The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.


PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
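The registration and sign-in flow described above, reduced to its cryptographic core as an added example (this is illustrative code, not Microsoft's implementation): the identity provider keeps only the public key mapped to the account, the device signs a challenge with a private key that is released only by the local gesture, and the identity provider verifies the signature. The gesture is modelled by a boolean flag, and the challenge nonce is supplied by the caller; both are simplifications.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device holds the private key, which never leaves it; Unlocked stands in for
// the PIN or biometric gesture that releases the key (a simplification).
type Device struct {
	priv     *ecdsa.PrivateKey
	Unlocked bool
}

// IdP stores only public keys mapped to accounts, so a breach of its store
// yields nothing an attacker could use to sign in.
type IdP map[string]*ecdsa.PublicKey

// Provision is the registration step: the device generates a key pair and the
// identity provider records the public half against the user account.
func Provision(idp IdP, user string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	idp[user] = &priv.PublicKey
	return &Device{priv: priv}, nil
}

// Sign uses the private key only after the local gesture has unlocked it.
func (d *Device) Sign(nonce []byte) ([]byte, error) {
	if !d.Unlocked {
		return nil, errors.New("key locked: PIN or biometric gesture required")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify authenticates the user by checking the signed nonce (a random
// challenge the identity provider issued) against the registered public key.
func (s IdP) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A signature is only accepted for the exact nonce it was made over and only for an account whose public key was registered, which is why an intercepted response or a copy of the server's key store does not let anyone else sign in.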


Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.


Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
