Authentication: the act of proving one’s identity to the satisfaction of some central authority. To most, this process means typing in a username and a password. It’s been this way for years and years.
But passwords — especially the passwords that most enterprises require, which have to be complex, with long strings of numbers and specially cased phrases with some (but not all! heavens no, not the one you want) symbols — are difficult to remember and often end up getting written down on sticky notes. Then you have to reset them every so often so that hackers and crackers are working toward moving targets.
Passwords can be leaked or hacked from the inside as well, as we have seen with numerous credential dump attacks over the past few years. And users can accidentally disclose their passwords if they fall victim to increasingly sophisticated phishing attacks.
Luckily for Windows shops, Microsoft has introduced an enterprise-quality method of using biometric identification and authentication without requiring the purchase of high-end hardware — and it is baked right into Windows 10, which many IT departments are beginning to deploy to replace Windows 7, 8 and 8.1. In this piece, I want to take a look at this innovation, called Windows Hello for Business, explain how it works and show how to enable it to secure your enterprise while eliminating the need for your users to handle cumbersome passwords.
How Windows Hello for Business works
Windows Hello is the most common and most widely known of the biometric authentication schemes that Windows supports. It lets Windows 10 users who have devices with fingerprint readers or special cameras log into Windows via fingerprint or facial recognition.
Windows Hello for Business takes the Hello idea and bundles it with management tools and enforcement techniques to ensure a uniform security profile and enterprise security posture. Windows Hello for Business uses Group Policy or mobile device management (MDM) policies for management and enforcement, and leverages key- and certificate-based authentication in most cloud-focused scenarios for maximum protection.
Windows Hello acts on one of two fronts: It can scan one’s fingerprint, or it can take an infrared picture of a user’s face and perform analysis on it. (Hello also supports iris scanning, but since iris cameras are better suited to phones than to laptops or desktop displays, the former two methods are more practical for the enterprise.) It pairs these unique physical attributes of each user with cryptographic keys that replace passwords as authentication methods. These keys are stored within specialized security hardware, or are encrypted in software, and unlocked only after Windows deems them authentic. For organizations uninterested in biometrics, Windows Hello also supports PIN usage to replace passwords transmitted over the network.
Windows Hello protects Microsoft accounts (the accounts you use to log in to Microsoft cloud services, Xbox, Office 365 and the like), domain accounts that are part of a corporate Active Directory deployment, domain accounts joined to an Azure Active Directory domain (these are relatively new), and in the future, accounts protected by federated identity providers that will support the Fast ID Online (IDO) 2.0 protocol.
Why is Windows Hello considered stronger than a traditional password? For one, security is always better in threes — the best method of authentication is to provide something you have, something you know, and something you are. In this case, Windows Hello can authenticate users by satisfying all three rules: something you have (your private key, which is protected by your device’s security module), something you know (the PIN that is used by default by Windows Hello from the point of registration onward), and something you are (either your face, which is exceedingly difficult to copy and use in a malicious way, or your fingerprint, which again without removing digits is difficult to copy and use nefariously).
What is most interesting is that all of these biometrics are stored on the local device only and are not centralized into the directory or some other authentication source; this means credential harvesting attacks are no good against Windows Hello-enabled accounts simply because the credentials do not exist in the place that would be hacked. While it is technically possible each device’s trusted platform module, or TPM, could be hacked, an attacker would have to crack each individual user’s machine, versus simply executing a successful attack against a single vulnerable domain controller.