Windows Hello for Business

Windows Hello for Business

    Overview

    Windows Hello for Business replaces passwords on Windows with a new type of user credential tied to a device that uses a biometric or PIN. It allows users to sign in with simplified methods that are both harder to steal and more resistant to attack.

     

    To enroll, you first confirm your identity with multi-factor verification and then configure a PIN and/or biometric. These allow you to unlock the device and even securely log into additional services (like Salesforce) where supported.


    When on the Windows login screen, you can always click "Sign-in options" to switch between multiple methods. Generally, it will default to whichever you used last.

    Options from left to right in the image above: smart card, security key, Windows Hello (PIN), web login, and password. The options you see depend on what has been previously registered and made available for login on that specific computer.

    Enrolling


    Windows Hello for Business will prompt you to register when first signing into a new computer with a password. If you have been using your computer for some time, you have likely set a PIN already. You can try a few guesses on the login screen before it locks out that method but just jump straight to resetting if unsure.

     

    To reset your PIN, follow this process:

    1. Open "Settings"
    2. Click "Accounts"
    3. Click "Sign-in options"
    4. Click "PIN (Windows Hello)"
    5. Click "I forgot my PIN"


    To reset or enroll in Windows Hello, you will need to complete multi-factor verification. Any of your existing methods (Authenticator app, text message, security key) will work for this purpose. Once verification is complete, you will be prompted to create a 6-digit PIN.
    To keep things simple, we recommend sticking to numbers only and using the same PIN as your phone unlock passcode if possible. Note, though, that keyboard number pads are typically in the opposite order of phone number pads.


    Info
    While you can select a checkbox during PIN creation to include letters and symbols, there is little benefit to doing so. Your PIN is meant to replace your password and because of the restrictions on how and where it is used, it is safe to use something more simple. Remember: an attacker would need possession of your device to attempt to guess your PIN and since it's expected to be an easier passcode that you enter frequently, failed guesses will quickly result in that login method being locked out and your full password being required instead.

    Biometrics

    • Fingerprint recognition: this type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. The fingerprint reader on your laptop is built into the power button in the upper right corner of your keyboard.
    • Facial recognition: this type of biometric recognition uses infrared light and special cameras to identify a face, distinguishing between photographs and living people. Not all USB webcams support Windows Hello facial recognition but your laptop's built-in webcam and the webcams built into the large video-conferencing monitors are supported.

    Biometric data is stored on the local device only. This means that it is not sent to external servers or other devices. The authentication happens purely on the device level and your face or fingerprint will only ever unlock the device it was registered on: it can't be used anywhere else or for anything else.

    You will be required to set up a PIN as a backup method. While fingerprint readers and facial recognition cameras are more reliable than ever, they rely on components that can fail or occasionally may face compatibility issues after certain updates.

      To set up biometrics, follow this process:
      1. Open "Settings"
      2. Click "Accounts"
      3. Click "Sign-in options"
      4. Click "Fingerprint recognition (Windows Hello)" or "Facial recognition (Windows Hello)"
      5. Click "Set up"
      6. Follow the prompts to register the new method (you will typically need to confirm your PIN first or set one if you haven't already)


    Summary

    Though simplified, Windows Hello for Business implements multi-factor verification principles by requiring something you have (the individual device) and either something you know (your PIN) or something that's part of you (your face/fingerprint). Because biometrics rely on additional hardware that can sometimes fail, you are required to set a PIN as backup even if you intend to exclusively use facial or fingerprint recognition.

     

    The idea here is that instead of exchanging a username and password combination with a site or service, you simply need to confirm your identity using the same means you used to unlock the device. Because it was originally enrolled with multi-factor verification, it can securely attest to your identity, and because it is tied to the one specific registered device, it is considered phishing-resistant.


    • Related Articles

    • Windows Clipboard History

      Copying and pasting can be done with your mouse, menu options, and keyboard shortcuts. But did you know your system also has the ability to keep a (limited) history of what you've copied, and that you can view those items and choose to paste from any ...
    • Windows Dynamic Lock

      What is it? With the advent of Multifactor Authentication(MFA) we now have the ability to use our cell phones to provide additional security for our PCs. Windows recently came out with a feature called Dynamic Lock which uses your phone both as a ...
    • Creating a Ticket

      Click here to see if you already have a ticket for your concern. Often when there's an issue, our first thought is to reach out to someone in IT. That's a good thing, but many times, you'll hear us start with some basic questions, so here's a quick ...
    • New Hire Orientation

      The purpose of this document is to pick up from the point after initially logging into your system. In it we will discuss some of the basics of the systems that we use at CEI. You've just logged onto your system, we set a strong password, enabled ...
    • Taking Screenshots - Using FastStone Capture

      CEI has specific software for creating and editing screenshots that goes beyond the basic functionality of the built-in Snipping Tool in Windows. FastStone Capture allows you more flexibility and additional functionality when creating and editing ...