Windows Hello for Business
Overview
Windows Hello for
Business replaces passwords on Windows with a new type of user
credential tied to a device that uses a biometric or PIN. It allows users to sign in with simplified methods that are both harder
to steal and more resistant to attack.
To enroll, you
first confirm your identity with multi-factor verification and then configure
a PIN and/or biometric. These allow you to unlock the device and even securely
log into additional services (like Salesforce) where supported.
When on the Windows login screen, you can always click "Sign-in options" to switch between multiple methods. Generally, it will default to whichever you used last.
Options from left to right in the image above: smart card, security key, Windows Hello (PIN), web login, and password. The options you see depend on what has been previously registered and made available for login on that specific computer.
Enrolling
Windows Hello for
Business will prompt you to register when first signing into a new computer
with a password. If you have been using your computer for some time, you have
likely set a PIN already. You can try a few guesses on the login screen before
it locks out that method but just jump straight to resetting if unsure.
To reset your PIN,
follow this process:
- Open
"Settings"
- Click "Accounts"
- Click "Sign-in
options"
- Click "PIN (Windows
Hello)"
- Click "I forgot my
PIN"
To reset or enroll
in Windows Hello, you will need to complete multi-factor verification. Any of
your existing methods (Authenticator app, text message, security key) will
work for this purpose. Once verification is complete, you will be prompted to
create a 6-digit PIN.
To keep things simple, we recommend sticking to numbers
only and using the same PIN as your phone unlock passcode if possible. Note, though, that keyboard number pads are typically in the opposite order of phone number
pads.
While you can
select a checkbox during PIN creation to include letters and symbols, there is little benefit to
doing so. Your PIN is meant to replace your password and because of the
restrictions on how and where it is used, it is safe to use something more
simple. Remember: an attacker would need possession of your device to attempt
to guess your PIN and since it's expected to be an easier passcode that you
enter frequently, failed guesses will quickly result in that login method
being locked out and your full password being required instead.
Biometrics
- Fingerprint recognition:
this type of biometric recognition uses a capacitive fingerprint sensor
to scan your fingerprint. Fingerprint readers have been available for
Windows computers for years, but the current generation of sensors is
significantly more reliable and less error-prone. The fingerprint reader on your laptop is built into the power button in the upper right corner of your keyboard.
- Facial recognition: this
type of biometric recognition uses infrared light and special cameras to
identify a face, distinguishing between photographs and living people.
Not all USB webcams support Windows Hello facial recognition but your
laptop's built-in webcam and the webcams built into the large
video-conferencing monitors are supported.
Biometric data is
stored on the local device only. This means that it is not sent to external
servers or other devices. The authentication happens purely on the device
level and your face or fingerprint will only ever unlock the device it was
registered on: it can't be used anywhere else or for anything else.
You will be required to set up a PIN as a backup method. While fingerprint readers and facial recognition cameras are more reliable than ever, they rely on components that can fail or occasionally may face compatibility issues after certain updates.
Summary
Though simplified,
Windows Hello for Business implements multi-factor verification principles by
requiring something you have (the individual device) and either something you
know (your PIN) or something that's part of you (your face/fingerprint).
Because biometrics rely on additional hardware that can sometimes fail, you
are required to set a PIN as backup even if you intend to exclusively use
facial or fingerprint recognition.
The idea here is
that instead of exchanging a username and password combination with a site or
service, you simply need to confirm your identity using the same means you
used to unlock the device. Because it was originally enrolled with
multi-factor verification, it can securely attest to your identity, and
because it is tied to the one specific registered device, it is considered
phishing-resistant.
Related Articles
Windows Clipboard History
Copying and pasting can be done with your mouse, menu options, and keyboard shortcuts. But did you know your system also has the ability to keep a (limited) history of what you've copied, and that you can view those items and choose to paste from any ...
Windows Dynamic Lock
What is it? With the advent of Multifactor Authentication(MFA) we now have the ability to use our cell phones to provide additional security for our PCs. Windows recently came out with a feature called Dynamic Lock which uses your phone both as a ...
Creating a Ticket
Click here to see if you already have a ticket for your concern. Often when there's an issue, our first thought is to reach out to someone in IT. That's a good thing, but many times, you'll hear us start with some basic questions, so here's a quick ...
New Hire Orientation
The purpose of this document is to pick up from the point after initially logging into your system. In it we will discuss some of the basics of the systems that we use at CEI. You've just logged onto your system, we set a strong password, enabled ...
Taking Screenshots - Using FastStone Capture
CEI has specific software for creating and editing screenshots that goes beyond the basic functionality of the built-in Snipping Tool in Windows. FastStone Capture allows you more flexibility and additional functionality when creating and editing ...