Authentication: the act of proving one’s identity to the satisfaction of some central authority. To most, this process means typing in a username and a password. It’s been this way for years and years.
But passwords — especially the passwords that most enterprises require, which have to be complex, with long strings of numbers and specially cased phrases with some (but not all! heavens no, not the one you want) symbols — are difficult to remember and often end up getting written down on sticky notes. Then you have to reset them every so often so that hackers and crackers are working toward moving targets.
Passwords can be leaked or hacked from the inside as well, as we have seen with numerous credential dump attacks over the past few years. And users can accidentally disclose their passwords if they fall victim to increasingly sophisticated phishing attacks.
Luckily for Windows shops, Microsoft has introduced an enterprise-quality method of using biometric identification and authentication without requiring the purchase of high-end hardware — and it is baked right into Windows 10, which many IT departments are beginning to deploy to replace Windows 7, 8 and 8.1. In this piece, I want to take a look at this innovation, called Windows Hello for Business, explain how it works and show how to enable it to secure your enterprise while eliminating the need for your users to handle cumbersome passwords.
How Windows Hello for Business works
Windows Hello is the most common and most widely known of the biometric authentication schemes that Windows supports. It lets Windows 10 users who have devices with fingerprint readers or special cameras log into Windows via fingerprint or facial recognition.
Windows Hello for Business takes the Hello idea and bundles it with management tools and enforcement techniques to ensure a uniform security profile and enterprise security posture. Windows Hello for Business uses Group Policy or mobile device management (MDM) policies for management and enforcement, and replaces the password with key-based or certificate-based authentication: key-based in cloud-oriented deployments, certificate-based where an on-premises public key infrastructure already exists.
Windows Hello acts on one of two fronts: It can scan one’s fingerprint, or it can take an infrared picture of a user’s face and perform analysis on it. (Hello also supports iris scanning, but since iris cameras are better suited to phones than to laptops or desktop displays, the former two methods are more practical for the enterprise.) It pairs these unique physical attributes of each user with cryptographic keys that replace passwords as authentication methods. These keys are stored within specialized security hardware, or are encrypted in software, and unlocked only after Windows deems the gesture authentic. For organizations uninterested in biometrics, Windows Hello also supports a PIN; unlike a password, the PIN only unlocks the key held on the local device and is never sent over the network.
Windows Hello protects Microsoft accounts (the accounts you use to log in to Microsoft cloud services, Xbox, Office 365 and the like), domain accounts that are part of a corporate Active Directory deployment, Azure Active Directory accounts (a relatively new option), and accounts protected by federated identity providers that support the Fast ID Online 2.0 (FIDO2) protocol.
Why is Windows Hello considered stronger than a traditional password? The classic rule is that strong authentication combines at least two of: something you have, something you know, and something you are. Windows Hello for Business is a two-factor scheme along those lines. The first factor is something you have: the private key, which is bound to the device and protected by its security module. The second is the gesture that unlocks that key, either something you know (the PIN, which is set up at registration and always remains available as a fallback) or something you are (a face or a fingerprint, both far harder to steal and replay than a password). A phished PIN is also worth far less than a phished password, because it only works on the one device whose key it unlocks.
What is most interesting is that the biometric templates and the private key stay on the local device; they are not centralized in the directory or any other authentication source. The identity provider only ever holds the public key, which is useless to an attacker on its own, so a credential dump from a compromised domain controller does not yield anything that can be replayed as a Windows Hello logon. While it is technically possible that an individual device’s trusted platform module (TPM) could be attacked, an attacker would have to go after each user’s machine separately, rather than executing one successful attack against a single vulnerable domain controller. One caveat: as long as the account still has a password, that password remains a harvestable credential, so Hello reduces the value of the directory as a target but does not eliminate it until passwords are actually phased out.
Facial recognition requires specialized hardware: cameras that see in infrared, which can tell the difference between a photograph of a person and the real presence of that person. Most laptop manufacturers now include Hello-compliant cameras in their corporate lines of devices, and compliant cameras can be purchased separately for existing machines, making a staged rollout possible.
Fingerprint readers, of course, have been around for years, and most readers that already work with Windows also work with Windows Hello; Microsoft says the newest generation of sensors captures a usable print on the first touch or swipe, eliminating the repeated swipes that some previous models required.
It is important to note that you can use fingerprint sensors, facial cameras, PIN entry or a combination of approaches in your organization. In fact, a user can register a fingerprint, face print and PIN on the same device so he or she can choose which authentication method to use when logging in. Each of these authentication methods is called a “gesture,” and a successful gesture is what releases the private key so that it can be used to prove the user’s identity.
The registration process
To use Windows Hello, you must register your user account so that Windows can generate the proper elements to replace the traditional password. First, the user configures an account on the device (or the administrator adds a user account to the device). The user authenticates the normal way during the registration process, with a username and password, and the authentication source, most likely Active Directory, issues its standard yay or nay to that user’s credentials. The user then sets a PIN, which is bound to that specific device and that specific user account.
Windows then generates a key pair, a public half and a private half. The private half is created in and protected by the device’s TPM, or, on a device without a TPM, is encrypted and stored in software; the public half is what gets registered with the identity provider. This key pair is the authentication key. The PIN “gesture” is tied to its own protector key, which wraps the authentication key so that the private half can be used only after the correct PIN has been supplied.
Later in this process, the user can register biometric gestures as well. Each gesture gets its own protector key that wraps the authentication key. The container holds only one authentication key, but multiple copies of that single key can be wrapped by the different protector keys associated with the different gestures registered on the device.
There is also an administrative key that Windows automatically generates so that credentials can be reset when necessary, and the TPM also has its normal block of data that contains attestations and other TPM-related information.
After the PIN is established and the initial protector key is created as I just described, the user can use the PIN to authenticate to the device in a trusted way. Windows will then let him or her register biometric gestures — a fingerprint or face print, or both — for additional authentication methods.
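Before enrolling users it helps to know which devices can hold the key in hardware and which have a biometric sensor, since a machine without a usable TPM silently falls back to a software-protected key. The readiness check below is an added example, not code from the article or from Microsoft; it relies only on the Get-Tpm, Win32_Tpm, Get-PnpDevice and Get-Service commands that ship with Windows 10, and the function name Test-HelloReadiness is my own.

```powershell
# Added example (not from the article): pre-enrollment readiness check for
# Windows Hello for Business on a Windows 10 client. Run from an elevated
# PowerShell prompt; Get-Tpm requires administrator rights.
#Requires -RunAsAdministrator

function Test-HelloReadiness {
    $result = [ordered]@{}

    # 1. TPM: Hello keeps the private key in the TPM when one is present and
    #    ready; otherwise it falls back to a software-protected key.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first token is the TPM specification version Hello cares about.
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmSpecVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # 2. Biometric hardware: fingerprint readers and Hello face sensors enumerate
    #    under the Biometric device class. Absence is not fatal; the PIN still works.
    $bio = Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue |
           Where-Object Status -eq 'OK'
    $result.BiometricDevices = @($bio | ForEach-Object FriendlyName)

    # 3. The Windows Biometric Service must be running for any biometric gesture.
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue
    $result.BiometricServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 4. Summarise: hardware-backed keys need a present and ready TPM;
    #    biometric gestures need a working sensor plus the service.
    $result.HardwareKeyCapable = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $result.BiometricCapable   = [bool]($result.BiometricDevices.Count -gt 0 -and
                                        $result.BiometricServiceRunning)

    [pscustomobject]$result
}

Test-HelloReadiness | Format-List
```

Run it across a pilot OU (for example through Invoke-Command) and sort the results by HardwareKeyCapable: those machines are the ones on which the "Use a hardware security device" policy discussed later can be enforced without blocking enrollment.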
Enforcing Windows Hello for Business through Group Policy
As you might imagine, you set up Windows Hello for Business and enforce it across the organization through Group Policy. Within the Group Policy Management Console, the settings live under Policies > Administrative Templates > Windows Components > Windows Hello for Business in both the Computer Configuration and User Configuration nodes. The important policies to configure are:
- Use Windows Hello for Business: Set this to Enabled to get started with the deployment.
- Use biometrics: Set this to Enabled to allow fingerprint- or face-recognition gestures instead of supporting only a PIN.
- Use a hardware security device: Set this to Enabled to require that keys be generated in a TPM. Without it, a device with no usable TPM silently falls back to a software-protected key; with it, such a device will not provision Windows Hello for Business at all, so check your hardware inventory before turning it on.
Alternatively, if you already have mobile device management (MDM) software deployed, you can push the same settings with Microsoft’s MDM policies. They are exposed through the PassportForWork configuration service provider (CSP), a defined tree of settings that your MDM tool either supports natively or lets you address by node path (OMA-URI) before you can begin configuring and enforcing policies.
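The following script is an added example, not code from the article or from Microsoft, of building that GPO with the GroupPolicy RSAT module. It writes the registry values behind the Passport.admx policies under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork; the Enabled and RequireSecurityDevice value names are the documented ones, the Biometrics\Enabled path for “Use biometrics” is an assumption you should confirm against your own Passport.admx, and the GPO name and OU are placeholders.

```powershell
# Added example (not from the article): create and link a GPO that turns on
# Windows Hello for Business, requires a TPM-backed key, and allows biometric
# gestures, by setting the registry values behind the Passport.admx policies.
# Needs the GroupPolicy RSAT module and rights to create and link GPOs.
#Requires -Modules GroupPolicy

$gpoName  = 'Windows Hello for Business - Enable'   # assumed name
$targetOu = 'OU=Workstations,DC=corp,DC=example'    # assumed OU; adjust to your domain

$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork'

# Registry value -> Group Policy setting (Computer Configuration > Policies >
# Administrative Templates > Windows Components > Windows Hello for Business):
#   Enabled               = 1 -> "Use Windows Hello for Business"
#   RequireSecurityDevice = 1 -> "Use a hardware security device" (no software-key fallback)
#   Biometrics\Enabled    = 1 -> "Use biometrics" (assumption: verify against Passport.admx)
$settings = @(
    @{ Key = $policyKey;              ValueName = 'Enabled';               Value = 1 },
    @{ Key = $policyKey;              ValueName = 'RequireSecurityDevice'; Value = 1 },
    @{ Key = "$policyKey\Biometrics"; ValueName = 'Enabled';               Value = 1 }
)

# Create the GPO if it does not exist yet (idempotent re-runs).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Enforce Windows Hello for Business with TPM-backed keys'
}

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName `
                        -Type DWord -Value $s.Value | Out-Null
}

# Link to the workstation OU; an existing link raises an error we can ignore.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what the GPO now carries so the change can be reviewed.
foreach ($s in $settings) {
    Get-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName |
        Select-Object FullKeyPath, ValueName, Value
}

# MDM equivalent through the PassportForWork CSP, as OMA-URI nodes (for example
# in an Intune custom policy); <TenantId> is your Azure AD tenant ID:
#   ./Device/Vendor/MSFT/PassportForWork/<TenantId>/Policies/UsePassportForWork    = true
#   ./Device/Vendor/MSFT/PassportForWork/<TenantId>/Policies/RequireSecurityDevice = true
#   ./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics                  = true
```

Link the GPO to a pilot OU first: once RequireSecurityDevice is in effect, any machine without a ready TPM stops provisioning Hello, so the readiness data from your hardware inventory should drive the OU membership.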
Active Directory requirements
Fully enabling Windows Hello for Business on-premises will most likely require you to add at least one Windows Server 2016 domain controller to your domain. You do not have to raise your domain or forest functional level, but the key-based (key trust) model needs the Windows Server 2016 schema and a 2016 DC to authenticate users with their Hello keys; the certificate-based (certificate trust) model works with older domain controllers. One alternative to shelling out for a 2016 license is to use Azure Active Directory to deploy Windows Hello.
Microsoft’s documentation lists exactly what is required from a prerequisite standpoint. In particular, pay close attention to the key trust and certificate trust requirements: if you already have a public key infrastructure deployed in production, certificate trust is the easier starting point; if you are largely cloud oriented, key trust is the one to go with for your first Windows Hello deployments.
Key points to consider
Some important points to remember:
- Credentials enrolled in Windows Hello for Business are bound to the individual laptop, desktop or mobile device on which they were enrolled, and the token issued after a successful verification is likewise limited to that single device.
- During registration, Active Directory, Azure AD or the Microsoft account service authenticates the user and associates the Windows Hello public key with the user account. The key pair can be generated in a TPM (version 1.2 or 2.0) or, on devices without suitable TPM hardware, in software. Neither the biometric data nor the private key roams between devices or is shared with the server; both are stored locally and never leave the device. When the PIN is entered or the face or fingerprint is presented, Windows 10 uses the private key in the TPM to sign data that is sent to the authentication source; the PIN and the biometric themselves are never transmitted.
- According to Microsoft: “Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.” In practice, this means that keys get commingled within one secure container, although they are delineated by their native identity provider so that the wrong key is not sent to the wrong provider.
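To confirm on a client that a user actually ended up with a device-bound Hello key, the built-in dsregcmd /status tool reports the provisioning state as “Name : Value” lines. The script below is an added example, not code from the article or from Microsoft: it parses that output (the field names NgcSet, NgcKeyId, PreReqResult, TpmProtected and KeySignTest are the ones dsregcmd prints on current Windows 10 builds; older builds omit the prerequisite-check section), and the sample text embedded at the end is constructed so the parser can be tried without a joined machine.

```powershell
# Added example (not from the article): post-enrollment verification of Windows
# Hello for Business on a client, based on the text output of dsregcmd /status.
# Run in the enrolled user's own session; the user-state fields are per user.

function ConvertFrom-DsregText {
    param([string[]]$Lines)
    # dsregcmd prints "Name : Value" lines grouped under boxed section headers;
    # header and separator lines do not match and are skipped.
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $map[$matches[1]] = $matches[2]
        }
    }
    return $map
}

function Get-DsregStatus {
    ConvertFrom-DsregText -Lines (dsregcmd /status 2>$null)
}

function Test-HelloEnrollment {
    param([hashtable]$Status = (Get-DsregStatus))

    function Get-Field([string]$Name) {
        if ($Status.ContainsKey($Name)) { $Status[$Name] } else { 'n/a' }
    }

    $report = [pscustomobject]@{
        DomainJoined       = Get-Field 'DomainJoined'
        AzureAdJoined      = Get-Field 'AzureAdJoined'
        NgcSet             = Get-Field 'NgcSet'        # YES once a Hello key pair exists for this user here
        NgcKeyId           = Get-Field 'NgcKeyId'      # identifier of that key pair
        PolicyEnabled      = Get-Field 'PolicyEnabled' # Ngc Prerequisite Check section (newer builds)
        PreReqResult       = Get-Field 'PreReqResult'  # WillProvision / WillNotProvision
        DeviceTpmProtected = Get-Field 'TpmProtected'  # refers to the device key, not the user's Hello key
        DeviceKeySignTest  = Get-Field 'KeySignTest'   # PASSED when the device key can sign
    }

    $enrolled = ($report.NgcSet -eq 'YES')
    $report | Add-Member -NotePropertyName HelloKeyEnrolled -NotePropertyValue $enrolled
    $report | Add-Member -NotePropertyName Finding -NotePropertyValue $(
        if ($enrolled) { 'Hello key present; user can sign in with PIN/biometric on this device' }
        elseif ($report.PreReqResult -eq 'WillProvision') { 'Not yet enrolled; will provision at next sign-in' }
        else { 'Not enrolled; check PolicyEnabled, join state and the TPM policy' }
    )
    return $report
}

# Live check on this machine:
Test-HelloEnrollment | Format-List

# Constructed sample in dsregcmd's output format (dummy key ID), so the parser
# and the decision logic can be exercised anywhere:
$sampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
              TpmProtected : YES
               KeySignTest : PASSED
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {aaaaaaaa-1111-2222-3333-444444444444}
'@
$sample = ConvertFrom-DsregText -Lines ($sampleText -split "`r?`n")
Test-HelloEnrollment -Status $sample | Format-List
```

The distinction in the comments matters: TpmProtected and KeySignTest describe the device registration key, so a YES there does not by itself prove the user’s Hello key is in the TPM. Whether it is depends on the TPM being present and ready at enrollment time and on the “Use a hardware security device” policy.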
The last word
Security experts for years have been calling for the death of passwords, but that goal has always been deferred by the lack of a seamless, affordable, user-friendly alternative for authentication. In practice, it was always going to take Microsoft putting biometric features inside Windows, the most popular operating system, to spur enough organizations to look into passwordless authentication. It appears that with Windows 10, the Redmond software giant has done just enough to warrant the attention of enterprises everywhere.
While it is unlikely that your shop is in a position to remove passwords entirely, new machines you deploy can use this option by default, and as you migrate to Windows 10 at your own pace you can work Windows Hello for Business into your security profile step by step.