Windows Hello is a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition. The sign-in mechanism is essentially an alternative to passwords and is widely considered to be a more user-friendly, secure and reliable method to access critical devices, services and data than traditional logins using passwords.
“Windows Hello solves a few problems: security and inconvenience,” said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy. “Traditional passwords are unsafe as they are hard to remember, and therefore people either choose easy-to-guess passwords or write down their passwords.”
It is not uncommon for people to use the same password (or variations) across multiple sites and applications. Windows Hello and other biometric authentication features like Apple’s Face ID or Touch ID are designed to offer an alternative to passwords that is unique and more secure because it relies on technology that’s harder to break.
How Windows Hello works
Windows Hello limits the attack surface for Windows 10 by eliminating the need for passwords and other methods under which identities are more likely to be stolen. “Windows Hello lets a user authenticate a Microsoft account or a non-Microsoft service that supports Fast Identity Online (FIDO) by having the user set up a gesture” such as a facial scan, iris scan or fingerprint to log into a device, said Anoosh Saboori, senior program manager lead at Microsoft.
“Windows Hello uses 3D structured light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people creating a fake head or mask to spoof the system,” Moorhead said.
Windows 10 users can set up Windows Hello in the sign-in options under account settings. Users need to establish a facial scan, iris scan or fingerprint to get started, but they can always improve those scans, and add or remove additional fingerprints. Once set up, a glance at their device or scan of a finger will unlock access to Microsoft accounts, core applications and third-party applications that use the API.
“By adopting [the] FIDO specification, partners will be delivering differentiated and innovative Windows Hello companion devices that meet the needs of both consumers and businesses, including those in heavily regulated industries,” said Saboori.
The FIDO specification was developed in 2014 by the FIDO Alliance, which now includes more than 250 companies, but was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. FIDO authentication technology is available in hundreds of devices today, according to the group.
Support for FIDO2 security keys
Following the recent introduction of the FIDO2 standard, Microsoft has updated Windows Hello to support new security keys based on the protocol and offer two-factor authentication.
That means business users can essentially carry their identity with them, securely logging in to Windows 10 devices across their workplace with USB security keys and NFC-enabled smart cards.
The security keys can authenticate to Azure Active Directory without requiring that a user enter a username or password, or even set up Windows Hello beforehand.
Microsoft has worked with security key manufacturers that support the FIDO2 protocol, including Yubico, which announced a $20 Security Key dongle last week. Other vendors supported include HID and Feitian.
In an April 17 blog post, Microsoft senior product manager Pieter Wigleven said businesses should also expect “new form factors” in the future, including authentication via a smartphone.
The Windows Hello FIDO2 Security Feature is currently in a limited preview via the Windows Technology Adoption Program. You can sign up for the preview here. Wider support is slated to become available in the next Windows 10 update.
Who uses Windows Hello?
Windows Hello is designed for both enterprises and consumers, and is gaining traction on both fronts. During Microsoft’s Ignite 2017 conference in September, the company announced more than 37 million people were already using Windows Hello and more than 200 companies had deployed Windows Hello for Business. At the time, the largest enterprise deployment outside of Microsoft’s IT team comprised more than 25,000 users, according to the company.
“Biometric fingerprint scanning is prevalent in the enterprise, but the issue is that it’s not readily used,” Moorhead said. Every major vendor has systems using Windows Hello, according to Moorhead, but market penetration is much lower than needed to start the process of replacing passwords for all Windows 10 users.
Though Windows Hello has a sizeable user base, it is dwarfed by the massive Windows 10 install base. If Microsoft can convert the majority of Windows 10 users to Windows Hello, it would be a watershed moment in the battle against clunky passwords.
Why would you want Windows Hello?
Passwords, in short, are a drag. In this age of password abundance (and human forgetfulness), security-minded users realize that a fingerprint, facial recognition or an iris scan to gain access to devices, important accounts and data is likely to be a safer option. Even so, the password “remains the most frequently used sign-in mechanism, but also a source of frustration for end users,” said Raul Castañon-Martinez, senior analyst at 451 Research.
Moving from traditional passwords to stronger forms of authentication is “one of the great challenges that we face in online computing,” said Saboori. “[Microsoft] is embracing a future without passwords by building Windows Hello into the platform experience and enabling multi-factor authentication in first- and third-party applications.”
Microsoft is working with a growing number of service providers to give its users a more seamless method to authenticate multiple accounts of importance with Windows Hello. There’s a small group of Windows Hello-compatible apps on the market today, but Microsoft says more are coming. Among the apps that can use Windows Hello now are Dropbox, Enpass, OneDrive, One Messenger and OneLocker Password Manager.
What are the hardware requirements?
Windows Hello has a relatively low barrier to entry, but it does come with specific hardware requirements. Microsoft’s Surface Pro, Surface Book and most Windows 10 PCs equipped with fingerprint scanners or cameras that can capture two-dimensional infrared spectroscopy are compatible with Windows Hello. Compatible devices from other manufacturers include HP’s Spectre X360 13, ASUS Transformer Mini T102HA and Dell XPS 13 9360.
Microsoft is also working with device manufacturers to maintain consistent performance and security for all Windows Hello users, and set high-level benchmarks and reference designs to establish baseline requirements. The acceptable performance range for fingerprint sensors is a false accept rate of less than 0.002 percent, and the acceptable range for facial recognition sensors is a false accept rate of less than 0.001 percent, according to Microsoft. That translates into 1 in 100,000 for fingerprints and half that rate for facial recognition. (For comparison purposes, Apple says the chances of fooling its Face ID are 1 in 1 million, while the chances of fooling its Touch ID are 1 in 50,000.)
Moreover, false reject rates for fingerprint and facial recognition scanners without anti-spoofing or liveness detection must fall under 5%. False reject rates for fingerprint and facial recognition scanners with anti-spoofing technology must fall under 10%, according to Microsoft’s guidelines.
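The limits above only mean something if a sensor evaluation has enough trials behind it. The following added example (not Microsoft's certification procedure and not part of the original article) checks test counts against the quoted percentage limits using a one-sided 95% Clopper-Pearson upper bound; the confidence criterion, the function names and the trial counts are assumptions made for illustration.

```python
import math

# Limits quoted in the article, converted from percent to fractions.
# The FRR limit depends on whether anti-spoofing is active during the test.
FAR_LIMIT = {"fingerprint": 0.002 / 100, "face": 0.001 / 100}
FRR_LIMIT = {False: 0.05, True: 0.10}

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), with terms built in log space."""
    total = 0.0
    for i in range(k + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)

def upper_bound(errors, trials, confidence=0.95):
    """One-sided Clopper-Pearson upper bound on the true error rate."""
    if errors >= trials:
        return 1.0
    lo, hi = errors / trials, 1.0
    alpha = 1.0 - confidence
    for _ in range(100):                 # bisection on the binomial CDF
        mid = (lo + hi) / 2
        if mid < 1.0 and binom_cdf(errors, trials, mid) > alpha:
            lo = mid                     # rate still plausible, bound is higher
        else:
            hi = mid
    return hi

def check_sensor(modality, antispoof, false_accepts, impostor_trials,
                 false_rejects, genuine_trials):
    """Assumed criterion: the 95% upper bound, not the observed rate, must beat the limit."""
    far_ub = upper_bound(false_accepts, impostor_trials)
    frr_ub = upper_bound(false_rejects, genuine_trials)
    return {"far_upper": far_ub, "frr_upper": frr_ub,
            "far_ok": far_ub < FAR_LIMIT[modality],
            "frr_ok": frr_ub < FRR_LIMIT[antispoof]}

if __name__ == "__main__":
    # Constructed trial counts, not measurements from any real sensor.
    for n in (100_000, 200_000, 300_000):
        r = check_sensor("face", True, 0, n, 45, 1000)
        print(f"{n} impostor trials, 0 false accepts: "
              f"FAR <= {r['far_upper']:.2e}, far_ok={r['far_ok']}, frr_ok={r['frr_ok']}")
```

Even with zero observed false accepts, roughly three times the reciprocal of the limit in impostor attempts is needed before the bound drops below it, which is why a short demo cannot confirm a 0.001 percent figure.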
For those not familiar with the technology, liveness detection does pretty much what it sounds like: it determines that a user is a living being before unlocking a device or app. All sensors must include anti-spoofing measures like liveness detection, but the configuration of these anti-spoofing features is optional and varies with different systems.
In addition to the built-in option, third-party devices allow Windows Hello to be added to other Windows 10 hardware.
How does Windows Hello stack up against Face ID?
Windows Hello doesn’t have direct competitors because of its exclusivity to Windows 10 devices, but it does face indirect competition from the likes of Apple, Samsung and others who provide similar technology for their devices and related ecosystems. Apple’s Face ID is now in use on the company’s popular iPhone X, and is expected to roll out to other devices in 2018, including, perhaps, the iPad and less-expensive phones next fall.
“Windows Hello has been around since 2015, but as usual it was not until Apple came out with a similar feature that this technology got more attention,” said Castañon-Martinez. The delayed recognition could actually benefit Microsoft because Apple is drawing more attention to Face ID and helping users become more familiar or comfortable with the technology, according to Castañon-Martinez.
“The initial reaction to Face ID seems to be skepticism and a lack of trust from users,” Castañon-Martinez said. That’s not uncommon for a new technology. More people are likely to embrace facial recognition biometrics as more devices with the technology are introduced and sold, he said.
According to Moorhead, Apple’s Face ID and fingerprint scanners are the most obvious competitors to Windows Hello. “Face ID works with glasses, Windows Hello doesn’t…. Windows Hello works well in the dark. Face ID, not so much,” he said. “Neither Windows Hello nor Face ID work well in very bright light, but fingerprint scanners work in the bright light and the dark.”
New authentication options for Windows Hello
Windows 10 users will get another biometric authentication method: the ability to sign in with a wave of their hand. This is due to a partnership between Microsoft and Fujitsu to integrate the company's PalmSecure vein scanning technology with Windows Hello; the move was announced in February.
According to Fujitsu, palm vein scans are more accurate and secure than other biometric methods such as iris, face, fingerprint or voice recognition, all of which are easier to forge. For example, researchers at Syss recently showed how, on machines running older versions of Windows 10, Windows Hello’s facial recognition could be bypassed using a printed photo of an authorized person.
Fujitsu has also sold vein-scanning technology – first commercialized by Hitachi in 2005 – for around a decade, and includes banks, universities and healthcare providers among its customers. The technology works by mapping the veins under a person’s skin with infrared rays. This vein pattern image – unique to each individual – is compared to a pre-registered pattern to authenticate the user.
The idea is to reassure IT admins that corporate hardware will remain secure, particularly for remote workers. The PalmSecure technology has been integrated with Fujitsu’s Windows 10 devices in its Lifebook laptop and Stylistic tablet line-ups, and is available as a standalone USB sensor.
What’s next for Windows Hello in the enterprise?
Despite Windows Hello’s slow start and a delayed uptick in usage, Castañon-Martinez is convinced it will become a standard feature available across devices.
“As consumers and enterprise upgrade their devices and software, it’ll be a matter of whether they choose to use it or not,” he said. “IT can prepare by getting familiar with the technology and its security standards. It is more likely that, once users become comfortable with it, they will prefer this type of sign-in mechanism.”
Moorhead said the onus is on businesses to push for greater adoption.
“Businesses need to stop complaining about security and start doing something about it. The technology is there, they just need to start adopting it,” he said. “Multi-factor biometric authentication is readily available and tested, so I think the time is now to implement it not just for device access, but for apps as well.”