And hello to the replacement for long, complicated passwords: strong two-factor authentication with Windows Hello for Business.
What is Windows Hello?
Windows Hello for Business replaces passwords with strong authentication. The authentication consists of a user credential that is tied to a device and uses a PIN or a biometric (face or fingerprint). It is available on Windows 10 devices with a camera that supports Windows Hello.
When you set up Windows Hello, you're asked to create a PIN first. This PIN lets you sign in when you can't use your preferred biometric.
Why a PIN is better than a password
The PIN is tied to the specific device on which it was set up. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too.
Passwords are transmitted to a server and can be intercepted in transmission or stolen from the server. The PIN is local to the device and therefore not transmitted to or stored on a server.
A Windows Hello for Business PIN has the same set of management policies as a password, such as complexity, length, expiration and history.
Why Windows Hello for Business?
- Strong passwords can be difficult to remember
- Users often re-use passwords on different sites
- Server breaches and other attacks can expose passwords
- Employees who are tricked into sharing a password are one of the biggest security threats for companies
You can easily change, configure and manage the settings for Windows Hello use in the organization. These settings are available in both User Configuration and Computer Configuration, under Policies > Administrative Templates > Windows Components > Windows Hello for Business.
Windows Hello uses a type of protection (TPM) that locks the device if someone attempts to sign in but fails many times. For devices that don't have this protection, additional protection can be set up in BitLocker, where you can easily set a limit for failed sign-ins.
Windows Hello can easily be deployed on devices, and it requires Azure AD. You can read more about Azure AD in this previous article. Two additional features you should consider using with Windows Hello are Conditional Access and PIN reset.