Sunday, 30 Jun 2024

Windows Hello for Business – Enhancing Security and Convenience


Windows Hello is a cutting-edge authentication technology that offers users the ability to sign in to their Windows devices using biometric data or a PIN, eliminating the need for traditional passwords. This innovative solution provides enhanced security through phish-resistant two-factor authentication and built-in brute force protection. Moreover, with FIDO/WebAuthn integration, Windows Hello can also be used to sign in to supported websites, reducing the burden of remembering multiple complex passwords.

Windows Hello for Business takes this authentication technology a step further, providing enterprise-grade security and management capabilities. This extension of Windows Hello incorporates features such as device attestation, certificate-based authentication, and conditional access policies. By deploying policy settings to devices, organizations can ensure that they are secure and compliant with their requirements.

Authentication and Security Differences

Windows Hello for Business offers additional authentication and security features compared to Windows Hello:

Authentication

  • Users can authenticate to:
    • A Microsoft Entra ID account
    • An Active Directory account
    • Identity provider (IdP) or relying party (RP) services that support Fast ID Online (FIDO) v2.0 authentication.

On the other hand, Windows Hello allows users to authenticate to:

  • A Microsoft account
  • Identity provider (IdP) or relying party (RP) services that support Fast ID Online (FIDO) v2.0 authentication.

Security

Windows Hello for Business uses key-based or certificate-based authentication, which eliminates the risk of a stolen password: no symmetric secret is exposed on a server or susceptible to phishing attacks. Enhanced security is available on devices equipped with a Trusted Platform Module (TPM).

With Windows Hello, by contrast, users can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but it can use a password hash depending on the account type. This configuration is known as the Windows Hello convenience PIN, and it does not use asymmetric (public/private key) or certificate-based authentication.

Benefits of Windows Hello for Business

Windows Hello for Business offers numerous advantages, including:

  • Strengthened protection against credential theft, as an attacker needs both the device and the biometric or PIN to gain access without the user’s knowledge.
  • Mitigated phishing and brute force attacks by eliminating the use of passwords.
  • Protection against server breaches and replay attacks, because credentials are asymmetric keys held in isolated TPM environments.
  • Simple and convenient authentication method backed up with a PIN, which users always have with them. The use of a PIN does not compromise security, thanks to the built-in brute force protection.
  • Flexibility to add biometric devices during a coordinated rollout or as required for specific users.


Windows Hello and Two-Factor Authentication

Windows Hello for Business utilizes a two-factor authentication method that combines a device-specific credential with a biometric or PIN gesture. This credential is tied to an identity provider, such as Microsoft Entra ID or Active Directory, and can be used to access organization apps, websites, and services.

During provisioning, Windows Hello is set up on the user’s device after an initial two-step verification. Windows prompts the user to set a gesture, which can be a biometric or PIN. The user provides the gesture to verify their identity, and Windows subsequently employs Windows Hello for user authentication.

Windows Hello for Business offers two-factor authentication by incorporating two of the three observed authentication factors: something you have, something you know, and something that is part of you. With the appropriate hardware, biometrics can replace the something you know factor with the something that is part of you factor, while still allowing users to fall back to the something you know factor when necessary.

Biometric Sign-In

Windows Hello delivers reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Special infrared (IR) cameras and software work collaboratively to enhance accuracy and guard against spoofing. Many hardware vendors are now shipping devices equipped with Windows Hello-compatible cameras and fingerprint readers.

On devices that support Windows Hello, a simple biometric gesture unlocks users’ credentials:

  • Facial recognition: This biometric recognition technology uses IR cameras to differentiate between a living person and a photograph or scan. Several vendors offer external cameras incorporating this technology, and many laptop manufacturers integrate it into their devices.
  • Fingerprint recognition: Windows Hello supports capacitive fingerprint sensors for precise fingerprint scanning. Most existing fingerprint readers, whether integrated into laptops, USB keyboards, or external devices, are compatible with Windows Hello.
  • Iris recognition: Windows Hello also enables iris recognition, which employs cameras to scan users’ irises. HoloLens 2 is an example of a Microsoft device that features an iris scanner.

Windows securely stores biometric data necessary for implementing Windows Hello solely on the local device. This data does not roam and is never transmitted to external devices or servers. Since biometric identification data is stored only on the device, there is no centralized collection point that an attacker can compromise to steal biometric data.

Windows Edition and Licensing Requirements

Windows Hello for Business is supported by the following Windows editions:

  • Windows Pro
  • Windows Enterprise
  • Windows Pro Education/SE
  • Windows Education

Licensing requirements for Windows Hello for Business are granted through the following licenses:

  • Windows Pro/Pro Education/SE
  • Windows Enterprise E3
  • Windows Enterprise E5
  • Windows Education A3
  • Windows Education A5

For more detailed information on Windows licensing, refer to the Windows licensing overview.

Hardware Requirements

Microsoft collaborates with manufacturers to ensure a high level of performance and protection for each sensor and device. These requirements include:

  • False Accept Rate (FAR): Represents the instances in which a biometric identification solution mistakenly verifies an unauthorized person. It is usually expressed as a ratio or percentage.
  • False Reject Rate (FRR): Represents the instances when a biometric identification solution fails to correctly verify an authorized person. The sum of the True Accept Rate and False Reject Rate is always 1.

Fingerprint Sensor Requirements

To enable fingerprint matching, devices must be equipped with fingerprint sensors and software. Fingerprint sensors can be touch sensors (large area or small area) or swipe sensors. All sensor types must comply with specific requirements and incorporate anti-spoofing measures.

Acceptable performance ranges for touch sensors include:

  • False Accept Rate (FAR): <0.001 – 0.002%
  • Effective, real-world FRR with Anti-spoofing or liveness detection: <10%

Acceptable performance ranges for swipe sensors include:

  • False Accept Rate (FAR): <0.002%
  • Effective, real-world FRR with Anti-spoofing or liveness detection: <10%

Facial Recognition Sensors

Facial recognition requires devices with integrated special infrared (IR) sensors and software. These sensors utilize IR light to differentiate between a photo and a living person during the scanning process. Like fingerprint sensors, facial recognition sensors must incorporate anti-spoofing measures (required) and provide configuration options (optional).

  • False Accept Rate (FAR): <0.001%
  • False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
  • Effective, real-world FRR with Anti-spoofing or liveness detection: <10%
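
An added example (not from the original article or from Microsoft) showing how measured match scores would be checked against the FAR and FRR limits listed above, and why a run with zero false accepts only demonstrates FAR < 0.001% once enough impostor attempts have been made. The score lists, the 0.52 threshold and all function names are constructed for illustration; the confidence bound uses a Poisson approximation.

```python
import math

FAR_LIMIT = 0.001 / 100   # facial recognition FAR limit quoted above: <0.001%
FRR_LIMIT = 10 / 100      # effective FRR with anti-spoofing quoted above: <10%

def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    term = total = math.exp(-lam)
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total

def far_upper_bound(false_accepts, attempts, confidence=0.95):
    """One-sided upper bound on the true FAR (Poisson approximation).

    With zero observed false accepts this is the "rule of three": about 3/N.
    """
    lo, hi = 0.0, false_accepts + 50.0
    for _ in range(100):               # bisection on the expected count
        mid = (lo + hi) / 2
        if poisson_cdf(false_accepts, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi / attempts

def evaluate(genuine, impostor, threshold):
    """A score >= threshold is an accept. Returns observed rates and verdicts."""
    fa = sum(s >= threshold for s in impostor)
    fr = sum(s < threshold for s in genuine)
    frr = fr / len(genuine)
    bound = far_upper_bound(fa, len(impostor))
    return {"far": fa / len(impostor), "far_bound": bound,
            "frr": frr, "tar": 1 - frr,
            "far_demonstrated": bound < FAR_LIMIT,
            "frr_ok": frr < FRR_LIMIT}

def demo(impostor_attempts):
    # Constructed scores: genuine users over [0.5, 1.0], impostors over [0, 0.5).
    genuine = [0.5 + 0.5 * i / 999 for i in range(1000)]
    impostor = [0.5 * i / impostor_attempts for i in range(impostor_attempts)]
    return evaluate(genuine, impostor, threshold=0.52)

if __name__ == "__main__":
    for n in (50_000, 400_000):
        print(n, demo(n))
```

Both runs observe a FAR of exactly zero, but only the 400,000-attempt run supports the claim that the true FAR is below 0.001% at 95% confidence.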

Iris Recognition Sensor Requirements

To use iris authentication, a HoloLens 2 device is required. All HoloLens 2 editions are equipped with the same sensors. Iris authentication is implemented similarly to other Windows Hello technologies and achieves a biometric security FAR of 1 in 100,000.

For more information on the hardware requirements for Windows Hello, consult the Windows Hello biometric requirements.

Frequently Asked Questions

Q: What is the difference between Windows Hello and Windows Hello for Business?

A: Windows Hello for Business is an extension of Windows Hello that provides enhanced security and management capabilities for enterprise environments. It offers features such as device attestation, certificate-based authentication, and conditional access policies.

Q: Can Windows Hello for Business be used to sign in to websites?

A: Yes, Windows Hello for Business can be used to sign in to supported websites, reducing the need for multiple passwords.

Q: Is Windows Hello for Business compatible with biometric devices?

A: Yes, Windows Hello for Business supports various biometric devices, including fingerprint sensors, facial recognition cameras, and iris scanners.

Q: Does Windows Hello for Business store biometric data on external servers?

A: No, Windows Hello for Business securely stores biometric data only on the local device, ensuring user privacy and security.

Q: Which Windows editions support Windows Hello for Business?

A: Windows Pro, Windows Enterprise, Windows Pro Education/SE, and Windows Education editions support Windows Hello for Business.

Conclusion

Windows Hello for Business transforms the authentication experience for users, combining convenience and security. By leveraging biometrics and PIN gestures, Windows Hello for Business ensures that only authorized individuals can access devices, apps, and services. Moreover, its enterprise-grade security features and management capabilities provide organizations with a robust solution to protect sensitive information and enhance compliance.
