Microsoft implemented Windows Hello for Business, a new credential in Windows 10, to help increase security when accessing corporate resources. In Windows 10, this feature offers a streamlined user sign-in experience—it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign in. Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution.
In Windows 10, the Windows Hello for Business (formerly known as Microsoft Passport for Work) feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. With the Windows 10 Anniversary Update, Core Services Engineering (CSE, formerly Microsoft IT) streamlined the deployment of this feature as an enterprise credential to improve the user sign-in experience and to increase the security of accessing corporate resources.
This feature lets users authenticate to a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) Premium account.
The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.
Other benefits of this feature include:
- It uses existing infrastructure. We configured Windows Hello to support smart card–like scenarios by using a certificate-based deployment. Our security policies already enforced secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication. Windows Hello is currently enabled, and we anticipate an increase in usage as more biometric-capable devices become available in the market.
- It uses a PIN. Replace passwords with a stronger authentication. Users can now sign-in to a device using a PIN that could be backed by a trusted platform module (TPM) chip.
- It provides easy certificate renewal. Certificate renewals occur automatically when a user signs in with their PIN before the lifetime threshold is reached.
- It permits single sign on. After a user signs in with their PIN, the user has access to email, SharePoint sites, when using the latest Office 365 versions, and business applications without being asked for credentials again.
- It is compatible with remote access. When using a certificate-based PIN, users can connect remotely using a CSE VPN without the need for multi-factor authentication with phone verification.
- It supports Windows Hello. If users have compatible biometric hardware, they can set up biometrics sign-in to swipe their finger or a take a quick look at the device camera.
To get more information and more secure environment, contact to one of our technical consultants.