How Windows Hello Secures User Credentials with Biometrics

Password protection is an important step in securing access to sensitive and confidential accounts, websites, mobile applications, and other platforms. Many of you will have adopted tools and programs to keep your passwords safe.

If there is one thing every connected member of society has in common, it is that we all rely on passwords and authentication methods to access the digital things we need. Password protection is always a hot topic, and we are constantly reminded that bad actors are focused on gaining access to personal information.

The problem is that, even after years of digital interaction, most people keep the same bad habits they formed in the early days of the internet. This is even more common now that remote working has become the norm. A recent Forbes article cited data showing that 77% of employees use weak or insecure passwords to access company systems.

To be honest, this is not news. User-generated passwords are the basis for security and authentication in most applications. Anyone who obtains the password can pretend to be the owner and compromise the information.

Without wanting to take personal responsibility, we all know that passwords are easy to duplicate and steal. Most of the places where passwords are entered, stored, and processed are vulnerable. For this reason, it is important to make authentication more secure.

With that in mind, Microsoft’s biometric login system, Windows Hello (built into Windows 10), is now available for both business and home users.

What is Windows Hello?

The Windows Hello authenticator, also known as a Hello, is only valid for a specific combination of a user and a single device. Authenticators were first introduced in 2015 and are personal security obligations meant to replace our old reliance on passwords.

At a basic level, a Hello cannot be extracted from a device, cannot be moved between devices, and is not shared with servers or calling applications. If multiple users share a device, each user must set up their own account, and each account receives a unique Hello for that device.

Windows Hello for Business

Microsoft Hello replaces passwords with strong two-factor authentication (2FA) on computers and mobile devices and creates a “new type of user credentials”. This credential is tied to the device and is based on a biometric element (fingerprint or facial recognition) and a PIN. You can find the full picture here.

2FA addresses the following problems:

  • People are prone to reuse passwords on multiple sites, and stronger passwords are not always easy to remember.
  • When a server breach happens, symmetric network credentials (passwords) are exposed.
  • Cybercriminals count on the fact that people have become used to security breaches and don’t change an exposed password, thus making them subject to replay attacks.
  • Phishing attacks are not always obvious and the end-user can inadvertently expose their passwords without meaning to.

By introducing the biometric element, users can authenticate to:

  • A Microsoft account.
  • An Active Directory account.
  • A Microsoft Azure Active Directory (Azure AD) account.
  • Identity provider services or relying party services that support Fast ID Online (FIDO) v2.0.

How Windows Hello for Business Works

Windows Hello credentials are based on certificates or asymmetric key pairs. Windows Hello credentials can be associated with a device, and the token obtained using those credentials is also associated with the device.

During registration, an identity provider such as Azure AD, a Microsoft account, or Active Directory verifies the identity of the user and maps the Windows Hello key to the user account. As noted above, Windows Hello requires two-factor authentication, which is a combination of a key and a certificate.

The certificate is tied to the device, while the PIN is something the person knows and has chosen. It should be noted that biometrics can also replace the PIN. Biometric templates are stored locally on the device, whereas PINs are never stored or released.

Again, the Windows Hello gesture doesn’t roam between devices and isn’t shared with the server. This means that the private key never leaves the device when using the Trusted Platform Module (TPM). The authentication server holds a public key that is assigned to the user account during the registration process.

Finally, entering the PIN or performing the biometric gesture causes Windows 10 to use the private key to cryptographically sign data sent to the identity provider. The identity provider verifies the identity of the user and authenticates the user.

Why is a PIN Better than a Password?

Passwords have been the de facto means of authentication since day one, but a Hello PIN has the following advantages:

  • The Hello PIN is attached to the specific device on which it was originally set up. In other words, that PIN is of no use to anyone without access to that specific hardware.
  • Passwords are transmitted to the server. That makes them susceptible to being stolen in transmission or even from the server itself. A PIN, by contrast, is local to the device itself and is not stored on a server.
  • A Trusted Platform Module (TPM) chip, a secure cryptoprocessor designed to be “tamper-proof”, is part of the device hardware.
  • The Windows Hello for Business PIN is subject to the same IT management policies as chosen passwords. These policies include standard practices, such as complexity, length, expiration, and history.

You can take a deeper dive into the reasons why the PIN is a more effective method of authentication here.

Enabling Windows Hello on Your Device

The tool uses three avenues for authentication: facial recognition, fingerprint, and PIN.

Facial recognition, for example, relies on special cameras that see in IR light. This allows the device to tell (with a high degree of accuracy) the difference between an actual human being and a scan or photograph. Fingerprint recognition, on the other hand, uses a built-in sensor to scan the chosen finger and build an authentication profile.

To set this feature up, you should do the following:

  • Go to Accounts -> Sign-in options
  • Using the Manage how you sign in to your device option, select one of
    • Windows Hello Face
    • Windows Hello Fingerprint
    • Windows Hello PIN

That way you can choose which option you prefer, based on the requirement and your level of comfort with biometrics.

Using Web Authentication API

As described above, Windows Hello is a security channel for many existing devices. Biometrics has grown in popularity in recent years, and the current generation of smartphones, laptops, and tablets will most likely have fingerprint readers or face scanners built into OEM hardware.

With that in mind, Infostretch was able to enable Windows Hello authentication on websites. That extra layer of security is becoming increasingly important, especially for business users and digital brands only.

The most important thing to remember is that it uses public-key cryptography, not passwords. During registration, a public-private key pair is generated for the website: the public key is sent to the server, and the private key is stored securely on the user’s computer or device. In addition, the website sends data to the browser and checks whether the browser can sign that data with the private key stored on the user’s device.
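
The registration and sign-in flow described above and under "How Windows Hello for Business Works", as an added example that is not from the original article or from Microsoft: a simplified Node.js model in which a local key pair stands in for the device-bound credential. The names makeDevice, makeServer and demo, the origins and the signed payload layout are assumptions; real Web Authentication messages carry more fields.

```javascript
// Added example: simplified model, not real WebAuthn formats; all names are hypothetical.
const nodeCrypto = require('crypto');

// Data that gets signed: hash of the site origin plus the server's challenge.
const payload = (origin, challenge) => Buffer.concat([
  nodeCrypto.createHash('sha256').update(origin).digest(), challenge]);

// Stands in for the device-bound credential: the private key stays in this closure.
function makeDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // Runs only after the PIN or biometric gesture unlocks the key.
    sign: (origin, challenge) =>
      nodeCrypto.sign('sha256', payload(origin, challenge), privateKey),
  };
}

// Server side: stores public keys only, so a breach exposes no shared secret.
function makeServer(origin) {
  const keys = new Map();    // account -> registered public key
  const pending = new Map(); // account -> outstanding challenge
  return {
    register: (account, publicKey) => keys.set(account, publicKey),
    newChallenge(account) {
      pending.set(account, nodeCrypto.randomBytes(32));
      return pending.get(account);
    },
    verify(account, signature) {
      const challenge = pending.get(account);
      pending.delete(account); // single use, so a replayed response fails
      const key = keys.get(account);
      if (!challenge || !key) return false;
      return nodeCrypto.verify('sha256', payload(origin, challenge), key, signature);
    },
  };
}

function demo() {
  const site = 'https://app.example'; // constructed sample origin
  const server = makeServer(site), device = makeDevice(), other = makeDevice();
  server.register('alice', device.publicKey);
  const sig = device.sign(site, server.newChallenge('alice'));
  return {
    ok: server.verify('alice', sig),
    replay: server.verify('alice', sig),
    wrongDevice: server.verify('alice', other.sign(site, server.newChallenge('alice'))),
    lookalike: server.verify('alice', device.sign('https://app.example.test', server.newChallenge('alice'))),
  };
}
```

Only the first verification succeeds: the replayed response, the signature from an unregistered device, and the signature bound to a look-alike origin are all rejected.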

While malicious individuals are always looking for ways to exploit identified vulnerabilities, you can rest assured that they can’t steal your face or fingerprints without you knowing it. And that means biometrics is probably the best way to keep your information safe and protected from harm, without the need for a password.
