Passwordless authentication: Windows Hello for Business

Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.

Windows Hello for Business can be deployed cloud only (Azure Active Directory), on-premises (Active Directory) or hybrid (both directories). An on-premises deployment also needs a Certificate Authority and Active Directory Federation Services for device registration. Applying the 80-20 rule (80% of the outcome comes from 20% of the effort), I really recommend starting with the cloud deployment: it is much easier to implement and gives the larger security gain. On-premises resources are reached from inside a reasonably well-protected corporate network, which adds a layer of defense by itself; cloud applications are reached from anywhere, and portable work computers are more exposed to theft and attackers, so that is where replacing the password matters most.

What is the difference between Windows Hello for Business and Windows Hello PIN or biometric in Windows 10?

The main difference is that Windows Hello in Windows 10 (also referred to as convenience PIN) is a consumer feature that only protects sign-in on the local device, while Windows Hello for Business is the enterprise configuration: the PIN or biometric unlocks an asymmetric key pair (TPM-backed where a TPM is present) that is registered with Azure Active Directory or Active Directory and is used to authenticate the user.

A convenience PIN is just a password stuffer: Windows caches your password and replays it after the PIN or biometric check, so the credential actually used for authentication is still the password.

Windows Hello for Business has strong user authentication properties that are frequently and mistakenly assumed to be in effect when the Windows Hello for Business infrastructure is not in place and the user is really using a convenience PIN. Bear in mind that the two cannot be used together. By default the convenience PIN is disabled when you enable Windows Hello for Business or join a PC to the domain.
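To tell the two apart on a given machine, the check below (an added example, not a script from the original post) combines the output of `dsregcmd /status` with the two Group Policy registry values involved: `Enabled` under `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork` (the "Use Windows Hello for Business" setting) and `AllowDomainPINLogon` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System` (the "Turn on convenience PIN sign-in" setting). The registry paths are assumed to be the ones those policies write; the `NgcSet` field of `dsregcmd` reports whether the current user has provisioned a Hello for Business key, so run it in the context of the user you are checking.

```powershell
# Added example: report whether this device is using Windows Hello for Business
# or only a convenience PIN. Assumes Windows 10 and the policy registry paths
# named in the lead-in; run in the context of the user you want to inspect.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy value has never been written.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$status = Get-DsregStatus

# Group Policy locations for the two settings discussed above (assumed paths).
$whfbPolicy    = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' 'Enabled'
$pinPolicy     = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'AllowDomainPINLogon'

$report = [pscustomobject]@{
    AzureAdJoined         = $status['AzureAdJoined']
    DomainJoined          = $status['DomainJoined']
    WhfbPolicyEnabled     = ($whfbPolicy -eq 1)
    WhfbKeyProvisioned    = ($status['NgcSet'] -eq 'YES')   # user has enrolled a Hello for Business key
    ConveniencePinAllowed = ($pinPolicy -eq 1)              # off by default on joined devices
}

$report | Format-List

# The failure mode the text warns about: a PIN prompt at sign-in with no
# Hello for Business key behind it means the PIN is only unlocking a cached password.
if (-not $report.WhfbKeyProvisioned -and $report.ConveniencePinAllowed) {
    Write-Warning 'PIN sign-in is convenience PIN only; Windows Hello for Business is not in effect for this user.'
}
elseif ($report.WhfbKeyProvisioned -and $report.ConveniencePinAllowed) {
    Write-Warning 'Convenience PIN is still allowed alongside Windows Hello for Business; disable the policy.'
}
```

If `NgcSet` shows `YES` but the Hello for Business policy value is absent, the key was provisioned by MDM (Intune writes its policy under a different path) or by a tenant default rather than by Group Policy; the provisioned key is what matters for the user's sign-in, the policy value only tells you where the configuration came from.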

Prerequisites for Cloud only deployment

Here are the prerequisites for a Cloud only deployment:

  • Windows 10, version 1511 or later
  • Azure Active Directory
  • Azure Multi-factor authentication
  • Modern Management (Intune or supported third-party MDM), optional
  • Azure AD Premium subscription – optional, needed for automatic MDM enrollment when the device joins Azure Active Directory
Mladen Georgiev
My name is Mladen Georgiev. My passion is new technology. I help companies in their efforts to transition to the Microsoft cloud. Security is one of my main focuses and I always strive to keep the balance between usability and protection. The always-connected way of working presents new challenges which demand a new, modern approach to keep up with security threats. With this blog I want to share useful tips for making the IT pro's life easier and guides that help overcome real-world challenges.
