Going Passwordless: Microsoft Windows Hello for Business or Not?

Posted by The TruU Team on March 2, 2021
Is Windows Hello Enough for Enterprise Passwordless Access?

Organizations are rethinking their workplaces and the options available to their workforces. Companies in regulated industries, and others with higher security needs, where work once occurred only in fully trusted facilities, now need to securely support work anywhere in the world on any type of device. The disintegration of the enterprise perimeter suddenly became far more pronounced as organizations scrambled to support a geographically dispersed workforce working from the most varied locations.

IT teams at most enterprises need to support an ever-growing variety of desktop and mobile device types. It is not unexpected that IT will receive support calls for Windows, Mac, iOS and Android devices. Many of these are for issues related to VPN, network, system and application login. Password reset costs continue to soar as IT teams are facing a growing volume of support calls from remote workers.

Passwords continue to be an attack vector of choice. As reported in the 2020 Verizon Data Breach Incident Report, misused credentials accounted for more than 80% of breaches. Additionally, in January of 2021, the Cybersecurity and Infrastructure Security Agency (CISA) reported on instances where traditional multi-factor authentication (MFA) solutions that may be tied to underlying passwords were bypassed using specific attacks such as a pass-the-cookie attack, where an authentication cookie, even if it is encrypted, is exfiltrated from the system and used to initiate additional sessions on the same machine.

Making a Case for Passwordless Authentication

Credential theft and misuse continue to grow. The impact from fraud due to account takeover (ATO), credential misuse and other identity-related attacks has exceeded 54% of all fraud detected, according to research conducted by security firm Kaspersky. Stolen passwords contribute to significant losses for businesses and consumers across the board.

To address the failure of passwords to protect access to networks, systems and data, enterprises are moving toward passwordless authentication using technologies like biometrics, PINs, and public-private key cryptography.

Emerging standards like the Web Authentication API (WebAuthn) and Fast Identity Online Version 2 (FIDO2) are enabling passwordless authentication across platforms. These standards were refined over several years as industry participants strove to replace passwords, and specialized devices such as hardware one-time password (OTP) tokens, with biometrics and everyday things that people already use, such as security keys, smartphones, fingerprint scanners, laptop cameras and webcams.


Passwordless authentication satisfies the need for higher security and more convenient access (Source: Microsoft)

Experts continue to point out that users face friction from traditional multi-factor authentication solutions, deployed as a means of strengthening the security at login. This creates an obstacle to wide-scale adoption in both enterprise and consumer environments. Adding another factor of authentication to enhance security just seems to pile on the inconvenience even further. So, while it may lead to higher assurance of security, the likelihood of adoption diminishes.

The answer lies in deploying a solution that combines strong security with genuine ease of use. The business benefit from eliminating IT support desk calls related to password resets is an additional incentive to deploy convenient, yet highly secure, passwordless solutions.

Microsoft has deployed Windows Hello for Business as a Passwordless Authentication Solution

Enterprises are rethinking their authentication strategy, especially since conventional password-based approaches are fast becoming unsafe and obsolete. Biometric identifiers such as facial recognition and fingerprint are gaining popularity as an alternate tool for enterprise authentication. 

Windows Hello for Business is a 2FA solution that eliminates passwords by combining an enrolled device with either a PIN or a biometric (fingerprint or facial recognition). This enterprise-grade platform allows users to log in to their devices or applications without a password that is stored centrally. Instead, it leverages a PIN that is stored locally on a user’s device, as well as a biometric identifier that is unique to every individual.

Windows Hello for Business incorporates three fundamental elements of authentication:

  • What a user has: Device
  • What a user knows: PIN
  • Who the user is: Biometric

Designed Expressly for the Windows 10 Environment

Windows Hello for Business is compatible with most Windows 10 (or later) devices. The business version is bundled with management tools and IT enforcement techniques to ensure that the solution can be deployed on an enterprise-wide scale.

Windows Hello for Business requires either a fingerprint reader or a near-infrared 3D camera. This functionality is available on most new Windows devices (and as the name suggests, this solution is limited to Windows 10 OS). If not available or functional, external hardware in the form of sensors or webcams can also be attached to the device. Before evaluating passwordless authentication options for your enterprise, it is important to understand how different authentication solutions operate.

Windows Hello for Business can be deployed in three broad models: cloud, on-premises, and hybrid. Authentication can be set up to be key-based (using public/private keys) and/or certificate-based. Through the use of unique biometric identifiers, a user's unique physical attributes generate a private key. This private key is paired with a public cryptographic key that is stored within specialized security hardware or encrypted in software. If the keys match, the user is able to access his or her device or application. This process can be used to protect all Microsoft accounts and domain accounts.
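The key-based model described above rests on a challenge-response exchange: the private key stays on the enrolled device, the relying party stores only the public key, and logging in means proving possession of the private key by signing a fresh nonce. The Go program below is an added illustration of that pattern written for this article, not Microsoft's or TruU's code; it assumes a P-256 key generated on the device, omits the PIN or biometric gate that releases the key and any attestation of the hardware, and the names NewDeviceKey, SignChallenge and RelyingParty are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// NewDeviceKey runs on the endpoint (TPM) or phone; the private key never leaves it.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignChallenge is all the authenticator does at login: sign the server's nonce (PIN/biometric gate omitted).
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty models the server (example type for this article, not vendor code):
// it holds public keys only, so a breach yields nothing to crack or replay.
type RelyingParty struct {
	registered map[string]*ecdsa.PublicKey
	pending    map[string][]byte // user -> outstanding single-use challenge
}

// Enroll records the device public key for the user; no secret is stored.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.registered[user] = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge and consumes it,
// so a captured response cannot be replayed to open a second session.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.registered[user]
	c, hasC := rp.pending[user]
	delete(rp.pending, user) // single use, even when verification fails
	if !ok || !hasC {
		return false
	}
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Note that the server side never handles anything that could be reused to impersonate the user: a leaked public key or a captured signed response is useless once the challenge has been consumed.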

Today’s Distributed Workforce Highlights the Heterogeneous Reality of the Enterprise

Enterprises powered by applications in the cloud were already headed towards IT policies that gave knowledge and professional workers much more flexibility when it came to selecting brands and operating systems for their laptops, desktops or mobile devices.

This trend skyrocketed as COVID-19 forced large segments of the workforce to work from home. In many cases displaced full-time employees converted to contractors and used their own endpoint devices (laptops, tablets, smartphones etc.) to conduct work-related business.

The reality of the situation is that enterprise workers today have a wide range of devices in addition to those operating on Windows 10. This would include prior versions of Windows, Mac laptops and workstations, iOS and Android mobile devices and other specialized applications requiring secure access. These include virtual private network (VPN) access, virtual desktop infrastructure (VDI) and physical security access control systems. With the exception of Windows 10, Windows Hello for Business does not support any of these.

In addition to the solution being limited to Windows 10, there are other challenges that users may encounter deploying Windows Hello for Business for the enterprise:

  • Security Vulnerabilities in the Past: There have been instances where Windows Hello for Business has created security vulnerabilities for enterprises. For instance, in 2019, Microsoft released an advisory for Windows Hello for Business’s implementation within Microsoft Active Directory, as public keys persisted even after a device was removed from Active Directory. Such examples illustrate the imperfections of the Windows Hello for Business platform. Yet Windows Hello for Business is definitely a step in the right direction towards a truly passwordless business world.
  • Multi-Device Login Not Supported: Because the PINs are stored locally on each device, it is not possible for a user to log in from multiple devices.
  • FIDO2 Compatibility Means Key Pairs or PINs Are Stored Locally: While this provides a higher degree of security compared to keys stored across the network, having the key stored on the target device that users need to log in to is less secure than having the keys generated on a smartphone, with only the public key used to unlock the workstation.

With Windows Hello for Business, Microsoft has made great strides in promoting the adoption of passwordless security. However, the enterprise today needs a more comprehensive end-to-end authentication solution supporting the diverse needs of users.

TruU Delivers the Most Complete End-to-End Passwordless Identity Platform

TruU solves the above challenges and works across the broadest range of enterprise systems requiring authentication, including Windows and Mac workstations, applications, VDI, VPN and physical security systems.

TruU Passwordless Capabilities include:

  • Support for a broad range of heterogeneous systems, with a consistent UI/UX across the enterprise. TruU has more coverage than Windows Hello and Apple’s TouchID combined.
  • Support for passwordless access beyond devices - Windows Hello for Business is device specific – it does not operate beyond Windows (lacking support for Mac workstations, mobile apps, kiosk machines, etc.).
  • TruU is a truly passwordless solution - Windows Hello will periodically require password entry. On Macs, passwords are required at cold boot up.
  • Unique ability to bridge digital and physical domains – one app to access all enterprise resources.

Key Differentiators:

  • Human Presence Based Security Response – TruU automatically locks the workstation when the user moves more than a few feet away from their device.
  • AI/ML Based Adaptive Risk Engine – detects anomalies in human behavioral patterns, allowing TruU to deliver continuous risk monitoring that prevents imposters or attackers from taking over login sessions.
  • TruU Passwordless MFA is more secure and easier to use. TruU is more secure because the FIDO keys are generated on the mobile device and the private key never leaves it. Because the private keys never reside on the target device or laptop, the deployment is more secure.
  • Self-Service Onboarding Capabilities: easy to complete remote self-service user onboarding.

Enterprises deploying TruU Passwordless Solutions can benefit from:
  • Enhanced security from eliminating the risk of data breach due to passwords.
  • Improved end user experience and satisfaction through fluid, frictionless access.
  • Lower costs related to redundant identity silos and infrastructure.

For more information or to request a demo of TruU solutions, visit TruU.ai or email info@TruU.ai
