Microsoft is trying to get rid of that sticky note that you see taped to everyone’s office monitor. You know, the one with the password on it. The one with all of the old passwords crossed off one by one, each one subtly different from the last — an exclamation point turning into an ampersand, a one into a two.
Enterprises have really done this to themselves. The passwords that most organizations require — which have to be complex, with long strings of numbers and specially cased phrases with some (but not all! heavens no, not the one you want) symbols — are difficult to remember. There’s no hope except to write them down. Then you have to reset them every so often. Then they get recycled. And on and on the cycle goes.
Luckily for Windows shops, Microsoft has introduced an enterprise-quality method of using biometric identification and authentication without requiring the purchase of high-end hardware — and it is baked right into Windows 10 and 11.
In this piece, I want to take a look at this innovation, called Windows Hello for Business (WHFB), explain how it works, and show how to enable it to secure your enterprise while eliminating the need for your users to handle cumbersome passwords.
How Windows Hello for Business works
Windows Hello is the most common and most widely known of the biometric authentication schemes that Windows supports. It lets Windows 10 and 11 users who have devices with fingerprint readers or special cameras log into Windows via fingerprint or facial recognition. The consumer version of Windows Hello is a device-specific mechanism and does not carry over between a user’s devices, so users need to set up a PIN or gesture on each device they want to use.
Windows Hello for Business takes the Hello idea and bundles it with management tools and enforcement techniques to ensure a uniform security profile and enterprise security posture. WHFB uses Group Policy or mobile device management (MDM) policies, usually enforced with Microsoft Intune, for management and enforcement, and leverages key- and certificate-based authentication in most cloud-focused scenarios for maximum protection. The PINs and gestures created by users work across devices in the WHFB model.
Windows Hello acts on one of two fronts: It can scan one’s fingerprint, or it can take an infrared picture of a user’s face and perform analysis on it. (Hello also supports iris scanning, but since iris cameras are better suited to phones than to laptops or desktop displays, the former two methods are more practical for the enterprise.)
It pairs these unique physical attributes of each user with cryptographic keys that replace passwords as authentication methods. These keys are stored within specialized security hardware, or are encrypted in software, and unlocked only after Windows deems them authentic. For organizations uninterested in biometrics, Windows Hello also supports PIN usage to replace passwords transmitted…
2023-11-10 02:41:03
Post from www.computerworld.com