Hello for business
In the US, businesses are projected to spend more than $65 billion on cybersecurity solutions. With good reason too. Cyberattacks may have abated from 2017’s high of 1.6 billion, but they still remain quite elevated in this ever-connected digital world.
Fortunately, new security solutions such as Windows Hello for Business can help make companies more secure. IT managers will be happy to know that solutions like this don’t need to eat up a big part of the tech budget either.
Microsoft has stated that it is, “committed to its vision of a world without passwords.” While this may seem counterintuitive to the need for increased security, the company’s no-password world relies on other security measures that address the inherent weaknesses of passwords. Passwords can be:
With Windows 10 devices, users can now use Microsoft’s new Windows Hello service, designed to help address these password flaws. The business version of this innovation replaces passwords with stronger authentication based on a device and a biometric or a pin. Windows Hello for Business delivers maximum protection through the combination of biometric authentication, Group Policy or mobile device management (MDM) and key- and certification-based authentication.
With this new type of credential, users can gain secure access to an Active Directory or Azure Active Directory.
During enrollment, users will have to complete an initial two-step verification. After this step, they won’t have to perform this step again. To finish set-up, users will then have to set a gesture. The gesture can be a biometric or a pin.
A biometric is a way to sign in based on fingerprint matching, iris scan or facial recognition. Your Windows 10 device must have a way to read these biometric indicators, such as a fingerprint scanner or infrared-capable camera (to differentiate a human face in person from a photograph). Increasingly, devices are coming standard with these features, or they can be purchased separately. Note that with current technology, iris scans work best on mobile devices, so enterprise solutions may want to focus on fingerprints and facial recognition.
It’s important to note that this biometric data is stored locally so it’s not as if a central location storing all the biometric data could be hacked.
A pin might not sound much different than a password, but it is more secure. A pin is tied to the specific hardware, so it is not useful to a hacker unless he has the hardware. As with biometric data, pins aren’t transmitted anywhere.
A pin is more secure than a password because it creates an asymmetric key pair for authentication. As an administrator, you can set policies for pins – for example, characters that aren’t allowed or lock out periods after brute-force attempts to gain access. As a standard, the service does not allow pins that have a constant delta (rate of change) from one digit to the next.
Multi-factor authentication is used to describe security measures that rely on three factors:
Windows Hello for Business can satisfy all of these requirements if you have the right equipment. The thing you have is the private key or token that is protected by your device’s security. The thing you know is the pin you set up. The thing you are is your fingerprint, iris or face, aka the biometric gesture you use.
Although you only really need two of these factors to unlock your device, you can set up your device to require an additional factor in order to access your desktop.
Given these extra layers, multi-factor authentication is more secure than other measures of protection. Biometric data, in particular, is difficult to hack. An attacker would not only have to get your device but would also need you present in order to scan your finger, face or eye.
If you already have a third-party authentication system set up, you can still benefit from this new Windows service. Windows Hello for Business can be configured to work with third-party authenticators in Active Directory Federation Services (AD FS). Currently, Microsoft lists twelve outside offerings that work with Hello for Business.
These offerings include services such as:
You can also build your own custom authentication method.
Beyond a Windows 10 device – either desktop or mobile – fingerprint sensors and software or facial recognition devices with infrared sensors and software, the basic technical requirements will vary based on your deployment strategy.
If you are doing a cloud-only deployment, then you’ll need:
Modern Management and Azure AD Premium subscription are optional in cloud deployments.
If you are doing an on-premise deployment, then you’ll need:
In this deployment, an Azure Account is optional for Azure MFA billing.
Hybrid deployments are more complicated.
Most businesses, especially those that still rely on cumbersome and cyberattack-prone passwords, would probably benefit from implementing Windows Hello for Business. It is a relatively cost-effective and easy way to increase your security. It will require some set-up and perhaps some initial investments in hardware for biometric scans, but the long-run gains in security will likely outweigh these set up costs.
2019 may be too early to declare the end of passwords. However, technology seems to be headed in that direction and adopting Windows Hello for Business may help you stay ahead of this technological shift.
Resources:
https://support.microsoft.com/en-us/help/17215/windows-10-what-is-hello
With the outbreak of COVID-19, we are increasingly having conversations with our clients about working…
The medical data management system in Australia is not where it should be. According to…
Not everyone has the luxury of 0 unread emails. Australia right now is on the…
One of the most pressing tech issues for businesses, especially in Australia, is cybersecurity. Therefore,…
The Hard Truth About Malware in Australia (The statistics in this section are findings from…
Many new apps will help increase your productivity and make getting the job done a…