Windows Hello: Securing User Credentials with Biometrics
If there is one element that every member of the connected society has in common, it is the fact we are all beholden to the passwords and authentication methods that allows us to access the digital things that we need. Password security has always been a hot topic, and we are constantly being reminded that bad actors are focused on gaining access to personal information.
The problem is that even after years of digital interaction, most people still stick to the same habits that were flawed at the start of the internet era. This has become even more widespread as remote working has become the norm, with a recent article on Forbes citing data that showed that 77 percent of employees were using weak or unsecured passwords to access corporate systems.
To be fair, this is hardly breaking news. User-created passwords are the basis of security and authentication in the vast majority of applications. Essentially, anyone who gets the password can impersonate the owner and put information at risk.
Without wishing to harp on about personal responsibility we all know that passwords are both easy to clone and simple to steal. Most of the places where the password is entered, stored and processed are vulnerable. What matters, therefore, is making the authentication more secure,
Taking the above into account, Microsoft’s biometric sign-in system, Windows Hello (built into Windows 10) is now available to both business and personal users.
What is Windows Hello?
The Windows Hello authenticator – also known as Hello – is unique to the combination of a specific user and an individual device. Originally introduced in 2015, the authenticator is a commitment to personal security that is intended to replace our long-standing reliance on passwords.
On a basic level, Hello can’t be extracted from a device, doesn’t roam across devices and is not shared with a server or calling app. Each user needs to set up their own account if multiple users are sharing a device, and every account gets a unique Hello for that device.
Windows Hello for Business
Microsoft Hello replaces the passwords with strong two-factor authentication (2FA) on computers and mobile devices, creating a “new type of user credential.” These credentials are tied to a device and rely on a biometric element (fingerprint or facial recognition) and PIN. A full overview can be found here.
2FA addresses the below problems:
- People are prone to reuse passwords on multiple sites, and stronger passwords are not always easy to remember.
- When a server breach happens, symmetric network credentials (passwords) are exposed.
- Cybercriminals count on the fact that people have become used to security breaches and don’t change an exposed password, thus making them subject to replay attacks.
- Phishing attacks are not always obvious and end user can inadvertently expose their passwords without meaning to.
By introducing the biometric element, users can thereby authenticate:
- a Microsoft account.
- An Active Directory account.
- a Microsoft Azure Active Directory (Azure AD) account.
- Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0
How Windows Hello for Business Works
Windows Hello credentials are based on the certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token which is obtained by using the credential is also bound to the device.
During the registration, identity providers such as AzureAD, Microsoft account, Active Directory etc., validates user identity and maps the Window Hello key to the user account. As we pointed out above, Windows Hello requires two-factor authentication, which is a combination of a key and certificate.
The certificate is tied to a device, whereas the PIN is something that a person knows and has chosen. It should be noted that the Biomatrix can also replace the PIN as biometrics templates are stored locally on a device, whereas PIN is never stored or shared.
Again, the Windows Hello gesture does not roam between devices and is not shared with the server. That means that the private key never leaves a device when using Trusted Platform Module (TPM). The authenticating server has a public key that is mapped to the user account during the registration process.
Finally, PIN entry and a biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user’s identity and authenticates the user.
Why is a PIN Better than a Password?
Passwords have been the defacto means of authentication since day one, but a Hello PIN has the following advantages:
- The Hello PIN is attached to the specific device on which it was originally set up. In other words, that PIN is of no use to anyone without access to that specific hardware.
- Passwords are transmitted to the server. That makes them susceptible to them being stolen in transmission or even from the server itself. A PIN, by contrast, is local to the device itself and is not stored on a server.
- A Trusted Platform Module (TPM) chip – a secure crypto processor that was designed to make the chip “tamper proof” – is part of the device hardware.
- The Windows Hello for Business PIN will be subject to the same IT management policies as chosen passwords. These policies will include standard practices, such as complexity, length, end date and history.
You can take a deeper dive into the reasons why the PIN is a more effective method of authentication here.
Enabling Windows Hello on Your Device
The tool uses three avenues for authentication: facial recognition, fingerprint, and PIN.
Facial recognition, for example, accesses special cameras that see in IR light. This allows the device to tell (with a high degree of accuracy) the difference between an actual human being and a scan or photograph. Fingerprints, on the other hand, use a baked-in sensor to scan the chosen finger and build an authentication profile.
To set this feature up, you should do the following:
- Go to Accounts -> Sign-in options
- Using the Manage how you sign in to your device option, select one of
- Windows Hello Face
- Windows Hello Fingerprint
- Windows Hello PIN
That way you can choose which option you prefer, based on the requirement and your level of comfort with biometrics.
Using Web Authentication API
As we have discussed above, Windows Hello is a more secure access channel for a plethora of existing devices. Biometrics has been gaining in popularity in recent years, and the current generation of smartphones, laptops and tablets will likely have fingerprint readers or facial scanners built in to the hardware by the OEM.
Taking that into account, Apexon can enable Windows Hello authentication in websites. This extra layer of security is becoming increasingly important, especially for business users and digital-only brands.
The key point to remember is that the feature utilizes public-key cryptography in place of passwords. A website will generate the public-private key pair, send the public key to the server, and store the private key securely on the user’s machine or device. In addition, that website will both send the payload and check if the browser can sign the payload by using the private key stored in the user’s device.
While those with malicious intent will always be looking for ways to exploit identified vulnerabilities, you can be reasonably confident that they will not be able to steal your face or your fingerprint without you knowing about it. And that means that the biometric element is arguably the best way to keep your information secure and safe from harm, without the need for passwords.
To find out more about how Apexon can provide you with the level of security that you and your customers require, please contact us using the form below.