Let’s go password less, because passwords are bad! Part 2

Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!

Afbeeldingsresultaat voor windows hello logo

So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop, where this will be a two factor authentication. The first factor is the integrated TPM chip in the device, and the 2nd factor is the bio-metric of the user.

By enabling the TPM chip and the bio-metric data from the end user we will eliminate the need of a password on the users device. Off course the user can use his password to unlock the device in case bio-metric verification fails because of different reasons.

If you have a on-premise domain with Windows Hello for business enabled, it is also possible to enable the convenience PIN, however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:

  • Windows Hello for Business is: An asymmetric key-pair protected and stored in the TPM, unlock with PIN or Bio-metric Authentication

Windows Hello for business supports multiple ways of authenticating on the device. Possible options to allow are:

  • Username and password
  • PIN (Only on-premise)
  • Facial recognition
  • Fingerprint
  • Microsoft Authenticator app
  • FIDO 2.0 key

The best and the most user friendly are off course the Facial recognition and fingerprint. The user always has them with him, and these are unique.

What else can we do?

since we have eliminated the use of a password on the device where possible, it is now time to see where we can simplify the rest of your (cloud) applications.

It is important to enable single sign-on where you can. This way the authenticated user doesn’t need to type in his username and password. If it isn’t possible to use SSO, try to implement MFA authentication.

Avoid MFA prompts!

If a user gets a lot of 2-factor prompts, the user might overlook the fact that there is one false prompt for a unauthorized login attempt. So if you implement MFA, make sure that you do it as lean as possible!

If you need more information, or want some tips or help, leave a message below, and I will try to contact you as soon as possible!

Leave a Reply

Your email address will not be published. Required fields are marked *