Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!
So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop, where this will be a two factor authentication. The first factor is the integrated TPM chip in the device, and the 2nd factor is the bio-metric of the user.
By enabling the TPM chip and the bio-metric data from the end user we will eliminate the need of a password on the users device. Off course the user can use his password to unlock the device in case bio-metric verification fails because of different reasons.
If you have a on-premise domain with Windows Hello for business enabled, it is also possible to enable the convenience PIN, however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:
- Windows Hello for Business is: An asymmetric key-pair protected and stored in the TPM, unlock with PIN or Bio-metric Authentication