Enabling Windows Hello for Business… Why? Why Not?
- If it ain’t broken, don’t fix it?
- If the glove doesn’t fit, why debate it any further?
- We couldn’t possibly attract any malicious interest?
- We know all our employees!
Excuses are a dime a dozen, but after reading the two stories contained in this multi-part “semi-tech” article, you can decide for or against – but mind you; these stories might never have seen the day of light had the companies only been using Windows Hello for Business to deter the Antagonist…
Welcome to “The Windows Hello Zone!”
The second part of this article can be found here: The Windows Hello Zone! – Part 2
The story of Kim and the new Boss
Kim has a good job… But Kim hates the new Boss…
Kim makes an effort to learn the Boss’ password. Kim uses a shoulder surfing technique, as the glass partitions in the office make it easy to gander over the new Boss’ shoulder during sign-in in the mornings. The Boss is oblivious to this…
Once the password had been gathered, Kim starts plotting… Kim can now login as the Boss from any company laptop! The possibilities for mayhem are many…
Kim comes in late one night as anonymously as possible and starts logging into several co-workers’ computers – with the new Boss’ credentials! And starts downloading sensitive materials and designs for the companies new products…
Later that week, leaked information from the company finds its way to the news, and the company is in a panic, starting a full investigation into who could have leaked the data!? Audit log trails quickly lead to the new Boss and the seemingly feeble attempt to hide their tracks by downloading the data from the co-workers’ computers…
Kim still has a good job… Kim is getting a new Boss soon – let’s hope it’s a nice Boss…
- If only Kim’s new Boss had been using Windows Hello for Business with a Biometric login, Kim would have gotten nowhere with the shoulder surfing. At least IT was auditing file access, so they did not have to waste time placing blame!
Let’s quickly go over some of the tech in Windows Hello for Business:
Biometrics and Windows Hello for Business
Using Biometrics to access Windows is natively built into Windows 10, thanks to Windows Hello for Business. Biometrics are also known as “passwordless” credentials. Passwordless credentials are far superior to typing a password as you sign-in. The most common methods are using either of these mechanisms:
- Fingerprint reader
- Facial recognition
Most laptops for Enterprises come with either a fingerprint or an IR Camera for facial recognition nowadays, so getting started with Biometrics might be something you can do today! If not, check out Part 2 that covers the use of a PIN code and scenarios for that. But just know that the PIN is always a minimum requirement, even if you are using Biometrics!
No more roaming around the office with your credentials
Windows Hello for Business uses the physical TPM security chip on your device- which means that it has a hard dependency on that chip, allowing you access to the certificate that Windows Hello for Business has issued to the device and synced with Azure AD. This is by design, and why Kim would have failed if somehow the new Boss’ PIN was exposed to Kim during a failed Biometric sign-in.
Pay special notice to the fact that the credential certificate is synced to Azure AD. This effectively means there’s a delay in a hybrid environment before you can actually use Windows Hello for Business to authenticate. The delay happens because Azure AD Connect takes care of that process by syncing the user’s certificate attribute to Azure AD for the trust to be established – This is called a Key Trust model. The sync happens after the user has enrolled into Windows Hello for Business on a device.
Some quick takeaways for Windows Hello for Business in common Hybrid environments:
- Domain and forest level should be 2012 R2 as a minimum.
- Install a single Windows Server 2016 Domain Controller, and assign the PDC FSMO role so the schema can support the required attributes for the certificate.
- Remember to re-run Azure AD Connect and refresh the schema after the 2016 DC Role has been installed.
But I want to roam freely!
Then you could opt-in for Biometrics via FIDO2 keys, which have previously been know as “Windows Hello Keys”. Notice that these keys are not dependent on whether Windows Hello for Business is enabled or not. They do however let you roam your secured identity between devices. As the key will take the place of the physical TPM chip in your laptop.
Going passwordless is the future. And It can be yours now!
And now for a limerick…
There once was a man from Nantucket
Who left his password in a bitbucket.
But a hacker named Nan,
was tracking the man
And as for the password, Nantucket