Enabling Windows Hello for Business… Why? Why Not?
Excuses are a dime a dozen, but after reading this second story, you can decide for or against it – but mind you: these stories might never have seen the light of day had the companies only been using Windows Hello for Business to deter the Antagonist…
Welcome to “The Windows Hello Zone!” – Part 2.
We all go to the hardware store once in a while. So did Isabella one day, when the water heater in her house broke…
At the local Mega Hardware store, Isabella started chatting with a sales rep about getting a good deal on a new water heater. But it was a little too rich for her blood. So she asked the sales rep to print out a quote for her to think over at home.
Isabella had been talking for so long with the sales rep that the computer he was standing at was locked due to inactivity. It turns out the sales rep was new and struggling to remember the credentials to unlock the station. So, he starts yelling over to a colleague about the credentials, and the colleague yells back, “Ask Jimmy!”. It turns out that Jimmy is the manager of the store, and the sales rep calls Jimmy up on the store intercom.
Jimmy is on the other end of the intercom now. Isabella can hear everything he is saying to the rep; “…yeah, so we had to change the password to a longer one due to company policy! IT nerds are getting on my nerves about this security bulls**t…” Jimmy goes on to spell out the new password, which is quite complex!
Hard times tempt even the kindest soul.
Back home, Isabella is sitting with the quote in hand and notices that the account name used to print it out happens to be on it. Poor Isabella is tempted to try the password that she clearly remembers, since she is sort of a genius. She easily guesses the webmail address of the hardware store, “https://webmail.megahardware.com/”, and tries the credentials… She is in!
Isabella spends some time with the mailbox and learns that all the sales reps use the same account for all their communication. And how sales are processed and marked as paid and ready for pickup!
The next day Isabella makes sure to avoid the sales rep she previously spoke to and picks up her brand new and free water heater!
Isabella now visits the store regularly…
- If the Hardware store that insists on sharing credentials between employees had only used Windows Hello for Business with a PIN for shared access, then “poor” Isabella would not have had so much success with her grift.
PINs and needles
We previously touched base with the PIN code, a minimum requirement for enabling Windows Hello for Business. And there are a lot of questions that immediately come to mind when you first hear the sentence “Now you can simply sign in to your device with a PIN code – it’s so much better!”:
- “How can a 6 digit PIN code possibly be safer!?”
- “This person must be out of their mind to suggest such nonsense!”
- “I am going to poke needles through my ear-drums and pretend I did not just hear this insanity.”
YES! That does sound insane, but there is more to the story!
Windows Hello for Business PIN security
A Windows Hello for Business PIN has some hard-to-ignore advantages over just being a PIN code of 6 or more digits.
- The PIN will ONLY work on the device it was enrolled onto, using multi-factor verification of the enrolled user account.
  - Meaning that even if you gave it to someone online by mistake, it would be useless.
- The PIN is shareable without giving away your actual password.
  - Not something I would condone doing, but it would have worked well at the Mega Hardware store.
- The PIN can be enrolled by IT, thus keeping the actual account password completely out of the user’s reach.
  - This effectively locks them into the specified device, making them practically phishing-proof.
  - A great strategy for dealing with those users who are not IT literate and only need to do simple tasks on their devices.
- The PIN can even include letters!
  - But be careful about enabling this – you don’t want users simply typing their password in as a “PIN”; that would only bring confusion and substantially lower the security of the account.
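The last bullet is the one most often misconfigured. As an added example (my own script, not part of the original post or any Microsoft tooling), the PowerShell below audits a device's Windows Hello for Business PIN complexity policy and, with `-Remediate`, applies the digit-only settings the post argues for. It assumes the Group Policy registry keys `HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork` and its `PINComplexity` subkey, and assumes the letter/special-character values use the PassportForWork CSP encoding (0 = allowed, 1 = required, 2 = not allowed); verify both against your ADMX or CSP documentation before relying on it, and note that Intune/CSP-managed devices may store the policy elsewhere.

```powershell
# Added example: audit (and optionally tighten) the Windows Hello for Business
# PIN complexity policy so users cannot type a real password in as a "PIN".
# Assumptions: Group Policy registry-backed settings at the paths below, and the
# CSP value encoding 0 = allowed, 1 = required, 2 = not allowed. Verify locally.
[CmdletBinding()]
param([switch]$Remediate)

$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$ComplexityKey = "$PolicyKey\PINComplexity"

# Desired policy: at least 6 characters, digits required, no letters or symbols.
$Desired = [ordered]@{
    MinimumPINLength  = 6
    Digits            = 1   # at least one digit required
    UppercaseLetters  = 2   # not allowed
    LowercaseLetters  = 2   # not allowed
    SpecialCharacters = 2   # not allowed
}

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. policy not configured.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

if ((Get-PolicyValue $PolicyKey 'Enabled') -ne 1) {
    Write-Warning 'Windows Hello for Business is not enabled by policy on this device.'
}

# Compare each setting; minimum length may exceed the desired value, the rest must match.
$findings = foreach ($name in $Desired.Keys) {
    $current = Get-PolicyValue $ComplexityKey $name
    $ok = if ($name -eq 'MinimumPINLength') { $null -ne $current -and $current -ge $Desired[$name] }
          else                              { $current -eq $Desired[$name] }
    [pscustomobject]@{ Setting = $name; Current = $current; Desired = $Desired[$name]; Compliant = $ok }
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    if (-not (Test-Path $ComplexityKey)) { New-Item -Path $ComplexityKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $ComplexityKey -Name $name -Value $Desired[$name] -Type DWord
    }
    Write-Host 'PIN complexity policy tightened; refresh policy (gpupdate /force) to apply.'
}
```

A setting reported as `Current = ` (empty) means the policy is simply not configured and the platform default applies, which is worth checking on its own rather than assuming it is safe.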
So much more can be said, and already has been said here: Why a PIN is better than a password (Windows 10) – Microsoft 365 Security | Microsoft Docs
By now, you should be aware of the game-changing advantage that Windows Hello for Business gives you over a regular set of credentials.
The only thing you should fear is missing out on the awesomeness of going passwordless with Windows Hello for Business.
Windows Hello for Business is here to stay, and anyone serious about their Windows 10 endpoints’ security needs to get practical experience with this technology NOW – not later – NOW.
For any questions or comments, my @michael_mardahl Twitter account is just a friendly follow and a tweet away.