Deploying Windows Hello for Office 365

Having grown up with personal computers in the 70s and 80s my introduction to computer science was a simple two-line program.

I’m sure that most of those who read this blog post will have started their career in a similar manner. Our next step was often to modify this program to repeat “Hello, World!” infinitely, then modify it again to repeat that message a finite number of times.

Microsoft has evoked this heritage with the service it calls “Windows Hello” and the related (but much more clumsily named) “Windows Hello for Business.” These services are a new way to authenticate to your computer, your Active Directory, your Office 365, and your Azure resources. The Hello services are one of the foundational pieces in Microsoft’s strategy to move us away from an authentication model that is dependent on usernames and passwords. In this blog post I’m going to explain what the Hello services do, and what you’ll need to deploy them in your organization.

Biometric Authentication

Before we can talk about the specifics of the Hello services, I think it’s appropriate to start this discussion by talking about biometric authentication.

Biometric Authentication is simply the process of using unique physical characteristics to authenticate to a resource. Fingerprints and facial recognition are the most common types of biometrics we use. There are other types of biometric scanners, but none of them are widely used enough for serious consideration here.

Fingerprint scanners can work in several different ways.

• Optical scanners use light to map the fingerprint
• Capacitive scanners use electric signals to map the fingerprint
• Ultrasonic scanners use sound to map the fingerprint

The different types of fingerprint scanners have different strengths and weaknesses. They all take the map of the fingerprint and apply cryptographic algorithms to create a unique identifier used for authentication.

Facial recognition, like fingerprint scanners, can work in different ways. Good facial recognition scanners use a combination of visible light and infrared light to create a map of the users face. While facial recognition has some benefits over fingerprint scanners, it should be noted that security researchers have defeated the best facial recognition with 3D printed masks made of silicon.

What’s important for our purposes is that different biometric scanners provide different levels of security. Some of them work with Windows Hello, and some do not. Microsoft does have an approval process that biometric devices must pass to be certified to work with Windows Hello. I have been unable to find a single definitive list of all devices that support Windows Hello but THIS LINK will show you a list of laptops that support Windows Hello.

It’s not necessary to buy a new laptop to use Windows Hello. There are plug in biometric scanners that can be added to any Windows 10 computer enabling Windows Hello. I’m not able to find a single Microsoft webpage that lists all devices that are certified to work with Windows Hello.

I use a Surface Laptop, which includes a Hello capable camera. My advice would be that you do your research when looking for a biometric scanner to use for Hello. Ensure you understand how it works, and what its weaknesses are. It’s time for us to move away from usernames and passwords, but it’s just as important to make sure the replacement is a step forward.

Windows Hello

Biometric authentication to your PC is nothing new. Fingerprint scanners have been coming equipped as part of laptops for years. Generally, those systems store your username and password then enter it for you after the device has verified your identity with biometric data. So how is Windows Hello different?

First, Hello is device specific. The user’s biometric data is stored on the PC in an encrypted form that is not easily extracted. The Hello registration process stores your data in the PCs TPM module under RSA 2048 encryption.

Secondly, all authentication through Hello is two-factor authentication. A device certificate is installed during the registration process, and that device certificate is used as a second factor during authentication.

Thirdly, Hello uses a PIN. When you register your device for Hello you will be required to setup a PIN. PIN complexity requirements can get setup to ensure that user’s PINs are as good as passwords, but that isn’t an improvement over a password. What makes you Hello PIN better is that it’s device specific. The only way someone can log in with your PIN is if they do it on your computer.

Windows Hello for Business

To this point, we’ve been talking about Windows Hello. Hello is the service for Windows 10 that allows you to log into your Windows 10 PC with biometrics. This is a great service, but I’d guess you’re here to read about Windows Hello for Business, the enterprise version of Hello.

Deploying Windows Hello for business is a bit more complex than just setting up Hello for a single laptop. While deploying the enterprise version of this service you’ll need to consider how your PCs are joined to Active Directory, how certificates are issues for your PCs, and how authentication rules should change for your users based on the conditions of their authentication requests.

A recent change to Windows Hello for Business makes it possible for you to do a limited deployment of Hello. This means that you can now pilot Windows Hello for Business without enabling this service for everyone in your environment.

A full enterprise deployment of Windows Hello for Business can be fairly complex and is worthy of its own blog post. Since I’m out of space in this post, we’ll get into the enterprise deployment options for Windows Hello in my next post. Stay tuned!

Gain Visibility into Office 365 with Mailscape 365