It was a while since my last article on the blog.
Due to the private things that I had to figure out, I left for a month this blog and articles.
But not, I’m back stronger and with more power to work on those materials.
So let’s say Hello to the new series regarding Windows Hello
In this series, together with my colleague Bartlomiej Kosiak we are going to touch on three aspects of Windows Hello Implementation:
- Windows Hello for ‘home’ users (this article)
- Windows Hello for Business with Hybrid AD Join model (upcoming article)
- Windows Hello for Business with Azure AD Join model (upcoming article)
Why password is
bad / not good?
I remember the time when I was working on a Help Desk / Service Desk / Students Service Center 🙂 a couple of years ago. Most of the time was spent on the passwords resetting for users who forgot it or lost it…
At that time I will give 100 $ to the person who will make it easier and get rid of passwords somehow.
Everybody (or most of the people) knows that if someone has to create a new password it will be:
- either an iteration of the old password
- a mix of simple things like dates, names, places
- or something like the figure below
In order to avoid this, we can block ‘bad’/’simple’/’easy to guess’ passwords or implement something that we all know from our credit cards or mobile phones which is PIN.
If you want to see what are the TOP 1000 most common passwords for 2020 check this link:
On the other hand, you can still use password generators and password managers if you want, but the goal of this article is to show you how we can cover passwords with modern methods.
What is Windows Hello?
According to the Microsoft website Windows Hello is
a more personal, more secure way to get instant access to your Windows 10 devices using fingerprint, facial recognition, or a secure PIN. Most PC’s with fingerprint readers already work with Windows Hello, making it easier and safer to sign in to your PChttps://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
So, in other words, we can hide our old fashioned password behind:
- Something we know – PIN
- Something we have – Security keys and Cards
- Something we are – Facial Recognition, Fingerprint, and Retina
The figure below depicted the differences between passwords, 2FA/MFA, and passwordless authentication in 2 dimensions: security and convenience
Windows Hello benefits
Let’s sum up benefits of the Windows Hello usage:
- It is a built-in capability in Windows 10 (from version 1607)
- Integrates with Microsoft Passport service
- Speed up the login process
- Enhance security
- Make work easier
- Allows to mask password with biometry
Windows Hello requirements
Based on the Windows Hello configuration below, you can find the list of the requirements:
- Windows 10 (from OS version 1607+)
- Fingerprint sensor
- Windows Hello compatible camera
- TPM Module ( it is required for Windows Hello For business)
Windows Hello notice
Before we go deeper with the configuration, I want to remind you of one thing.
Windows Hello has to be configured for the user on each device that he has access to using his login.
If the user has four devices, he has to configure Windows Hello four times within his user account.
Windows Hello configuration
When we are 100% sure that Windows Hello requirements are met within our workstation, the next step is to go to Windows Settings
Then click on the Accounts area
On Your info screen, click Sign-In options from the left side menu
You will be moved to the Sign-in options screen, where you can find three Windows Hello related options:
- Windows Hello Face – Windows Hello compatible camera will take a picture of your face
- Windows Hello fingerprint – Windows Hello will scan your fingerprint
- Windows Hello PIN – Windows Hello will ask you for a pin.
Windows Hello PIN
The easiest and costless part of Windows Hello implementation is PIN usage.
I order to configure it, please follow steps from the Windows Hello configuration section, and on the Sign-in options screen, select Windows Hello PIN and click Add
You will be prompted to enter your account password
On Set up a PIN screen, you have to provide a PIN twice.
Please remember that PIN is covered by password complexity, so you will not be able to provide easy-to-guess values.
From this moment, you can use a PIN instead of the password on the workstation.
Windows Hello Face
When you have a workstation that has a camera compatible with Windows Hello, you can use Face to cover your password.
Same like in the section above, please follow steps from the Windows Hello configuration section, and on the Sign-in options screen, select Windows Hello Face and click Set up.
On the new screen Welcome to Windows Hello, click Get Started
Provide PIN and get ready for a face scan
After face scan, you will be informed that everything was configured properly.
From now during the Windows Logon process, you can use your camera to log in to the system.
Windows Hello Fingerprint
To start configuration, please follow steps from the Windows Hello configuration section, and on the Sign-in options screen, select Windows Hello Fingerprint and click Set up
On the Windows Hello setup screen click Get started
Touch the fingerprint sensor with the first finger.
After scanning, you will be informed that fingerprint scanning was completed, and you can now use the Windows Hello Fingerprint feature.
Now you can use a fingerprint instead of an account password.
In this article, we went through the Windows Hello basic configuration.
The main takeaways are:
- Windows Hello covers password with PIN, fingerprint, face scan
- Windows Hello is working on the device where it is configured
- Windows Hello is a built-in feature
Stay tuned for the next article related to Windows Hello for Business – Hybrid AD join.