Microsoft Apr 15, 2020

Secure authentication with Windows Hello for Business.

Complex passwords only provide a limited amount of protection - even if they are changed regularly. Windows Hello for Business has reinvented the authentication process for the modern world of work.

Uwe Bauer
Senior System Engineer Modern Workplace Solutions

Complex passwords have their downsides.

Passwords are a weak link in the security chain, even if they are made up of a combination of at least 8 letters, numbers and special characters and are changed every 3 months. That’s because a password has to be stored on the network side. Whether it is kept as a hash value or encrypted doesn’t matter: it still exists somewhere to identify the user. This can be dangerous when your company is hacked or compromised. We know from experience that users like to reuse their passwords on more than one site because it’s easier than having to remember several. The risk of being tricked into revealing them in a phishing attack is also greater than you might think.


How to log in securely.

It is critical that the information saved on the network and the information saved on the user’s end device do not match. Yes, that’s right: they should not match. This is an asymmetric approach, similar to how security certificates work with a private and a public key. The public key is stored within the infrastructure (in this case, Microsoft Azure), while the private key remains on the end device, protected by a TPM chip, and cannot be removed. During login, the private key is unlocked using, for example, biometrics via a Windows Hello camera. Your device then receives an authentication token from the Microsoft Azure directory without a password ever being transmitted.
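The asymmetric login described above, reduced to a challenge-response model, as an added example (not from the original article and not Microsoft's implementation). `Directory`, `Enroll`, `Challenge`, `Sign` and `Verify` are hypothetical names; Ed25519 and an in-memory key are assumptions standing in for the TPM-protected key, and the `unlocked` flag stands in for the biometric or PIN gesture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Directory struct {
	pub   ed25519.PublicKey // all the network side stores (hypothetical model)
	nonce []byte            // pending single-use challenge
}

func Enroll() (ed25519.PrivateKey, *Directory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, &Directory{pub: pub}, err // only the public half is registered
}

// Challenge issues a fresh random nonce for the device to sign.
func (d *Directory) Challenge() []byte {
	d.nonce = make([]byte, 32)
	if _, err := rand.Read(d.nonce); err != nil {
		panic(err) // no entropy: never issue a predictable challenge
	}
	return d.nonce
}

// Sign is the device side: the key (assumed stand-in for a TPM key) signs only if unlocked.
func Sign(key ed25519.PrivateKey, nonce []byte, unlocked bool) ([]byte, error) {
	if !unlocked {
		return nil, fmt.Errorf("private key locked: unlock gesture failed")
	}
	return ed25519.Sign(key, nonce), nil
}

// Verify checks sig against the stored public key and consumes the nonce.
func (d *Directory) Verify(sig []byte) bool {
	defer func() { d.nonce = nil }() // single use: a captured signature cannot be replayed
	return d.nonce != nil && ed25519.Verify(d.pub, d.nonce, sig)
}

func main() {
	key, dir, err := Enroll()
	if err != nil {
		panic(err)
	}
	sig, _ := Sign(key, dir.Challenge(), true) // unlocked, so no error
	fmt.Println("login:", dir.Verify(sig), "replay:", dir.Verify(sig))
}
```

A copy of the directory record contains nothing that can produce a valid signature, which is the property the paragraph above relies on.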

Seamless integration into apps and services.

These days, many services are secured with multi-factor authentication, but this is at the expense of convenience. If you are working from home or connected to a public network, a PIN which is sent via SMS or an app has to be entered every time. Windows Hello for Business enables secure biometric login, but that’s not all. You can also configure a further raft of security features.


Maybe you need a bit more...

For extra security, you can also add a PIN generated by the Microsoft Authenticator App, which also checks whether the phone is close to the Windows device. This lets you ensure that the device locks as soon as the phone is moved away, enhancing the strict “15 minutes until the device is locked” rule.


More secure without passwords.

Protect your business from a security vulnerability that you may not have known existed at the start of this blog! Bechtle offers a wide range of support for the strategic implementation of Windows Hello for Business. From choosing the right end device to installation - we are the reliable partner by your side. Interested in learning more? Then give us a call!