Windows Hello for Business – Review

SDO Marketing Staff | July 19, 2018

Just a few years ago, biometric logins were the stuff of science fiction and technophiles.

Today, the market has produced a slew of tools that have made biometrics available for the common user.

Microsoft’s biometric solution, Windows Hello for Business (WHB), is one of the industry’s most successful platforms designed for enterprise-wide use.

Let’s start with the basics:

What Does it Do

Released in 2015, Windows Hello gave Windows 10 users an alternative way to sign in to their devices and applications without typing a password. It offers three biometric options, facial, iris and fingerprint recognition, alongside a PIN.

Centrality and Control

The strengths of Windows Hello for Business lie in the system's scalability and in the centralized management it gives an organization's administrators.

Windows Hello for Business takes the Hello idea (the biometric framework) and bundles it with management tools and enforcement mechanisms, so that a uniform security profile and security posture can be applied across the whole enterprise. To accomplish this, it uses Group Policy or mobile device management (MDM) policies for management and enforcement, and relies on key-based and certificate-based authentication, which in most cloud-focused scenarios is where its protection comes from.

So Windows Hello for Business does provide a workable administration scheme for businesses and is easily extended throughout an organization. However, the design carries some serious drawbacks, all of which leave users boxed in when it comes to implementation and ease of use.

Why is Windows Hello considered stronger than a traditional password?

Every security expert will advise adding multi-factor authentication (MFA). Windows Hello for Business provides an easy MFA solution for Windows users who have compatible hardware or who add a dedicated peripheral.

Keeping the private key in dedicated, hardened hardware is a model already widely used in the mobile industry (Apple's Secure Enclave); on Windows that role is played by the Trusted Platform Module (TPM). The key is generated inside the chip and cannot be exported from it, and the chip cannot be reached remotely: an attacker who gains code execution on the machine can at most use the key while the device is unlocked, not copy it. The biometric template and the PIN are matched locally on the device and only unlock that key; neither is sent over the network or stored on the server. This makes the credential far safer than a password or password hash stored on disk, and it is not susceptible to credential stuffing (there is no reusable secret to stuff) or to credential-dumping tools such as Mimikatz, which rely on secrets that can be read out of memory or the SAM database.

Only Available for Windows

Windows Hello for Business is a feature of Windows 10, so only machines running that operating system can use it. At this time, Microsoft is not developing clients for other platforms (Linux, iOS, etc.).

Limited Compatibility

To use Windows Hello or its business version with biometrics, a user must have a compatible machine: one with a supported sensor, such as an infrared camera for face recognition or a fingerprint reader. If a given device does not support Hello, the user must buy a peripheral to add the capability, which is not a practical way to roll the technology out across an organization.

No Logins from Different Machines

The Windows Hello model also limits worker flexibility by restricting the workstations or devices from which they can sign in.

Hello's authentication scheme pairs a user's gesture (a biometric or a PIN) with a cryptographic key pair; the key, not the biometric or the PIN, is what replaces the password as an authentication factor. The private key is generated and kept inside specialized security hardware (the TPM) or, on machines without one, protected in software, and it is released for use only once the gesture has succeeded.

The same model applies to Windows Hello for Business's secondary method.

For organizations uninterested in biometrics, Windows Hello also supports a PIN. The PIN is never transmitted over the network; it is checked locally and unlocks the private key stored on the device, which then signs the server's challenge. Because the key is bound to the machine it was created on, it cannot be carried to another device: a user who wants to sign in from a second workstation must enroll there separately and ends up with a distinct key per device.
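To make the mechanism in the last two paragraphs concrete, here is a small model of the device-bound, key-based sign-in flow, written for this review as an added example; it is not Microsoft's code. The signature scheme (a Lamport one-time signature built on SHA-256) and the salted-hash PIN check are stand-ins chosen so the example runs on Python's standard library alone; the real product uses an RSA or ECC key held by the TPM and the TPM's own anti-hammering PIN logic. The user names, device names and PIN values are constructed for the demo.

```python
"""Toy model of the Windows Hello for Business sign-in: a gesture (here a PIN)
unlocks a private key that never leaves the device; the key signs a server nonce;
the server holds only public keys, one per (user, device).  Added example, not
Microsoft's code.  Lamport signatures and the hashed-PIN check are stand-ins."""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    digest = int.from_bytes(sha256(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


class DeviceTpm:
    """Stand-in for the TPM on one machine.  The private key is generated inside
    and is never exported; it can sign only after the PIN gesture unlocks it."""

    def __init__(self, pin: str):
        # Lamport one-time key: 256 pairs of random 32-byte secret preimages.
        self._private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        self.public_key = [(sha256(a), sha256(b)) for a, b in self._private]
        # Assumption: a salted hash stands in for the TPM's own PIN protection.
        self._pin_check = sha256(b"toy-pin-salt" + pin.encode())
        self._unlocked = False
        self._used = False

    def unlock(self, pin: str) -> bool:
        """The PIN is compared locally; it is never sent to the server."""
        candidate = sha256(b"toy-pin-salt" + pin.encode())
        self._unlocked = hmac.compare_digest(candidate, self._pin_check)
        return self._unlocked

    def sign(self, msg: bytes) -> list:
        if not self._unlocked:
            raise PermissionError("key is locked until the PIN or biometric gesture succeeds")
        if self._used:
            raise RuntimeError("toy one-time key already used; the real TPM key is reusable")
        self._used = True
        # Reveal one preimage per message bit; the other stays secret.
        return [self._private[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(public_key, msg: bytes, signature) -> bool:
    """Each revealed preimage must hash to the public-key half selected by that bit."""
    if len(signature) != 256:
        return False
    return all(sha256(s) == public_key[i][bit]
               for i, (s, bit) in enumerate(zip(signature, message_bits(msg))))


class IdentityProvider:
    """The server side (Azure AD or on-premises AD in the real deployment).  It
    stores only public keys, one per (user, device), and a fresh nonce per sign-in."""

    def __init__(self):
        self._keys = {}        # (user, device_id) -> public key registered at enrollment
        self._nonces = set()   # outstanding challenges, consumed on use

    def enroll(self, user: str, device_id: str, public_key) -> None:
        self._keys[(user, device_id)] = public_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._nonces.add(nonce)
        return nonce

    def authenticate(self, user: str, device_id: str, nonce: bytes, signature) -> bool:
        public_key = self._keys.get((user, device_id))
        if public_key is None or nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)  # a nonce is good for exactly one attempt
        return verify(public_key, nonce, signature)


def sign_in(idp: IdentityProvider, user: str, device_id: str, tpm: DeviceTpm, pin: str) -> bool:
    """What the Windows sign-in does: the gesture unlocks the key, the key signs the nonce."""
    nonce = idp.challenge()
    if not tpm.unlock(pin):
        return False
    try:
        signature = tpm.sign(nonce)
    except PermissionError:
        return False
    return idp.authenticate(user, device_id, nonce, signature)


def demo() -> dict:
    """Constructed scenario: one enrolled laptop, one machine that was never enrolled."""
    idp = IdentityProvider()
    laptop = DeviceTpm(pin="482913")          # constructed sample PIN
    idp.enroll("alice", "LAPTOP-01", laptop.public_key)
    desktop = DeviceTpm(pin="482913")         # same user, same PIN, no enrolled key
    return {
        "wrong_pin": sign_in(idp, "alice", "LAPTOP-01", laptop, "000000"),
        "unenrolled_device": sign_in(idp, "alice", "DESKTOP-02", desktop, "482913"),
        "enrolled_device": sign_in(idp, "alice", "LAPTOP-01", laptop, "482913"),
    }
```

Three things the model makes visible: the identity provider never sees the PIN, only a signature over its own nonce; a captured signature cannot be replayed, because each nonce is consumed and a different nonce hashes to different bits; and the second machine fails even though the same user types the same PIN, because the credential is the key bound to the first device, and a separate enrollment on the second machine would give that user a second, unrelated key. The one-time restriction on the toy key is a property of Lamport signatures, not of Windows Hello.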

No Escaping PINs

Interestingly, many users get this point wrong. They assume that the PIN requirement can be disabled entirely so that Hello uses face or fingerprint alone. That is not possible on Hello's platform. The system was designed with a fallback for situations in which biometrics cannot be used (a failed sensor, an injured finger, poor lighting), and the PIN is that fallback. There is therefore no option to remove the PIN credential for a particular user: every enrolled user holds a PIN, and its strength is whatever the length and complexity policy you enforce makes it.

Octopus’s Solution

The authentication technology of Secret Double Octopus addresses all of these implementation challenges.

The fully scalable platform is compatible with all of the common operating systems including Linux as well as iOS and Android.

The Octopus Authenticator requires no dedicated software and turns users’ personal smart devices into mobile authenticators.

The platform also allows private keys to be used away from the workstation, giving workers the flexibility to operate across the entire enterprise.
