!!! Overview
[{$pagename}] is a [marketing] term used for [implementations] of the [Windows Credential Provider] functionality.
[{$pagename}] at its core provides a new, non-password credential for Windows 10 devices. [{$pagename}] implements 2FA/MFA, meaning multilayered security that is much more difficult to bypass than protection that hinges solely on a correct username and password combination.

Windows Hello for Business is based on the [Web Authentication API] ([WebAuthN]) [APIs].

[{$pagename}] works with [Azure], [Microsoft Active Directory] and [Third-party] [Federation] servers that support the necessary extensions to [OAuth 2.0] and [OpenID Connect] 1.0.

[{$pagename}] may also be used with [Browsers] that support [Web Authentication API] ([WebAuthN]).

In a future release of [Windows 10], [Windows Logon] will support [SAML] identity providers, not just identities federated to [ADFS] and other [WS-Federation] providers.

Unlike [passwords], which are transmitted to the [Domain Controller], [{$pagename}] [PINs] are not transmitted. They are tied to one [device|Local device], and if compromised, only one device is affected. Backed by a [Trusted Platform Module] ([TPM]) chip, [Microsoft Windows] uses [PINs] to create strong [Asymmetric Key] pairs, which makes the much-simpler Windows [PINs] resilient to brute-force attacks.

[{$pagename}] ([{$pagename}] [Hardware] [Authenticator|Platform Authenticator] and [{$pagename}] Software [Authenticator|Virtual Authenticator]) was certified as [FIDO2] Compliant in [2019|Year 2019].

!! [{$pagename}] [Marketing]
When Windows 10 was first introduced, [Microsoft Windows] [Multi-Factor Authentication] was provided by two components: [{$pagename}] and [Microsoft Passport] (not to be confused with the Passport platform of [1998|Year 1998]). [Microsoft Passport] was merged into [Windows Hello].

!! Windows Hello For Business
Windows Hello For Business is the enterprise version of [{$pagename}]. 

Windows Hello, as you may know, is Microsoft’s premier passwordless solution for devices where the user and device share a one-to-one relationship. Each user on the device gets one private key that is authorized by a simple gesture: a PIN, face, or fingerprint.

Windows Hello for Business is an enhanced [{$pagename}] that always uses two factors, with one being possession of the private key and the other being the gesture used for [Authorization].

* [Cloud] Only Deployment
** [Windows 10], version 1511 or later
** Microsoft [Azure] Account
** [Azure] Active Directory
** Azure [Multi-Factor Authentication]
** Modern Management (Intune or supported third-party MDM), optional
** [Azure] AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure [Active Directory|Microsoft Active Directory]

!! [{$pagename}] [PIN]
Why [Microsoft] wanted to use the word [PIN] ([Personal Identification Number]) is beyond [{$applicationname}]. The [{$pagename}] [PIN] is a [Credential] that is much more than numbers and can have [Password ]

!! [{$pagename}] - [WebAuthN] - [Azure]

In the hybrid model of AD Connect for [Azure], the [Implementation] of [WebAuthN] with [{$pagename}] works as follows:

[{Image src='/images/windows-hello-kerberos-hybird-webauthn.png' caption='windows-hello-kerberos-hybird-webauthn' align ='left' style='font-size: 120%;'}]
\\

# User authenticates to Azure AD with a WebAuthN Authenticator
# [Azure] AD checks the tenant for a [Kerberos] server key matching the user’s on-premises [AD DOMAIN].
** [Azure] AD generates a partial [Kerberos] [Ticket Granting Ticket] ([TGT]) for the user's on-premises [AD DOMAIN]. The [TGT] contains only the user [SID]. No [authorization] data ([groups|Group-AD] or [PAC]) are included in the [TGT].
# Windows contacts the on-premises AD Domain Controller and trades the partial TGT for a full TGT.
# The partial [TGT] is returned to Windows along with the [Azure] AD [Primary Refresh Token] ([PRT]).
# Windows now has [Azure] AD PRT and a full [Microsoft Active Directory] [TGT].
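
The partial-TGT exchange above, modelled as an added example (not code from this page or from Microsoft). It assumes the partial TGT is protected with the Kerberos server key and uses an HMAC tag as a stand-in for Kerberos encryption; all keys, SIDs, group names and function names are constructed. It shows that the on-premises DC, not Azure AD, supplies the authorization data.

```python
import hashlib
import hmac
import json

# Constructed sample data: all keys, SIDs and group names are made up.
KERBEROS_SERVER_KEY = b"constructed-azure-ad-kerberos-server-key"
KRBTGT_KEY = b"constructed-on-prem-krbtgt-key"
DIRECTORY_GROUPS = {"S-1-5-21-1111-2222-3333-1104": ["Domain Users", "Finance"]}


def seal(key, body):
    """Serialize a ticket body and append an HMAC tag (stand-in for Kerberos encryption)."""
    blob = json.dumps(body, sort_keys=True).encode()
    return blob + b"." + hmac.new(key, blob, hashlib.sha256).hexdigest().encode()


def open_ticket(key, ticket):
    """Verify the tag with a constant-time compare and return the body, or raise."""
    blob, _, tag = ticket.rpartition(b".")
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket integrity check failed")
    return json.loads(blob)


def azure_ad_issue_partial_tgt(user_sid):
    """Azure AD side: the partial TGT carries the user SID and nothing else."""
    return seal(KERBEROS_SERVER_KEY, {"type": "partial", "sid": user_sid})


def dc_exchange_partial_tgt(partial_tgt):
    """On-premises DC side: trade a valid partial TGT for a full TGT."""
    body = open_ticket(KERBEROS_SERVER_KEY, partial_tgt)
    # Only a bare SID is accepted; authorization data supplied by the
    # caller is rejected rather than copied into the full ticket.
    if set(body) != {"type", "sid"} or body["type"] != "partial":
        raise ValueError("not a partial TGT")
    if body["sid"] not in DIRECTORY_GROUPS:
        raise ValueError("unknown SID")
    # Groups come from the DC's own directory, never from the cloud ticket.
    full = {"type": "full", "sid": body["sid"], "groups": DIRECTORY_GROUPS[body["sid"]]}
    return seal(KRBTGT_KEY, full)


def read_full_tgt(full_tgt):
    """Helper for the demo: what a DC would see when the full TGT is presented."""
    return open_ticket(KRBTGT_KEY, full_tgt)
```
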

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [How to go beyond passwords in Windows 10|https://www.techrepublic.com/article/how-to-go-beyond-passwords-in-windows-10/|target='_blank'] - based on information obtained 2020-01-06 
* [#2] - [Passwordless Web Authentication Support via Windows Hello|https://blog.mozilla.org/security/2019/03/19/passwordless-web-authentication-support-via-windows-hello/|target='_blank'] - based on information obtained 2020-01-06 
* [#3] - [Windows 10 System Security|Wikipedia:Windows_10#System_security|target='_blank'] - based on information obtained 2020-01-06 
* [#4] - [The difference between Windows Hello and Windows Hello for Business|https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview#the-difference-between-windows-hello-and-windows-hello-for-business|target='_blank'] - based on information obtained 2020-01-07 
* [#5] - [W3C/FIDO2 WebAuthn APIs|https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis|target='_blank']