Overview#Windows Hello is Microsoft's umbrella (marketing) name for a family of sign-in methods implemented as Windows Credential Providers.
At its core, Windows Hello provides a non-password credential for Windows 10 devices. It is a two-factor (2FA/MFA) credential: something you have (a key bound to the device) combined with something you know or something you are (a PIN or a biometric gesture), which is much harder to bypass than protection that hinges solely on a correct username and password combination.
With password sign-in, the password (or a hash derived from it) is transmitted to the domain controller; a Windows Hello PIN is not. The PIN is tied to one device and never leaves it, so a compromised PIN affects only that device. Backed by a Trusted Platform Module (TPM), Windows uses the PIN to unlock a strong asymmetric key pair whose private key is generated and held in the TPM, and the TPM throttles repeated wrong PIN entries (anti-hammering); that is what makes a much simpler PIN resilient to brute-force attacks. Multi-factor authentication on Windows was originally provided by two components, Windows Hello and Microsoft Passport (not to be confused with the Passport platform of 1998); Microsoft Passport was later merged into Windows Hello.
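The following PowerShell script is an added simulation of the credential model described above; it is not Windows or Microsoft code. The TPM is stood in for by a script-scoped table that holds the private key, gates its use behind a PIN and counts wrong PIN attempts, and the identity provider side keeps only the public key and issues one-time challenges. It shows why the PIN never needs to cross the network and why a captured response cannot be replayed. The user name, PIN and lockout threshold are constructed values, and it assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7 or later (for ECDsa.ExportParameters).

```powershell
# Added simulation of the Windows Hello credential model; not Windows or Microsoft code.
# The "TPM" is a script-scoped table: the private key never leaves it, a PIN gates its use,
# and wrong PINs are counted (anti-hammering). User name, PIN and MaxTries are constructed.
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256

function Get-Digest([string]$Text) {
    $h = [System.Security.Cryptography.SHA256]::Create()
    return [Convert]::ToBase64String($h.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text)))
}

# ---- Device side ("TPM"): key pair generated at enrollment, unlocked by the PIN ----
$script:Device = @{
    Key         = [System.Security.Cryptography.ECDsa]::Create()   # private key stays in this table
    PinDigest   = $null
    FailedTries = 0
    MaxTries    = 5   # simulated anti-hammering threshold (constructed; a real TPM backs off progressively)
}

function Set-DevicePin([string]$Pin) { $script:Device.PinDigest = Get-Digest $Pin }

function Get-DevicePublicKey {
    # ExportParameters($false) exports only the public point Q; the private scalar D is never exported.
    return $script:Device.Key.ExportParameters($false)
}

function Invoke-DeviceSign([string]$Pin, [byte[]]$Challenge) {
    $d = $script:Device
    if ($d.FailedTries -ge $d.MaxTries) { throw "PIN locked after $($d.MaxTries) failures (anti-hammering)" }
    if ((Get-Digest $Pin) -ne $d.PinDigest) {
        $d.FailedTries++
        throw "Wrong PIN ($($d.FailedTries) of $($d.MaxTries) attempts used)"
    }
    $d.FailedTries = 0
    # The PIN is consumed locally; what leaves the device is a signature over the challenge.
    return $d.Key.SignData($Challenge, $Sha256)
}

# ---- Identity provider side: holds only public keys and issues one-time challenges ----
$script:Idp = @{ Keys = @{}; Nonces = @{} }

function Register-DeviceKey([string]$User, $PublicParams) {
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($PublicParams)      # public parameters only
    $script:Idp.Keys[$User] = $verifier
}

function New-LogonChallenge([string]$User) {
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $script:Idp.Nonces[$User] = $nonce
    return $nonce
}

function Test-LogonResponse([string]$User, [byte[]]$Signature) {
    $nonce = $script:Idp.Nonces[$User]
    if (-not $nonce) { return $false }            # no outstanding challenge for this user
    $script:Idp.Nonces.Remove($User)              # single use: a captured signature cannot be replayed
    return $script:Idp.Keys[$User].VerifyData($nonce, $Signature, $Sha256)
}

# ---- Enrollment, then a good sign-in, a replay of the captured response, and a wrong PIN ----
Set-DevicePin -Pin '2580'                                       # constructed PIN
Register-DeviceKey -User 'alice' -PublicParams (Get-DevicePublicKey)

$challenge = New-LogonChallenge -User 'alice'
$sig = Invoke-DeviceSign -Pin '2580' -Challenge $challenge
"Sign-in with correct PIN verified : $(Test-LogonResponse -User 'alice' -Signature $sig)"
"Replay of the same signature      : $(Test-LogonResponse -User 'alice' -Signature $sig)"

$challenge = New-LogonChallenge -User 'alice'
try   { $null = Invoke-DeviceSign -Pin '0000' -Challenge $challenge }
catch { "Device refused to sign       : $($_.Exception.Message)" }
```

The first verification succeeds, the replay fails because the nonce was consumed, and the wrong PIN is refused on the device without anything being sent. A real TPM does not store a PIN digest as this script does; the PIN is an authorization value the TPM enforces directly, and the lockout is progressive rather than a fixed count.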
Windows Hello For Business#Windows Hello for Business is the enterprise version of Windows Hello.
Windows Hello is Microsoft's premier passwordless solution for devices where the user and the device have a one-to-one relationship. Each user on the device gets one private key, whose use is authorized by a simple gesture: a PIN, face, or fingerprint.
Windows Hello for Business is an enhanced Windows Hello that always uses two factors: possession of the private key (bound to the device, ideally held in its TPM) and the gesture (PIN or biometric) used to authorize its use.
Cloud Only Deployment#Requirements for a cloud-only deployment:
- Windows 10, version 1511 or later
- Microsoft Azure account
- Azure Active Directory
- Azure Multi-Factor Authentication
- Modern management (Intune or a supported third-party MDM), optional
- Azure AD Premium subscription, optional; needed for automatic MDM enrollment when the device joins Azure Active Directory
Sign-in flow when the tenant also holds a Kerberos server key for the user's on-premises AD domain:
- The user authenticates to Azure AD with a WebAuthn authenticator (the Windows Hello for Business key or a FIDO2 security key).
- Azure AD checks the tenant for a Kerberos server key matching the user's on-premises AD domain.
- Azure AD returns a partial TGT to Windows together with the Azure AD Primary Refresh Token (PRT).
- Windows contacts an on-premises AD domain controller and trades the partial TGT for a full TGT.
- Windows now holds an Azure AD PRT and a full Active Directory TGT.
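The script below is an added check, not taken from the page's sources or from Microsoft, that verifies the device-side prerequisites listed above and whether a key-based sign-in produced the artifacts the flow ends with. It reads `dsregcmd /status`, `Get-Tpm` and `klist`, so run it in the signed-in user's own session (dsregcmd reports user state per session, and Get-Tpm needs an elevated prompt). Tenant-side items such as Azure MFA, Intune and licensing are not checked. The function names and the labels in the result table are this example's own; the dsregcmd field names (AzureAdJoined, NgcSet, TpmProtected, KeySignTest, AzureAdPrt) are the ones the tool prints.

```powershell
# Added check script (not Microsoft's): device-side prerequisites and sign-in outcome for
# Windows Hello for Business. Run in the user's own session; Get-Tpm needs elevation.

function Get-DsregStatus {
    # Flatten the 'Name : Value' lines of 'dsregcmd /status' into a hashtable.
    # Values may themselves contain colons (URLs), so only the first ' : ' splits.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*(?<name>[A-Za-z0-9]+)\s*:\s*(?<value>.*?)\s*$') {
            $status[$Matches.name] = $Matches.value
        }
    }
    return $status
}

function Get-DsregFlag($Status, [string]$Name, [string]$Expected) {
    # Distinguish "reported and wrong" from "not reported by this build of dsregcmd".
    if ($Status.ContainsKey($Name)) { return ($Status[$Name] -eq $Expected) }
    return 'not reported'
}

function Test-WhfbCloudOnlyState {
    $result = [ordered]@{}

    # Windows 10 version 1511 is build 10586; anything older has no Windows Hello for Business.
    $build = [System.Environment]::OSVersion.Version.Build
    $result['Windows 10 1511 or later (build >= 10586)'] = ($build -ge 10586)

    # The Hello key should be generated in a TPM; without one it is software-protected.
    try {
        $tpm = Get-Tpm
        $result['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        $result['TPM present and ready'] = "unknown (Get-Tpm failed: $($_.Exception.Message))"
    }

    $ds = Get-DsregStatus
    # Device registration and the user's Hello key.
    $result['Azure AD joined (AzureAdJoined)']            = Get-DsregFlag $ds 'AzureAdJoined' 'YES'
    $result['Hello key provisioned for user (NgcSet)']    = Get-DsregFlag $ds 'NgcSet'        'YES'
    $result['Device key is TPM-protected (TpmProtected)'] = Get-DsregFlag $ds 'TpmProtected'  'YES'
    $result['Device key signing works (KeySignTest)']     = Get-DsregFlag $ds 'KeySignTest'   'PASSED'
    # Outcome of the sign-in flow: a Primary Refresh Token from Azure AD ...
    $result['Azure AD PRT present (AzureAdPrt)']          = Get-DsregFlag $ds 'AzureAdPrt'    'YES'
    # ... and, when a partial TGT was exchanged with an on-premises DC, a TGT in the ticket cache.
    $tickets = & klist 2>$null
    $result['Kerberos TGT in cache (klist lists krbtgt/)'] = [bool]($tickets -match 'krbtgt/')

    return $result
}

Test-WhfbCloudOnlyState | Format-Table -AutoSize
```

A device that is Azure AD joined with Windows Hello for Business provisioned should show YES-derived True for AzureAdJoined, NgcSet and AzureAdPrt; a False for TpmProtected means the key was created in software and deserves a look at the TPM state, and an empty ticket cache on a device expected to reach on-premises resources means the partial-TGT exchange with the domain controller did not happen.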
More Information#There might be more information for this subject on one of the following:
- Microsoft Account
- Microsoft Passport
- Personal Identification Number
- Primary Refresh Token
- Windows Credential Provider
- Windows Hello
- [#1] - How to go beyond passwords in Windows 10 - based on information obtained 2020-01-06
- [#2] - Passwordless Web Authentication Support via Windows Hello - based on information obtained 2020-01-06
- [#3] - Windows 10 System Security - based on information obtained 2020-01-06
- [#4] - The difference between Windows Hello and Windows Hello for Business - based on information obtained 2020-01-07
- [#5] - W3C/FIDO2 WebAuthn APIs (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis)