Windows Hello


Windows Hello is Microsoft's name for the PIN and biometric sign-in features that are implemented through the Windows Credential Provider framework.

Windows Hello at its core provides a new, non-password credential for Windows 10 devices. Windows Hello implements 2FA/MFA: the credential combines something you have (a private key bound to the device) with something you know or are (the PIN or biometric gesture that unlocks it), which is much more difficult to bypass than protection that hinges solely on a correct username and password combination.

Windows Hello for Business credentials are asymmetric key pairs rather than shared secrets; the same platform authenticator is exposed to applications through the Web Authentication API (WebAuthN).

Windows Hello works with Azure AD, Microsoft Active Directory and third-party federation servers that support the necessary extensions to OAuth 2.0 and OpenID Connect 1.0.

Windows Hello may also be used with browsers that support the Web Authentication API (WebAuthN).

In a future release of Windows 10, Windows logon will support SAML identity providers, not just identities federated to ADFS and other WS-Federation providers.

With a password, the secret itself is transmitted to the Domain Controller for verification; a Windows Hello PIN never leaves the device. The PIN is tied to one device, so if it is compromised, only that one device is affected. Backed by a Trusted Platform Module (TPM) chip, Windows uses the PIN only to authorize use of a strong asymmetric key pair whose private key is generated and held inside the TPM; authentication is a signature over a challenge with that key, and the TPM's anti-hammering lockout limits how often a PIN can be tried, which is why a much simpler PIN is resilient to brute-force attacks.
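The key-pair mechanism above, as an added example (not Ldapwiki's or Microsoft's code): a signing key is created inside the TPM through the same key storage provider Windows Hello uses for its keys ("Microsoft Platform Crypto Provider"), a server-style challenge is signed with it, the signature is verified using nothing but the exported public key, and the private half is shown to be non-exportable. It assumes a TPM is present and that the key name LdapwikiHelloDemoKey is free; the PIN/biometric gate that Windows Hello places in front of the key is not reproduced here.

```powershell
# Added example, not Microsoft's or Ldapwiki's code. Requires a TPM.
# Creates an RSA signing key in the TPM key storage provider, signs a challenge,
# verifies with only the public key, and shows the private key cannot be exported.
using namespace System.Security.Cryptography

$KeyName = 'LdapwikiHelloDemoKey'   # assumed, arbitrary name; deleted at the end

function New-TpmSigningKey {
    param([string]$Name)
    $p = [CngKeyCreationParameters]::new()
    $p.Provider           = [CngProvider]::new('Microsoft Platform Crypto Provider')  # TPM KSP
    $p.KeyUsage           = [CngKeyUsages]::Signing
    $p.ExportPolicy       = [CngExportPolicies]::None      # private key stays in the TPM
    $p.KeyCreationOptions = [CngKeyCreationOptions]::None  # per-user key, like a Hello (NGC) key
    $p.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(2048), [CngPropertyOptions]::None))
    return [CngKey]::Create([CngAlgorithm]::Rsa, $Name, $p)
}

# "Device side": sign the server's challenge with the TPM-held key.
function Get-ChallengeSignature {
    param([CngKey]$Key, [byte[]]$Challenge)
    $rsa = [RSACng]::new($Key)
    return $rsa.SignData($Challenge, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# "Server side": verify using only the public key registered at provisioning time.
function Test-ChallengeSignature {
    param([byte[]]$PublicBlob, [byte[]]$Challenge, [byte[]]$Signature)
    $pub = [CngKey]::Import($PublicBlob, [CngKeyBlobFormat]::GenericPublicBlob)
    $rsa = [RSACng]::new($pub)
    return $rsa.VerifyData($Challenge, $Signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

$key = New-TpmSigningKey -Name $KeyName
try {
    # Provisioning: only the public blob is ever sent to the identity provider.
    $publicBlob = $key.Export([CngKeyBlobFormat]::GenericPublicBlob)

    # Sign-in: the server sends a fresh random challenge, the device signs it.
    $challenge = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($challenge)
    $signature = Get-ChallengeSignature -Key $key -Challenge $challenge
    "Signature over challenge verifies : $(Test-ChallengeSignature $publicBlob $challenge $signature)"

    # A replayed signature does not verify against a different challenge.
    $other = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($other)
    "Same signature, new challenge     : $(Test-ChallengeSignature $publicBlob $other $signature)"

    # The private key cannot be pulled out of the TPM, even by the key's owner.
    try {
        [void]$key.Export([CngKeyBlobFormat]::GenericPrivateBlob)
        "Private key export                : succeeded (key is not TPM-bound?)"
    } catch [System.Security.Cryptography.CryptographicException] {
        "Private key export                : refused ($($_.Exception.Message.Trim()))"
    }
} finally {
    $key.Delete()   # remove the demo key from the TPM key storage provider
}
```

The second verification deliberately fails: a signature is bound to the challenge it was made over, so an attacker who captures one cannot replay it. On a machine without a TPM, key creation throws; the script does not fall back to the software provider, because that would silently demonstrate the wrong property.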

Windows Hello (Windows Hello Hardware Authenticator and Windows Hello Software Authenticator) was certified as FIDO2 Compliant in 2019.

Windows Hello Marketing#

When Windows 10 was first introduced, Microsoft Windows multi-factor authentication was provided by two components: Windows Hello and Microsoft Passport (not to be confused with the Passport platform of 1998). Microsoft Passport was later merged into Windows Hello.

Windows Hello For Business#

Windows Hello For Business is the enterprise version of Windows Hello.

Windows Hello, as you may know, is Microsoft's premier passwordless solution for devices where the user and device share a one-to-one relationship. Each user on the device gets one private key that is authorized for use by a simple gesture: a PIN, face, or fingerprint.

Windows Hello for Business is an enhanced Windows Hello that always uses two factors: possession of the private key (bound to the device) and the gesture used to authorize its use.

Windows Hello PIN#

Why Microsoft chose the word PIN (Personal Identification Number) is beyond Ldapwiki. The Windows Hello PIN is a Credential that is much more than numbers: when policy allows it, it can contain letters and special characters, like a Password.

Windows Hello - WebAuthN - Azure#

In the Azure AD Connect hybrid model, a WebAuthN sign-in to Windows with a Windows Hello credential obtains both cloud and on-premises tokens:

  1. The user authenticates to Azure AD with a WebAuthN Authenticator.
  2. Azure AD checks the tenant for a Kerberos server key matching the user's on-premises AD DOMAIN.
  3. Azure AD returns a partial TGT (it carries the user's SID but no group or other authorization data) to Windows along with the Azure AD Primary Refresh Token (PRT).
  4. Windows contacts an on-premises AD Domain Controller and trades the partial TGT for a full TGT.
  5. Windows now has an Azure AD PRT and a full Microsoft Active Directory TGT.
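A way to check that a device actually reached the end state of this flow, as an added example (not Ldapwiki's or Microsoft's code): the "Name : Value" lines of dsregcmd /status are parsed and the fields that matter here (Hello key provisioned, PRT present, on-premises and cloud TGTs obtained) are reported. The field names are those printed by current Windows 10/11 builds; older builds omit OnPremTgt and CloudTgt, which the check reports as not present rather than failing to parse. The sample output embedded below is constructed and abridged, not captured from a real device.

```powershell
# Added example, not Microsoft's or Ldapwiki's code.
# Parses dsregcmd /status output and reports the Windows Hello hybrid sign-in state.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # "   AzureAdPrt : YES" -> AzureAdPrt = YES. Only the first colon splits,
        # so values that contain colons (URLs, timestamps) survive intact.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HelloHybridState {
    param([hashtable]$State)
    # dsregcmd field -> what a YES means for the flow described on this page
    $checks = [ordered]@{
        'AzureAdJoined' = 'device is Azure AD joined'
        'NgcSet'        = 'Windows Hello key provisioned for this user'
        'TpmProtected'  = 'device key is held in the TPM'
        'AzureAdPrt'    = 'Azure AD Primary Refresh Token present'
        'OnPremTgt'     = 'full on-premises AD TGT obtained'
        'CloudTgt'      = 'Azure AD Kerberos (cloud) TGT obtained'
    }
    $results = foreach ($field in $checks.Keys) {
        if ($State.ContainsKey($field)) { $value = $State[$field] } else { $value = '(not reported)' }
        [pscustomobject]@{
            Field   = $field
            Meaning = $checks[$field]
            Value   = $value
            Ok      = ($value -eq 'YES')
        }
    }
    return $results
}

# Constructed sample (abridged, not from a real device) so the parser runs offline.
# On a real machine use:  $lines = & dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
       AzureAdPrtAuthority : https://login.microsoftonline.com/contoso.example
                 OnPremTgt : YES
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
Test-HelloHybridState -State $state | Format-Table -AutoSize
```

In the constructed sample CloudTgt is absent, so that row shows "(not reported)" with Ok = False; OnPremTgt : YES is the line that confirms step 4 of the flow completed, and AzureAdPrt : YES confirms step 3. A device that shows NgcSet : YES but AzureAdPrt : NO has a Hello key but never finished the cloud sign-in.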

More Information#

There might be more information for this subject on one of the following: