Windows Hello


Windows Hello is a marketing term used for implementations of the Windows Credential Provider functionality.

Windows Hello works with Azure, Microsoft Active Directory and Third-party Federation servers that support the necessary extensions to OAuth 2.0 and OpenID Connect 1.0.

Windows Hello may also be used with Browsers that support the Web Authentication API (WebAuthn).

In a future release of Windows 10, Windows Logon will support SAML identity providers, not just identities federated to ADFS and other WS-Federation providers.

Windows Hello allows passwords to be transmitted to the Domain Controller; PINs are not. PINs are tied to one device, and if one is compromised, only that device is affected. Microsoft Windows uses PINs, backed by a Trusted Platform Module (TPM) chip, to create strong Asymmetric Key pairs, which makes the much simpler Windows PINs resilient to brute-force attacks.
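A simplified model of the behaviour described above, as an added example that is not Microsoft's code or part of the original page: the device keeps the PIN and private key, the server stores only the public key, and a lockout counter stands in for the TPM. The names `Device`, `Enroll`, `Sign`, `ServerVerify` and the threshold of 3 are assumptions, and Ed25519 is used only for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

const maxFailures = 3 // assumed lockout threshold, standing in for TPM anti-hammering

// Device models the local key container: the PIN and private key never leave it.
type Device struct {
	priv     ed25519.PrivateKey
	pin      string
	failures int
}

// Enroll creates a device-bound key pair; only the public key goes to the server.
func Enroll(pin string) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, pin: pin}, pub
}

// Sign answers the server's nonce only when the PIN matches and the device is not locked.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	if d.failures >= maxFailures {
		return nil, fmt.Errorf("device locked after %d bad PINs", d.failures)
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		d.failures++
		return nil, fmt.Errorf("wrong PIN")
	}
	d.failures = 0
	return ed25519.Sign(d.priv, nonce), nil
}

// ServerVerify sees only the nonce, the signature and the enrolled public key.
func ServerVerify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	dev, pub := Enroll("2580") // constructed sample PIN
	nonce := []byte("constructed server nonce")
	sig, err := dev.Sign("2580", nonce)
	fmt.Println("server accepts:", err == nil && ServerVerify(pub, nonce, sig))
}
```

The same PIN enrolled on a second device yields a different key pair, so a signature from one device does not verify against the other's public key.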

Windows Hello Marketing#

When Windows 10 was first introduced, Microsoft Windows Multi-Factor Authentication was provided by two components: Windows Hello and Microsoft Passport (not to be confused with the Passport platform of 1998). Microsoft Passport was merged into Windows Hello.

Windows Hello For Business#

Windows Hello For Business is the enterprise version of Windows Hello. The differences are not clearly defined, at least by Ldapwiki's observation, but we found this:
Windows Hello for Business, which is configured by Group Policy Object or Mobile Device Management (MDM) policy, always uses Asymmetric Key Cryptography or certificate-based authentication. This makes it much more secure than Windows Hello convenience PIN.

So Ldapwiki assumes this implies that PIN-based authentication is not available in Windows Hello For Business as a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by Asymmetric Key Cryptography or certificate-based authentication.
