What is Windows Hello, and how to enable it

Back to Blog
20Apr2017

What is Windows Hello, and how to enable it

Windows 10 introduced a new security feature called “Hello,” which allows a computer to be unlocked via different means than a traditional username/password prompt.  The marketing around this sells it as a more “personalized” login experience–more “human” or whatever. But it’s really just extra security in disguise.

Why is a PIN better than a Password?

Many modern systems come with a Trusted Platform Module (TPM) chip.  This is a special piece of hardware on your motherboard that stores cryptographic information, and is unique to your device. Windows Hello leverages this chip during the logon process. What is happening here is actually pretty great, because no credentials are passed over a wire–Hello takes place completely within your device–your unique “Hello” to Windows depends on that specific piece of hardware as well as the personalized “Hello” that you have configured.

The key requirement for Hello is that you first choose a “PIN” instead of a password. That PIN is tied to your specific TPM chip & device. Some computers may also include an option to enable some other biometric form of Hello, like a fingerprint (if you have a reader), or facial recognition (like my Surface Pro, using a built-in infrared camera). If for some reason the fingerprint read or facial scan fails, you can always fall back on your PIN.

No password is being stored or transmitted to any remote servers in Hello, so there is no possibility of intercepting it in transit, etc. Therefore, a remote attacker cannot leverage your Hello to gain access to any of your information. If there is a key logger present on your system, for example, the attacker may learn your PIN, but they will not be able to do anything with it, without the actual, physical device in their possession.

IT Administrators, see here for configuring your Hello options–including enforcing PIN complexity requirements (which you should do). If you are a user who has full control/admin rights on their own machine, you can follow these steps to setup Hello:

Start > Settings > Accounts > Signin Options > Find Setup under Windows Hello. You may have to configure a PIN (if you don’t already have one), a fingerprint or face recognition (you need compatible hardware for those). Please pick a good, complex PIN (not 1234), and don’t re-use the same one you use everywhere (e.g. your bank card), or something like that. Keep it unique–using the same one everywhere defeats the whole purpose.

 

Technical , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

17Dec

The many ways to prevent data leakage in Microsoft 365

Office 365 Data Loss Prevention (DLP), Windows Information Protection (aka Endpoint DLP), Conditional Access App Enforced Restrictions, Conditional Access App Control with Microsoft Cloud App security, Sensitivity labels, Retention labels--are you thoroughly confused yet? All of the above can help you to prevent the leakage... read more
17Aug

5 Steps to Better Credit Card Handling on Your Network

The requirements for PCI compliance are... high. Performing a risk assessment alone is a time-consuming process, to say nothing of an actual audit. Which is unfortunate for small and mid-sized businesses, since most of them don't even need to store credit card numbers locally (and in... read more
16Mar

Why You Should Avoid Single Label Domains

What is a Single Label Domain (SLD)?  This is a term that Microsoft uses to describe domains which have only a single name, and no suffix such as ".local" or ".com."  For example, your Active Directory domain might have a name like "company.local," but if it... read more
07Jun

Assume Breach: Where Microsoft 365 Business misses on Security (and how to fix it)

Yeah yeah, we've all heard the sob story over Azure AD Premium before. I'm told things may be changing here in the near future, but assuming Conditional access falls into place soon, I believe Microsoft 365 Business would remain lacking when it comes to security. The... read more
20Nov

How to leverage Conditional Access policies to make MFA less annoying: Require only for unmanaged devices

Multi-factor authentication is something I strongly believe in and recommend to all of my customers. But no matter how much I harp on it, most of them don't want to implement it, or  they try it out, then beg me to roll back, because... well...... read more
20Aug

How to configure Advanced Threat Protection (ATP) part 1: anti-phishing

In a previous post, I covered some of the basic anti-spam/anti-malware protections included with Office 365/Exchange Online. Today I want to explore an add-on subscription called Advanced Threat Protection (ATP), which leverages some fancy pants machine learning and other advanced AI-like tech to detect zero-day... read more
20Jun

A framework for implementing device-based Conditional access with Microsoft Intune

I recently shared a set of scripts to help make deployment of Intune a bit quicker. Today I just want to cover a framework which can be used for deploying device-based conditional access in conjunction with your baseline policy set. The main crux of the... read more
Simple Sensitivity Label design for the SMB
11Jun

Simple Sensitivity Label design for the SMB

In the recent updates to the CIS Controls (v8), one of the most noticeable changes was the re-prioritization of Data Protection (now Control #3, up from #13 previously). This control calls out a number of safeguards: inventory of sensitive data and data classification is among... read more
01Sep

A simpler Conditional Access baseline

Some folks have written to me about the "complexity" of my Conditional Access guide and were hoping to find something a bit simpler. This surprised me, and initially I shrugged it off. But I have heard this feedback more than once now, so I decided... read more
26Jan

How to prepare for a HIPAA technical risk assessment or audit

I have had to help a number of smaller-sized health services clinics with this kind of thing recently, so I figured a place to collect notes on these experiences was in order. Hopefully others will find it valuable; just know that there is no such... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me