What is Windows Hello, and how to enable it

Back to Blog

What is Windows Hello, and how to enable it

Windows 10 introduced a new security feature called “Hello,” which allows a computer to be unlocked via different means than a traditional username/password prompt.  The marketing around this sells it as a more “personalized” login experience–more “human” or whatever. But it’s really just extra security in disguise.

Why is a PIN better than a Password?

Many modern systems come with a Trusted Platform Module (TPM) chip.  This is a special piece of hardware on your motherboard that stores cryptographic information, and is unique to your device. Windows Hello leverages this chip during the logon process. What is happening here is actually pretty great, because no credentials are passed over a wire–Hello takes place completely within your device–your unique “Hello” to Windows depends on that specific piece of hardware as well as the personalized “Hello” that you have configured.

The key requirement for Hello is that you first choose a “PIN” instead of a password. That PIN is tied to your specific TPM chip & device. Some computers may also include an option to enable some other biometric form of Hello, like a fingerprint (if you have a reader), or facial recognition (like my Surface Pro, using a built-in infrared camera). If for some reason the fingerprint read or facial scan fails, you can always fall back on your PIN.

No password is being stored or transmitted to any remote servers in Hello, so there is no possibility of intercepting it in transit, etc. Therefore, a remote attacker cannot leverage your Hello to gain access to any of your information. If there is a key logger present on your system, for example, the attacker may learn your PIN, but they will not be able to do anything with it, without the actual, physical device in their possession.

IT Administrators, see here for configuring your Hello options–including enforcing PIN complexity requirements (which you should do). If you are a user who has full control/admin rights on their own machine, you can follow these steps to setup Hello:

Start > Settings > Accounts > Signin Options > Find Setup under Windows Hello. You may have to configure a PIN (if you don’t already have one), a fingerprint or face recognition (you need compatible hardware for those). Please pick a good, complex PIN (not 1234), and don’t re-use the same one you use everywhere (e.g. your bank card), or something like that. Keep it unique–using the same one everywhere defeats the whole purpose.


Leave a Reply

Back to Blog

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.