Configure PIN – Manage identity and compliance

To avoid authenticating with passwords, Microsoft provides an authentication method that uses a PIN. When you set up Windows Hello, you're asked to create a PIN first. This PIN lets you sign in when you can't use your preferred biometric, for example because of an injury or because the sensor is unavailable or not working properly. The PIN provides the same level of protection as a Windows Hello biometric gesture: both are local gestures that unlock the same device-bound credential, and neither leaves the device.

Windows Hello PIN provides secure authentication without sending a password to an authenticating authority, such as Azure AD or an AD DS domain controller. Windows Hello for Business is compliant with the FIDO2 (Fast IDentity Online) framework for end-to-end multifactor authentication.

By default, a user cannot use a PIN alone (known as a convenience PIN) on a domain-joined device. A convenience PIN only unlocks the account's stored password and is not backed by a key pair, so Windows disables it for domain accounts unless an administrator enables the Turn on convenience PIN sign-in Group Policy setting, which is not recommended. Figure 2-5 shows that the PIN settings are labeled Windows Hello PIN. To configure Windows Hello, the user must already be signed in with a local account, a domain account, a Microsoft account, or an Azure AD account. The user can then set up PIN authentication associated with the credential for that account.

FIGURE 2-5 Configuring Windows Hello PIN

After a user has completed the registration process, Windows Hello for Business generates a new public-private key pair on the device, known as a protector key. If the device has a Trusted Platform Module (TPM), the TPM generates and stores this protector key, and the private key never leaves the TPM; if the device does not have a TPM, Windows encrypts the protector key and stores it on the file system, where it is protected only by software and is therefore easier to extract from a compromised or stolen device. To prevent software-backed keys, enable the Use a hardware security device policy, which blocks Windows Hello for Business provisioning on devices without a usable TPM. Windows Hello for Business also generates an administrative key that can be used to reset credentials if necessary.
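To verify which case a device falls into, the following PowerShell script, added here as an example and not taken from the book or from Microsoft, combines the TPM state reported by Get-Tpm with the device registration state reported by dsregcmd /status and the registry value written by the Use a hardware security device policy. It assumes that dsregcmd prints its fields as "Name : Value" lines containing NgcSet, KeyProvider and TpmProtected, and that the policy writes a RequireSecurityDevice DWORD under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork; both are assumptions about output and policy layout, and the script must be run in an elevated session by the user whose Windows Hello credential is being checked.

```powershell
# Added example (not from the book): does this device keep its Windows Hello for
# Business key in a TPM, and does policy require that it does?
# Assumptions: dsregcmd /status prints "Name : Value" lines with the fields
# NgcSet, KeyProvider and TpmProtected; the "Use a hardware security device"
# policy stores RequireSecurityDevice=1 under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork.

function ConvertFrom-DsregStatus {
    # Turn dsregcmd's "  Field : Value" lines into a hashtable; a later duplicate wins.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-HelloKeyProtection {
    # Get-Tpm comes from the TrustedPlatformModule module shipped with Windows 10/11
    # and needs an elevated session.
    $tpm   = Get-Tpm
    $dsreg = ConvertFrom-DsregStatus -Lines (& dsregcmd /status)

    # Assumed registry location of the "Use a hardware security device" policy.
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                            -Name RequireSecurityDevice -ErrorAction SilentlyContinue
    $requireTpm = ($null -ne $reg -and $reg.RequireSecurityDevice -eq 1)
    $usableTpm  = ($tpm.TpmPresent -and $tpm.TpmReady)

    $finding =
        if (-not $usableTpm -and $requireTpm) {
            'Policy requires a TPM but none is usable: Hello provisioning will be blocked'
        } elseif (-not $usableTpm) {
            'No usable TPM: Hello keys would be software-protected on the file system'
        } elseif (-not $requireTpm) {
            'TPM usable, but policy does not require it; consider enabling "Use a hardware security device"'
        } else {
            'TPM usable and required by policy'
        }

    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        HelloProvisioned      = ($dsreg['NgcSet'] -eq 'YES')
        DeviceKeyProvider     = $dsreg['KeyProvider']     # expect "Microsoft Platform Crypto Provider" for a TPM key
        DeviceKeyTpmProtected = ($dsreg['TpmProtected'] -eq 'YES')
        PolicyRequiresTpm     = $requireTpm
        Finding               = $finding
    }
}

Test-HelloKeyProtection | Format-List
```

The TpmProtected and KeyProvider fields describe the device registration key, not the user's Windows Hello key, so treat them as a strong hint rather than proof; the reliable control is the policy check, since with RequireSecurityDevice set a device without a usable TPM cannot complete Windows Hello for Business provisioning at all.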

Note Pairing of Credentials and Devices

Windows Hello for Business pairs a specific device and a user credential. Consequently, the PIN chosen by the user is associated only with the signed-in account and that specific device.

The user now has a PIN gesture defined on the device and an associated protector key for that PIN gesture. The user can now securely sign in to their device using the PIN and then add a biometric gesture as an alternative to the PIN. The gesture can be facial recognition, iris scanning, or fingerprint recognition, depending on the available device hardware. Adding a biometric gesture follows the same basic sequence described in the previous section: the user authenticates to the system using the PIN and then registers the new biometric, and Windows generates a unique key pair for that gesture and stores it securely. The biometric template itself stays on the device and is never sent to the authenticating authority. The user can then sign in using either the PIN or the biometric gesture.

Need More Review? Windows Hello for Business

To review further details about deploying Windows Hello for Business within an enterprise environment, refer to the Microsoft Learn website at https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification.

You can use MDM policies or GPOs to configure your organization's Windows Hello for Business settings. In Group Policy, the settings are under Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (a subset is also available under User Configuration); for MDM, Intune exposes the same settings through the PassportForWork configuration service provider (CSP). For example, you can configure a policy that enables or disables the use of biometrics on devices affected by the policy, or one that requires a TPM for the protector key.

Note Enhancing the Security of a PIN

When we think of a PIN, we generally think of ATMs and 4-digit PINs. A Windows Hello PIN is already stronger than its length suggests, because it is only valid on the device where it was created and the TPM limits how quickly it can be guessed, but for securing Windows 11 with Windows Hello for Business you can significantly increase the level of security by imposing complexity rules. A policy can require, allow, or block special characters, uppercase characters, lowercase characters, and digits, and can set minimum and maximum lengths, PIN history, and expiration. Something like t496A? could be a complex Windows Hello PIN. The maximum length that can be set is 127.
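The following PowerShell script, added here as an example rather than taken from the book, makes the complexity rules concrete: it reads the PIN complexity policy from the registry location that the Windows Hello for Business Group Policy settings write to (assumed to be HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity, with DWORD values Digits, LowercaseLetters, UppercaseLetters, SpecialCharacters, MinimumPINLength and MaximumPINLength, where 0 means allowed, 1 required and 2 not allowed, the scheme used by the PassportForWork CSP), falls back to a constructed sample policy when no policy is configured, and tests candidate PINs against it. The sample policy and the candidate PINs are constructed for the example; Test-HelloPin itself is a helper written for this page, not a Windows cmdlet.

```powershell
# Added example (not from the book): audit a Windows Hello for Business PIN
# complexity policy and test candidate PINs against it.
# Assumption: the policy values live under the PINComplexity key below as DWORDs
# with 0 = allowed, 1 = required, 2 = not allowed (PassportForWork CSP scheme).

$SamplePolicy = @{   # constructed sample policy for when nothing is configured
    MinimumPINLength  = 6
    MaximumPINLength  = 127
    Digits            = 1   # required
    LowercaseLetters  = 0   # allowed
    UppercaseLetters  = 0   # allowed
    SpecialCharacters = 0   # allowed
}

function Get-HelloPinPolicy {
    # Read the configured policy, using $Fallback for any value that is not set.
    param([Parameter(Mandatory)][hashtable]$Fallback)
    $path   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    $policy = @{} + $Fallback
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path
        foreach ($name in @($Fallback.Keys)) {
            if ($null -ne $item.$name) { $policy[$name] = [int]$item.$name }
        }
    }
    return $policy
}

function Test-HelloPin {
    # Evaluate one PIN against a policy hashtable; returns Pass plus the reasons for failure.
    param(
        [Parameter(Mandatory)][string]$Pin,
        [Parameter(Mandatory)][hashtable]$Policy
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Pin.Length -lt $Policy.MinimumPINLength) {
        $reasons.Add("shorter than minimum length $($Policy.MinimumPINLength)")
    }
    if ($Pin.Length -gt $Policy.MaximumPINLength) {
        $reasons.Add("longer than maximum length $($Policy.MaximumPINLength)")
    }

    # "Special character" is taken here to mean anything that is not a letter or digit.
    $classes = @{
        Digits            = '[0-9]'
        LowercaseLetters  = '[a-z]'
        UppercaseLetters  = '[A-Z]'
        SpecialCharacters = '[^0-9A-Za-z]'
    }
    foreach ($name in $classes.Keys) {
        $present = $Pin -cmatch $classes[$name]    # -cmatch: case-sensitive regex match
        switch ($Policy[$name]) {
            1 { if (-not $present) { $reasons.Add("$name required but absent") } }
            2 { if ($present)      { $reasons.Add("$name not allowed but present") } }
        }
    }

    [pscustomobject]@{
        Pin     = $Pin
        Pass    = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

$policy = Get-HelloPinPolicy -Fallback $SamplePolicy

# Constructed candidates: the book's example PIN, a typical ATM-style PIN, and one with no digit.
foreach ($candidate in 't496A?', '1234', 'Hello!') {
    Test-HelloPin -Pin $candidate -Policy $policy
}
```

Against the sample policy, t496A? passes, 1234 fails on minimum length, and Hello! fails because digits are required but absent. Because Windows evaluates the real policy when the user creates or changes the PIN, this script is useful for auditing what a policy would accept before you deploy it, not as an enforcement point.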
