Expanding Windows Hello for Business
Author: Anders Adolfsson, Versasec Technical Consultant
In Microsoft Windows 10, Windows Hello for Business (WHfB) replaces passwords with two-factor authentication on PCs. This authentication uses a new type of user credential that is bound to the PC's crypto chip (the TPM) and is unlocked with a biometric and/or a PIN.
What We Like About WHfB
No HW: By using standard PC equipment (TPM, fingerprint reader, camera...) WHfB can be deployed on the PC as is, without buying any extra hardware such as smart cards or smart card readers.
2FA: By combining something you possess (the computer) with something you know (a PIN) or something you are (a biometric), WHfB vastly improves your security level over password-based security.
Use cases: WHfB protects Microsoft accounts and enables authentication for:
- Domain accounts that are part of a corporate Active Directory deployment
- Domain accounts joined to an Azure Active Directory domain
- FIDO2 WebAuthn authentication to external services
WHfB Functionality Gaps
Compared to its predecessor, the Microsoft Virtual Smart Card, WHfB out of the box only addresses a subset of the typical use cases. WHfB does not support other PKI certificate use cases such as:
- Document signing
- Email signing/encryption
- File/drive encryption
There are also other limitations such as no support for:
- Multiple roles
- Multiple certificates
- RDP authentication
- PIN change
- Key recovery
- User Self-Service
A further limitation, and for many projects a showstopper, is that WHfB only supports the Microsoft Windows Certificate Authority. Customers very often have more advanced requirements for their PKI that the Microsoft CA does not meet.
Versasec Completes WHfB!
By integrating vSEC:CMS with WHfB, Versasec brings all the features of vSEC:CMS to the lightweight user authentication system that WHfB really is. In short, you get full lifecycle management and full virtual smart card functionality added on top of WHfB.
All PKIs that vSEC:CMS integrates with can be used to issue certificates into WHfB. You can even have several different CAs connected and issuing certificates into one WHfB container for one user.
You get full control and auditing of the WHfB lifecycle. We make it possible to use all the PKI use cases, such as document signing, email signing/encryption and file encryption. While on the topic of encryption, we also offer key recovery, so that a lost device or a forgotten PIN code does not mean your encrypted content is lost.
You can add multiple user accounts into the same WHfB container for those cases where users have multiple roles (such as IT admins), including support for RDP authentication.
Do you have different security clearances for different groups of employees? With vSEC:CMS you can manage WHfB for one group of users and traditional credentials (physical smart cards and USB tokens) for others.
Real World Example: Secure Email
This is a great example of what combining WHfB with a Credential Management System and PKIs can accomplish. In this use case we are using DigiCert to issue publicly trusted personal certificates for email signing and encryption.
Enrollment of WHfB is initiated from vSEC:CMS, either by an operator or by domain group membership. Users are asked to identify themselves and to enroll their fingerprint, face and a PIN code (depending on configuration). The WHfB container is created, and vSEC:CMS initiates the certificate issuance from DigiCert.
When issuance is complete, the users are signed out of Windows and can sign back in using the newly issued WHfB credential. Once successfully authenticated, the DigiCert certificate is available for the user to sign and encrypt emails.