December 21, 2023

Windows Hello for Business - Ready for Primetime?

We recently had a client ask us if Microsoft Windows Hello for Business (WHFB) is a good replacement for authentication in lieu of using Microsoft Active Directory usernames and passwords. After all, who wouldn’t want to finally remove the oppressive yoke of the old username/password combination from around their necks? Managing end users and the never-ending password lockouts is the bane of the help desk’s existence, so let’s get that ball rolling! Right?

Not so fast. While we see a fair amount of multi-factor authentication (MFA) in various forms, we found ourselves pondering the answer regarding WHFB, as we really haven’t seen it in any of our audits. We decided to dig a little deeper into it.

If you’re not familiar with WHFB, it’s Microsoft’s approach to password-less authentication, which they have had available in some form or fashion for about seven years now. Basically, it uses biometrics (fingerprint scan or facial recognition via camera) to authenticate users to their endpoints and involves the Trusted Platform Module (TPM) chip available on most new laptops and PCs, which stores the cryptographic keys (deep stuff!). While this combination is robust, it violates the “true” definition of MFA because all the information required to authenticate with multiple factors (think: something you have, something you know, or something you are), while in different forms, resides on the same device.

During our research, we found lots of information on the usefulness and general security of WHFB, and at least one reason to be wary: a security research team asked by Microsoft to try to break Windows Hello has exposed issues with the fingerprint sensors used in laptops from multiple manufacturers, revealing a vulnerability that could potentially be exploited by a sophisticated attacker with physical access to the device. However, the same researchers also noted that exploiting this issue only gives a bad actor access to the device the credentials are tied to, which is far less invasive than a phished username and password might be.

We also reached out to one of our moderately sized clients to see where they stand on WHFB. They reported that they have been researching WHFB and discussing it with peers; however, like us, they are not seeing widespread adoption, and only a few peers noted they are starting to test and pilot it.

As of this write-up, we have been unable to find reports of corporate-wide breaches involving WHFB. The takeaway is that while it’s not deployed in many corporate environments yet, adoption is likely to become more prevalent as it becomes easier to deploy. Ultimately, it wouldn’t hurt to start testing it in small groups and get comfortable with it if it aligns with overall business objectives, and you don’t identify anything concerning when you assess its risk. The requirements for MFA are only going to get more stringent, and if you are already a Microsoft 365 or Azure shop, many of the components it needs are already available to you. Just ensure you plan carefully and implement it correctly. Happy authenticating!

Authored by: Rich Whyrick, MCP, ITIL/F, CBISO; David Bentley, CISSP, CBISO, Security+