Author: Max Gonzalez
Windows has come a long way since the breach-prone Windows XP era of computing. Microsoft continues to show its commitment as a security-first company with Windows 10. No longer are the days that a hacker can use a Pass-The-Hash attack when features like Windows Hello for Business are enabled on end points.
Take the current state of a password: It’s meant to authenticate the user’s identity to a network or a service. That password is stored on a hosting server, hopefully with tightened security in place like encryption or password hashing. And yes, even when these measures are in place, passwords are susceptible to breaches by man in the middle attacks, compromised servers, and end-user password phishing – by far the most common.
Microsoft attempts to resolve this problem with Windows Hello for Business. Leveraging modern built-in TPM chips, Windows 10 can provide a quicker login and a Seamless Single Sign On experience to the end user, eliminating the burden of traditional passwords.
Windows Hello for Business takes two keys, one public and one private, to authenticate. It’s known as an Asymmetric Approach. The public key is stored in the cloud, in our instance, Azure AD. The private key is safely locked in the TPM chip, only accessible when a user provides their sign-in gesture at login. This results in an authentication token request by the computer from Azure AD in cloud only environments.
I’ll leave you with my favorite feature incorporated into Windows Hello For Business: Dynamic Lock. My phone is connected to my computer via Bluetooth. When I manage to leave the range of my computer, it will automatically lock itself. This comes handy when in public settings you hear your name being called out, letting you know your Chai Latte is ready.