Login Options for Windows Hello

%3CLINGO-SUB%20id%3D%22lingo-sub-80656%22%20slang%3D%22en-US%22%3ELogin%20Options%20for%20Windows%20Hello%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80656%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20will%20we%20see%20a%20login%20option%20where%20you%20will%20both%20Windows%20Hello%20and%20a%20PIN%20or%20Password%20for%20login%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80806%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80806%22%20slang%3D%22en-US%22%3EWindows%20Hello%20for%20Business%20has%20a%20smart%20card%20emulation%20that%20enables%20you%20to%20use%20it%20with%20RDP%20smart%20card%20redirection.%20That%20scenario%20should%20work%20today.%20You%20cannot%20enroll%20Windows%20Hello%20for%20Business%20on%20a%20remote%20computer%20because%20you%20do%20not%20actually%20possess%20the%20%22the%20something%20you%20have%22%20Authentication%20factors%20are%20well%20defined--%20something%20you%20have%2C%20something%20you%20know%2C%20or%20something%20part%20of%20you.%20A%20session%20token%20is%20something%20you%20have%2C%20which%20would%20duplicate%20the%20protected%20private%20key.%20We%20need%20to%20use%20a%20factor%20from%20a%20different%20category.%20-%20Mike%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80798%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80798%22%20slang%3D%22en-US%22%3EThere%20is%20a%20Group%20Policy%20setting%20to%20enable%2Fdisable%20biometrics%20in%20conjunction%20with%20Windows%20Hello%20for%20Business.%20-%20Mike%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80787%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80787%22%20slang%3D%22en-US%22%3E%3CP%3ERemotely%20accessing%20another%20system%20-%20say%20an%20RDP%20session%20to%20a%20node%20on%20a%20customer%20site.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20third-factor%20could%20be%20session%20based%2C%20as%20in%20it%3Bs%20only%20needed%20for%20the%20task%20the%20user%20is%20running%20it%20for%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80775%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80775%22%20slang%3D%22en-US%22%3EI'm%20assuming%20there'll%20be%20controls%20on%20each%20MFA%20method%3F%20For%20instance%20in%20a%20secure%20area%20we%20don't%20want%20camera's%20turning%20on%20but%20still%20would%20like%20to%20use%20WHFB.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80703%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80703%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20its%20partly%20due%20to%20travels%20and%20for%20instance%20customs.%20Alot%20of%20countries%20got%20different%20rules%20on%20this%20subject%2C%20so%20having%20just%20facial%20recognition%20might%20not%20be%20the%20best%20idea.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80694%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80694%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20question.%20Windows%20Hello%20for%20Business%20currently%20is%20two%20factor%20authentication--%20something%20you%20have%20(%20a%20private%20key%20protected%20by%20the%20TPM)%20and%2C%20something%20you%20have%20(PIN)%20or%20something%20part%20of%20you%20(Bio).%26nbsp%3B%20We%20are%20investigating%20multi-factor%20authentication%20(all%20three%20factors)%2C%20but%20no%20time%20line%20has%20been%20established.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20would%20be%20interesting%20to%20know%20is%20what%20business%20requirement%20does%20three%20factors%20authentication%20satisfy%20in%20your%20organization%20that%20two%20factors%20do%20not%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMike%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80683%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80683%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20of%20course%2C%20let%20me%20clearify%3A%3C%2FP%3E%3CP%3EWhen%20will%20we%20be%20able%20to%20demand%2C%20for%20instance%2C%20both%20Facial%20recognition%20AND%20a%20PIN%2FPassword%20to%20login%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80675%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80675%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20once%20you%20deploy%20Windows%20Hello%20for%20Business%2C%20the%20user%20will%20see%20additional%20login%20credential%20provides%20such%20as%20PIN%2C%20fingerprint%2C%20and%2For%20Facial%20recognition%20depending%20on%20the%20hardware%20and%20if%20the%20user%20enrolled%20biometrics.%3C%2FP%3E%0A%3CP%3EMike%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80657%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Windows%2010%20security%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80657%22%20slang%3D%22en-US%22%3E%3CP%3E*use%3C%2FP%3E%3C%2FLINGO-BODY%3E
Deleted
Not applicable

Hi, will we see a login option where you will both Windows Hello and a PIN or Password for login?

 

9 Replies

Yes, once you deploy Windows Hello for Business, the user will see additional login credential provides such as PIN, fingerprint, and/or Facial recognition depending on the hardware and if the user enrolled biometrics.

Mike

Yes of course, let me clearify:

When will we be able to demand, for instance, both Facial recognition AND a PIN/Password to login?

Great question. Windows Hello for Business currently is two factor authentication-- something you have ( a private key protected by the TPM) and, something you have (PIN) or something part of you (Bio).  We are investigating multi-factor authentication (all three factors), but no time line has been established. 

 

What would be interesting to know is what business requirement does three factors authentication satisfy in your organization that two factors do not?

 

Mike

 

Well its partly due to travels and for instance customs. Alot of countries got different rules on this subject, so having just facial recognition might not be the best idea.

I'm assuming there'll be controls on each MFA method? For instance in a secure area we don't want camera's turning on but still would like to use WHFB.

Remotely accessing another system - say an RDP session to a node on a customer site.

 

The third-factor could be session based, as in it;s only needed for the task the user is running it for,

There is a Group Policy setting to enable/disable biometrics in conjunction with Windows Hello for Business. - Mike
Windows Hello for Business has a smart card emulation that enables you to use it with RDP smart card redirection. That scenario should work today. You cannot enroll Windows Hello for Business on a remote computer because you do not actually possess the "the something you have" Authentication factors are well defined-- something you have, something you know, or something part of you. A session token is something you have, which would duplicate the protected private key. We need to use a factor from a different category. - Mike
www.000webhost.com