In This Article
What is Windows Hello?
The Windows Hello is a technology that ensures better security to computers adding another layer to it with a seemingly failsafe biometric authentication.
This technology is usually available in Windows 10 operating systems and is based on fingerprint reading and facial recognition ability of the computers.
This innovative biometric authentication process was first introduced in 2015 with the release of Windows 10.
- Windows Hello is a biometric authentication that adds an extra layer of security to the computers and allows secure access to networks, apps, and online services.
- Available in Windows 10 operating systems, this technology works mainly on facial recognition and fingerprint reading techniques.
- This feature needs a special illuminated infrared camera to work and the users need to follow three authentication methods.
- This efficient technology prevents data thefts but still has some compatibility issues.
Understanding Windows Hello
Windows Hello is an alternative, more secure, faster, and a new way to log into your device as well as different apps and networks.
It uses biometrics of the users for authentication which is more secure than a password, no matter how strong it is, with careful use of upper- and lower-case alphabets, digits, symbols and other special characters.
However, it is not mandatory to use this security feature even if your device supports Windows 10 and use Windows Hello, but if you use it then make sure that the details that identify you through your face, iris, and fingerprint never leaves your system.
This is because Windows never stores images or pictures of these on the cloud or anywhere else.
Ideally, the Windows Hello feature needs a special type of illuminated infrared camera. This actually is needed for facial or iris recognition.
There may also be a fingerprint reader integrated on the palm rest or even on the touchpad which supports Windows biometric framework.
Thanks to the sophisticated technology, Windows Hello allows logging into the device in three different ways at a speed that is three times faster than it would if you use a traditional password.
If you use the Windows 10 face recognition feature, you will need to set it up first. These are the steps to follow.
- Go to Windows Search Box
- Type hello
- Go to Set Up Face Sign-in
- Select open
- Select Windows Hello Face
- Set Up and
- Select Get Started.
If you have a PIN, enter it or position your face at the center of the frame to continue and complete setup.
If your device comes with a fingerprint reader installed in it, the biometric fingerprint option should be used to sign in to your device quickly. The process to follow is:
- Go to Windows Search Box
- Type fingerprint
- Go to Set Up Fingerprint Sign-in
- Select Open
- Select Windows Fingerprint
- Set Up
- Select Get Started.
To continue the setup process, you will once again need to enter the PIN, if you have one, or else scan your finger on the fingerprint reader. This will complete the setup process.
The best part of this technology is that you can make it even better and safer by creating a backup with a PIN.
This is one of the Windows Hello options that Windows 10 operating system offers out of its different login options.
To set up Windows Hello PIN as a backup for secure and fast access to your device, especially if there is no Windows Hello Face or Windows Hello Fingerprint option available on your computer, here is the simple process to follow.
- Open the Windows Search box
- Go to set-up sign-in option
- Type sign in
- Select Open and
- Select Add Under PIN.
In the end, you must verify your account password when prompted, enter and confirm it and the PIN you want to use and select OK.
In order to identify you as the authentic user, the biometric security analyzes and measures your specific and unique characteristics.
These characteristics are extremely secure as these cannot be copied or forged to identify someone.
It is a fact that even identical twins do not have identical human characteristics. It is these characteristics that this Microsoft Hello technology uses as distinct identifiers for a failsafe authentication.
This method of logging into your device is very safe and Microsoft continually emphasizes on it.
The primary factors that make this a more secure logging option, which is often termed as ‘enterprise grade,’ are:
- The human characteristics used cannot be replicated or stolen by other nefarious persons or hackers
- No one can watch the user typing in the password or the PIN and try to get access doing the same
- Photos of face cannot be used to trick the system and log in because Windows Hello is designed intelligently to work only on and for real people, and
- The biometric data of the users is not stored by Windows in the cloud thereby preventing anyone from getting into Microsoft servers to gain access to the data.
Even if someone steals your laptop, it will be safe because they will not be able to activate Windows hello without using your real face, iris, or fingerprint.
Windows Hello feature, though useful for any user or consumer, is especially gaining traction in the enterprises front.
There are a few specific hardware requirements to make Windows Hello work perfectly, though it has comparatively a very low barrier to entry.
Your system will need at least a camera that can not only capture 2D infrared spectroscopy but also supports Windows Hello feature.
Alternately, you will need to have a device that has a fingerprint scanner integrated in it. Check out Differences between Windows and Linux OS.
There are different acceptable ranges for these specific hardware components to support Windows Hello feature most effectively.
This is measured in the false accept rate and, according to Microsoft, it is different for each, such as:
- For the fingerprint sensors it should be less than 0.002%
- For the facial recognition sensors, it must be less than 0.001% percent.
This means that for fingerprints it is 1 in 100,000 fingerprints and for facial recognition it is half that amount.
In addition to that, there is also a specific measurement and acceptable range for false rejection rates for both facial recognition and fingerprint scanning.
It should be less than 5% without anti-spoofing or liveness detection and less than 10% with them, according to the guidelines of Microsoft.
Liveness detection here means that the user is a living being and the device determines it before unlocking the system or app for you.
How Does It Work?
In order to make Windows Hello work, you will need to follow one of the three authentication methods mentioned above.
However, first you will need to make sure that your device supports Windows Hello. Once you know it does, this is how it works.
The Windows Hello technology identifies the face of the users or retina, or fingerprint, only when these are in full view of the camera or the scanner after you power on the computer.
Once it matches with the programmed instructions, it will automatically allow you to log into your system.
The camera used for this purpose is certainly not an ordinary web camera. In fact, it is a specially designed RealSense depth camera module.
This is designed by Intel by using infrared sensors in it and an advanced technology that helps in distinguishing between a real and a fake user or even a photo of the actual user.
This prevents tricking the system to gain access to your computer by the hackers or any other unscrupulous individual.
When Windows Hello is configured in Windows 10, it follows a few specific steps to allow you to log into your device. This includes:
- Allowing you to authenticate a Microsoft account and
- A non-Microsoft service which supports FIDO or Fast Identity Online.
FIDO is actually the process to set up a gesture that will allow you a safer log in. These gestures are a facial recognition, and iris or fingerprint scan.
This technology uses 3D structured lights that helps in creating a 3D model of your face. This is saved in the system.
The device then uses the anti-spoofing methods to restrict people from creating a replica of it or a mask or fake head to fool the system.
It is simple and foolproof, but only when it works. Sometimes Windows Hello may not work. In such situations there is a high chance that the hardware of your system is not compatible with this technology.
In that case, you can add a fingerprint scanner, which is the most secure and also the cheapest option.
It will identify the unique topography of your fingertip or thumb. Unfortunately, you cannot buy an iris scanner as of now.
The fingerprint scanner is easy to use and will plug into a USB port of your system. You will however need to install the relevant drivers and configure your fingerprint in Windows.
You and your system both will then be ready to log in and start functioning with just a touch of your finger.
If you do not have or want to use a USB dongle scanner, there are also two other alternatives to it such as:
- Using the first-party biometric scanner made by Microsoft in combination with a keyboard and
- A mouse with integrated scanners, which are yet to come of course.
There are also a few other expensive options to make Windows Hello work in your system but all those will do practically the same as the fingerprint scanner, which offers the optimal security at minimum cost.
The facial recognition camera, on the other hand, which also doubles as a webcam, are pricier but more importantly, these have a false validation rate of less than 1%, as per Microsoft.
These cameras also come in many different models and prices. Moreover, these Windows Hello compatible webcams may or may not come with a microphone and noise cancelling feature.
For the records, the reviews of these external webcams are not very impressive, though most of these tend to be much higher than most budgets.
1. More efficient
This feature makes the login process much more secure, efficient, and faster.
You can even use this feature for making monetary transactions safely while making purchases via the Windows Store and paying after due and foolproof authentication and authorization.
2. Prevent theft of credentials
It will also help you to fortify your protections and security against any potential credential theft, even if your system is stolen or hacked.
This is because the other person will need to have both your device as well as the PIN, making it much difficult to gain access.
The login process is simple. There is no need for a password and therefore you need not worry about remembering it.
The authentication process involves fingerprint, iris scan or facial scan. All of these are properly and securely backed up with a PIN.
4. Add extra devices
The technology enables you to include extra biometric devices and policies since it is built in the operating system. T
his allows a coordinated rollout to a group of people using Mobile Device Management, Group Policy, or Configurations Service Provider policies.
5. Deal with different issues
When it comes to the security of your system, there can be a lot of issues that may let it down.
This feature will enable you to deal with them most efficiently.
These issues include strong passwords that are difficult to remember, reuse of passwords on several sites and apps, server breaches that can expose symmetrical network credentials, replay and phishing attacks.
6. Multiple authentication
Using this single secure feature, you can have multiple authentications for your Microsoft account, Active Directory account, and Microsoft Azure Active Directory account.
It will also ensure safety for the Identity Provider Services as well as the Relying Party Services for FIDO v2.0 authentication.
7. Creation of cryptographic key pair
There are no more shared secrets with Windows Hello feature since there are no passwords entered and transmitted through a device to a network so that it can be used by anyone and anywhere.
Instead, it generates a cryptographic key pair that is bound to the TPM or Trusted Platform Module, if your system has a TPM 2.0 chip, or in software.
8. A trusted relationship
The process involves a two-step authentication involving access to the keys and obtaining the signature to validate possession of the user of those private keys, through the biometric gesture or PIN.
This enrollment builds a trusted relationship between the user and the identity provider.
9. Centralized management
For businesses, Windows Hello allows a better and more secure centralized management and control over the scalability of the systems, especially those used by their employees.
There are many different management tools and enforcement methods that can be used to fortify the security and ensure uniformity in the profile and posture.
10. Use of another device
Due to the biometric requirements, the Windows Hello feature impairs the flexibility of users to access sites and apps using another device.
Without the unique physical attributes of the user matching with the cryptographic keys, authentication will not occur. Since these keys are stored on the machine itself, other people cannot login using any other device.
11. Limited compatibility
Though there are only a few known issues and limitations allied with Windows Hello as of now, one of the most significant drawbacks of it is that it has very limited compatibility.
Most of the computers available on the market as of now are not Windows Hello compatible. In that case, you are left with no other choice but to purchase a suitable peripheral accessory to make it functional.
However, this is not at all a practical and cost-effective solution especially for any organization that wants to implement this security feature across its length and breadth.
12. Still need a password
Surprisingly though, you will still need to type in a password especially for those on-premises resources that you or any other person uses frequently.
Once you sign in using your Windows Hello PIN, you will not gain access to it automatically to these on-prem frequently used print queues and Active Directory file shares.
You can apply the workaround or sign in using your PIN.
13. Unavailability of PIN configuration button
Sometimes the setup PIN button may not be available for configuration. These buttons are often greyed out on some computers, especially those that are upgraded from any older version of Windows 10 operating system.
This is because these older versions of Windows 10 operating system had this Windows Hello feature already disabled by default.
The Windows Hello is more of a personal way to log into your Windows 10 device by just looking at it or touching it without needing a password.
It provides a safer and faster log in with enterprise-grade security.