How to enable and use Windows Hello?

Overview


What is Windows Hello?

Windows Hello is a biometric authentication solution available in recent Windows 10 and 11 versions. Hello enables users to sign in to a device via fingerprint, facial recognition, iris scan, or PIN. Windows Hello configurations are local to a specific device and do not affect the user experience on other devices. Local or AD users can always choose to sign in to a device with a username and password in place of biometrics, if desired.

For AD users, AD credentials are cached in encrypted form on the system. When the computer is unlocked with biometrics, the cached AD credentials are automatically used to access domain resources like the S and U drives.

Windows Hello in a domain environment is sometimes referred to as Hello in convenience mode. For more information, see https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/


What is Windows Hello for Business?

Windows Hello for Business is a Microsoft solution for password-less authentication across an organization. When a device is successfully unlocked through biometrics, a certificate is sent to backend servers to authenticate the user. This is not currently enabled for U of I.

Hello and Hello for Business are different implementations of biometric authentication. Hello for Business requires specific infrastructure and AD options to be in place in order to work properly. OIT does not support Hello for Business at this time; if enabled, it may not function as expected.

For further reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg


Is Hello or Hello for Business allowed?

Windows Hello is allowed by OIT on capable Windows devices. If Windows Hello for Business is enabled for UI at a later date, simple Windows Hello may be disallowed with little notice.

Current OIT Standards for Passwords support use of Windows Hello.

 

How to enable Hello for users?

At the present time, users who wish to enable and configure Windows Hello must install an application from Software Center. This step will no longer be necessary in the near future.

From the Windows 11 device on which you wish to use Windows Hello:

  • From the Start menu, locate "Sign-in Options" and click on it
  • Select the sign-in option you wish to configure
    • This guide covers setting up a fingerprint and PIN, but if your device is capable, you can also use facial recognition
    • Click on the "Get started" button in the Windows Hello setup window
    • Follow the guide in the Windows Hello setup window to add fingerprints
      • You may add additional fingerprints
    • You will be required to create a PIN; click on the "Set up a PIN" button
      • Click on the "OK" button
      • Use your University of Idaho account to sign in
      • Enter and confirm your new PIN - this PIN is unique for this device
      • Windows will require a PIN that conforms to the requirements below
  • Sign out of your device, and test signing in with your biometrics (fingerprint or face) or PIN


Is a Hello PIN secure?

A PIN must be created when enabling Hello biometric login. The PIN helps ensure the user can still access the computer if the biometric hardware fails or if the user encounters a limitation that makes biometrics impossible, such as an injury.

Security controls surrounding the PIN on a device include:

  • A PIN must be at least 6 digits long.
  • A PIN only grants access to a specific hardware device. Other devices cannot be accessed, unless the user reuses the same PIN across Hello-enabled devices.
  • A PIN does not grant access to online resources, like MyUI or Office 365.
  • A PIN is protected against brute force attacks through increasing PIN lockout delays.

For further reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

It is highly recommended that the PIN be used only as a backup for a biometric-based logon.

 

Known Issues and Considerations

Please note that Hello has not been widely tested. Other issues may exist that have yet to be discovered, and this allowance may be removed at a future date.

 

 

 

Details

Article ID: 1217
Created: Fri 12/7/18 12:13 PM
Modified: Tue 6/18/24 9:12 AM