How to enable and use Windows Hello?

Overview


What is Windows Hello?

Windows Hello is a biometric authentication solution available in recent Windows 10 and 11 versions. Hello enables users to sign in to a device via fingerprint, facial recognition, iris scan, or PIN. Windows Hello configurations are local to a specific device and do not affect the user experience on other devices. Local or AD users can always choose to sign in to a device with a username and password instead of biometrics.

For AD users, AD credentials are cached on the system in encrypted form. When the computer is unlocked with biometrics, the cached AD credentials are automatically used to access domain resources like the S and U drives.

Windows Hello in a domain environment is sometimes referred to as Hello in convenience mode. For more information, see https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/


What is Windows Hello for Business?

Windows Hello for Business is a Microsoft solution for password-less authentication across an organization. When a device is successfully unlocked through biometrics, a certificate is sent to backend servers to authenticate the user. This is not currently enabled for U of I.

Hello and Hello for Business are different implementations of biometric authentication. Hello for Business requires specific infrastructure and AD options to be in place in order to work properly. OIT does not support Hello for Business at this time; if enabled, it may not function as expected.

For further reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg


Is Hello or Hello for Business allowed?

Windows Hello is allowed by OIT on capable Windows devices. If Windows Hello for Business is enabled for UI at a later date, simple Windows Hello may be disallowed with little notice.

Current OIT Standards for Passwords support use of Windows Hello.

How to enable Hello for users?

At the present time, new Windows Hello enrollments may not be possible. Settings in local policy allowed this for some time and there are existing enrollments, but as of early 2022, new enrollments do not appear to be working. When a supported configuration is identified, those settings may be pushed out to eligible computers.


Is a Hello PIN secure?

A PIN must be created when enabling Hello biometric login. The PIN helps ensure the user can still access the computer if the biometric hardware fails or if the user encounters a limitation that makes biometrics impossible, such as an injury.

Security controls surrounding the PIN on a device include:

  • A PIN must be at least 6 digits long.
  • A PIN only grants access to a specific hardware device. Other devices cannot be accessed, unless the user reuses the same PIN across Hello-enabled devices.
  • A PIN does not grant access to online resources, like MyUI or Office 365.
  • A PIN is protected against brute-force attacks through increasing PIN lockout delays.

For further reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

It is highly recommended that the PIN be used only as a backup for biometric-based logon.

Known Issues and Considerations

Please note that Hello has not been widely tested. Other issues may exist that have yet to be discovered, and this allowance may be removed at a future date.

Details

Article ID: 1217
Created: Fri 12/7/18 12:13 PM
Modified: Fri 3/22/24 12:50 PM