How IT leaders can best use Windows Hello for Business for strong workforce authentication

With the advent of Microsoft Windows Hello for Business (WHFB) we all have a simpler way to implement strong authentication. However, whilst WHFB offers the advantage of greater simplicity for IT teams, unless paired with the right technology, WHFB can fall short of the requirements that medium to large enterprises need.

In this article Intercede Chief Technical Officer, Dr Chris Edwards examines what Windows Hello for Business means for strong authentication and outlines the questions and functionality that IT security leaders need to consider when evaluating how they can best adopt this technology.

Windows Hello for Business for strong multi-factor authentication

Microsoft introduced Windows Hello to its consumer market as part of Windows 10. Based on technology specified by the FIDO Alliance, it provides a more secure and convenient logon experience to Windows, with a choice of PINs or biometrics to confirm the user’s identity.

In parallel, business users were given “virtual smart cards” (VSC) that use the Trusted Platform Module in your PC to store cryptographic keys and an associated X509 certificate for logon and authentication to enterprise environments.

More recently the Hello for Business logon authenticator has been added, with a roadmap that sees the deprecation of VSCs over the coming years

WHFB is principally built around a FIDO interoperable core that means it can operate using asymmetric keys without X509 certificates.

The benefit of this approach is that it offers secure multi-factor authentication without the overhead of running a Certification Authority (CA). For internal functions such as desktop and network logon this is sufficient for many organisations whose only point of trust is Active Directory.

Operating in this ‘Key Trust’ mode though does have limitations. With a VSC you can also for example sign & decrypt emails and authenticate to other services and applications that use PKI as their trusted authentication model.

To meet these use cases, Microsoft also offer a ‘Certificate Trust’ model for WHFB. This automatically enrols a certificate from your enterprise (Windows) CA and works behind the scenes to repair any problems it detects with the environment.

A first sight, this appears to provide a viable alternative to VSCs with the added bonus of biometric authentication and a convenient user experience. However, it is not quite that simple in practice!

WHFB challenges

The first challenge you may encounter is that in order to use the certificate to sign emails for consumption outside your enterprise you will need to upgrade your CA to meet the more stringent requirements for it to be fully trusted by the rest of the world. Many organisations outsource this compliance problem by using an external CA service provider. WHFB does not support this natively.

Related to the problem of email signing is that of email encryption. S/MIME certificates have a limited lifetime, but you still need access to expired certificates and keys to decrypt historical emails, WHFB by itself does not have the capability to deploy these additional certificates required for secure email and other encryption applications.

Next, we have to consider certificate revocation. WHFB will do its best to keep your credentials functioning. This includes detecting when your certificate has been revoked, at which point it auto-enrols you for a replacement. This is unlikely to be what was intended when the original certificate was revoked.

Fundamentally, WHFB works great for simple situations, but if you have policies and procedures that you need to enforce for internal or external security compliance, you will need to find ways to enhance the core features to achieve your aims.

MyID for WHFB

Intercede has been working closely with Microsoft to enhance the core capabilities for those organisations for whom security policy and compliance are important. This has resulted in the ability to manage the policy-driven delivery of additional PKI credentials to each WHFB client in a very convenient self-service manner. These secondary credentials can originate from 3^rd party CAs if you want to use an external service (for example you need a certificate that can be trusted by Federal Agencies, or even a globally trusted email certificate).

MyID also manages the controlled recovery of historical encryption certificates from any supported certificate authority (including non-Microsoft environments) to your WHFB container. This avoids the need for clumsy manual processes that make life difficult for your employees.

These secondary credentials are presented through standard Windows cryptographic service provider mechanisms, allowing them to be used in almost any circumstances where a smart card or VSC would have been used before.

It is also important to recognise that each of us will have multiple credentials on all sorts of devices – cards, phones, USB tokens, tablets, desktops and laptops. The management of these needs to be closely coordinated to avoid high maintenance costs and potential security issues.

Conclusion

Windows Hello for Business is a great new technology that combines security and convenience. When deploying into medium to large enterprises however, it does benefit greatly from the addition of a policy-driven credential management solution such as MyID.