Passwords are a problem… we all know it. It’s all over our website and countless others. Vendors are trying to help organizations to course correct to solve the problem. Microsoft’s Windows Hello for Business is an example of this. At its core, Windows Hello for Business (WHfB) provides a new, non-password credential for Windows 10 devices. It implements 2FA/MFA, meaning multilayered security that is much more difficult to bypass than the protection that hinges solely on a correct username and password combination. And it’s an important step. We need to eliminate passwords as they are the permanent weakness in the security chain. But, even WHfB does not eliminate passwords completely nor does it cover some key areas organizations need to protect. It does, however, make it so users may only have to type their passwords once a week or once a month rather than 10 times a day.
Windows Hello for Business is a great introduction to what passwordless access can do for an organization. While my intent with this post is not to take away from the investment made into the technology, WHfB solves about 80% of most needs for the enterprise as there are some gaps that need to be considered:
- Implementation: Currently WHfB only works for systems running Windows 10 OS (and the upcoming Windows 11) and joined with AD or Azure AD. Windows 8 and older are not compatible.
- Infrastructure: WHfB limits technology choices like macOS, Linux, Unix and limits hardware selection.
- Extending technologies: WHfB does not support domain controllers, virtual desktop, and virtual machines.
- Legacy technology: Lacks interoperability with legacy/internally built technologies, older hardware, and earlier Windows OS versions.
- End-user frustration: WHfB can have an impact on user experience. When users need to enroll a new device they need to remember their username and password.
- Passwords are still required: As users transition to a new device, their corporate credential is still required to begin that transition before WH is available for login.
WHfB it’s an excellent start to any passwordless journey as it offers a solid solution but if you have additional platforms or are considering moving to a zero trust-based architecture you’ll want to read on. To cover the additional requirements and to meet zero trust access guidelines consider adding these capabilities to your arsenal of security coverage.
- Support previous generations of Windows as well as Linux, Unix, and Mac OS: They are all out there and need to be secured.
- Include devices that are not compatible with device biometrics: It’s difficult and costly to bring everyone up to the same platform. Ensure backward compatibility with your implementation.
- Managing security for contractors: It’s difficult to ensure contractors have the required hardware to meet the WHfB requirements.
Solving the security gap doesn’t need to be difficult. That’s where 1Kosmos BlockID comes in. With BlockID users login with a biometric tied to a proofed and verified identity, ensuring the user is who they claim to be. And because it’s delivered with a distributed identity architecture certified by NIST, FIDO, and iBeta, it puts an immutable, private and reusable user identity at the core of your Zero Trust security for strong and continuous authentication.
And the integration is easier than you’d expect because we’ve developed the platform to work with others. Where we are different is our identity-based authentication ties a proofed and verified identity to the access request. Meaning the employee’s biometric is the authentication method. By implementing 1Kosmos, users will log in to their Windows, Mac, or Unix desktop with a passwordless experience using real biometrics.
Are you interested in learning more about making the most of your Windows Hello investment? Watch our on-demand webinar.