Passwordless authentication: How Windows Hello for Business MFA works

Here's what you need to know about Windows Hello for Business (WHfB) and MFA in Active Directory environments.

Published February 4, 2026
Passwordless authentication: Windows Hello for Business (WHfB) MFA

Many people agree that passwords are a big security risk. But how can we replace or improve them? Over the last decade, the security world has given us two main answers. The first is to secure passwords (what the user knows) with a second factor (what the user has). This is called multi-factor authentication (MFA).

MFA is now a standard way to protect credentials from hackers. But there is a second option: abandon passwords altogether. Microsoft’s Windows Hello for Business (WHfB) allows organizations to do just that. Here’s what you need to know about Windows Hello for Business, MFA, and securing user access in a passwordless system.

Windows Hello for Business MFA

UserLock allows you to quickly implement MFA with Windows Hello for Business.

What is passwordless authentication?

Passwordless authentication replaces passwords with factors such as biometrics (who the user is) or passkeys. Passkeys rely on public key cryptography: the private key is securely stored on the user’s device and used to sign authentication challenges. Biometrics are typically used locally to unlock the private key, rather than being transmitted to the server.

Each approach (adding a second factor to passwords, or going passwordless) has pros and cons depending on context. Many organizations end up mixing both to find a balance. But juggling different authentication methods can be complex for IT to manage and confusing for employees. This makes passwordless options such as biometrics look more attractive. At a stroke, they remove the password, and with it the phishing and brute force attacks that target it, while potentially making life easier for staff.

Windows Hello: Microsoft’s answer to passwordless authentication

Windows Hello is Microsoft’s passwordless authentication solution for Windows. It comes in two versions: Windows Hello for home users, and Windows Hello for Business for organizations with greater security and management needs.

Once users enroll, they can authenticate to a Windows session with a fingerprint, facial recognition, PIN code, or a mix of these. This is more convenient than remembering long, secure passwords. Users only need to remember a short PIN as a backup.

Windows Hello (especially Windows Hello for Business) differs from many traditional MFA systems because it is a client-side authentication technology where the device plays a key role. Biometric data is processed locally and stored securely on the device. When the user successfully verifies with biometrics or a PIN, this unlocks a private key protected by the TPM (or by the device’s secure hardware). The device then uses public key cryptography to prove the user’s identity to a remote service without sending biometric data or a password.
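The challenge-response flow described above, as an added simulation that is not Microsoft's or UserLock's code: a key pair is generated at enrollment and only the public key is registered; a local PIN check (standing in for the biometric or PIN gesture) unlocks the private key; the server issues a fresh random challenge and verifies the signature. The `Device` and `Authenticate` names, the PIN hashing and the in-memory key are assumptions of this model; a real deployment keeps the key inside the TPM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Device models the client: the private key stays in the (simulated) TPM and is usable only after a local PIN check.
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

// NewDevice simulates enrollment: the key pair is generated on the device; only the public key is registered.
func NewDevice(pin string) (*Device, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, &priv.PublicKey, nil
}

// Sign releases a signature over the server's challenge only if the PIN matches.
// Neither the PIN nor the private key ever leaves the device, only the signature.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("local unlock failed: key stays sealed")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Authenticate runs one exchange: fresh random challenge from the server, signature from the device
// after the local unlock, verification against the enrolled public key. A new challenge per login defeats replay.
func Authenticate(d *Device, pub *ecdsa.PublicKey, pin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := d.Sign(pin, challenge)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}
```

Note that the server side only ever holds the public key, so a breach of the server yields nothing that can be replayed as a credential.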

This design is similar to passkeys, a consumer passwordless authentication technology that also uses a client-side design with public key cryptography. And as with passkeys, it works well for home users, an important consideration for the Windows platform. The big difference is that passkeys are platform independent, while Windows Hello for Business is Windows-only and ties into Active Directory (AD) or Entra ID (formerly Azure AD).

Are there any limits to passwordless authentication?

Like other client-side authentication technologies, Windows Hello for Business depends on the user’s device. If the user loses access to that device, they must re-enroll on the new one. This adds some overhead to user management.

Also, Windows Hello for Business only runs on Windows; it doesn’t support non-Windows clients. It needs a TPM (ideally a hardware chip, which all recent business PCs should have) as well as a fingerprint reader or camera for biometric sign-in.

Can you implement MFA with Windows Hello for Business (WHfB)?

If applications support it, Windows Hello for Business can remove the need for passwords (though it’s still possible to use them). Does this also replace MFA? If you use a PIN, the answer is, technically, yes it can. It combines something you know (the PIN) with something you have (the TPM private key). With two factors of identification, that’s MFA.

Still, some scenarios require traditional MFA factors, and Windows Hello for Business supports those, too. These include the initial provisioning phase (before Windows Hello for Business is enabled), or scenarios where stronger factors like hardware tokens are a must.

Windows Hello for Business can also cut down on the frequency of MFA prompts in some contexts. Once a user authenticates, they have a high level of trust and can access services in an AD domain without having to re-authenticate.

How UserLock MFA integrates with Windows Hello for Business

UserLock's on-premises Active Directory multi-factor authentication works with WHfB in the same way as it supports other authentication mechanisms, namely through its integration with AD. The user sees the Windows Hello for Business prompt locally in the same way they see a prompt for a password. After they initiate authentication, UserLock starts the chosen authentication prompt or process as it would for a Windows session without WHfB. It’s that simple.

Behind the scenes, organizations still need to define their overall MFA and identity architecture. Some Microsoft-based approaches can involve additional components and configuration depending on the scenario (hybrid deployments, certificate or key trust, and cloud identity integration).

The advantage of UserLock is that it offers a much simpler and lower cost way of doing the same thing. Instead of complex middleware, all you need is to install UserLock on one on-premises server and set authentication policies based on AD user groups. This gives you the user monitoring and control you need to keep user access as secure as possible.

Better user authentication doesn’t have to be complex

Windows Hello for Business is more of a tweak to an existing authentication architecture than a total rewrite. Yes, it uses biometrics, public key cryptography, and a client-centric model. But users still enroll to set up passwordless authentication. Passwords disappear in favor of biometrics plus a PIN code or another MFA method. The same concepts of user control and monitoring still apply.

If you have on-prem AD, carefully consider how to set up MFA for Windows Hello for Business in as simple and non-disruptive a way as possible.

With UserLock, you can do it without adding complexity: the same way you’d handle classic, server-side MFA.

Implementing authentication mechanisms such as MFA using native Windows tools can be complex and expensive in terms of ongoing costs. UserLock smooths this migration, letting you use on-premises servers and drop passwords without losing control or making work harder for your team.


Daniel Garcia Navarro

Engineering Director, IS Decisions

Daniel Garcia is Engineering Director at IS Decisions, where he leads the development of secure and scalable access management solutions. He holds a Master’s degree in Telecommunications Engineering and brings strong technical expertise to enterprise identity security.