PUBLIC DEFENDER The Windows 10/11 Hello PIN works, but change is coming
By Brian Livingston

A new Microsoft sign-in method — designed to replace today’s relatively insecure usernames and passwords — was introduced to Windows 10 in July 2015. The technology is called Windows Hello. You enter a PIN, which can be up to 127 characters long and may include numbers, letters, and symbols. The PIN is tied to one device of yours: a smartphone, tablet, laptop, desktop computer, etc. Once you use your PIN with a Microsoft Account, an Active Directory, or another service that recognizes the technique, you never have to enter a username or password on that connection again. For additional security, Windows Hello supports several other ways to identify yourself: you can allow a device to digitize your face, analyze your fingerprints, or accept mouse gestures on a picture.
The Windows Hello authentication data is encrypted in software on your device or on a hardware chip. The chip could be a USB security stick such as a YubiKey or — in newer machines — the TPM 2.0 chip that Windows 11 has nominally required since 2021. Rather than a password being sent across the Internet, Windows Hello’s secret is never transmitted at all. Only a user’s encrypted identity is provided to a remote service. A compatible server returns a hash code or a cryptographic key pair. The two devices rely on the resulting identifier to recognize each other as genuine.

I often speak of Windows Hello in the past tense, although not because it no longer works. It does work. But Microsoft and other tech giants announced, as recently as a few weeks ago, their adoption of a new, industry-wide technology that is replacing Hello. I’ll describe both the old and the new tech in a two-part column:
Windows Hello PINs are indeed more secure than passwords
The numerous security problems with username/password combinations are well known:
Unlike a password, a Windows Hello PIN or facial/fingerprint/gesture data is never sent over the wire. Only a request for the server to set up a security key is transmitted. This means there’s still a reason to use a Hello PIN if a website — or any other resource you sign in to — doesn’t yet support the newer passkey technology. For individuals using Windows 10 or 11, setting up a PIN — or one of Windows Hello’s other authentication methods — is simple. However, if your device isn’t already protected by a password, you may see a message such as the one in Figure 2. In that case, you’ll need to establish a password for your device before you can proceed with Hello.
If your device already has a password — or you’ve just established one — take the following steps to set up Windows Hello (the process varies slightly on Win10 and Win11):
An individual’s Hello PIN, when used to sign in to a compatible account, results in a cryptographic hash from the server. This eliminates the need for a username and password combination. Microsoft calls this individual method a Windows Hello convenience PIN. Setting up Windows Hello in a corporate environment is more involved. The information-technology department must establish a group policy or a mobile device management (MDM) policy. The resulting authentication always uses public/private key cryptography or digital certificates to confirm identity. Microsoft calls this Windows Hello for Business. For more information on both methods, see a Microsoft Learn article.

What’s actually going on underneath the covers?
You may wonder, “If Windows isn’t transmitting my PIN, my fingerprint, or a picture of my face to a server, what in the world is going back and forth that makes Windows Hello more secure than a password?” Microsoft explains the transactional details as illustrated in Figure 3.
The procedure works roughly as follows:
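To make the column’s point concrete, here is an added model (not Microsoft’s code and not the steps from Figure 3) of the public/private key exchange described above: the device keeps the PIN and the private key, registers only the public key, and answers a fresh server challenge with a signature. The hashed-PIN check and the Ed25519 key pair are constructed stand-ins for what Hello does inside the TPM or software container.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Device models the local side: the PIN only unlocks the private key, and neither
// is ever put in a message. (The hashed-PIN check is a constructed stand-in.)
type Device struct {
	pinHash []byte
	priv    ed25519.PrivateKey
}
// Server models the account service; it stores nothing but public keys.
type Server struct{ pubs map[string]ed25519.PublicKey }
func NewServer() *Server { return &Server{pubs: map[string]ed25519.PublicKey{}} }
// Enroll generates the key pair on the device and registers only the public key.
func Enroll(srv *Server, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.pubs[user] = pub // the only enrolment data that crosses the wire
	h := sha256.Sum256([]byte(pin))
	return &Device{pinHash: h[:], priv: priv}, nil
}
// Challenge is a fresh server nonce; signing it proves possession of the key.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}
// Sign signs the challenge only if the PIN matches locally; on a wrong PIN
// nothing is sent, so the server never sees PIN guesses.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(d.priv, challenge), nil
}
// Verify checks the signature with the stored public key; a signature over an
// earlier challenge fails, so a captured response cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A wrong PIN is rejected on the device before anything is transmitted, and a signature captured from one session fails against the next challenge.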
All that may sound pretty slick. But the Windows Hello method — which is mostly accepted by Microsoft accounts and other services associated with the Redmond software giant — is certain to be replaced eventually by an even slicker industry-wide standard: passkeys. Besides the aforementioned Microsoft and Amazon, adopters of the FIDO Alliance’s passkey protocol include Google, Yahoo, Instacart, PayPal, Uber, and dozens more. One benefit of the new passkeys is that they’ll work with all these websites. Eventually, every other site that wants to ditch the headache of passwords will be on board. For an up-to-date list of the players, see the Passkeys Directory that’s administered by the software firm 1Password. And for details on how passkeys will affect every aspect of your digital life, watch for my second column in this series on November 20, 2023.
The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners. Copyright ©2023 AskWoody Tech LLC. All rights reserved.