What is Windows Hello?

Windows Hello is the name for passwordless authentication options on Windows 10 and 11. Most of the login options are biometric, which means that they use a trait of your body for identity verification. That includes scanning your face or fingerprint using methods similar to Apple’s Face ID and Touch ID. Windows Hello also allows using a PIN (personal identification number) as an alternative to a password or as a fallback option.

To use Windows Hello, your device must have a Trusted Platform Module (TPM) chip included on which the cryptocraphic keys are stored. Since 2016, Microsoft requires hardware manufacturers to integrate TPM on newly manufactured devices, so over 90% of currently manifactured devices are already equipped with the required hardware. Moreover, a requirement for Windows 11 is the TPM. Whether your device is equipped with TPM, can be checked here.

Windows Hello provides two login options, either based on biometrics or PIN.

‍

Option 1: Windows Hello Biometrics

In order to use the biometric login options your device must either include a built-in sensor for biometric logins or you’ll need to connect an external webcam or fingerprint reader. As face recognition works with the help of an additional infrared sensor that recognizes the facial structure via a deep scan, special webcams are required. This serves as an additional security feature as you cannot hold a picture of a face in front of the camera to trick Windows Hello.

‍

Option 2: Windows Hello PIN

In case that your device does not have biometric sensors, you can still use Windows Hello as long as your deivce contains the TPM (see section above). Even though a PIN can be much shorter and simpler than a complex password, it is more secure. The reason behind is that it is not the structure of a PIN (length, complexity) that makes it more secure than an online password but the way you use and store it.

Your online password is a shared secret which means that there is always a server that keeps track of a copy of your password. This opens space for two attack vectors: the password can be intercepted during transmission or stolen from a server.

A PIN however is stored locally on the device and is neither transmitted to nor stored on the server. An asymmetric key pair is generated and deployed in the TPM of the user device, which protects the private keys against attackers who want to capture and reuse the keys. Thus, user credentials cannot be stolen if the identity provider or the websites the user is accessing have been compromised. The TPM protects against a variety of attacks including brute force attacks on the PIN. After too many failed attempts, the device is locked.

‍

How do I enable Windows Hello?

Activating Windows Hello is quite easy. You just need to follow the steps below:

1. Select Start > Settings > Accounts > Sign-in options
2. Scroll down to the Windows Hello section and select ‘Set up‘ from the face section

‍

‍

3. Click ‘Get started‘ on the Windows Hello setup dialog
4. Look at your camera while it captures the 3D view of your face

‍

‍

You can also decide whether your device should unlock automatically as soon as you are seen or if turning your head is required.

If you have a device with finerprint reader, you can select this option, too. The process is the same.

‍

How do passkeys work with Windows Hello?

Unlocking a laptop or desktop with Windows Hello has been around for several years now. The novelty of passkeys is that Windows Hello will be the standard login option on Windows devices when logging into websites and apps. Your passkeys will be synced within your Microsoft account, meaning that you can sign in from any device that is linked to your account without additional device registration.

As part of the FIDO Allicance, Microsoft announced that they will keep up with the increasing demand of users for passkeys and offer passkeys within the upcoming year. By then, it will also be possible to use your passkeys across different platforms, for instance, if you have an iPhone and a Windows laptop.

Even though passkeys are not officially released by Microsoft, you can already get an impression of a the login ceremony either with the Corbado Demo  based on the WebAuthn protocol (see below).

‍

How to get started with Windows Hello and passkeys?

Together with Apple and Google, Microsoft pushes the roll out of passkeys in the upcoming months. Starting with Apple on September 19, 2022, an ever increasing number of users will be able to use passkeys and a widespread adoption is expected pretty soon after.

‍

Start now! To prepare e-commerce and software-as-a-service companies for the passkeys era, Corbado offers a free passkeys tracking tool that analyzes how many of your users are already passkey-ready. Click here to use the passkeys tracking tool for free.

‍

Corbado provides APIs that cover all cross-platform and cross-device aspects to let you offer passkey login for all your users and transition them smoothly to passkeys. You don’t need to worry about security updates or supported platforms and devices. We have you covered. We will help you in your gradual migration from passwords to passkeys.

To stay updated about the new devices, browsers and operating systems that provide full support for passkeys, subscribe to our passkeys newsletter or checkout this demo video by the FIDO alliance.

‍