It’s time to take your Windows Hello for Business solution to the next level

by Nicolas Malbranche

The cybersecurity landscape is changing quickly – hackers now utilize advanced phishing threats, ransomware, and credential stuffing to break into IT networks. Many of these attacks come down to the same thing – weak authentication of users and machines.

IT leaders are turning to a Zero Trust security model to defend their workforce, with a transition to passwordless often the first step in this direction. Mobile authenticators are currently the go-to option, as they don’t require a dedicated device such as a smart card or a YubiKey. However, embedded credentials are gaining popularity – these are integrated into a user’s phone or workstation, so they don’t require a separate device. Their appeal comes from their convenience for users, the reduced likelihood that they are misplaced or stolen, and their low cost compared to other credential options.

While many vendors offer TPM or mobile authentication options, there’s one solution top of mind for IT leaders: Windows Hello for Business. The buzz around this technology has only increased since Microsoft expanded their passwordless authentication beyond corporate customers to all their users – now that anyone can go passwordless with their personal devices, there will be additional pressure on businesses to offer the same solution. The Windows Hello for Business solution enables users to authenticate into their Windows devices and applications using a “gesture”, which is typically a PIN or biometrics (facial recognition or fingerprint). For the many businesses that rely on Microsoft products, it means that their workforce can securely log in to their Windows 10 device, Azure AD enabled apps, or Office 365 more easily than ever before.

Many businesses are hoping Windows Hello for Business will be the solution to all their passwordless needs. What they don’t realize is that it only supports a limited set of use cases, as defined by Microsoft. If a business wants to fully secure their whole ecosystem and move towards a Zero Trust security model, they’ll need to strengthen their Windows Hello for Business with other options.

What about your non-Windows use cases?

Windows Hello for Business support is limited to Windows 10, so the solution does not extend support to other operating systems such as macOS or Linux. Similarly, you cannot use Windows Hello for Business for remote login over RDP, VDI or VPN. You also won’t be able to use the credential for authentication to business applications that are not Azure enabled.

For all these reasons, if a business chooses to deploy Windows Hello for Business as the primary authentication method for their workforce, it will also inevitably need to rely on additional technologies or possibly even passwords for these other use cases. This usually translates into additional user friction or security compromises.

How can you authenticate machines and devices?

Transitioning to a Zero Trust security model requires securing more than just users. Machines and digital interactions pose a major threat to your ecosystem when they go unprotected. As businesses undergo digital transformation, they are rapidly adding more BYOD mobile devices, laptops, servers, IoT devices, and more to their network. Each of these machines has its own identity that can be exploited by hackers – for instance, the infamous SolarWinds attack took place in part because of an exploited machine. Because most machines are automatically trusted on the network, they’re easy for hackers to gain control over and use to enter the network.

Likewise, the more our workforce uses digital communication such as email and business processes like signing documents, the more we need to ensure that they’re interacting securely. Phishing attacks are on the rise – with 71% of IT leaders identifying them as the greatest threat for remote workers. Businesses need to defend against these attacks by securing their emails and online documents with digital signatures – a capability not offered in Windows Hello for Business.

How does Axiad ensure full authentication with Windows Hello for Business?

As businesses deploy Windows Hello for Business, these gaps need to be addressed. For many IT leaders this can seem overwhelming – adding credentials for their non-Windows devices, RDP/VPN use cases, and machines requires extra platforms to deploy and maintain. This adds complexity to their IT systems and for their end users.

That’s where Axiad Cloud comes in. Axiad offers one platform to manage Windows Hello for Business and all the additional credentials required for full passwordless authentication of your users and machines. The solution has a dedicated Public Key Infrastructure, so digital certificates can be automatically issued for machines and devices. This single platform is simple for IT teams and users to manage and maximizes the organization’s investment in Windows Hello for Business by strengthening the solution.

Authenticate with non-Windows systems: In Axiad Cloud, IT teams can support credentials for Windows, Mac, and Linux devices. Any credential employees require for their different devices can be managed in one place.

Extend to new use cases: Axiad Cloud associates Windows Hello for Business credentials with digital certificates. This enables authentication to Remote Desktop, VPN, and other third-party services that Windows does not generally support.

Fully secure machines and devices: The cloud-based PKI in Axiad Cloud makes it simple to issue certificates for machines and devices. By implementing Windows Hello for Business and digital certificates, businesses can secure every identity credential they need and no longer need to worry about unverified devices on the network.

Sign and encrypt interactions: After authenticating with Windows Hello for Business, users need to communicate securely. Certificate-based email and document signing with Axiad allows employees to verify they are communicating with the right person and gain higher trust across digital business processes.

Windows Hello for Business simplifies and streamlines your users’ authentication. With Axiad, you can unlock the full potential of your Windows solution investment by extending it to all your other systems, machines, and interactions. In the Axiad Cloud platform, it’s never been easier to support and manage the credentials you need, all in one place.

About the Author

Nicolas is the Senior Product Manager at Axiad.