You run a cloud first, all digital business. That means you think of cybersecurity as a must rather than an afterthought for your company's IT. And it also means a lot of your employees are frustrated by your insistence on strong passwords. Not only are eight to twelve random alphanumeric characters difficult for hackers to guess, they are also hard for the average person to remember. But for businesses using Microsoft 365, there is a feature that enables improved security and a more seamless sign-in experience for your users—without needing to remember a complex password. It's a feature we use here at Amaxra and believe it will help your organization to be more secure and productive.
A peek into a passwordless future
If you have a newer smartphone, chances are you've configured it to be unlocked using either your fingerprint or your face. This "biometric" sign-in method relies on hardware within your phone that stores a digital copy of your unique fingerprint or facial features that can be referenced when accessing sensitive data on your phone or even in the cloud. This biometric method is also available with Windows 10 Pro, a key component of Microsoft 365.
Called “Windows Hello for Business,” this feature adds a strong, hardware protected multi-factor authentication (MFA) credential that enables single sign-on
for the cloud-based standard user identity store for Microsoft 365. Multi-factor authentication is a must have for any company with a modern workforce and Amaxra employees use Windows Hello For Business on our Microsoft 365 deployment as our MFA method whenever possible. When compared to existing
complex password-based security regimes, your users will want to use Windows Hello for Business because of its simplicity and convenience.
If you have Microsoft 365 and want to get started down the road to passwordless working, there are two things you need to do:
- Audit your employee's devices to understand the biometric capabilities available
- Set up your Microsoft 365 to accept MFA using Windows Hello
Preparing for passwordless working
It's important to understand that converting your company to being passwordless is a journey. The duration of that journey varies for each organization. That's why IT decision-makers should understand the criteria influencing the length of that journey. Amaxra has found during our deployments of Office 365 and Microsoft 365 with Windows Hello For Business that having compatible hardware at the user level makes that trip to passwordless nirvana much shorter.
The good news is that the majority of any business-oriented Windows PC purchases your organization made in the past five years are already compatible. Most PC makers have installed low-cost Trusted Platform Module (TPM) technology inside every new device for business users. A TPM chip in your PC enables advanced cybersecurity operations that make your personally identifiable information and user data tamper resistant against criminal hackers. When combined with a fingerprint reader or webcam, the TPM works to encrypt and then securely store your biometric data (e.g. your fingerprint or your face) so that it can be accessed when needed for multi-factor authentication.
While it sounds all very James Bond 007, the fact is just about any Windows 10 PC priced at over $500 that you'd buy from a big box or warehouse retailer already has a TPM. If you buy a Microsoft Surface-branded tablet, laptop, or desktop PC then you are guaranteed to have a TPM. To make sure your PC has a TPM, type Device Manager in the search box on the taskbar then select it from the menu on the right. If you see a "security device" listed, then you have a TPM on your PC.
If your PC does not have a built-in TPM, then search online for an add-on for your specific PC brand. Some large OEMs such as Asus, Dell, and HP offer them through their online stores as accessories. Amaxra recommends PCs with TPM chips for all our customers for whom we've deployed Microsoft 365 (regardless of if they want to go passwordless or not) because it also enables the added security benefit of BitLocker hard drive data encryption for Windows 10.
Face, fingerprint, or PIN?
Once you've determined the status of your TPM, then you need to determine what method of passwordless authentication they will use on their PC. At a minimum, your employees can use a personal identification number (PIN) for their Windows Hello For Business authentication. The Hello PIN is stored in the TPM and tied to the specific device on which it was set up. Because of this, your Hello PIN is useless to anyone without that specific hardware, meaning that you can use a simple set of numbers like a birthday rather than some ridiculous alphanumeric sequence. Amaxra typically sets up Hello PINs for users with desktop PCs without the integrated webcams found in laptops and tablets such as the Microsoft Surface Pro.
Facial recognition using the Windows Hello-compatible webcam on a Surface tablet or laptop feels like magic. Although not all Windows 10 laptops and tablets
have a Windows Hello-compatible webcam like the Surface line does, there are dozens of mid-to-high end laptops made in the past couple of years that
do. If your PC is more than a couple of years old and really want to use the facial recognition, then you can purchase a Windows Hello-compatible USB
webcam for around $100 USD. However, this can get expensive if you have a large number of PCs. Amaxra recommends that unless the PC already has a compatible
webcam, you're better off using a PIN or fingerprint reader.
While the fingerprint reader with Windows Hello For Business doesn't have the sci-fi feel of facial recognition, it is often a standard feature for even
lower-cost business laptops. Good USB fingerprint reader add-ons can also be purchased for as little as $20 USD. Out of all three options, fingerprint
readers are what Amaxra recommends to provide that extra layer of security and passwordless convenience to any Windows 10 PC at your business.
Setting up Microsoft 365 for Windows Hello
Once you've determined the passwordless methods your employees' devices will use to sign into your corporate network with Windows Hello For Business, you need to enable the feature in Microsoft 365. This requires your IT admin to configure Microsoft 365's Azure Active Directory to enable MFA and Windows Hello.
From the Microsoft 365 Admin Center, go to Azure Active Directory > Users and then turn on Multi-Factor Authentication.
In the new tab that opens browse to service settings and under verification options, check the boxes related to your available Windows Hello For Business authentication methods.
To enable passwordless sign-in for your employee, in their Windows 10 devices go to Settings > Accounts > Sign-in options and select
‘On' under ‘Make your device passwordless'. Enabling passwordless sign-in will strengthen device sign-in by switching the device to MFA with Windows
Hello (Face, Fingerprint or PIN).
Let Amaxra guide you on your passwordless journey
Eliminating passwords for security's sake sounds like an oxymoron but it can be a reality with Microsoft 365 and Windows Hello For Business. Simplifying and streamlining your business for MFA can be a lot of work, but Amaxra experts can help. Our consultants have successfully deployed Microsoft 365 solutions for years. No matter where you are on your passwordless journey, our expertise in cybersecurity and Microsoft cloud-based solutions will get you where you want to go.
Contact me at email@example.com or call 425 749 7471 if you have any questions or comments on this blog.