Windows Hello for Business
Course length: 5 h 56 m
Windows Hello allows businesses to implement multi-factor authentication. Learn how to deploy Windows Hello for your organization in this course.
- Windows Hello for Business
- Planning the Deployment
- Preparing the Active Directory
- Preparing the PKI
- Preparing the PKI Part 2
- Preparing AD Federation Services
- Configuring AD FS and DRS
- Configuring the Registration Authority
- Configuring the Registration Authority Part 2
- Configuring the Registration Authority Part 3
- Prepare an Azure MFA Server
- Preparing the MFA User Portal
- Configuring the MFA Server
- Installing the User Portal
- Connecting the AD FS to the MFA Server
- Configuring Group Policy
- Deploying and Testing
Episode Description
In this episode, Don and Mike introduce the viewers to Windows Hello for Business. They discuss the risks associated with standard password usage and explore how Windows Hello for Business can provide a more secure authentication experience.
Welcome to ITProTV, I'm your host Don Pezet. [CROSSTALK] [MUSIC]
>> You're watching ITProTV.
>> All right, good morning, good afternoon and good evening. And welcome back to another episode of ITProTV. I'm your host Don Pezet. Here today with a very special series that we're kicking off, which is Windows Hello for Business. And I've got a special guest here in the studio with us, Mr. Mike Stephens, who's gonna be helping us kinda walk through Windows Hello for Business and see what it can do for us. Mike, thanks for joining us in the studios.
>> Thanks for having me Don, it's a pleasure to be here.
>> And what's on our agenda for today as far as where to get started?
>> Yeah, so, Windows Hello for Business is a new thing that we brought out. And this is going to, basically it's a password replacement. We're targeting users on passwords. And so what we're gonna do today is talk about the concepts leading up to Windows Hello, and why we need Windows Hello in the infrastructure today. And the first thing here is to talk about the password itself because you have a problem. And when you have a problem, you need to solve that problem. So our first thing today is to talk about that passwords are bad. We've been using passwords for 20-something years. And they're just the go-to. They're reliable in the sense that most of us have figured out how to create a password that's semi-strong enough. And we just have a hard time getting off of them because so much of the infrastructure depends on the password. And so today what we need to do is look at why is the password so bad and why do we need to get off of that? And so what we really need to do is break down what a password is. And at the end of the day, a password is just a symmetric key. We type in a password that we know, so it's like my favorite dog or something to that effect.
But underneath the covers that password is hashed with a hashing algorithm or we use a key derivation like PBKDF2 and we throw some salt in there, and maybe some additional entropy. And the output of that is basically it's a key. It's a symmetric key, it's the secret that I know and it's the secret that the authenticating server knows. And so that server is just going to compare that key to the key I typed in after doing all this computational stuff and that's how we authenticate.
>> Well, I know you said we've been using passwords for 20 years, probably longer for certain things. You watch the old war spy movies where they had the password response type thing. That technology's been around a long time. It's far more advanced now than it used to be. You mentioned hashes and salts and all that. So, if we have a highly secured password like that, why isn't that a good technology for authentication?
>> So, it's not a good technology for authentication because there are three components that we've looked at when we did Windows Hello for Business. And one is passwords are phishable. You can trick somebody into giving you their password. The other thing is passwords are replayable. The great thing about passwords is they are portable, the bad thing is that they are portable.
>> [LAUGH]
>> Once I get one, I can use it anywhere, and so if I happen to know Don's password I can go back to Washington in my office and I can pretend to be Don. And it works.
>> At that point the computer has no way of knowing whether it's you or me because all it's checking for is a password. If you've got my password, it thinks you're me.
>> Right, it's a single factor. It's just, I just know that you typed in a user identity and you typed in a password, and on the back-end server that's doing the authentication that password worked. And so it has no other choice but to let that user in.
The other thing that it is, is that we talked about that they are phishable, and the big thing, and what we've seen in a lot of the TV today, is they're breachable. Like I said, in that talk about the password, when I create a password and we do all that crypto underneath, that password still has to be stored on the back end so it knows how to authenticate me. And so that's become a very big target. We've had quite a few things that we've heard in the news about people having identity theft because of these breaches on these servers. So the idea of Windows Hello is to go to not one factor or single factor but two factors of authentication, and we'll get into that. But the point is two factors of authentication, and design it in the way to where we can try to move forward to non-phishable, non-replayable and non-breachable. So with that I want to go into, this is where we have this whole password thing, and so why I wanted to just give the users, or viewers I should say, give the viewers a view of how passwords are easily breached today. I have this little PowerPoint animation here that we can show you. And my head's covering up the bottom there, but we'll get to that. So here we have, this is, humans are humans, and we don't like to use complex passwords. And the problem is, we end up using the same password over and over again, because, well, we remember it. So the problem here is, I use the password at Bank.com. I'll also use that same password all the way through my social media, maybe some other things, but then I go to this one obscure site that I only need to do one or two things on. But, like a lot of sites, they make me want to actually sign in with something. And so, I use the same password, cuz it's easy to remember. Well, while we think of our bank as being a very secure and very trustworthy entity.
As we go down this list here on the right side, our level of trust starts to diminish until we go to Obscure.com, which, I don't know what they are but there was something on the website I wanted to see. And so what happens is, now the attacker, he's just gonna find the weakest link in all of these. He's not gonna go directly to the bank because banks are tasked with making sure that people don't breach. So what we wanna do then is that basically the attacker finds Obscure.com, hacks that password. And now all of a sudden, as we alluded to in the intro here, that attacker can be me anywhere, all over the place. Bank.com, Social.com. And so now, what ends up happening is that I'm actually compromised at that point and my identity is gone on multiple sites and then you just have this runaway identity problem.
>> And there's been some high visibility instances of this lately. I know Apple was subjected to this where they were saying there were hundreds of thousands of accounts breached and it turned out that they themselves weren't breached, it was other sites, and through password reuse they were able to compromise those credentials. So that's a real problem not just for one company but for every company, every organization that is out there.
>> That's a great point, Don, yeah, I mean the problem we have today is that we are really, heavily dependent on passwords today. And it's a big mountain to move, we've done several years of investigation on how can we get to a world without passwords? And it's not an easy task, it's going to take a lot of investigation in each particular enterprise to figure out how they can move their business from something that we call a weak credential, which is just user name and password, to a strong credential, that is, Windows Hello for Business. So what I wanna do is, how is Windows Hello for Business a strong credential?
Well, let's start with what's two-factor authentication, or basically multi-factor authentication. And there's a great document, NIST SP 800-171, that has a definition of what multi-factor authentication is. But we can simplify it here. Basically, it's something you have. It's typically a private key, and highly recommended that it not be movable, or secured by some sort of security device. A common thing is a smart card, or perhaps a TPM inside the computer. The next thing that we have is something you know, and this can be a PIN. And these PINs, they kind of, people get, well, PIN and password, that's kind of confusing, isn't it the same? And it's really not, because in these scenarios where you're doing multi-factor authentication, the PIN is actually entropy, it's not really stored anywhere. It's based on the fact that the user is going to provide this entropy that has been given during a time of provisioning. And it will use that entropy to do some sort of computation that will eventually then say, yes, that is the user, because they knew this. It doesn't have to compare the PIN to a stored PIN. And then, the final thing that we have here is that it's something that is a part of you. In this case, Windows Hello, we have the ability where we can tie Windows Hello for Business to use biometrics. So then you could sign in with your face, or you can use a fingerprint reader. So it's a very fluid and easy motion, and it's kind of very futuristic for us, because you get to go and show all your relatives how you just sign into your computer using your face, or using a fingerprint. And it's very, very cool. So, the objective, when we did Windows Hello for Business, was to basically work on those three pillars of non-phishable, non-replayable, and basically non-breachable. And the way we do that is we start with the something you have. Windows Hello for Business is essentially going to create a private key in the computer's TPM. So we support TPM 1.2 and 2.0.
And for older machines we do support a fallback to software. Although for enterprises we have group policies that will actually allow them to force a hardware one where you won't fall back to software. But we have to keep in mind that everybody's computer refresh cycle is not what it's going to be.
>> And I think at this point pretty much every computer made in the last three to five years should have a TPM in it. It's kind of becoming more of a rarity to find a computer that doesn't have a TPM integrated, right?
>> Yeah, it just depends on where you procure your hardware. TPMs, when you do a bill of materials for these laptops and everything, these manufacturers are cutting costs. A TPM might be $0.17, but that's $0.17 to the bottom line. So you definitely want to make sure that when you are looking at Windows Hello for Business and upgrading your hardware that you make sure that you call out to that vendor that you want a TPM, and preferably you want a TPM 2.0. I know that Microsoft has recently changed their hardware guidelines where TPM 2.0 is what we are recommending for Windows Logo PCs right now. And TPM 2.0 is just a better version all out. It doesn't lock out as easily, it has better performance, it supports more crypto. So, it's just a better overall thing. But we know that it's gonna be a gradual movement before you get from TPM 1.2 to 2.0. But most PCs in an enterprise will have a TPM 1.2. There are already things that use it. Like right now BitLocker needs a TPM 1.2 to use that, and there are other things that are more and more prevalent where TPMs are just being used more and more. So that's not really a hard thing, but we need to have that TPM because what do we want, we wanna have that thing that you know, or sorry, that thing that you have is gonna be a private key, that private key is generated in a TPM. TPMs have all this crypto built into them, so they can do random number generation, they do all this stuff inside the TPM. And they generate a key.
And that key is then wrapped with a key that's burnt into the TPM at the time of manufacturing. And that key is different for each TPM that's manufactured. And so TPMs don't really have a lot of storage. So what happens is that key is wrapped with that unique key that's burnt into the TPM at the time of manufacturing and then persisted to disk. And so that way, even if you were to get that key and move it laterally one way or another, it's not gonna work because you need to feed it into the TPM that actually created it. And so that's where we can get this where we don't have lateral movement of the actual something you have. The next thing that we're gonna talk about is the something you know, which is the PIN. As I mentioned, that's entropy, and so we don't persist the PIN anywhere. And so that way, if that PIN is ever entered wrong, then it's not gonna work. Because what happens is, the way to bring that key out of its persistent state, or where it's stored on disk, and to bring it back into the TPM to where it can be used, is I need to have that key that's wrapped, and I need to provide the entropy. Both of those get fed into the TPM, and it's gonna do a computation. And if it's not what it expects, then it just fails and you don't get to use that. So those are the things that we have as far as there is something you have and something that you know. The "or" in this matter, for where you can get into a different one, is that you can use your biometrics. The biometrics, you can enroll your biometrics during Windows Hello. And in that enrollment, you can use your fingerprint and you can use your face, depending on the hardware that you have. And then, from that point on, instead of using your PIN as a gate to get to that key, you can use your biometrics as a gate to get that key. So that makes it a little bit cooler, and it's a very frictionless sign-in.
So, if we look at those three factors, and what we do, how do those play into our objective of non-phishable, non-replayable and certainly, non-breachable? So if we look at the something you have, your authentication is not really a symmetric key, it's I'm doing a cryptographic signature operation to sign in or authenticate. Then what you get there is that, well, knowing my PIN doesn't really help me anything. Because it's not gonna work, if the PIN's in this laptop, it's not gonna move to another one. So, where you have that is it's just very difficult to phish something because all you're gonna get is a cryptographic output of phishing. If you ask me to type in my PIN, I'm gonna type in a PIN that's not gonna do anything. So you can't really phish it. The next thing about it is that it's non-replayable. Because I'm using a key that can't move off of this computer, well, it can't move off this computer. That means that it can't be replayed. The analogy we had, if Don's using Windows Hello for Business, I can't go and be Don in Washington because I don't have his key. It's on his device. And then the next thing is it's non-breachable. And this is more of a forward-thinking objective in that, if you think about when we talked about passwords being stored on a server, and these breaches that we were talking about, well, now all of a sudden in doing the registration process, I need to know who Don is when he's authenticating. But these are asymmetric keys. So I have the private key stored here. The public key, well, it's a public key, it can go anywhere it needs to go. So the public key gets registered with the identity provider or the authentication. So now what you have is, if you fast forward, you have a server full of public keys. And a server full of public keys doesn't really do an attacker much good at that point.
>> And that's one of the neat parts about this whole aspect is that you'll hear about companies where they have password databases that are very heavily encrypted, very well secured. And a breach happens, somebody gets a copy of that database. And they say, well, yeah, they got the database, but everything's encrypted, it's fine. Well, that encryption might be very, very strong today. But two years from now, four years from now, six years from now, processors get better, computers get faster, our compute resources get significantly larger. And maybe that strength and security is no longer there anymore and now they are able to be compromised. Well, that's passwords four or five years down the road, but a lot of people aren't changing their passwords. They are using passwords that are very, very old and that means you now have a compromise. So with this, because they're just public keys, it really doesn't matter if somebody gets that database. I mean, obviously, we'd rather it didn't happen, but if it did, that risk is far, far mitigated. So we don't have to worry about it so much.
>> Right, I mean, the whole idea of a public key in RSA is it's public, it's allowed, people are allowed to see that key. So, yeah, the idea here is that it's not gonna, it's a roadblock. We know attackers are, attacking is a business now. People are doing this to make money. So we know that by virtue of attacking a server that once had symmetric keys and now it only has public keys, we're kind of moving the target attack to something else. And so that's why that defense in depth that you hear all throughout the IT industry is very important. You protect one thing, and they're just gonna move and find. Attacks go to the path of least resistance. So they're always gonna try to find where is the weakest link, and that's the attack vector. And with Windows Hello for Business is this long-term strategy of getting off passwords and moving to this strong two-factor authentication.
That's where we can sit there and say OK, in the future the directory or the authentication, in this case Active Directory, or in the cloud, like Azure, these particular attacks are not going to be valid there. You're gonna have to move to something else there, so that's kind of the gist of why we had Windows Hello for Business. One follow-up point on that particular thing is, there's been two-factor auth for a while, I'm sure everybody out there has heard of smart cards. And smart cards, they're about 15 to 17 years old and they've gone through these same little hurdles that they had to go through and work out. But the problem with smart cards, frankly, is it's very expensive, you need an infrastructure, you need to have smart card management software, you need to have smart card readers, you need the smart card itself. And then there's the ongoing maintenance and cost of making that infrastructure and keeping it in place. And so those are the things that deter a lot of companies from wanting to go to a strong credential, it's just, they simply can't afford that. And so what Windows Hello for Business does is it brings strong two-factor authentication to the enterprise in an affordable manner, where most of it just reuses the existing infrastructure you have today. So on top of infrastructure, let's talk about some of the technologies that Windows Hello is gonna use, before we jump in to actually getting our feet wet with it. So some of the technologies that Windows Hello is gonna cover is Active Directory. We're gonna be doing some stuff in Active Directory, user maintenance, but we're also going to be doing some schema extensions and we will get to that in a later episode. We're gonna be using DNS to make sure that we have, any time you mention Active Directory, DNS goes hand in hand with it. PKI, Public Key Infrastructure, we're gonna need a certificate server, and we're gonna use that as a root of trust.
And then we're also gonna use that to issue identity certificates to the actual user itself. So that's what they'll authenticate with, then we're gonna manage it with Group Policy, which makes it very easy, very affordable. We don't need to have an expensive management solution, we can just use what's built into Windows Server right then and there. And then we're gonna throw a little twist into this and we're gonna bring in Active Directory Federation Services. And we use that, it's a way, we'll see how that is being used with, I talked about registering that public key. That's gonna be our registration point, and we're gonna see how that actually plays a very pivotal role in Windows Hello for Business in that defense in depth security model that I spoke of. And then, we're gonna introduce a new thing that many people may not know. But what we're talking about today is the on-prem version of Windows Hello for Business, which we recently introduced with the Creators Update. And in that we've brought it to where it works with this on-prem Active Directory. But we have a little, little snag here to where doing multi-factor authentication on-prem is not cost-productive. So we're gonna introduce the Azure Multi-Factor Authentication Server. It's an on-prem server, and we'll have a pretty good discussion about that and how that keeps the credentials on-prem. But it leverages the cloud just simply to make that one phone call, because we don't wanna upgrade a user from a weak credential to a strong credential just because they typed in a password. We need to know that when Don goes to the provisioning flow, that Don is Don, and it's not just an attacker that stole his password. So in that provisioning flow we're gonna make the user do another form or a second factor of authentication to make sure we're giving them a strong credential and we're giving it to the right person.
And then lastly, there are some supporting mechanisms here with the multi-factor authentication where there's a user portal that lets you set up a self-service portal where the users can manage their multi-factor authentication and how that's going to play. Whether they register a phone number or they could use an authenticator app, these are the things that we don't wanna have that burden on the IT. So part of the server is there's a user portal that you can set up in your enterprise. And then you can use that user portal to then let the users manage their own identities there. And so we'll be doing some IIS web services stuff, but basically just helping you understand the requirements you need to install it. We're not gonna go deep into IIS there, and that basically we'll wrap up.
>> And I know it sounds like a lot of components, but if you look at the list of things that we need to get Windows Hello for Business set up, most of it is stuff that you should have already or most businesses are going to have. You're going to have Active Directory domain controllers, you're going to have a DNS infrastructure. So it's mostly reusing the technology you've already got and adding a little bit more to them to get that support. But it's also important to note that there is a big difference between just plain old Windows Hello and Windows Hello for Business. Now with Windows Hello for Business, we're controlling that infrastructure, that's why we need all these different components. The original Windows Hello, was it in the Anniversary Update or was it in the original Windows 10 release, do you remember?
>> I think it was in the November one when we first did the original Windows Hello for Business.
>> So the consumer version of Windows Hello, that just taps into Microsoft's infrastructure and it is all controlled in the cloud and we don't worry about it. But here, Windows Hello for Business, it's integrated into our on-premises environment, and we maintain that control.
>> Yeah, that's a good point Don, to expand on Windows Hello, actually Microsoft is using Windows Hello for Business, the infrastructure, whatever. So when you sign in with your Microsoft account into Windows 10, you have the option, when you sign in, you can create a PIN. In fact, we wanna encourage users to create PINs because creating that PIN gets you off of that password, even if you have the password there. Not using the password and not being prompted to enter a password is a good thing. We wanna get users out of the habit of, something popped up and asked me for my password, let me go ahead and give it to you. So, Microsoft accounts will do that, Azure is using Windows Hello today, so we have a lot of things. Now to be very transparent here, there is a Windows Hello, or a standalone Windows Hello, for just your local machine. And that's not really the Windows Hello for Business, that is what we call a convenience sign-in. And there's a big distinction there, in a convenience sign-in, so if I just have a computer with no infrastructure and I'm not connecting to either Azure or with my Microsoft account. The convenience sign-in is really, Don, we hear that convenience and security, they're mutually exclusive.
>> They don't play well. [LAUGH]
>> [LAUGH] So the reason why we call it a convenience sign-in is that's exactly what it is, it's a convenience. So what it's really doing under the covers is it's not using a private key, it's not really using the TPM for a private key. It's basically what we call a password stuffer, it'll ask you for your password, it'll grab that password. Now one of the improvements is it will use the TPM to encrypt that password before it's persisted to the disk. But at the end of the day you're still using a password, so the way I try to tell people is that every decryption operation leaves you with clear text.
Clear text is clear text, so that means I'm still gonna get your password. Yes, the brute-force attack of trying to get it from the disk is much more difficult because we're using the TPM. But if I'm malware and I'm sitting there and I'm just looking for things in memory, eventually that password is going to get decrypted, and it's gonna get into clear text and then I'm gonna be able to get it. So that's just a thing to let people know: in the enterprise we have convenience sign-in turned off by default and it's only turned on with Group Policy. So, you wanna make sure that that one is not turned on. In fact, when we get into the policy sections I'll probably mention it then as well, that if you try to have a conflict between Windows Hello for Business and the convenience sign-in we kinda just don't let you create a PIN at all.
>> [LAUGH] Yeah, and for a business we don't want that anyway, so it makes sense that we'd stick with the Windows Hello for Business infrastructure and get that implemented properly.
>> Absolutely, it's the stronger of the versions that we want people to use. Like I said, even with your Microsoft account it's a good idea to just go ahead and create that PIN. And if you can get hardware, there's a lot of cameras, third-party cameras that are coming out. There's more, a lot of fingerprint readers I'm seeing in laptops now more than ever. So, it's really starting to gain popularity and gaining momentum. So any time you can do those things, moving off of a password is just the be-all end-all of what we want.
>> All right, well Mike, I think that's probably a pretty good spot for us to wrap this one up. Did you have anything else you wanted to mention before we close?
>> No, we're good, we're gonna have a lot more to talk about, and we're gonna be here for a while talking about Windows Hello, and setting it up, and making sure people can use it.
>> All right everybody, well, in this episode, we had a chance to learn a little bit about Windows Hello for Business. We talked a bit about the reason why we want to have it, and why passwords are no longer cutting the mustard for our security solutions. And we talked a little bit about the infrastructure that we're going to need to put Windows Hello for Business in place. And in the upcoming episodes we're gonna be seeing actually how to put that into place, get it implemented in your on-premises environment. I hope you enjoyed it, be sure to stay tuned for the follow-up episodes cuz we're really gonna get to the good stuff coming up. But for now, signing off for ITProTV, I'm Don Pezet.
>> And I'm Mike Stephens.
>> And we'll see you next time. [MUSIC]
>> Thank you for watching ITProTV.
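The three client-side points the hosts keep returning to in this episode are whether the machine has a TPM (and whether it is 1.2 or 2.0), whether Group Policy forces the Windows Hello for Business key into hardware rather than allowing the software fallback, and whether convenience PIN sign-in (the "password stuffer") is switched off. The following readiness check is an added example written for this page; it is not code from the episode or from Microsoft. It assumes it runs in an elevated PowerShell session on a domain-joined Windows 10 client, that the `Get-Tpm` cmdlet and the `Win32_Tpm` CIM class are available, and that the Group Policy settings the episode names ("Use a hardware security device" and "Turn on convenience PIN sign-in") are written to the `PassportForWork` and `Windows\System` policy keys under the value names used below; the function names are this example's own, and the registry value names should be confirmed against `gpresult /h` on your own build.

```powershell
# Added example (not from the episode): readiness check for the points the hosts raise.
# Run elevated on the client. Function names are this example's own; the registry paths
# and value names are assumed to match the Group Policy settings named in the episode.

function Get-TpmReadiness {
    # Get-Tpm reports presence/readiness; Win32_Tpm carries the spec version string
    # ("2.0, 0, 1.16" or "1.2, 2, 3"), whose first token is the spec level.
    $status = Get-Tpm -ErrorAction SilentlyContinue
    $tpm    = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec   = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    [pscustomobject]@{
        Present     = [bool]($status -and $status.TpmPresent)
        Ready       = [bool]($status -and $status.TpmReady)
        SpecVersion = $spec
        Preferred   = ($spec -eq '2.0')   # episode: 2.0 is the recommended level
    }
}

function Get-PolicyDword {
    # Returns the DWORD at $Path\$Name, or $null when the policy is not configured.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$Name
}

function Test-WhfbReadiness {
    $tpm = Get-TpmReadiness
    $pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'   # assumed policy key
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'    # assumed policy key

    $enabled = Get-PolicyDword -Path $pfw -Name 'Enabled'               # Use Windows Hello for Business
    $hwOnly  = Get-PolicyDword -Path $pfw -Name 'RequireSecurityDevice' # Use a hardware security device
    $convPin = Get-PolicyDword -Path $sys -Name 'AllowDomainPINLogon'   # Turn on convenience PIN sign-in

    $findings = @()
    if (-not $tpm.Present) {
        $findings += 'No TPM: the key would fall back to software, which policy should forbid.'
    } elseif (-not $tpm.Ready) {
        $findings += "TPM $($tpm.SpecVersion) present but not ready (enable, activate and own it)."
    } elseif (-not $tpm.Preferred) {
        $findings += "TPM $($tpm.SpecVersion) is supported, but 2.0 is the recommended level."
    }
    if ($enabled -ne 1) { $findings += 'Windows Hello for Business is not enabled by policy.' }
    if ($hwOnly  -ne 1) { $findings += 'RequireSecurityDevice is not set: software-key fallback is allowed.' }
    if ($convPin -eq 1) { $findings += 'Convenience PIN sign-in is on: that PIN only unlocks a stored password.' }

    [pscustomobject]@{
        Tpm      = $tpm
        Findings = $findings
        Ready    = ($findings.Count -eq 0)
    }
}

Test-WhfbReadiness | Format-List
```

An empty `Findings` list means the client matches the posture the episode argues for: a hardware-backed private key that cannot be copied off the device, and no convenience PIN that merely decrypts a cached password. If `RequireSecurityDevice` is missing and the TPM check fails, the machine will still provision a key, but in software, which is exactly the fallback the hosts say enterprises should block.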