Windows Hello provides organizations with a convenient method to authenticate in Windows, as it enables users to verify their identity by using biometric authentication or a PIN.

On top of that, Windows Hello for Business provides additional security and management capabilities, including device authentication, device configuration, certificate-based authentication and Conditional Access integration.

Perhaps the best part of Windows Hello for Business is that it is considered phishing-resistant two-factor authentication, although that status is not always acknowledged. Besides that, it integrates well within a Microsoft ecosystem and offers a single sign-on experience for nearly all applications used within the organization, including cloud applications and on-premises hosted applications.

Windows Hello for Business as multifactor authentication

According to the NIST definition of multifactor cryptographic device authenticators, Windows Hello for Business can be seen as a true multifactor authentication (MFA) technology. This is because it combines "something that you have" (a device with a hardware Trusted Platform Module (TPM) that contains the private key) with either "something that you know" (a PIN to unlock the private key) or "something that you are" (a fingerprint match to unlock the private key). Of course, it is important that it is configured correctly to fully comply with that definition. All of that is very similar to using smart cards. The big difference, however, is that with Windows Hello for Business the second factor is not portable. Even though portability is not part of the definition of MFA, organizations may still consider portability an important aspect of the authentication platform. In those cases, the fact that Windows Hello for Business is bound to a specific device with its own hardware TPM is not sufficient. For enhanced security, such organizations could deploy a different offering that is not directly bound to the user's device. Alternatives can be based on smart cards or on a secondary approval such as Cisco Duo.
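The paragraph above stresses that the "something that you have" factor only holds when the Windows Hello for Business key actually lives in a hardware TPM and the configuration requires that. The following PowerShell is an added example, not code from the original article or from Microsoft: it checks a device for a present and ready TPM, for the "Use a hardware security device" policy, and for a TPM-protected device key and a provisioned Windows Hello container as reported by dsregcmd. The registry path and value name used for the policy check (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, RequireSecurityDevice) are the Group Policy registry mapping as assumed here; the dsregcmd field names (TpmProtected, KeyProvider, NgcSet) are taken from the tool's status output.

```powershell
# Added example (not from the original article): verify that Windows Hello for
# Business on this device is hardware-bound as the MFA definition requires.
# Run in an elevated PowerShell session on the device being checked.

function Test-WhfbHardwareBinding {
    $result = [ordered]@{}

    # 1. TPM present and ready (Get-Tpm comes with the TrustedPlatformModule module).
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady

    # 2. Policy "Use a hardware security device". Registry mapping assumed here:
    #    HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, RequireSecurityDevice = 1.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $require = (Get-ItemProperty -Path $policyPath -Name RequireSecurityDevice `
                -ErrorAction SilentlyContinue).RequireSecurityDevice
    $result.RequireSecurityDevicePolicy = ($require -eq 1)

    # 3. dsregcmd /status: device key protected by the TPM, which key storage
    #    provider holds it, and whether a Windows Hello (NGC) container exists
    #    for the current user.
    $status = dsregcmd /status
    $result.DeviceKeyTpmProtected = [bool]($status -match '^\s*TpmProtected\s*:\s*YES')

    $kp = $status | Select-String 'KeyProvider\s*:\s*(.+)$' | Select-Object -First 1
    $result.KeyProvider = if ($kp) { $kp.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }

    $result.WhfbContainerSet = [bool]($status -match '^\s*NgcSet\s*:\s*YES')

    # Overall verdict: the "something you have" factor is only hardware-bound
    # when all of the device-side checks pass.
    $result.HardwareBound = $result.TpmPresent -and $result.TpmReady -and
                            $result.RequireSecurityDevicePolicy -and
                            $result.DeviceKeyTpmProtected

    [pscustomobject]$result
}

Test-WhfbHardwareBinding | Format-List
```

A device where HardwareBound is false (for example a software key storage provider, or a TPM that is present but not ready) still lets users sign in with a PIN, but the PIN then unlocks a software-protected key, which is the misconfiguration the paragraph warns about. The NgcSet value reflects the user context the command runs in, so check it in the signed-in user's session rather than under a separate administrative account.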