
Silversands Ltd, Albany Business Park, Cabot Lane
Poole, Dorset, BH17 7BX


Professional Services Company Welcomes Passwordless Login with Windows Hello

A professional services company with offices across Europe, this organisation has invested significantly in Microsoft solutions including Microsoft 365 and Intune to provide a flexible, easily managed environment to support its users wherever they are working.

Technology used:

Microsoft Windows Hello

What were the challenges?
  • This company wanted to accredit for Cyber Essentials Plus, requiring a number of security enhancements to be made
  • Multi-factor authentication for all logins was one requirement
What was the solution?
  • Given all the related factors, Windows Hello for Business was advised to be the best solution.
What were the results?
  • There is no longer a requirement for passwords
  • Phishing attacks are no longer viable
  • Password change issues have been removed
  • Security is significantly improved.

The Background 

Following a strategic decision to accredit the organisation for Cyber Essentials Plus and to align with an upcoming regulatory compliance requirement, a stringent audit was carried out. One of the key outcomes of this audit was that multi-factor authentication (MFA) needed to be implemented for all system logins whether that is desktop, laptop or server (accessed via remote desktop).

Having a long-standing relationship with this company, we were asked to provide advice and implementation of a recommended solution.

To satisfy all the requirements in this scenario, and based on licensing and technical infrastructure factors, we determined that Windows Hello for Business would be the best solution with the least friction for the users and admins. In addition, we initially identified the Remote Credential Guard feature to support the remote desktop login to servers.

Challenges
  • Strategic decision was made to accredit for Cyber Essentials Plus
  • Several security enhancements were required
  • Multi-factor authentication was a key requirement

What are Windows Hello for Business and Remote Credential Guard?

Windows Hello for Business is an enterprise security solution that replaces traditional passwords with stronger, two-factor authentication using biometrics (facial recognition or fingerprint) or a PIN.

It offers enhanced security, convenience, and improved user experience for accessing Windows devices and corporate resources. Crucially, it removes the need for passwords, eliminating the opportunity for phishing attacks – no password means there is nothing to give to a phishing attacker.

Remote Credential Guard is a separate technology that works in conjunction with Windows Hello to support passwordless logins to remote desktop sessions.

“We have a great working relationship with this company and being a small IT team with many offices to support across Europe, we could see the many benefits a modern security solution like Windows Hello could bring. It’s terrific that these have now been realised in terms of an improved login and working experience for users while at the same time, reducing the wider security risks and threats to the organisation.”

Colin Gray, Account Manager, Silversands

The Solution 

Following our initial discussions, we completed a technical workshop to discuss the various considerations, requirements and configuration parameters and then produced a design document. Once the design was agreed, and with no additional infrastructure required, we implemented the required configuration and policy changes across the existing Microsoft cloud platform and tested against the defined requirements.

During this testing, it became clear that Remote Credential Guard would not support the requirements in this situation because of the way that admin users log in to the servers. Consequently, an alternative method was developed using a FIDO2 security key (a USB key with an embedded security certificate which needs to be plugged in to grant access).

Once the configuration was completed, a set of pilot users and admins were identified to trial the new capabilities, ensuring that the users could log in and access all their applications with no issues or service degradation.

When we were confident that this was all working as expected and that the users were happy, we enabled a second-stage pilot to remove passwords entirely. When users are marked in Active Directory as requiring Windows Hello, their passwords are taken over by Active Directory and are no longer accepted as a sign-in method. This step also removes the password from Entra ID for the cloud-synchronised identities. Since all authenticated application access worked as expected, there is no impact on the users, and their passwords are effectively hidden and rendered unbreakable.

Following the successful testing of these two pilots, we handed the solution over to the company’s IT team for deployment to the remainder of the users.

Solution
  • Windows Hello and Remote Credential Guard were the selected solutions
  • Piloting determined that Remote Credential Guard was not suitable for admin login
  • Admin logins were enabled with FIDO2 security keys
  • Initial Hello login pilot was successful
  • Secondary pilot of passwordless application access was also successful
  • The solution was handed over to local IT for roll-out
What did the client say?

“Windows Hello for Business design and implementation options were all clearly outlined and discussed and caused zero disruption to the business during the setup and testing. The knowledge and professionalism of the entire Silversands team during this project was invaluable.”

Customer Application Manager

The Results 

The primary result of the implementation of Windows Hello is that the users no longer need to use a password to log in to Windows. They simply boot the machine, and then sign in with either a biometric (fingerprint or facial scan) or a PIN. Admin users just have an extra step to plug in a USB key.

The benefits of Windows Hello for this company are clear: 

  • There is no longer any need for passwords.
  • No passwords means that phishing attacks are rendered ineffective.
  • As the credential is tied to the device, the loss of a PIN code or device does not compromise the whole identity.
  • The usual and problematic requirement for a password policy is eliminated.
  • No password changes means an end to password-related service desk calls and no loss of productivity.
  • Although there was some resistance to change initially, the users are happier once they understand how simple login becomes.
  • And, of course, security is significantly improved.

The company is very happy with Windows Hello as it delivers exactly what is required in terms of MFA-protected logins and gets rid of one of the most painful elements in any organisation – passwords!

Moving forward, we look forward to helping this company implement additional Microsoft security solutions to help it achieve its Cyber Essentials Plus accreditation.

"The feedback from the pilot users was that the login and usage of the devices are easier than the traditional username and password. We are also happier that our device security is improved with the implementation of WHfB."

Customer Application Manager

Results
  • Passwords are no longer required
  • Phishing attacks rendered ineffective
  • Password change and policy issues are eliminated
  • Users are happier with simplified logins and application access
  • Security is significantly improved