4 Reasons Windows Hello Customers Still Need Advanced MFA

Windows 10 leverages biometric authentication, but is it enough?

Last year, Microsoft unveiled its Windows 10 operating system, complete with Windows Hello for Business and its built-in biometric authentication capabilities—face, iris and fingerprint recognition. These enhancements promise greater security, increased convenience for users and fewer hassles for administrators—which is good news for the more than 47 million users and 5,000 businesses who have made the leap to the operating system so far.

However awesome and eye-catching (pun intended) the biometrics are in Windows Hello, experts agree a wide variety of factors—biometric, behavioral, risk-based, contextual, traditional—are required to support the modern enterprise. Rely too heavily on a single factor, even ones as advanced biometric capabilities, and you run the risk of boxing in your identity and access strategy.

A cautionary tale…by 2020, 57% of all Windows systems will be running Windows 10. But the results will be a patchwork quilt: few organizations will have 100% of their users on the new OS, and, if history is any guide, Microsoft will extend the life of Windows 7/8 well into the future making migration even slower. Relying on these advanced features to deliver a consistent Windows-based access control for your user population is still a few years in the distance. But there are solutions out there delivering secure, convenient and advanced authentication today.

Contextual and Behavioral Factors Go Beyond Windows Hello

MFA authentication can be maximized with what Crossmatch calls “composite authentication,” the basis of its DigitalPersona MFA solution. Composite authentication leverages dozens of data points from typical MFA factors, plus, behavioral data (such as mouse and keystroke dynamics) and contextual factors (such as when and where attempted access occurs).

New improvements to DigitalPersona make a strong solution even stronger. These include face recognition, FIDO U2F authentication, email delivery of OTPs and Integrated Windows Authentication (IWA). These four advantages should also be considered:

1. More flexibility

By going solo with Windows Hello, businesses give up flexibility in several areas. For example, unlike Windows Hello which only supports Microsoft Edge, DigitalPersona also supports Chrome, Firefox and Explorer. Another example: Beyond the PIN, device and biometric authentication factors found in Microsoft 10, DigitalPersona also supports Bluetooth, smart cards, keystroke biometrics and OTP.

DigitalPersona also allows supports credential roaming. This means that your users enroll once on any Windows desktop or Surface tablet, then can access from any other Windows desktop or Surface tablet. Using Windows 10, users enroll their device and cannot roam to other devices with a separate enrollment.

2. Better Security

CIOs and IT executives want security options that best fit their organization’s needs. DigitalPersona is the only MFA solution that allows time-, situation- and network-based login options for Windows users. No other solution out there offers risk-based authentication to the Windows desktop, meaning users can continue to login with their Windows AD passwords while DigitalPersona invisibly scores them and “steps” them up to stronger factors only when necessary.

It also beefs up behavioral authentication with keystroke biometrics. As your users type in their AD passwords, an algorithm can determine to a high degree of certainty—based on past interactions—that it is the correct user. If you’re into fingerprints, DigitalPersona supports Legacy and FAP wireless readers, rather than just WBF (Windows Biometric Framework).

3. More Control and Easier Management

DigitalPersona is a crowd-pleaser for administrators who need effective policies and efficient processes. It offers control policies for machine, user and applications—not just Hello on/off, biometrics and PIN available on Windows 10. There is also central management of passwords and SAML web browser protocol for Single Sign-On (SSO)—not so for Windows 10.

4. Greater Utility

DigitalPersona gives security professionals more options for deployment across an organization’s system. For example, DigitalPersona offers more complete support for apps and APIs; easy setting of STS (security token service) policies; self-services web-based Windows account unlock and more. Plus, DigitalPersona includes fingerprint reader support.

Microsoft is moving ahead by leveraging the power of biometrics, but biometrics aren’t a cure-all. MFA is still the king of authentication, and DigitalPersona takes MFA further with contextual and behavioral factors, plus a host of other features. Contact Crossmatch to find out more about how DigitalPersona can meet the needs of your growing business.

Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.

Selecting an Authentication Solution: What you need to consider (Part II)
No Server Left Behind
Selecting an Authentication Solution: What you need to consider (Part I)