Revisiting Windows Hello for 2 Factor Authentication


Windows Hello as 2 factor authentication was originally released when Microsoft introduced being able to “draw your password” on their Surface tablets back in 2015. During the announcement they mentioned that you could use facial recognition as well. The problem with Windows Hello is that facial recognition requires a camera with IR built in, which at the time was a premium upgrade and not common on laptops. To be fair, it still kinda is…

Now let’s fast forward to 2019. Since the beginning of the year, I’ve had 4 clients at work say “I want to go 100% cloud.” Most of these clients were almost there or technically already there. They had/have a Domain Controller in a private cloud running Azure AD Connect and no infrastructure on-site. So, depending on your definition of cloud, they were already there. What they were really trying to say is “We want to stop paying for hosting for that Domain Controller and go 100% Azure Active Directory.”


The minimum requirements for Azure Active Directory are fairly light.  

To build on the licensing from Microsoft, Microsoft recommends you include Windows Intune for device management. The short explanation is, Microsoft Intune is a mix of mobile device management, the cloud replacement for traditional Group Policy, and policy management for BYOD device deployments. I’ll go into Intune more in depth in a future post, but that is the shortest way I can summarize the product. Back to the topic at hand: if you’re already buying the P1 license, then upgrading that to the Enterprise Mobility + Security E3 license is a no-brainer, because it includes Azure AD P1 and Microsoft Intune for a total of $8.74 a month per user.

The difficult part is endpoint security. Leading up to this point, the go-to solutions for 2FA have been Duo Security and WatchGuard AuthPoint. They both have their pros and cons, but overall, they both work with Office 365 and end user devices. But when you dump a traditional domain controller and go 100% Azure Active Directory, you can’t use either product for end user devices. You can still use both products to do 2 factor authentication on all the Microsoft portal web sites and mobile apps, but you lose the end user device functionality without a domain controller.

So what do you do?

This is where Windows Hello/Windows Hello for Business comes back into the picture.

When you look at the overall picture of a company’s end user device security, you want all the products to work together. So in this instance, we have a company that wants to move to 100% cloud/Microsoft 365. To recap, they will buy enough Office 365 licenses to cover their users’ email and Office needs and then add Enterprise Mobility + Security E3 to get the Azure Active Directory P1 and Microsoft Intune licensing. To make things easier, let’s say this company just bought all brand new Windows 10 computers as well. Now to configure 2 factor authentication on the device. When you go through the device enrollment and security options, the only option is Windows Hello 2 factor authentication. There is a section called conditional access where you can enforce 3rd party 2FA solutions for programs or web portals, but again, the only way to do 2FA on pure Azure AD is Windows Hello.

Windows Hello takes a PIN/second password, fingerprint, or facial scan and makes a super complex password out of it to further secure your account. This second layer (or 2 factor authentication) is on top of your underlying account password. The downside to Windows Hello is that the second factor (PIN, fingerprint, or facial scan) is a per-device setup. So, in an environment where users use multiple computers, it could be an issue for them to remember which PIN goes to each computer. Or worse, it’s the same PIN on all the computers….

The setup is straightforward: when you log into your computer for the first time during the Out of Box Experience, you’re forced to create a PIN. After the fact, when you create the fingerprint scans or facial scans, you still need that PIN, but it basically acts as a bypass code instead of being required at login. Since most people by now have upgraded their cellphones and have some type of fingerprint reader to unlock their phones, I opted to set up the facial recognition option for this post.

Here is the process.

Buy a compatible device

This should be self-explanatory, but for facial recognition the camera must have a compatible infrared filter/mode.

The easiest way to find a device is to go to Microsoft’s web site and pick the option that best suits your needs (my use cases are Windows Hello 2 factor authentication and Microsoft Teams usage).

If you’re in the market for a laptop, most vendors have models with compatible cameras available, but you’ll have to pay for the upgrade. In my experience at work, the most popular laptop we sell is the Lenovo ThinkPad T400s series (currently it’s the T480s). On that model, to get a compatible camera built in, you have to upgrade the screen to the most expensive option. Depending upon how you upgrade the laptop, the screen upgrade probably isn’t going to break the bank. It’s roughly a $200 upgrade for the camera and screen.

Microsoft Compatible Device List

Set up a compatible device

For my home desktop computer, I purchased the Logitech 4K Pro Webcam (AKA the Logitech Brio). Most webcams are plug and play.

In Logitech’s case, download the Camera Control software and update the firmware.

I bought the webcam on March 07, 2019 and it had firmware version 1.0 (2017 firmware) on it. The current version is 1.2, which was released on 12/12/2018. Somewhere in between 1.0 and 1.2 a firmware update added Windows Hello support. So, just like any new tech purchase these days, apply firmware updates right away.

Logitech 4k Pro Webcam

On your computer, go to Settings > Accounts > Sign in options

Click on Set up Face Recognition

Click Get Started and type in your PIN

Center yourself in the box and let it scan your face

After I scanned my face the first time, the process completed but warned me about my glasses. The wizard said it will work better if I redo the scan without them on. For now I’m humoring Microsoft, so I redid the scan with my glasses off.

I haven’t had any issues unlocking my computer with my glasses on after the scan with my glasses off.

Testing Time

You’re done. Test by locking and unlocking your computer.

Press Windows Key + L to lock the computer then click on your user account and change it to the Smiley Face icon under sign in options. Then look in the general direction of the camera.  

That’s all there is to it. Obviously, in an Azure Active Directory environment with Microsoft Intune you can create policies to enforce usage and so on, but this is a simple example of how the process works. Overall, the login process is very quick and responsive.
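As an added example (not from the original post), here is a PowerShell readiness check that confirms from the command line the pieces the walkthrough above relies on: that the machine is Azure AD joined, that the user has a Windows Hello PIN/key enrolled, that a camera or biometric device is present, and whether a Windows Hello for Business policy has been pushed to the box. It assumes Windows 10 with `dsregcmd.exe` available, and that `HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork` is the Group Policy location for the “Use Windows Hello for Business” setting; the function names are my own.

```powershell
# Added readiness check, not part of the original post.
# Assumptions: Windows 10 with dsregcmd.exe; the PassportForWork registry path
# is where the "Use Windows Hello for Business" Group Policy lands.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines under Device State / User State.
    # Parse the single-word keys (AzureAdJoined, NgcSet, ...) into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-HelloCapableDevices {
    # List the present camera and biometric devices Plug and Play knows about.
    # A Hello-capable IR camera normally shows up here; a fingerprint reader
    # appears under the Biometric class.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Present -and ($_.PNPClass -in @('Camera', 'Image', 'Biometric')) } |
        Select-Object Name, PNPClass, Status
}

function Get-HelloPolicy {
    # Group Policy / Intune-delivered "Use Windows Hello for Business" setting.
    # Absence of the key only means no policy was applied; the consumer-style
    # PIN forced during OOBE still works without it.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        return [pscustomobject]@{ PolicyPresent = $true; Enabled = $props.Enabled }
    }
    return [pscustomobject]@{ PolicyPresent = $false; Enabled = $null }
}

function Test-HelloReadiness {
    $ds      = Get-DsregState
    $devices = @(Get-HelloCapableDevices)
    $policy  = Get-HelloPolicy

    [pscustomobject]@{
        AzureAdJoined      = ($ds['AzureAdJoined'] -eq 'YES')
        HelloPinSet        = ($ds['NgcSet'] -eq 'YES')   # NgcSet: Hello key/PIN enrolled for this user
        CameraOrBiometric  = ($devices.Count -gt 0)
        HelloPolicyPresent = $policy.PolicyPresent
        HelloPolicyEnabled = ($policy.Enabled -eq 1)
        Devices            = ($devices | ForEach-Object { "$($_.PNPClass): $($_.Name) [$($_.Status)]" })
    }
}

# Usage: run in an elevated PowerShell on the enrolled device.
Test-HelloReadiness | Format-List
```

A machine that is Azure AD joined with `HelloPinSet` true but `CameraOrBiometric` false is the “PIN only” case the post describes: the user can sign in, but the facial or fingerprint factor has nowhere to go until a compatible camera or reader is added. `HelloPolicyPresent` being false on a device that should be Intune-managed is worth chasing before assuming the enforcement policies mentioned above are in effect.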

One side note about this camera specifically. When I was researching which camera to buy, I saw that this webcam had some mixed reviews because users couldn’t get 4K to work on it. This issue falls under the category of “things you would think people would assume, but don’t”. When you unbox the camera, you’ll notice it ships with a USB 3 Type-C cable (first clue). Secondly, if you’re geeky at all, you know that 4K anything requires a little more horsepower. 4K TVs cost more compared to 1080p. To play video games at 4K you need a more expensive video card, Xbox One X, or PS4 Pro, etc. (second detail). Basically the step-up model of everything. So I’ll just say it so everyone is on the same page.

For 4K streaming/recording to work you must plug the USB 3 cable into a USB 3 port.

The camera will work up to 1080p on USB 2. But honestly, if you’re using a computer that doesn’t have USB 3 on it, it’s time for an upgrade. USB 3 has been out for 6-8 years at this point. I doubt a 6-8 year old computer has the hardware to run 4K video anyway.

For more information on Windows Hello 2 factor authentication, here is Microsoft’s documentation on it.