Windows Hello for Business

Passwords are widely regarded as one of the main causes of weak security in most computer systems. They may be reused across multiple systems (including social networks and weak websites), they may be based on guessable information that can be socially engineered or cracked using specialized software, or, most likely, they may be stored in a database that is then compromised and shared across the cyber criminal community. So no matter how well we educate users to create more complex passwords that are changed frequently, there is always a risk that a password will be compromised and then used to gain access to systems by impersonating a valid user.

The best defense against this type of risk is to deploy multi-factor authentication (MFA): a method of authentication that requires the user to provide more than just a password to gain authorized access to a system. MFA solutions have been something only the most secure companies would have considered, or been able to afford, to deploy. Apart from the cost to purchase, deploy, and maintain the solutions, there is also a considerable amount of user training involved, and the potential for lost productivity.

Windows Hello for Business combines and simplifies the deployment and management of Microsoft Passport and Windows Hello. It is designed to eliminate the use of passwords as the primary authentication method, replacing them with a range of alternative, more secure options. Users are prompted to configure this solution when they log on to a Windows 10 computer for the first time. To use this feature, users create a device-specific gesture, such as a PIN or biometric entry, which then unlocks the device and its TPM. The TPM protects a private key that is used, instead of a password, to sign authentication requests for credentials.

To make the login process easier, users are initially prompted to sign in with the simplest gestures, such as facial recognition or fingerprints. If for some reason this attempt fails, the user can fall back to their unique PIN. These methods are more secure than a single password because they bring a second factor of authentication: access to the physical device used in the initial gesture registration. An attacker cannot simply obtain the user's password; they must also gain physical access to the device used to log on in order to provide the second factor.
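The following simulation is an added example, not Microsoft code or a Windows API: it models the two paragraphs above as a challenge-response exchange in which a PIN releases a signature from a device-held private key and the server stores only the public key. The function names, the user `alice`, the sample PINs, the use of Ed25519, and the hashed-PIN comparison (standing in for the TPM's gesture check) are all assumptions made for illustration.

```javascript
// Added illustration: every name here is hypothetical, not a Windows API.
const crypto = require('node:crypto');

// Stand-in for a device whose TPM signs only after the local gesture succeeds.
function makeDevice(pin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pinHash = crypto.createHash('sha256').update(pin).digest();
  return {
    publicKey, // the only key material that ever leaves the device
    sign(enteredPin, challenge) {
      const entered = crypto.createHash('sha256').update(enteredPin).digest();
      if (!crypto.timingSafeEqual(entered, pinHash)) return null; // gesture rejected
      return crypto.sign(null, challenge, privateKey);
    },
  };
}

// Stand-in for the identity provider: it stores public keys, never a password or PIN.
function makeServer() {
  const keys = new Map();    // user -> registered public key
  const pending = new Map(); // user -> outstanding challenge
  return {
    register(user, publicKey) { keys.set(user, publicKey); },
    challenge(user) {
      const nonce = crypto.randomBytes(32);
      pending.set(user, nonce);
      return nonce;
    },
    verify(user, signature) {
      const nonce = pending.get(user);
      pending.delete(user); // each challenge is single use
      const key = keys.get(user);
      if (!nonce || !key || !signature) return false;
      return crypto.verify(null, nonce, key, signature);
    },
  };
}

function demo() {
  const server = makeServer();
  const laptop = makeDevice('493817');  // constructed sample PIN
  const otherPc = makeDevice('493817'); // same PIN, but a device that was never registered
  server.register('alice', laptop.publicKey);
  const login = (dev, pin) => server.verify('alice', dev.sign(pin, server.challenge('alice')));
  const sig = laptop.sign('493817', server.challenge('alice'));
  const registeredDevice = server.verify('alice', sig);
  server.challenge('alice'); // a fresh challenge invalidates the captured signature
  const replayedSignature = server.verify('alice', sig);
  return { registeredDevice, replayedSignature,
           wrongPin: login(laptop, '000000'), pinOnOtherDevice: login(otherPc, '493817') };
}
```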

Read more about Windows Hello for Business here: https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification.