
Because typing is so 2017!

Ok, so I ordered a Kensington VeriMark fingerprint reader to see how for a few British pounds (or whatever currency you use!) you can add fingerprint authentication to a Windows desktop in minutes!

So this is being conducted with 0 reading of docs (because it’s fun to research just how simply you can a) enable security or b) mess things up when you don’t RTFM!). For the next step on my uncharted journey, I plugged the device into a spare USB port and didn’t see a failed driver installation toast, so we are looking good. (Note: the sensor is the largest rectangular surface on the device, not the one with a cool blue LED.)

Now I hit the Windows key and typed “finger” and Win10 prompted me for the settings pane (that was lucky!)

We are going to click Set up under Windows Hello “Fingerprint”:

Click Get Started:

Follow the on-screen prompts until you see the following:

Enter your account password:

Now we pick a PIN:

(for prod kit you may want to use letters and symbols for a PIN – making it basically a password… 😉)

Click OK

Accept the authenticator prompt (if this is enabled)

Click OK and we are done!

Now time to test this bad boy out! (Note: can you see Dynamic lock? That feature is cool; we’ll be looking at that another day, because this device, you guessed it, doesn’t have a Bluetooth dongle in it (yet).)

Then I realise that because I have Duo MFA on this box… I won’t be testing that out just yet (throws some spanners around) *removes Duo Windows Logon integration tool*

So now we lock the screen and hey presto, we can now log on using Windows Hello with a fingerprint!

So, there we have it: in minutes we can enable fingerprint-based authentication on a Windows 10 client (OK, we had to disable MFA… so perhaps we will integrate this with Azure AD and use Microsoft Authenticator 😉), but for now, for a few pounds and a few minutes of config, I can log on to a lab machine using my finger! For those thinking “but why would you take the MFA option away? Not only that, you’ve converted from a complex password with a second-phase auth to using your finger and a simpler PIN”: well, I wouldn’t. If we head over to this URL: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview we can see Windows Hello for Business! That, however, can wait for another post another day, as you need to have a hybrid deployment and PKI (which I don’t currently have deployed in the lab!).
