Using Biometric Authentication with Active Directory

How to Implement Biometric Authentication in Active Directory

Below are some of the easiest ways to get started with biometric authentication in Active Directory and Azure AD.

Use Windows Hello

Using Windows Hello is the most widely recommended method for implementing Biometric Authentication in Active Directory. It allows for fingerprint authentication across Windows devices and eliminates the need for users to remember pins or passwords. By requiring users to log in with facial recognition or a fingerprint scanner, the risk of unauthorized access is reduced. Windows Hello enrolls user credentials in Microsoft Passport, which allows for authentication into Microsoft accounts, Active Directory, and other services that support the Fast ID Online (FIDO) standard. This system can use mobile device cameras and fingerprint readers, as well as laptops with fingerprint readers.

Use Public Key Infrastructure

Public Key Infrastructure (PKI) serves as the foundation for all strong authentication factors, including biometric authentication. Azure AD users can now access their accounts without passwords by using FIDO2 security keys, which can be generated by the Microsoft Authenticator app, or Windows Hello. These keys help verify the user and the device to the services within your Active Directory environment. Additionally, the combined registration portal in Microsoft Entra has been updated to enable users to create and manage FIDO2 security keys. FIDO2 security keys can also be used to authenticate across Azure AD-joined Windows 10 devices on the latest versions of Edge and Firefox browsers.

Prepare Devices Accordingly

During the setup process for a new Windows 10 device, the user is asked whether the device belongs to the organization or if it is a personal device. If it belongs to the organization, the user is prompted to select a preferred method of connecting to enterprise resources. They can choose between joining using Azure Active Directory or setting up a local account and manually joining a domain later. Once the user makes a successful selection, they are then asked to verify their identity. This can be done by receiving a phone call or a text message and entering a code. Sometimes, an authentication app is also used for this purpose. In certain cases, organizations may enable a Group Policy setting that allows for biometric authentication, such as fingerprint, iris, or facial recognition through Windows Hello. However, biometric authentication can only be used if the device is equipped with the necessary hardware.

Enable Microsoft Passport

Microsoft makes it easy to implement Microsoft Passport in the workplace using Group Policy. The integration of Microsoft Passport depends on the type of device being used, whether it’s domain-joined or a user-owned device. The ‘Use Biometrics’ setting in the Group Policy Object Editor allows the use of biometric devices, such as retina scanners and fingerprint readers, instead of a PIN. Biometric device use is enabled by default, but it can be disabled to only accept a PIN. If an organization chooses to allow biometric authentication, there are additional Group Policy settings specifically related to biometrics located in:

Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics.

Use The Expiration Setting

The ‘Expiration’ setting in Windows Server determines whether a user’s PIN will expire or not. If disabled or not configured, the PIN will never expire. Enabling this setting allows the administrator to specify the number of days after which the PIN will expire, with a minimum value of zero and a maximum of 730 days. The ‘History’ setting determines how many previous PINs are stored and prohibited for reuse. By default, Windows does not store PIN histories. Enabling this setting allows the administrator to specify the number of PINs to be stored, including the current PIN as one of the history items. The ‘Require Special Characters’ setting determines whether special characters can be used in a user’s PIN. By default, Windows does not allow special characters. Enabling this setting requires users to include at least one special character in their PIN.

How Lepide Helps

The Lepide Data Security Platform can provide an extra level of security to Active Directory by monitoring all authentication-related activities, and also covers a wide range of cloud platforms, including Azure AD. Lepide provides a centralized dashboard where administrators can easily view and manage all biometric events, configurations and policies. Lepide also has the ability to automatically rotate passwords on managed endpoints, bolstering the security of your authentication process. Lepide records all relevant events and provides real-time alerts for any suspicious or unauthorized access attempts. Additionally, Lepide simplifies privileged account management by enabling the definition of roles and assigning permissions to different users within the organization. This ensures that only authorized personnel can access and modify biometric configurations and PINs, further enhancing security and control.

If you’d like to see how the Lepide Data Security Platform can provide added security to your AD authentication process, schedule a demo with one of our engineers or start your free trial today.