
I want to figure out how to set up Windows 10 and Windows 11 machines so that employees can log in to any device using their fingerprints (biometric login). Originally the idea was to use USB drives as USB keys to log in to any of the computers here, but after some discussions employees were thinking USB keys may be a hassle. Using your fingerprint is much easier as you won't have to carry any special equipment then.

The office where this will be set up does have a locked-up central server running on Windows 10 which is used to manage other deployments as well such as ESET.

Currently, many of the computers just have a shared login, that is, employees know the same secret password that lets them into any machine in the office that is shared. This has worked well for our situation because employees tend to move around quite a bit throughout the office; they are never really tied down to a single machine. We are wanting to change things so that instead a unique login is tied to an employee, who is able to authenticate into any of these machines with their unique fingerprint. Further, if possible, some of the machines might only let a specific group of authorized employees log in with their fingerprints, whereas the remaining employees would be denied access.

I would hate to set up all of these employees for each and every device in the office; preferably I do this once via a central server and utilize some sort of network login which simply looks at an employee's fingerprint to be able to log in to the machine. If this sort of scenario can work, we will purchase fingerprint scanners for each computer.

So with that said, how can I set up a Windows Network Login across all of our Windows Machines that simply uses the employee's fingerprints to log in? Currently, this should support both Windows 10 and Windows 11 as some of the Windows 10 devices are not eligible to be upgraded to Windows 11 due to hardware requirements.

  • 0
    It's doable but in a way probably different than what you were expecting. — Mark Bowker
  • 0
    Can you clarify that there is no domain in this environment and all computers are in the same workgroup? The Windows 10 "Server" (which really isn't a server - sorry but it isn't and never will be), in addition to ESET and other deployments, is it also used for file sharing, or do you use a third-party file sharing service like Dropbox, Box, OneDrive, etc.? Do you currently use MS 365 for email and/or MS app deployment (Word, Outlook, Excel, PowerPoint, etc.)? Are there any applications that some users should have access to on a computer, but others shouldn't, for example HR software, or Adobe design software? Are the computers laptops, or desktops? Brand? Are fingerprint readers built into some or none? — Mark Bowker
  • 0
    Correct, there is no domain setup, all computers are in the same workgroup; however, we are willing to set up a domain if needed. I will respectfully disagree with you regarding the central server not really being a server (see definition); while it may not be an official advanced Windows Server product line, it still functions and behaves as a server in the sense of how we are utilizing it, in that it connects to numerous client machines and other devices throughout the office to perform jobs, all managed in this central area (ESET Remote Administrator, Honeywell door system, camera systems, Ubiquiti UniFi Controllers for Wi-Fi, and more). It is not used for file sharing; anything regarding file sharing is not needed for the office. We do not use MS 365 for email, Word, Outlook, Excel, PowerPoint, etc. These are not factors. There are no restricted applications other than either being allowed on the machine or not. Mostly Dell computers, but a few laptops. Currently, most do not have fingerprint readers built into the devices; for those, we will purchase a separate USB fingerprint device. Our workstations where this question applies are fairly simple; they are needed for printing documents and accessing the web. The majority of our applications reside outside of the office, either in the cloud, via Google Suite, or other Software as a Service (SaaS). As such, all of this is out of scope for this question. — Brian Wozeniak
  • 1
    I had to think about this before answering. While, as noted, I will never consider a Windows 10 device as a "Server" per se, you can install ADUC (Active Directory Users and Computers) using RSAT via the instructions in the following link. *Note: you have to be using Windows 10 Professional or Enterprise. Installing ADUC will allow you to join all computers to the domain and set up user accounts to log in to any computer on the domain; however, I still haven't figured out how you can tie the fingerprint login to it yet. Still thinking on that one. https://www.technipages.com/windows-install-active-directory-users-and-computers Adding another note: if any of the computers are running Windows 10 or 11 Home, they can't be joined to a domain. It has to be Professional or Enterprise. — Mark Bowker

1 Answer


On to the topic of fingerprint authentication:

Windows Hello

Windows Hello is actually pretty awesome; however, in your business environment there are complications that need to be considered. First, there are four ways that a user can authenticate with Windows Hello (and to be clear, it's available on both Windows 10 and 11).

  1. facial recognition (requires a working camera on each computer)
  2. fingerprint (this requires a working fingerprint reader)
  3. a PIN (this by default is numerical but can be changed to a combo of characters very much like a password)
  4. IRIS recognition (EXPENSIVE)

    To use Iris authentication, you’ll need a HoloLens 2 device. All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. (see resource 1)

The PIN can be used with fingerprint authentication or just by itself. I log in to my own computers with a PIN (I don't have a fingerprint reader at this time).

The problem you'll first encounter given your situation with no domain is that on individual workstations Windows Hello authentication is specific to that workstation.

    Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. (see resource 1)

The second problem you'll encounter is you haven't solved the problem of not having to touch every workstation.
The third problem is what to do with adding a new user and removing a departed employee.

You're probably wondering by now "What have I gotten myself into?".

Azure AD

Well, there is a viable solution using Azure AD. The question is, how good is your relationship with your CFO, because there's going to need to be some budget planning, and I would highly recommend finding an Azure AD consultant for some advice on your scenario. But here's the thing. Some of your answers to my initial questions might dictate how you want to go. For example, using Azure AD, each computer gets joined to the Azure domain and you create your users in Azure just as you would if you had your own in-house AD server. However, if your Win 10 server is also your file server, then you have to figure out how users can get to their files. You'll also want to figure out if you want to "subscription lease" Azure servers. Typically, most companies I encountered had an AD server and a File/Print server.

Without going into a ton more detail, there's so much you can do with Azure AD it isn't funny. I'm going to post two references to conclude for now. The first is where I got the quotes I included earlier and the second is some homework reading for you.

Resources

  1. Windows Hello
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise
  2. Windows Hello for Business (Azure AD)
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
  • 0
    We are specifically only interested in using a fingerprint to log in, preferably without any sort of PIN, as that slows down employees as they move around the office and to different machines. The idea is that they will either log out when not on the machine, or if they forget, it will automatically lock the screen after 3-5 minutes of inactivity. We did discuss facial recognition, but cameras make people uneasy and I completely understand why it's preferable not to go that route; thus we are mostly interested in fingerprint scanning. Worst case scenario, we would still be willing to do USB keys. — Brian Wozeniak
  • 0
    I definitely expect to change configurations; it sounds like you may be trying to limit the answer to our current setup. I get the impression from your answer that we should change from using a workgroup to setting up a domain for the office? Would that be a requirement to solve this problem as far as having to only manage users in a central location (for authenticating into these workstations)? — Brian Wozeniak
  • 0
    Well, if you keep every workstation as a workstation, you'll need to set up an account for every user on each workstation. Pretty sure we can figure out a PowerShell script for that. Then you have to find a way to delete the account on each workstation if the user leaves. Interesting scenario. I'm scratching my head a bit. Azure would work for you, but obviously there are costs involved. Hmmm... — Mark Bowker
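The answer's second and third problems (touching every workstation, and adding or removing employees) and the PowerShell idea in the last comment can be handled in the workgroup setup like this. This is an added example, not code from the answer or its author; it assumes WinRM is enabled on the workstations, a local administrator credential that works on all of them, constructed hostnames, and a constructed employees.csv with columns Name, FullName and Machines (a semicolon-separated allow-list of hostnames per employee). Fingerprint enrollment in Windows Hello still happens per device, as the answer explains; this only keeps the underlying local accounts and per-machine access in sync.

```powershell
# Added example (not the answer's code). Assumes WinRM on every workstation,
# a local admin credential valid on all of them, and employees.csv (constructed)
# with columns Name,FullName,Machines (Machines = "WS-FRONT-01;WS-HR-01" etc.).
$workstations = @('WS-FRONT-01', 'WS-FRONT-02', 'WS-HR-01')   # constructed names
$adminCred    = Get-Credential -Message 'Local administrator on the workstations'
$initialCred  = Get-Credential -UserName 'temp' -Message 'Temporary first-logon password'
$employees    = Import-Csv -Path '.\employees.csv'
$tag          = 'Managed by Sync-LocalEmployees'   # marks accounts this script owns

function Sync-LocalEmployees {
    param([string]$Computer, [object[]]$Employees,
          [pscredential]$AdminCred, [pscredential]$InitialCred, [string]$Tag)

    # Only people whose allow-list names this machine get an account on it.
    $wanted = @($Employees | Where-Object { ($_.Machines -split ';') -contains $Computer })

    Invoke-Command -ComputerName $Computer -Credential $AdminCred -ScriptBlock {
        param($Wanted, $Initial, $Tag)
        foreach ($e in $Wanted) {
            if (-not (Get-LocalUser -Name $e.Name -ErrorAction SilentlyContinue)) {
                New-LocalUser -Name $e.Name -FullName $e.FullName -Description $Tag `
                              -Password $Initial.Password | Out-Null
                # Standard user only; no local admin rights for walk-up workstations.
                Add-LocalGroupMember -Group 'Users' -Member $e.Name
                # Force a password change at first sign-in; the employee then enrolls
                # a fingerprint under Settings > Accounts > Sign-in options.
                net user $e.Name /logonpasswordchg:yes | Out-Null
            }
        }
        # Departed or re-assigned employees: remove managed accounts that are no
        # longer on this machine's allow-list (the profile folder is left behind).
        Get-LocalUser |
            Where-Object { $_.Description -eq $Tag -and $_.Name -notin $Wanted.Name } |
            ForEach-Object { Remove-LocalUser -Name $_.Name }
    } -ArgumentList $wanted, $InitialCred, $Tag
}

foreach ($ws in $workstations) {
    Sync-LocalEmployees -Computer $ws -Employees $employees `
                        -AdminCred $adminCred -InitialCred $initialCred -Tag $tag
}
```

Re-running the script after editing the CSV is the whole offboarding step: an employee dropped from the file, or from a machine's allow-list, loses the account on exactly those machines on the next run.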