deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Apply suggestions from code review

Browse Source 
Acrolinx Correctness edits.
This commit is contained in:
Stephanie Savell
2023-01-24 10:44:07 -06:00
committed by GitHub
parent 1d569ce817
commit a451baa307
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -30,7 +30,7 @@ sections:
For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md). For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md).
- question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process? - question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process?
answer: | answer: |
Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, wehn using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures.
- question: What's a container? - question: What's a container?
answer: | answer: |