With Windows 10, Microsoft introduced two security features called Windows Hello and Microsoft Passport. Windows Hello is the biometrics system built into Windows; it is part of the end user’s authentication experience. Microsoft Passport is a two-factor authentication (2FA) system that combines a PIN or biometrics (via Windows Hello) with encrypted keys from a user’s device.
How does it work?
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or a non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user’s device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate the user and grant access to protected resources and services. Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing in to Windows 10 PCs.
Microsoft Passport and Windows Hello together represented Microsoft’s FIDO 2.0-aligned end-to-end multi-factor authentication solution. Microsoft today announced that Windows Hello will be its brand for the FIDO-aligned end-to-end multi-factor authentication solution. So, they are once again killing the Microsoft Passport brand. Microsoft Passport for Work will now become Windows Hello for Business. The credentials part, along with the factors part, is now considered part of Windows Hello.
Does it affect end users?
No. From a customer’s perspective, this is simply a naming change and there are no changes from a configuration or security perspective.
Also, with the Windows 10 Anniversary Update, Microsoft has designed Windows Hello’s architecture to be more flexible, enabling it to support devices, PINs, and biometrics as factor options for authentication. The architecture has also been made flexible enough to support new factor types that may be added in the future. Since Windows Hello now supports devices as factors, it enables scenarios where a user can unlock a laptop using a Microsoft Band.
Some history on the Microsoft Passport brand:
In the 1990s, Microsoft started a service called Microsoft Passport, which was positioned as a single sign-on service for all web commerce. In the early 2000s, Microsoft used the same brand for an Internet-wide unified-login system. Both these attempts failed. Later on, it was rebranded as Windows Live ID, and now it has become the Microsoft Account, which we use to log in to all of Microsoft’s services.