Windows Hello 企业版概述Windows Hello for Business Overview

适用范围Applies to

  • Windows10Windows10

在 Windows10 中,Windows Hello 企业版会将密码替换为电脑和移动设备上的强双因素身份验证。In Windows10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. 此身份验证包含绑定到设备的新型用户凭据并使用生物识别或 PIN。This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.


Windows10 在首次交付时即包含 Microsoft Passport 和 Windows Hello,二者结合使用可提供多重身份验证。When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. 为了简化部署并提高可支持性,Microsoft 将这些技术组合成单个解决方案,并将其命名为 Windows Hello。To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. 已部署这些技术的客户将不会遇到任何功能更改。Customers who have already deployed these technologies will not experience any change in functionality. 尚未评估 Windows Hello 的客户将会发现,由于简化了策略、文档和语义,部署操作将更简单。Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.

Windows Hello 可解决以下有关密码的问题:Windows Hello addresses the following problems with passwords:

  • 强密码难于记忆,并且用户通常在多个站点上重复使用密码。Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
  • 服务器违规可公开对称网络凭据(密码)。Server breaches can expose symmetric network credentials (passwords).
  • 密码会遭受重播攻击Passwords are subject to replay attacks.
  • 用户可能由于网络钓鱼攻击意外暴露其密码。Users can inadvertently expose their passwords due to phishing attacks.

Windows Hello 允许用户验证以下帐户的身份:Windows Hello lets users authenticate to:

  • Microsoft 帐户。a Microsoft account.
  • Active Directory 帐户。an Active Directory account.
  • Microsoft Azure Active Directory (Azure AD) 帐户。a Microsoft Azure Active Directory (Azure AD) account.
  • 支持 Fast ID Online (FIDO) v2.0 身份验证的标识提供商服务或依赖方服务(正在进行)Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication (in progress)

注册期间的用户初始双重验证后,Windows Hello 将在用户设备上完成设置,并且 Windows 将要求用户设置一个手势,该手势可以是生物识别(如指纹)或 PIN。After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. 用户提供手势来验证身份。The user provides the gesture to verify their identity. 然后,Windows 使用 Windows Hello 对用户进行身份验证。Windows then uses Windows Hello to authenticate users.

作为企业或教育机构的管理员,您可以在连接到您的组织的基于 Windows10 的设备上创建管理 Windows Hello 企业版使用的策略。As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows10-based devices that connect to your organization.

生物识别登录Biometric sign-in

Windows Hello 基于面部识别或指纹匹配提供了可靠且完全集成的生物识别身份验证。Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello 使用特殊红外线 (IR) 相机和软件的组合来提高精确度和对欺骗的防护。Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. 由主要硬件供应商运送集成 Windows Hello 兼容摄像头的设备。Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. 指纹读取器硬件可以使用或添加到当前没有它的设备。Fingerprint reader hardware can be used or added to devices that don't currently have it. 在支持 Windows Hello 的设备上,易于使用的生物识别手势可解锁用户的凭据。On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.

  • 面部识别Facial recognition. 此类型的生物识别使用可在红外线中看见的特殊相机,从而使它们可以可靠地辨别照片或扫描与真人之间的区别。This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. 多家供应商正在交付融合了此技术的外部相机,并且主要的笔记本电脑制造商也在将其融合到自己的设备中。Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
  • 指纹识别Fingerprint recognition. 此类型的生物识别使用电容式指纹传感器来扫描指纹。This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. 指纹读取器多年来一直可用于 Windows 计算机,但最新一代的传感器明显更加可靠且更不容易出错。Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. 大多数现有指纹读取器(无论是外部读取器还是集成到笔记本电脑或 USB 键盘读取器)都适用于 Windows10。Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.

Windows 仅将用于实现 Windows Hello 的生物识别数据安全地存储在本地设备上。Windows stores biometric data that is used to implement Windows Hello securely on the local device only. 生物识别数据不会漫游,也不会发送到外部设备或服务器。The biometric data doesn't roam and is never sent to external devices or servers. 由于 Windows Hello 仅在设备上存储生物识别标识数据,因此没有单个收集点,攻击者可能会泄漏这些数据来窃取生物识别数据。Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. 有关 Windows Hello 企业版生物识别身份验证的详细信息,请参阅 企业版中的 Windows hello 生物识别For more information about biometric authentication with Windows Hello for Business, see Windows Hello biometrics in the enterprise.

Windows Hello 和 Windows Hello 企业版之间的区别The difference between Windows Hello and Windows Hello for Business

  • 每个用户都可以在其个人设备上创建 PIN 或生物识别手势以方便登录。Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. Windows Hello 的使用对设置它的设备而言是唯一的,但可以根据个人的帐户类型使用简单的密码哈希。This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. 此配置称为 Windows Hello 便利 PIN 码,不受对称 (公钥/私钥) 或基于证书的身份验证的支持。This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication.

  • Windows Hello 企业版(由组策略或移动设备管理 (MDM) 策略配置)始终使用基于密钥的身份验证或基于证书的身份验证。Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. 这使其安全性比 Windows Hello 便利 PIN更安全。This makes it much more secure than Windows Hello convenience PIN.

Windows Hello 的优势Benefits of Windows Hello

有关身份窃取和大规模黑客攻击的报告经常见诸报端。Reports of identity theft and large-scale hacking are frequent headlines. 没有人希望收到他们的用户名和密码已公开的通知。Nobody wants to be notified that their user name and password have been exposed.

你可能想知道 PIN 如何能比密码更好地帮助保护设备You may wonder how a PIN can help protect a device better than a password. 密码是共享密钥;它们在设备上输入,并通过网络传输到服务器。Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. 任何地方的任何人都可以使用截获的帐户名称和密码。An intercepted account name and password can be used by anyone, anywhere. 因为它们存储在服务器上,而服务器违规将会公开这些存储的凭据。Because they're stored on the server, a server breach can reveal those stored credentials.

在 Windows10 中,Windows Hello 会替换密码。In Windows10, Windows Hello replaces passwords. 当身份提供程序支持密钥时,Windows Hello 预配过程会创建绑定到受信任平台模块的加密密钥对 (TPM) 、设备有 TPM 2.0 或软件。When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. 对这些密钥的访问和获取验证用户拥有的私钥的签名仅受 PIN 或生物识别手势支持。Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. Windows Hello 注册期间发生的双重验证将在标识提供商和用户之间创建一种信任关系,这种关系在将公钥/私钥对的公共部分发送到标识提供商并将其与用户帐户关联时产生。The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. 当用户在设备上输入手势时,标识提供商将知道这是一个经过验证的标识并提供允许 Windows10 访问资源和服务的身份验证令牌的组合。When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows10 to access resources and services.


作为一种便捷登录方式,Windows Hello 使用常规的用户名和密码身份验证,但无需用户输入密码。Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.

身份验证在 Windows Hello 中的工作原理

请想象一下,在你从 ATM 中取钱时,有人在背后看着,并看到了所输入的 PIN。Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. 拥有该 PIN 对访问帐户帮助不大,因为没有你的 ATM 卡。Having that PIN won't help them access your account because they don't have your ATM card. 同样地,知道你的设备的 PIN 也不会允许攻击者访问你的帐户,因为该 PIN 仅用于本地特定设备,并且不支持来自任何其他设备的任何类型的身份验证。In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.

Windows Hello 有助于保护用户身份和用户凭据。Windows Hello helps protect user identities and user credentials. 由于用户不输入密码(预配期间除外),因此它有助于避开网络钓鱼和暴力攻击。Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. 它还有助于防止服务器违规,因为 Windows Hello 凭据是非对称密钥对,这有助于这些密钥受 TPM 保护时阻止重播攻击。It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.


Windows Hello 企业版的工作原理:关键点How Windows Hello for Business works: key points

  • Windows Hello 凭据基于证书或非对称密钥对。Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello 凭据可绑定到设备,使用凭据获取的令牌也绑定到该设备。Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
  • 标识提供商(如 Active Directory、Azure AD 或 Microsoft 帐户)将验证用户身份,并在注册步骤期间将 Windows Hello 的公钥映射到用户帐户。Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step.
  • 密钥可在硬件(适用于企业的 TPM 1.2 或 2.0 以及适用于使用者的 TPM 2.0)或软件中生成,具体根据策略而定。Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
  • 身份验证是具有绑定到设备的密钥或证书组合的双重身份验证以及人员知道 (PIN) 或该人员 (生物识别) 的内容。Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). Windows Hello 笔势不会在设备之间漫游,并且不会与服务器共享。The Windows Hello gesture does not roam between devices and is not shared with the server. 生物识别模板存储在设备上本地。Biometrics templates are stored locally on a device. PIN 永远不会存储或共享。The PIN is never stored or shared.
  • 使用 TPM 时,私钥从不离开设备。The private key never leaves a device when using TPM. 身份验证服务器具有在注册过程中映射到用户帐户的公钥。The authenticating server has a public key that is mapped to the user account during the registration process.
  • PIN 输入和生物识别手势都触发 Windows10,以便使用私钥对发送到标识提供者的加密签名数据进行加密签名。PIN entry and biometric gesture both trigger Windows10 to use the private key to cryptographically sign data that is sent to the identity provider. 标识提供商验证用户的身份并对用户进行身份验证。The identity provider verifies the user's identity and authenticates the user.
  • 个人(Microsoft 帐户)和公司(Active Directory 或 Azure AD)帐户为密钥使用单个容器。Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. 所有密钥均由标识提供商的域分隔开来,以帮助保护用户隐私。All keys are separated by identity providers' domains to help ensure user privacy.
  • 可以由 Windows Hello 容器和 Windows Hello 手势保护证书私钥。Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.

有关详细信息,请参阅 Windows Hello 企业版的工作原理For details, see How Windows Hello for Business works.

比较基于密钥和基于证书的身份验证Comparing key-based and certificate-based authentication

Windows Hello 企业版可在硬件或软件中使用密钥(硬件或软件)或证书。Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. 拥有公共密钥基础结构的企业 (用于颁发和管理最终用户证书的 PKI) ,可以继续将 PKI 与 Windows Hello 结合使用。Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello. 不使用 PKI 或希望减少与管理用户证书相关的工作量的企业可以依赖基于密钥的 Windows Hello 凭据,但仍将其域控制器上的证书用作信任根。Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.

带有密钥的 Windows Hello 企业版不支持为 RDP 提供凭据。Windows Hello for Business with a key does not support supplied credentials for RDP. RDP 不支持带有密钥或自签名证书的身份验证。RDP does not support authentication with a key or a self signed certificate. 具有 Windows Hello 企业版的 RDP 支持使用基于证书的部署作为提供的凭据。RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello 企业版密钥信任可以与 Windows Defender 远程凭据防护配合使用。Windows Hello for Business key trust can be used with Windows Defender Remote Credential Guard.

了解详细信息Learn more

使用 Windows Hello 企业版实现强大的用户身份验证Implementing strong user authentication with Windows Hello for Business

在 Microsoft 实现 Windows Hello 企业版Implementing Windows Hello for Business at Microsoft

Windows Hello 简介, Microsoft Virtual Academy 上的视频演示文稿Introduction to Windows Hello, video presentation on Microsoft Virtual Academy

Windows Hello 面部身份验证Windows Hello face authentication

Windows10:通过革命性的安全性改革网络威胁的演变!Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!

Windows10:终结密码和凭据盗窃?Windows 10: The End Game for Passwords and Credential Theft?

相关主题Related topics