1 Introduction

This manual describes how to set up MyID® to integrate with Windows Hello for Business.

Windows Hello for Business is a two-factor credential that provides a more secure alternative to passwords. Cryptographic keys are stored on your Windows PC; Windows Hello for Business allows you to access these keys through your configured authentication methods (PIN, facial biometrics, fingerprints, and so on) and thereby authenticate securely to your systems.

Note: MyID does not provide any configuration or management of the Windows Hello authentication methods – this is part of your Windows configuration. See your Microsoft documentation for details.

MyID allows you to set up Windows Hello credentials; you can specify which certificates you want to issue to the PC, request Windows Hello credentials for a specified user, and then collect the Windows Hello credentials onto a Windows PC using the MyID Self-Service App.

Once you have issued Windows Hello credentials to a PC, you can manage the lifecycle of the issued credentials; you can update the credentials, reprovision them entirely, or erase the certificates.

MyID can issue certificates to a new or existing Windows Hello credential; for an existing Windows Hello credential, MyID adds its certificates to those already present. MyID then manages its own certificates; it does not manage certificates added to Windows Hello by any other system.

You can also configure MyID to accept your Windows Hello credentials as a logon mechanism for your MyID system.

Note: If you have configured Windows Hello to use the "Certificate Trust Model", MyID will not manage the primary authentication certificate used by Windows Hello. This is because Microsoft manages this certificate as part of the Windows Hello for Business infrastructure, and it is not currently possible for third-party systems such as MyID to take over this management. MyID can provide additional authentication, signing, and encryption certificates to Windows Hello; this allows you to use your own PKI and business processes for these certificates.