{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T06:07:39Z","timestamp":1775110059769,"version":"3.50.1"},"reference-count":27,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2023,2,14]],"date-time":"2023-02-14T00:00:00Z","timestamp":1676332800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100018693","name":"Horizon Europe Project Trust","doi-asserted-by":"publisher","award":["GA 101070214"],"award-info":[{"award-number":["GA 101070214"]}],"id":[{"id":"10.13039\/100018693","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Cryptography"],"abstract":"<jats:p>Traditional password authentication methods have raised many issues in the past, including insecure practices, so it comes as no surprise that the evolution of authentication should arrive in the form of password-less solutions. This research aims to explore the problems that password authentication and password policies present and aims to deploy Windows Hello for Business (WHFB) on-premises. This includes creating three virtual machines (VMs) and evaluating WHFB as a password-less solution and showing how an attacker with privileged access may retrieve the end user\u2019s domain password from the computer\u2019s memory using Mimikatz and describing the possible results. The conducted research tests are in the form of two attack methods. This was feasible by the creation of three VMs operating in the following way. The first VM will act as a domain controller (DC) and certificate authority server (CA server). The second VM will act as an Active Directory Federation Service (ADFS). The third VM will act as the end-user device. The test findings research summarized that password-less authentication is far more secure than the traditional authentication method; this is evidenced throughout the author\u2019s tests. Within the first test, it was possible to retrieve the password from an enrolled device for WHFB while it was still in the second phase of the deployment. The second test was a brute-force attack on the PIN of WHFB; since WHFB has measures to prevent such attacks, the attack was unsuccessful. However, even though the retrieval of the password was successful, there are several obstacles to achieving this outcome. It was concluded that many organizations still use password authentication as their primary authentication method for accessing devices and applications. Larger organizations such as Microsoft and Google support the adoption of password-less authentication for end-users, and the current usage of password-less authentication shared by both organizations is encouraged. This usually leads organizations to adopt this new solution for their IT infrastructure. This is because it has been used and tested by millions of people and has proven to be safe. This supports the findings of increased usage and the need for password-less authentication by today\u2019s users.<\/jats:p>","DOI":"10.3390\/cryptography7010009","type":"journal-article","created":{"date-parts":[[2023,2,15]],"date-time":"2023-02-15T04:47:24Z","timestamp":1676436444000},"page":"9","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Attacking Windows Hello for Business: Is It What We Were Promised?"],"prefix":"10.3390","volume":"7","author":[{"given":"Joseph","family":"Haddad","sequence":"first","affiliation":[{"name":"School of Computing, Engineering & the Build Environment, Edinburgh Napier University, Edinburgh EH10 5DT, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3392-9970","authenticated-orcid":false,"given":"Nikolaos","family":"Pitropakis","sequence":"additional","affiliation":[{"name":"School of Computing, Engineering & the Build Environment, Edinburgh Napier University, Edinburgh EH10 5DT, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9817-003X","authenticated-orcid":false,"given":"Christos","family":"Chrysoulas","sequence":"additional","affiliation":[{"name":"School of Computing, Engineering & the Build Environment, Edinburgh Napier University, Edinburgh EH10 5DT, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0114-1054","authenticated-orcid":false,"given":"Mouad","family":"Lemoudden","sequence":"additional","affiliation":[{"name":"School of Computing, Engineering & the Build Environment, Edinburgh Napier University, Edinburgh EH10 5DT, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0809-3523","authenticated-orcid":false,"given":"William J.","family":"Buchanan","sequence":"additional","affiliation":[{"name":"School of Computing, Engineering & the Build Environment, Edinburgh Napier University, Edinburgh EH10 5DT, UK"}]}],"member":"1968","published-online":{"date-parts":[[2023,2,14]]},"reference":[{"key":"ref_1","unstructured":"Goldberg, J., Hagman, J., and Sazawal, V. (2002). CHI \u201802 Extended Abstracts on Human Factors in Computing Systems (CHI EA \u201802), Association for Computing Machinery."},{"key":"ref_2","unstructured":"Farke, F.M., Lassak, L., Pinter, J., and D\u00fcrmuth, M. (2022, January 7\u20139). Exploring User Authentication with Windows Hello in a Small Business Environment. Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), Boston, MA, USA."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"533","DOI":"10.1007\/978-981-15-7062-9_53","article-title":"Detection and Prevention of Attacks on Active Directory Using SIEM","volume":"196","author":"Muthuraj","year":"2021","journal-title":"Smart Innov. Syst. Technol."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Chen, S., Choo, K.K., Fu, X., Lou, W., and Mohaisen, A. (2019). Security and Privacy in Communication Networks, Springer. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.","DOI":"10.1007\/978-3-030-37228-6"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"6245306","DOI":"10.1155\/2021\/6245306","article-title":"Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild","volume":"2021","author":"Kim","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_6","unstructured":"Blaauwendraad, B., Ouddeken, T., and Van Bockhaven, C. (2020). Using Mimikatz\u2019 driver, Mimidrv, to disable Windows Defender in Windows. Comput. Sci."},{"key":"ref_7","unstructured":"Lyastani, S.G., Schilling, M., Neumayr, M., Backes, M., and Bugiel, S. (2020, January 18\u201321). Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA."},{"key":"ref_8","first-page":"682","article-title":"Research on Integrated Authentication Using Passwordless Authentication Method","volume":"1","author":"Morii","year":"2017","journal-title":"Proc. Int. Comput. Softw. Appl. Conf."},{"key":"ref_9","unstructured":"(2023, January 19). Download FIDO Authentication Specifications\u2014FIDO Alliance. Available online: https:\/\/fidoalliance.org\/specifications\/download\/."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Alqubaisi, F., Wazan, A.S., Ahmad, L., and Chadwick, D.W. Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication? In Proceedings of the 2020 12th Annual Undergraduate Research Conference on Applied Computing, URC 2020, Dubai, United Arab Emirates, 15\u201316 April 2020.","DOI":"10.1109\/URC49805.2020.9099190"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Saracino, A., and Mori, P. (2020). Emerging Technologies for Authorization and Authentication, Springer. Lecture Notes in Computer Science.","DOI":"10.1007\/978-3-030-64455-0"},{"key":"ref_12","unstructured":"Mardini, A., and Kim, G. (2023, January 19). Making Sign-in Safer and More Convenient. Available online: https:\/\/blog.google\/technology\/safety-security\/making-sign-safer-and-more-convenient\/."},{"key":"ref_13","unstructured":"Bassett, G., Hylender, C.D., Langlois, P., Pinto, A., and Widup, S. (2023, January 10). Data Breach Investigation Report. Available online: https:\/\/enterprise.verizon.com\/resources\/reports\/2021-data-breach-investigations-report.pdf."},{"key":"ref_14","unstructured":"(2023, January 30). Windows Hello for Business Frequently Asked Questions (FAQ)\u2014Windows Security. Available online: https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-faq."},{"key":"ref_15","unstructured":"Kavanagh, K., Bussa, T., and Collins, J. (2023, January 27). Magic Quadrant for Security Information and Event Management\u2014Gartner Reprint. Available online: https:\/\/www.gartner.com\/doc\/reprints?id=1-26OLSQ2N&ct=210630&st=sb."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"594","DOI":"10.1145\/359168.359172","article-title":"Password security","volume":"22","author":"Morris","year":"1979","journal-title":"Commun. ACM"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1145\/2699390","article-title":"Passwords and the evolution of imperfect authentication","volume":"58","author":"Bonneau","year":"2015","journal-title":"Commun. ACM"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Flor\u00eancio, D., Flor\u00eancio, F., and Herley, C. (2007, January 8\u201312). A Large-Scale Study of Web Password Habits. Proceedings of the 16th International Conference on World Wide Web\u2014WWW \u201807, Banff, AB, Canada.","DOI":"10.1145\/1242572.1242661"},{"key":"ref_19","unstructured":"(2023, January 13). Password Policy Recommendations\u2014Microsoft 365 Admin. Available online: https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/admin\/misc\/password-policy-recommendations?view=o365-worldwide."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1097","DOI":"10.1007\/978-3-319-77712-2_105","article-title":"Scramble the Password Before You Type It","volume":"746","author":"Li","year":"2018","journal-title":"Adv. Intell. Syst. Comput."},{"key":"ref_21","unstructured":"Lyastani, S.G., Schilling, M., Fahl, S., Bugiel, S., and Backes, M. (2017). Studying the Impact of Managers on Password Strength and Reuse. arXiv."},{"key":"ref_22","first-page":"574","article-title":"Identity and access management in cloud environment: Mechanisms and challenges","volume":"21","author":"Indu","year":"2018","journal-title":"Eng. Sci. Technol. Int. J."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Pitropakis, N., Yfantopoulos, N., Geneiatakis, D., and Lambrinoudakis, C. (2014, January 15\u201317). Towards an augmented authenticator in the Cloud. Proceedings of the 2014 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Noida, India.","DOI":"10.1109\/ISSPIT.2014.7300603"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"701","DOI":"10.1108\/ICS-07-2019-0077","article-title":"Constructing secure and memorable passwords","volume":"28","author":"Lennartsson","year":"2020","journal-title":"Inf. Comput. Secur."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Meiklejohn, S., and Sako, K. (2018). Financial Cryptography and Data Security, Springer. FC 2018, Lecture Notes in Computer Science.","DOI":"10.1007\/978-3-662-58387-6"},{"key":"ref_26","unstructured":"(2023, January 26). ChromePass\u2014Chrome Browser Password Recovery for Windows. Available online: https:\/\/www.nirsoft.net\/utils\/chromepass.html."},{"key":"ref_27","unstructured":"(2023, January 13). Are Your Passwords in the Green?. Available online: https:\/\/www.hivesystems.io\/blog\/are-your-passwords-in-the-green."}],"container-title":["Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2410-387X\/7\/1\/9\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:35:33Z","timestamp":1760121333000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2410-387X\/7\/1\/9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,14]]},"references-count":27,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,3]]}},"alternative-id":["cryptography7010009"],"URL":"https:\/\/doi.org\/10.3390\/cryptography7010009","relation":{},"ISSN":["2410-387X"],"issn-type":[{"value":"2410-387X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,14]]}}}