Windows Hello

Overview

This article shows how two-factor enrolment works for Windows Hello users. We assume that users log in to Jira with password authentication as the primary factor. Users logging in with SAML or Kerberos on other Atlassian applications should expect a very similar user experience.

The examples shown here assume that an administrator has already added a multifactor policy which requires that users enrol in extra verification. The details of how multifactor policies may be configured are out of scope for this article.

Enrolment

When Windows Hello users are required to enrol in extra verification after logging in, they will see a screen informing them that enrolment is required, and get to choose which kind of second factor to register:

  • Windows Hello, a platform authenticator in FIDO terminology
  • A security key, typically attached to their device via USB or NFC 
  • A legacy security key which does not support user verification with PIN or fingerprint
  • A one-time code app on their phone

Windows Hello users can verify using PIN codes, fingerprints or face recognition. Setting a PIN code is required to use Windows Hello, while fingerprints and face are optional.

Users who have not enrolled any biometric factor will be asked to verify by entering their PIN:

Users who have enrolled a biometric factor such as their face or fingerprint will be able to use these when registering their Windows Hello device. Here we see a user enrolling using face recognition. 

A user registering his Windows Hello fingerprint will see a similar page.

Naming the registration

After registering Windows Hello, the user is asked to give their registration a name. This makes it easier to remember later which device was registered.

Use case summary

The final step in the registration process lists the different ways the user may use Windows Hello as an additional verification factor:

Once this step is completed, the enrolment of the extra verification factor is complete, and the user can get back to work.

See it in action

See an example of how Windows Hello enrolment works from an end-user perspective. The user verifies using his fingerprint, but may also use a PIN or a Windows Hello face recognition camera.

Next steps