Why is the PIN for Windows Hello more secure than a password? | One Dev Question


Description

How can a Windows Hello PIN be more secure than a password? We asked Dana Huang, Director of Engineering for Windows Security, to find out how this works. Interesting stuff, with lots more info at http://msft.social/e1XPns

The Discussion

  •
    ArneG
    PIN provides entropy? What does that mean?
  •
    RodAtWork
    I'm curious about that, too.
  •
    Thoughtscript
    A PIN provides encryption entropy (unknown variable or additional variable) since it isn't stored on a server and is mixed with standard passwords to produce stronger authentication standards. Password < Password + PIN. It's a kind of two-factor authentication.
  •
    RAJU2529
    Thanks for the clear explanation; today, 17-04-2019, I came to know the real reason. Wish you all the best, keep sharing the videos for IT pros and normal Windows users.
  •
    Joe Dreyfus

    Microsoft's PIN can contain letters too--all of the characters a password can, so it's not a Personal Identification Number. It's a password. The entropy is the same. The difference is just that they are doing different things with it than they were before--namely using it with a TPM. Even the idea of not transmitting it to a server is not new--that's just how passwords worked before internet accounts (and even long after that). Calling it a PIN instead of a password appears to be a marketing gimmick.

  •
    dpetty
    I like PINs. Thanks for the clear explanation of how they work.
  •
    David King

    It sounds like they want to use the PIN provided + a salt from the hardware TPM to create a hash which is stored (maybe locally on the device?).

    Every time you enter a password it will add your PIN to the TPM salt to create a hash and compare that against the value it has stored (somewhere).

    This way nobody ever has your password and it cannot be decrypted, but it can be checked to be sure it's correct.

    Currently it sounds like Windows stores all the passwords for a computer locally in some SAM.config files and, although the passwords are hashed, it's apparently trivial to crack.

    There's no reason why they couldn't continue to use passwords instead of PINs, and a more secure hashing algorithm / check instead of the security store they have implemented.

  •
    Robert

    Need to have a biometric-free way of using the Windows device without ever requiring a photo, fingerprint, voice print or any biometric data.

    Forcing biometrics is anti-privacy and only serves to secure the device with the much greater risk that it will be used for tracking. For example, a court-ordered search of a device with its usage history tied to each and every individual user.

    Loss of privacy. A very bad thing. Good for technology companies blindly thinking that more connected is always better.

    Don't want to be forced to save photos of my kids playing at the park in the cloud easily searchable by some AI driven bot for each and every police warrant.

    Encourage privacy and the right to not be forced to share your personal data or be forced to store personal data on a device. Devices can be unlocked, bypassed and data exfiltrated.

  •
    AnastasiyaMSFT
    Windows Hello (Face/Fingerprint/PIN) is a modern, two-factor credential that provides users with a more secure way to sign in to Windows 10 than a password. How can this be? Keep reading...

    >> Why are passwords insecure?
    A password is a symmetric secret that is constantly being transmitted to a server every time you authenticate, and can easily be intercepted. Because passwords are stored on a server, they can be stolen, and are susceptible to password spray attacks (when an attacker tries the same P@$$w0rd on multiple accounts belonging to a domain). Additionally, if your password is phished or stolen, it can be used to access your account from *any* device in the world.

    >> How is Windows Hello better?
    Windows Hello uses an asymmetric key-pair authentication model where your Windows Hello gesture (such as Face, Fingerprint, or PIN) provides entropy to decrypt a private key stored on your device. Successful authentication will allow you to access your cloud-based resources, such as mail, pictures, and settings tied to your Microsoft account. Unlike a password, because Windows Hello uses asymmetric key pairs (where your credential never leaves your device, and isn’t stored on a server somewhere), your credentials can’t be stolen in cases where a backend server (i.e. belonging to an identity provider or website) is compromised.

    For additional security, on devices that have a TPM (Trusted Platform Module) chip 2.0+, the private key is backed by hardware. The TPM chip includes multiple physical security mechanisms to make it tamper resistant, such as anti-hammering protection (i.e. when someone tries to incorrectly enter your PIN too many times on your device), and malicious software is unable to tamper with the TPM either. Devices that don't have a TPM will still benefit from software-based encryption and software anti-hammering.

    Lastly, your Windows Hello credentials are specific to the device where they were set up. This means that even if an attacker learns your PIN, it won’t be useful unless they are able to steal your physical device as well!

    >> But isn’t a PIN easier to shoulder-surf than a password?
    You can use both numbers and letters, and make your PIN as long as you would make your password if you’re worried about somebody being able to shoulder-surf your PIN. Although this will make your PIN feel similar to a password, it’s the underlying infrastructure (described above) that sets these two authentication methods apart.
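The key-pair sign-in described in the comment above (and the "PIN plus TPM salt" sketch a few comments earlier), as an added example that is not code from the original page or from Microsoft: a Go simulation in which a device seals an Ed25519 private key under a key derived from the PIN and a device-bound secret, the server stores only the public key and checks a signed challenge, and a failure counter stands in for the TPM's anti-hammering. Device, Server, Authenticate, maxPINFailures and the simulated deviceSecret are names and assumptions introduced here; a real TPM keeps that secret inside the chip and enforces the lockout itself, which this software model only mimics.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Toy model of the key-pair sign-in described above. Assumption: a real TPM keeps
// deviceSecret in the chip and enforces the lockout in hardware; both are simulated here.
const maxPINFailures = 3

var (
	ErrBadPIN = errors.New("wrong PIN")
	ErrLocked = errors.New("device locked by anti-hammering")
	ErrNoCred = errors.New("no credential enrolled on this device")
)

type Device struct {
	deviceSecret []byte // stands in for a TPM-resident secret (assumption)
	nonce        []byte
	wrapped      []byte // ed25519 private key sealed with AES-GCM under a PIN-derived key
	failures     int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewDevice() *Device { return &Device{deviceSecret: randomBytes(32)} }

// pinAEAD mixes the PIN with the device secret, so the same PIN typed on another device derives a different key.
func (d *Device) pinAEAD(pin string) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, d.deviceSecret...), pin...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key selects AES-256; cannot fail
	aead, _ := cipher.NewGCM(block)   // 16-byte block size; cannot fail
	return aead
}

// Enroll generates a key pair, seals the private half under the PIN and returns the public half, which is all the server ever stores.
func (d *Device) Enroll(pin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	aead := d.pinAEAD(pin)
	d.nonce = randomBytes(aead.NonceSize())
	d.wrapped = aead.Seal(nil, d.nonce, priv, nil)
	return pub
}

// Sign unlocks the private key with the PIN and signs the challenge; a wrong PIN fails the AEAD tag check and counts toward lockout.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.wrapped == nil {
		return nil, ErrNoCred
	}
	if d.failures >= maxPINFailures {
		return nil, ErrLocked
	}
	priv, err := d.pinAEAD(pin).Open(nil, d.nonce, d.wrapped, nil)
	if err != nil {
		d.failures++
		return nil, ErrBadPIN
	}
	d.failures = 0
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}

// Server holds public keys only, keyed by user: a breach of this table yields
// nothing that can be replayed or cracked offline, unlike a table of password hashes.
type Server map[string]ed25519.PublicKey

// Authenticate runs one challenge-response round: fresh nonce, device signature, verification against the registered key.
func Authenticate(s Server, d *Device, user, pin string) (bool, error) {
	challenge := randomBytes(32)
	sig, err := d.Sign(pin, challenge)
	if err != nil {
		return false, err
	}
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig), nil
}

func main() {
	dev := NewDevice()
	srv := Server{"alice": dev.Enroll("1234")}
	fmt.Println(Authenticate(srv, dev, "alice", "1234"))         // true <nil>
	fmt.Println(Authenticate(srv, dev, "alice", "0000"))         // false wrong PIN
	fmt.Println(Authenticate(srv, NewDevice(), "alice", "1234")) // false no credential enrolled on this device
}
```

Run it with `go run`: the right PIN on the enrolled device verifies, a wrong PIN fails the tag check and burns one of the lockout attempts, and the PIN alone on a device that was never enrolled cannot produce a signature at all. A second device enrolled with the same PIN generates its own key pair, which the server has not registered, so it does not verify either; that is the "device-bound credential" property from the comment above expressed in code.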
