Why is the PIN for Windows Hello more secure than a password? | One Dev Question


The Discussion

  • PIN provides entropy? What does that mean?
  • I'm curious about that, too.
  • A PIN provides encryption entropy (an unknown or additional variable) since it isn't stored on a server and is mixed with standard passwords to produce stronger authentication standards. Password < Password + PIN. It's a kind of two-factor authentication.
  • Thanks for the clear explanation; today, 17-04-2019, I came to know the real reason. Wish you all the best, keep sharing the videos for IT pros and normal Windows users.
  • Joe Dreyfus

    Microsoft's PIN can contain letters too--all of the characters a password can, so it's not a Personal Identification Number. It's a password. The entropy is the same. The difference is just that they are doing different things with it than they were before--namely using it with a TPM. Even the idea of not transmitting it to a server is not new--that's just how passwords worked before internet accounts (and even long after that). Calling it a PIN instead of a password appears to be a marketing gimmick.

  • I like PINs. Thanks for the clear explanation of how they work.
  • David King

    It sounds like they want to use the PIN provided + a salt from the hardware TPM to create a hash which is stored (maybe locally on the device?).

    Every time you enter a password it will add your PIN to the TPM salt to create a hash and compare that against the value it has stored (somewhere).

    This way nobody ever has your password and it cannot be decrypted, but it can be checked to be sure it's correct.

    Currently it sounds like Windows stores all the passwords for a computer locally in some SAM.config files and although the passwords are hashed it's apparently trivial to crack.

    There's no reason why they couldn't continue to use passwords, instead of PINs, and a more secure hashing algorithm / check instead of the security store they have implemented.

  • Need to have a biometric-free way of using the Windows device without ever requiring a photo, fingerprint, voice print or any biometric data.

    Forcing biometrics is anti-privacy and only serves to secure the device with the much greater risk that it will be used for tracking. For example, a court-ordered search of a device with its usage history tied to each and every individual user.

    Loss of privacy. A very bad thing. Good for technology companies blindly thinking that more connected is always better.

    Don't want to be forced to save photos of my kids playing at the park in the cloud easily searchable by some AI driven bot for each and every police warrant.

    Encourage privacy and the right to not be forced to share your personal data or be forced to store personal data on a device. Devices can be unlocked, bypassed and data exfiltrated.

  • Windows Hello (Face/Fingerprint/PIN) is a modern, two-factor credential that provides users with a more secure way to sign in to Windows 10 than a password. How can this be? Keep reading...

    >> Why are passwords insecure?
    A password is a symmetric secret that is constantly being transmitted to a server every time you authenticate, and can easily be intercepted. Because passwords are stored on a server, they can be stolen, and are susceptible to password spray attacks (when an attacker tries the same P@$$w0rd on multiple accounts belonging to a domain). Additionally, if your password is phished or stolen, it can be used to access your account from *any* device in the world.

    >> How is Windows Hello better?
    Windows Hello uses an asymmetric key-pair authentication model where your Windows Hello gesture (such as Face, Fingerprint, or PIN) provides entropy to decrypt a private key stored on your device. Successful authentication will allow you to access your cloud-based resources, such as mail, pictures, and settings tied to your Microsoft account. Unlike a password, because Windows Hello uses asymmetric key pairs (where your credential never leaves your device, and isn’t stored on a server somewhere), your credentials can’t be stolen in cases where a backend server (i.e. belonging to an identity provider or website) is compromised.

    For additional security, on devices that have a TPM (Trusted Platform Module) chip 2.0+, the private key is backed by hardware. The TPM chip includes multiple physical security mechanisms to make it tamper resistant, such as anti-hammering protection (i.e. when someone tries to incorrectly enter your PIN too many times on your device), and malicious software is unable to tamper with the TPM either. Devices that don't have a TPM will still benefit from software-based encryption and software anti-hammering.

    Lastly, your Windows Hello credentials are specific to the device where they were set up. This means that even if an attacker learns your PIN, it won’t be useful unless they are able to steal your physical device as well!

    >> But isn’t a PIN easier to shoulder-surf than a password?
    You can use both numbers and letters, and make your PIN as long as you would make your password if you’re worried about somebody being able to shoulder-surf your PIN. Although this will make your PIN feel similar to a password, it’s the underlying infrastructure (described above) that sets these two authentication methods apart.
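The sign-in model this comment describes, written out as an added Go example that is not part of the original page or of Microsoft's implementation: the server stores only a public key and issues a one-time challenge, the device's private key stays on the device sealed under a PIN-derived key, and the PIN is useless without that device's sealed blob. AES-GCM keyed from the PIN stands in for the TPM, and the `Device`, `Enroll`, `Sign` and `ServerVerify` names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Device is the client: its private key never leaves it and is stored sealed under
// a PIN-derived key. Windows Hello seals the key in the TPM; here AES-GCM stands in
// for the TPM, an assumption of this example rather than Microsoft's design.
type Device struct {
	salt, nonce, sealed []byte
	Pub                 ed25519.PublicKey // the only thing the server ever stores
}

// pinKey is where the PIN "provides entropy": mixed with a per-device salt it
// becomes the key that unseals the private key.
func pinKey(pin string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(pin), salt...))
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Enroll generates the device key pair and seals the private half under the PIN.
func Enroll(pin string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand failure not expected
	d := &Device{salt: make([]byte, 16), nonce: make([]byte, 12), Pub: pub}
	rand.Read(d.salt)
	rand.Read(d.nonce)
	d.sealed = pinKey(pin, d.salt).Seal(nil, d.nonce, priv, nil)
	return d
}

// Sign answers a server challenge. A wrong PIN fails the GCM tag check and yields
// no key; the PIN alone, without this device's sealed blob, is useless.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	priv, err := pinKey(pin, d.salt).Open(nil, d.nonce, d.sealed, nil)
	if err != nil {
		return nil, err // wrong PIN (or tampered blob)
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}

// ServerVerify holds only the public key, so a breached server leaks nothing an
// attacker could sign in with, unlike a stored password hash.
func ServerVerify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

A real deployment would rate-limit PIN attempts (the TPM's anti-hammering) and bind the challenge to a session; this example only shows the key-handling core.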
  • Louis Lewis

    Hi, this PIN is not new. I have been signing in this way for a long time and yes to the comments, it is secure and much easier. Same as using a PIN at an ATM.

  • John M

    Being forever the optimist, it would seem to me that if your Windows device goes seriously south, you're screwed. All these technologies fail to take into account that computers do fail. There is no apparent way to save what would be the randomly hashed PIN on an external source to provide access under those conditions.

  • Mike K

    "A password is a symmetric secret that is constantly being transmitted to a server every time you authenticate, and can easily be intercepted."

    This is, to put it bluntly, bullshit. There is nothing about a password that requires it to be transmitted to a server. Take for example a Linux installation - your passwords are stored *locally* in /etc/shadow and are never sent to a server.

    What Microsoft's marketing team is trying to avoid saying here is:

    "A few years back when we decided to try and force everyone to switch to Microsoft accounts to login to their personal PCs, we started sending *those* passwords over the internet, rather than allowing users to continue using local passwords. It turns out that wasn't a great idea, so now we've re-introduced the idea of a locally-stored password, which we are calling a PIN. But we want to save face, so we've come up with a marketing-heavy explanation of what a PIN is, which incorrectly states that all passwords are transmitted over the internet, so people won't realize what a bone-headed idea we had in the first place."

    There, Microsoft Marketing Drones, I fixed it for you. Also, while we're at it could you please stop calling 3D models projected onto flat glass (i.e. the Hololens) "Holograms". Because they aren't. Not at all.

  • If you create a local account vs using a Microsoft account, then the password is not being transmitted to a server, correct? The password remains local to the laptop just as a PIN would.

  • I don't see anyone discussing Windows Hello in a corporate environment. If you use Windows 10 and either facial recognition or the fingerprint sensor, you are forced to create a PIN. As an administrator you cannot set policies for the PIN, so you cannot enforce strong passwords/PINs, you cannot force periodic changes to the PIN, and if you log in using the PIN you are logged in with your domain username and account. So if someone knows my PIN and steals my device, they can log in and have access to the network. The user never has to change the PIN and can use only it to log in daily. So I don't understand why Microsoft doesn't allow you to manage the PIN setting if the machine is a member of a domain. Let us manage or disable it; we have encrypted AD, you aren't transferring clear-text passwords these days.
  • @BS74 Thank you so much for speaking my mind. Microsoft has yet to address the corporate environment for PIN and fingerprint. It is seriously a security flaw.

  • Jack H

    @bs74: I used your arguments today when I was asked by top executives why they cannot log in with their Windows Hello cameras. Thank you for your comments. Here's hoping someday Microsoft gives us proper GPOs for managing PIN complexity and expiration.
