What can I build today with Azure Mixed Reality Services? | One Dev Question

How can a Windows Hello PIN be more secure than a password? We asked Dana Huang, Director of Engineering for Windows Security, to find out how this works. Interesting stuff, with lots more info at http://msft.social/e1XPns
Microsoft's PIN can contain letters too--all of the characters a password can, so it's not a Personal Identification Number. It's a password. The entropy is the same. The difference is just that they are doing different things with it than they were before--namely using it with a TPM. Even the idea of not transmitting it to a server is not new--that's just how passwords worked before internet accounts (and even long after that). Calling it a PIN instead of a password appears to be a marketing gimmick.
It sounds like they want to use the PIN provided + a salt from the hardware TPM to create a hash which is stored (maybe locally on the device?).
Every time you enter a password it will add your PIN to the TPM salt to create a hash and compare that against the value it has stored (somewhere).
This way nobody ever has your password and it cannot be decrypted, but it can be checked to be sure it's correct.
Currently it sounds like Windows stores all the passwords for a computer locally in some SAM.config files and although the passwords are hashed it's apparently trivial to crack.
There's no reason why they couldn't continue to use passwords, instead of PINs, and a more secure hashing algorithm / check instead of the security store they have implemented.
Need to have a biometric-free way of using the Windows device without ever requiring a photo, fingerprint, voice print or any biometric data.
Forcing biometric is anti-privacy and only serves to secure the device with the much greater risk it will be used for tracking. For example, court ordered search of a device with its usage history tied to each and every individual user.
Loss of privacy. A very bad thing. Good for technology companies blindly thinking that more connected is always better.
Don't want to be forced to save photos of my kids playing at the park in the cloud easily searchable by some AI driven bot for each and every police warrant.
Encourage privacy and the right to not be forced to share your personal data or be forced to store personal data on a device. Devices can be unlocked, bypassed and data exfiltrated.
Hi, this PIN is not new. I have been signing in this way for a long time and yes to the comments, it is secure and much easier. Same as using a PIN at an ATM.
Being forever the optimist, it would seem to me if your Windows device goes seriously south, you're screwed. All these technologies fail to take into account that computers do fail. There is no apparent way to save what would be the randomly hashed PIN on an external source to provide access under those conditions.
"A password is a symmetric secret that is constantly being transmitted to a server every time you authenticate, and can easily be intercepted."
This is, to put it bluntly, bullshit. There is nothing about a password that requires it to be transmitted to a server. Take for example a Linux installation - your passwords are stored *locally* in /etc/shadow and are never sent to a server.
What Microsoft's marketing team is trying to avoid saying here is:
"A few years back when we decided to try and force everyone to switch to Microsoft accounts to login to their personal PCs, we started sending *those* passwords over the internet, rather than allowing users to continue using local passwords. It turns out that wasn't a great idea, so now we've re-introduced the idea of a locally-stored password, which we are calling a PIN. But we want to save face, so we've come up with a marketing-heavy explanation of what a PIN is, which incorrectly states that all passwords are transmitted over the internet, so people won't realize what a bone-headed idea we had in the first place."
There, Microsoft Marketing Drones, I fixed it for you. Also, while we're at it could you please stop calling 3D models projected onto flat glass (i.e. the Hololens) "Holograms". Because they aren't. Not at all.
If you create a local account vs using a Microsoft account, then the password is not being transmitted to a server, correct? The password remains local to the laptop just as a PIN would.