How is Windows Hello Sign-In with a PIN, More Secure Than a Password?


ilovehorses34

Member
Local time
11:42 AM
Posts
5
OS
Windows 11
Windows Version: 22H2.

I've switched to Windows Hello Sign-In with a PIN. I was pleased to see when I tried to enter in my master password in KeepassXC, Windows prompted me to enter my PIN again. I thought "great I now have a sort of 2FA when it comes to unlocking my password vault in KeepassXC. Then on a whim, I tried hitting cancel when the Windows PIN dialog came up one day. After hitting cancel, my password file was simply unlocked like I had never enabled Windows Hello to begin with.

Microsoft promotes Windows Hello as a more secure sign-in/authentication method than a simple password. But is it really more secure? I was able to simply bypass the Hello dialog to get in to my password vault in KeepassXC. This reminds me of the Win98/95 days where you'd get a user/password prompt when booting your machine. But, you could simply hit cancel and the desktop would come up.
 

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    12th Gen Intel(R) Core(TM) i7-12700KF 3.60 GHz
    Motherboard
    MSI PRO Z690 P
    Memory
    Kingsinton Fury 32GBs
    Graphics Card(s)
    NVIDIA GeForce GTX 1650
    Sound Card
    Realtek® ALC897 Codec
  • Operating System
    Manjaro Linux XFCE Edition
    Computer type
    Laptop
    Manufacturer/Model
    Dell Insiprion 1564
    CPU
    Intel Core i3 350M 2.26 GHz
    Memory
    4 GB Type DDR3-1066 MHz
    Graphics card(s)
    Intel GMA HD
I believe the PIN has to be entered on your keyboard, it can't be used remotely. This makes it secure. Optionally you can include letters, numbers and special characters up to 127.
 

My Computers

System One System Two

  • OS
    11 Pro 23H2 OS build 22631.3672
    Computer type
    Laptop
    Manufacturer/Model
    Acer Swift SF114-34
    CPU
    Pentium Silver N6000 1.10GHz
    Memory
    4GB
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD
    Cooling
    fanless
    Internet Speed
    13Mbps
    Browser
    Brave, Edge or Firefox
    Antivirus
    Webroot Secure Anywhere
    Other Info
    System 3

    ASUS T100TA Transformer
    Processor Intel Atom Z3740 @ 1.33GHz
    Installed RAM 2.00 GB (1.89 GB usable)
    System type 32-bit operating system, x64-based processor

    Edition Windows 10 Home
    Version 22H2 build 19045.3570
  • Operating System
    Windows 11 Pro 23H2 22631.2506
    Computer type
    Laptop
    Manufacturer/Model
    HP Mini 210-1090NR PC (bought in late 2009!)
    CPU
    Atom N450 1.66GHz
    Memory
    2GB
Thanks that makes sense.
 

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    12th Gen Intel(R) Core(TM) i7-12700KF 3.60 GHz
    Motherboard
    MSI PRO Z690 P
    Memory
    Kingsinton Fury 32GBs
    Graphics Card(s)
    NVIDIA GeForce GTX 1650
    Sound Card
    Realtek® ALC897 Codec
  • Operating System
    Manjaro Linux XFCE Edition
    Computer type
    Laptop
    Manufacturer/Model
    Dell Insiprion 1564
    CPU
    Intel Core i3 350M 2.26 GHz
    Memory
    4 GB Type DDR3-1066 MHz
    Graphics card(s)
    Intel GMA HD

How is a PIN different from (and better than) a password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like t758A! could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
  • PIN is tied to the device
    One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

    Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
  • PIN is local to the device
    A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
  • PIN is backed by hardware
    The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.

    User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.

    The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
  • PIN can be complex
    The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
  • What if someone steals the laptop or phone?
    To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammering protection locks the device. You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
  • Why do you need a PIN to use biometrics?
    Windows Hello enables biometric sign-in for Windows 11: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

    If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Hi,
What really matters is if you use hello... you'll still be asked for your password/ security questions/.... eventually
So hello to now remembering more information than just password/ security questions lol

By the way you can also be safer simply by disabling remote access completely :doh:
 
Last edited:

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
Once someone has physical possession, they don't need the pin to access your hard drive. Drive can be removed and browsed from another computer.
And perhaps another type of OS if needed to view files.

And a new or wiped drive frees the device to be used again.

I do use PIN on my PC's mainly for convenience, and I use the same PIN on all 6 of them.
All PC I have at home.
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    some kind of old ASUS MB
    CPU
    old AMD B95
    Motherboard
    ASUS
    Memory
    8gb
    Hard Drives
    ssd WD 500 gb
The real question in my opinion is: why would keepass xc even ask for this PIN? Did you configure XC to use windows hello in addition to the password (is that even configurable)? If it is, the PIN entry should be mandatory.
About the question as gathered from the title of this thread: a PIN is a small key to a big secret (TPM based) behind it.
 

My Computer

System One

  • OS
    Win11

Latest Support Threads

Back
Top Bottom