Solved Passkey Security Question


fwshaw

Active member
Member
Local time
9:42 PM
Posts
36
Visit site
OS
Windows 11 Pro
I have finally begun setting up passkey access to critical accounts. I'm using my laptop with Windows 11 Hello; I'm not doing this with my iPhone.
There are three options I've seen: face recognition, a fingerprint or a PIN. I've used a PIN for access. (Don't want to uncover my camera.)
Is there a problem or concern with using the same PIN for each account?

At first I thought the same PIN for several accounts would be less secure. But is it less secure than using the same fingerprint or face for several accounts?

Also, any thoughts on the length of the PIN, short vs. long, as it relates to security?

Would very much appreciate some knowledgeable insights on this question.

Regards,
F Shaw
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    PC Laptops, LLC
    CPU
    i9-13900HX
    Memory
    64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4050
    Hard Drives
    WD Black SN850x NVMe 1TB, MSI M450 2TB
    Mouse
    Logitech MX Anywhere 2s
    Browser
    Brave
Hi, the tutorial below is a good read.
And to steal one of Brink's images from the tutorial, the key can be as complex as you like.

[image: IMG_5033.png]

Have a read of this; it could be helpful.
Not sure how relevant it is to passkeys for apps, but a good read.


> Is there a problem or concern with using the same PIN for each account?

Not that I have read anywhere.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 Build 22631.4249
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 - 2 x 24MK430H-B - 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 23H2 Build: 22631.4249
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Other Info
    …still on a horse.

What is Windows Hello?

Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows. Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services.

The Windows Hello authenticator is known as a Hello. A Hello is unique to the combination of an individual device and a specific user. It does not roam across devices, is not shared with a server or calling app, and cannot easily be extracted from a device. If multiple users share a device, each user needs to set up his or her own account. Every account gets a unique Hello for that device. You can think of a Hello as a token you can use to unlock (or release) a stored credential. The Hello itself does not authenticate you to an app or service, but it releases credentials that can. In other words, the Hello is not a user credential but it is a second factor for the authenticating process.


Windows Hello authentication

Windows Hello provides a robust way for a device to recognize an individual user, which addresses the first part of the path between a user and a requested service or data item. After the device has recognized the user, it still must authenticate the user before determining whether to grant access to a requested resource. Windows Hello provides strong 2FA that is fully integrated into Windows and replaces reusable passwords with the combination of a specific device, and a biometric gesture or PIN.

Windows Hello is not just a replacement for traditional 2FA systems, though. It is conceptually similar to smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. Windows Hello does not require the extra infrastructure components required for smart card deployment, either. In particular, you do not need a Public Key Infrastructure (PKI) to manage certificates, if you do not currently have one. Windows Hello combines the major advantages of smart cards—deployment flexibility for virtual smart cards and robust security for physical smart cards—without any of their drawbacks.

How Windows Hello works

When the user sets up Windows Hello on his or her machine, it generates a new public–private key pair on the device. The trusted platform module (TPM) generates and protects this private key. If the device does not have a TPM chip, the private key is encrypted and protected by software. In addition TPM-enabled devices generate a block of data that can be used to attest that a key is bound to TPM. This attestation information can be used in your solution to decide if the user is granted a different authorization level for example.

To enable Windows Hello on a device, the user must have either their Microsoft Entra ID account or Microsoft Account connected in Windows settings.


Authentication

When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called "releasing the key".

An application can never use the keys from another application, nor can someone ever use the keys from another user. These keys are used to sign requests that are sent to the identity provider or IDP, seeking access to specified resources. Applications can use specific APIs to request operations that require key material for particular actions. Access through these APIs does require explicit validation through a user gesture, and the key material is not exposed to the requesting application. Rather, the application asks for a specific action like signing a piece of data, and the Windows Hello layer handles the actual work and returns the results.

 

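The flow in the quoted documentation (a key pair generated per device and user, the PIN as the gesture that "releases" it, apps only ever receiving a signature) is easier to see in a small model. The Go program below is an added illustration for this thread; it is not Microsoft's code and not something any poster provided. A store standing in for the TPM checks the PIN locally, keeps one key pair per website, counts wrong guesses, and hands back only signatures; each website keeps only a public key and never learns the PIN. It also answers the opening question in miniature: one PIN releases different keys for different sites, so the same PIN does not mean the sites share a secret. The site names shop.example and bank.example, the sample PIN 2468, the three-attempt limit and the use of Ed25519 (Windows Hello uses TPM-bound keys of its own) are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var errLocked = errors.New("device locked: too many failed PIN attempts")

// must treats failure of the system random source as fatal, as Go's crypto/rand does.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	must(err)
	return b
}

// deviceStore stands in for the TPM-backed credential store. A real TPM keeps the
// keys in hardware; here a salted hash of the PIN gates access in software (not a
// production KDF, just enough to show where the PIN is checked: on the device only).
type deviceStore struct {
	salt, pinHash   []byte
	failures, limit int
	keys            map[string]ed25519.PrivateKey // one key pair per site (relying party) ID
}

func hashPIN(salt []byte, pin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return h[:]
}

func newDevice(pin string, maxFailures int) *deviceStore {
	salt := randomBytes(16)
	return &deviceStore{salt: salt, pinHash: hashPIN(salt, pin), limit: maxFailures,
		keys: map[string]ed25519.PrivateKey{}}
}

// release is the "releasing the key" step: a correct gesture resets the failure
// counter, a wrong one counts towards the assumed lockout limit (anti-hammering).
func (d *deviceStore) release(pin string) error {
	if d.failures >= d.limit {
		return errLocked
	}
	if subtle.ConstantTimeCompare(hashPIN(d.salt, pin), d.pinHash) != 1 {
		d.failures++
		return errors.New("wrong PIN")
	}
	d.failures = 0
	return nil
}

// register creates a fresh key pair for one site; only the public key leaves the store.
func (d *deviceStore) register(pin, rpID string) (ed25519.PublicKey, error) {
	if err := d.release(pin); err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	d.keys[rpID] = priv
	return pub, nil
}

// signedMessage binds the challenge to the site, so a signature for one site is useless at another.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// sign is the only operation an app can ask for. The private key and the PIN never leave the store.
func (d *deviceStore) sign(pin, rpID string, challenge []byte) ([]byte, error) {
	if err := d.release(pin); err != nil {
		return nil, err
	}
	priv, ok := d.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// relyingParty is a website: it stores one public key per user and never sees a PIN.
type relyingParty struct {
	id   string
	pubs map[string]ed25519.PublicKey
}

func (rp *relyingParty) verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.id, challenge), sig)
}

// runScenario: one device, one PIN (2468) and two constructed sites. It reports whether
// the sites hold distinct keys, whether the bank login verifies, whether the bank's
// signature is accepted by the shop, and how many wrong guesses precede lockout.
func runScenario() (distinctKeys, loginOK, crossSiteReuse bool, lockedAfter int) {
	dev := newDevice("2468", 3)
	shop := &relyingParty{id: "shop.example", pubs: map[string]ed25519.PublicKey{}}
	bank := &relyingParty{id: "bank.example", pubs: map[string]ed25519.PublicKey{}}
	for _, rp := range []*relyingParty{shop, bank} {
		pub, err := dev.register("2468", rp.id)
		must(err)
		rp.pubs["user"] = pub
	}
	challenge := randomBytes(32) // fresh nonce issued by the bank for this login
	sig, err := dev.sign("2468", bank.id, challenge)
	must(err)
	distinctKeys = !shop.pubs["user"].Equal(bank.pubs["user"])
	loginOK = bank.verify("user", challenge, sig)
	crossSiteReuse = shop.verify("user", challenge, sig)
	for lockedAfter = 0; lockedAfter < 10; lockedAfter++ { // guess wrong until the store refuses
		if _, err := dev.sign("0000", bank.id, challenge); errors.Is(err, errLocked) {
			break
		}
	}
	return
}

func main() {
	fmt.Println(runScenario()) // true true false 3
}
```

The site ID folded into signedMessage is what stops a signature minted for the bank from being accepted by the shop; real WebAuthn passkeys get the same property by signing the relying party ID hash together with the client data, and the "wrong PIN" path is where a TPM's own anti-hammering counter would sit.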
Many, many thanks for this useful information. As I suspected, I have MUCH to learn about this subject.
 

> Many, many thanks for this useful information. As I suspected, I have MUCH to learn about this subject.

You’re welcome, Mr Shaw.

They were actually the least confusing topic answers that I could find. I hope it goes well for you. We’re here if it doesn’t.

A lot of that linked page though, is for developers.
 

In addition: :alien:


 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    CyberPower CP1500PFCLCD
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Here are some thoughts on the theme:
  1. Not all biometrics are the same. Facial biometrics (with the infrared camera requirement) on Windows is most likely as secure as iOS/iMac FaceID. Fingerprints will depend on the device; it's hard to evaluate whether the American/Chinese brands are any different.
  2. Unless you use a simple Windows PIN, getting a fingerprint reader may be worthwhile in terms of convenience. For someone coming from Win7, this is a major QOL improvement for almost all operations requiring passwords.
  3. The PIN complexity is to defeat local/on-system hacks. Again, if you use a fingerprint reader, then you can make the PIN more complex (because it is used less). The complexity should fit with the Windows Hello/TPM anti-hammering protection (which the articles above probably address). But it should also resist casual observation (an all-digit PIN may not), unless you never enter your PIN where it might be observed (in person, via camera, etc.).
  4. If someone can successfully observe you using your PIN, and they have access to your device, then they have access to your accounts/passkeys. I totally think using facial biometrics would mitigate this; using a fingerprint reader is possibly less safe but is still good, and using different PINs for different accounts would be better than using just the same one.
  5. I personally would assume that my laptop can be lost, that at some point in time somebody would observe me using my PIN without my knowing, and would set my security posture accordingly.
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex Micro 5000
    CPU
    Intel Core i5-12500T
    Motherboard
    Dell 03V7GF
    Memory
    2 x 8GB DDR4 SO-DIMM 3200
    Graphics Card(s)
    Intel UHD Graphics 770
    Sound Card
    Intel Alder Lake-S PCH - cAVS (Audio, Voice, Speech)
    Internet Speed
    500/1,000 Mbps
    Browser
    Firefox ESR
    Antivirus
    Windows defender
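Point 3 above ties PIN complexity to the anti-hammering limiter, and the quoted documentation notes that a device without a TPM protects the key in software only. The Go program below is an added worked example, not from this thread or from Microsoft: it computes the PIN search space for a few PIN shapes and the worst-case time to try every PIN under an assumed lockout policy, beside the same space with no limiter at all. The policy numbers (4 free tries, then a 30 s lockout doubling to a 24 h cap, 5 s per typed guess, and one microsecond per guess when nothing limits attempts) are constructed assumptions for illustration, not Windows Hello's real parameters.

```go
package main

import (
	"fmt"
	"math"
)

// lockoutPolicy is a simplified anti-hammering model (assumed, not Windows' own):
// the first FreeAttempts guesses cost nothing extra; after that every wrong guess
// triggers a lockout that is multiplied by Growth each time until it reaches MaxLockout.
type lockoutPolicy struct {
	FreeAttempts float64
	FirstLockout float64 // seconds
	Growth       float64 // multiplier per lockout; values <= 1 mean the lockout never grows
	MaxLockout   float64 // seconds
}

// noLimit models a store that never throttles, e.g. a software-only key store.
var noLimit = lockoutPolicy{FreeAttempts: math.Inf(1)}

// pinSpace is the number of distinct PINs for an alphabet size and length.
func pinSpace(alphabet, length int) float64 {
	return math.Pow(float64(alphabet), float64(length))
}

// secondsToExhaust is the worst case: trying every PIN in the space, paying perGuess
// seconds per attempt plus whatever lockout the policy imposes after each wrong one.
func secondsToExhaust(space float64, p lockoutPolicy, perGuess float64) float64 {
	if space <= p.FreeAttempts {
		return space * perGuess
	}
	if p.Growth <= 1 && p.FirstLockout < p.MaxLockout {
		p.MaxLockout = p.FirstLockout // a non-growing lockout is its own cap
	}
	total := p.FreeAttempts * perGuess
	remaining := space - p.FreeAttempts
	lock := p.FirstLockout
	for remaining > 0 && lock < p.MaxLockout { // growing phase: only a handful of iterations
		total += lock + perGuess
		remaining--
		lock *= p.Growth
	}
	return total + remaining*(p.MaxLockout+perGuess) // every remaining guess pays the capped lockout
}

// yearsToExhaust expresses the same quantity in years for readability.
func yearsToExhaust(space float64, p lockoutPolicy, perGuess float64) float64 {
	return secondsToExhaust(space, p, perGuess) / (365 * 24 * 3600)
}

func main() {
	// Assumed hardware-backed policy: 4 free tries, then 30 s doubling up to 24 h.
	hw := lockoutPolicy{FreeAttempts: 4, FirstLockout: 30, Growth: 2, MaxLockout: 86400}
	rows := []struct {
		label            string
		alphabet, length int
	}{
		{"4 digits", 10, 4}, {"6 digits", 10, 6}, {"8 digits", 10, 8}, {"8 alphanumeric", 62, 8},
	}
	fmt.Printf("%-16s %14s %16s %16s\n", "PIN", "space", "limited (years)", "unlimited (years)")
	for _, r := range rows {
		s := pinSpace(r.alphabet, r.length)
		fmt.Printf("%-16s %14.0f %16.3g %16.3g\n", r.label, s,
			yearsToExhaust(s, hw, 5),         // 5 s to type each guess at the lock screen
			yearsToExhaust(s, noLimit, 1e-6)) // nothing throttling attempts: one microsecond each
	}
}
```

The two right-hand columns make the point of the posts above: with the limiter in place even a short PIN takes years to exhaust, so the PIN mostly needs to resist observation; without a TPM-style limiter the only thing protecting the key is the size of the space, which is when length and a mixed alphabet matter.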
I'm likely a little slow replying. But I deeply appreciate the information provided. I've read through it several times and learned more each time. I have three Hello passkeys working. Thank you antspants. Thank you Brink. Thank you echo2446.

I do have one question. A couple of years ago I had a Dell Inspiron laptop that abruptly stopped working. Since I had purchased it at Costco I had good warranty repair support. I sent it to the repair center. They required that the Windows 7 login password be included; a very reasonable request from my perspective. I sent it. I was NOT worried about access to sensitive information / passwords, as all info was VeraCrypted or inside Password Safe. Today my Windows 11 login information is a passkey PIN or Microsoft Account. When I log in I can go to Win-Key I --> Accounts --> Passkeys. Then I see all the passkey accounts with their respective web site names (amazon.com) and user IDs (fwshaw@gmail). If this was my bank, wouldn't a repairman / service tech be able to access my bank account? What am I missing?

Also, where is the Like button so I can register "Great Support" for the answers provided to my questions?
 

> Also, where is the Like button so I can register "Great Support" for the answers provided to my questions?

It’s the link button at the bottom right of each post. It’s like a smiley action: you click and hold and other icons will show. Within the like there is an icon of a man with a headset.

Regarding the security when sending in a PC for repair.

The absolute best answer I could give you is: don’t send it in as it is. At least not if it’s a hardware issue.

  • If you’re having a hardware issue, it is 100% imperative that you back up your system (OS system image) to an external disk with something like Hasleo Backup (free) or Macrium Reflect (subscription; however, there is a free version somewhere).

  • Once you have made your system image and tested it, wipe your computer by reinstalling Windows.

This will achieve two things

  1. The PC/laptop will no longer have your stuff on it.
  2. It could be an indication: if, when reinstalling Windows, you find that the problem you thought you had is now gone, you don’t pay a tech; you come here and we’ll do our best to help you.
 

Thanks for the reply; very useful info. In the case of my Dell laptop, it was working fine. I walked out of the room for 45 minutes. When I returned the screen was black. The system seemed to be running, but I could see nothing. The repair involved replacing the display. I did have an image backup but didn't use it.
 

Thank you for all the support reps. But it was actually satisfying enough to have you say you’ve learned something and actually read the replies.

I don’t know why, but that is sometimes not the case with new members. Thanks again 🙏
 

> Thanks for the reply; very useful info. In the case of my Dell laptop, it was working fine. I walked out of the room for 45 minutes. When I returned the screen was black. The system seemed to be running, but I could see nothing. The repair involved replacing the display. I did have an image backup but didn't use it.

In this case, you need another admin account (like the default Administrator) that you can give to your tech. Even with an admin account, they can't use it to access your passkeys stored in other accounts. All your confidential files also need to be encrypted with EFS (Windows Encrypting File System), VeraCrypt, or other encryption tools.
 
