Windows Hello convenience PIN turns out to be less secure than I thought?

What @itsme1 and @Marcus Vinicus said about Windows Hello using the TPM is correct. Here's the Microsoft page, which says that "a Windows Hello PIN is backed by a Trusted Platform Module (TPM) chip..."


Convenience PINs are from the era before Windows Hello, so they're not even relevant, unless you're running some super old build of Windows 10, in which case you have more important issues.

Marcus Vinicus said:

I've assembled table after doing some research.

Comparing Windows Hello vs. Windows Hello for Business | TechTarget

Organizations should learn the differences between Windows Hello and Windows Hello for Business to make sure they deploy the right one.

www.techtarget.com

Click to expand...

Although I am not taking the OP's position (about local account login not being protected by TPM on consumers' computers), the article above does contain information that supports the OP's concern:

Authentication with Windows Hello​

When enabling Windows Hello, users must first authenticate to their Microsoft accounts or to an identity provider that supports Fast Identity Online (FIDO) 2 authentication. Users can also authenticate to a local account, but this approach doesn't offer the same level of security because it's not backed by an asymmetric key.

Click to expand...

The quoted information pretty much says that unless the authentication mechanism supports asymmetric keys (like FIDO2 with an online Microsoft account), local account authentication—presumably not supporting FIDO2—may not have the same kind of protection.

The question is: does Microsoft local account authentication on consumer devices currently support asymmetric keys, which would invalidate the TechTarget (May 2025) article above?

echo2446 said:

The quoted information pretty much says that unless the authentication mechanism supports asymmetric keys (like FIDO2 with an online Microsoft account), local account authentication—presumably not supporting FIDO2—may not have the same kind of protection.

The question is: does Microsoft local account authentication on consumer devices currently support asymmetric keys, which would invalidate the TechTarget (May 2025) article above?

Click to expand...

That's what I said in post 7. Local accounts, using passwords, are not using asymmetric keys. That has nothing to do with whether Windows Hello PINs use the TPM and asymmetric keys, which is what was claimed in post 1 and repeated afterward.

Marcus Vinicus said:

With the Personal vs Business variant's, one major difference is Business uses MFA.

Click to expand...

I don't think there's a difference there. Personal includes MFA.

BruceR said:

I don't think there's a difference there. Personal includes MFA.

Click to expand...

Windows Hello Personal currently doesn’t use MFA for the Windows desktop sign‑in.
Business/Entra ID enforces MFA as part of the identity system.

With a Microsoft Account (Personal), Windows Hello is a single‑step sign‑in. There’s no second factor prompt — it’s just one action.
With Business/Entra ID, MFA is part of the cloud identity flow: password → second factor → token → SSO.

Cloudflare defines MFA as follows.

"Multi-factor authentication checks multiple aspects of a person's identity before allowing them access to an application or database, instead of just checking one. It is much more secure than single-factor authentication."