Windows Hello PIN and Passkey security


blueskyler

Active member
Local time
7:41 AM
Posts
8
OS
Windows 10
Hi, I use Windows 11 23H2 and I would ask if it is SAFE to store the passkeys (for example, generated from a Google account) in Windows, which you can view stored under Settings --> Passkey settings.

The second question is: MUST the PIN related to Windows Hello be very complicated, or is it irrelevant?

Thanks
 
Windows Build/Version
win 11 23H2

It's supposed to be your passkey's private key that is not viewable in any circumstances, and you are not supposed to be able to use it to authenticate yourself to a website without first authenticating yourself with Windows Hello. If you store your passkey in another password manager, you probably can see some info about the passkey entries as well.

The PIN is backed by the TPM's anti-hammering (Trusted Platform Module (TPM) fundamentals - Windows Security), so it is not "practical" to brute-force the PIN. OTOH, you don't want it easy to guess within the constraints of TPM anti-hammering behaviors either. Microsoft recommends a 6-digit numeric PIN or better. Randomly generated is the way to go. 123456 is not in fashion, and probably not any numbers your family members/roommates can guess.
 

In addition to this, it's worth knowing that you can include letters in your PIN. You simply need to enable the Include letters and symbols option when you're changing your PIN.

I highly recommend using a decent password for your PIN, especially as passkeys become more commonplace. This way a password is all that is needed to sign in for anything, and one password is a lot easier to remember, especially one you use to unlock your computer every time you use it.

For more information:

 

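A defender-side check for the two points the replies above make: that the PIN's protection rests on the TPM's anti-hammering lockout, and that a PIN policy can require length and letters. This is an added example, not code from any post in this thread; it assumes the built-in Get-Tpm cmdlet and the PassportForWork\PINComplexity policy registry path, and is meant to be run in an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on
# Windows 10/11. Assumes the built-in Get-Tpm cmdlet (TrustedPlatformModule
# module) and the PINComplexity policy registry path named below.

# 1. Is the TPM anti-hammering protection the replies rely on actually in place?
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent      = $tpm.TpmPresent
    TpmReady        = $tpm.TpmReady
    LockedOut       = $tpm.LockedOut        # True while the TPM's dictionary-attack lockout is active
    LockoutCount    = $tpm.LockoutCount     # failed authorizations counted so far
    LockoutMax      = $tpm.LockoutMax       # failures allowed before the TPM locks out
    LockoutHealTime = $tpm.LockoutHealTime  # how long until the failure counter decays
} | Format-List

if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'No ready TPM found: a Windows Hello PIN on this device is not hardware-backed.'
}

# 2. Is a PIN complexity policy configured (Group Policy / MDM)? Values absent
#    from this key mean the Windows defaults apply.
$pinPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
if (Test-Path $pinPolicy) {
    Get-ItemProperty -Path $pinPolicy |
        Select-Object MinimumPINLength, MaximumPINLength, Digits,
                      LowercaseLetters, UppercaseLetters, SpecialCharacters |
        Format-List
} else {
    Write-Output 'No PIN complexity policy set; Windows defaults apply.'
}

# 3. Why "6 digits or better" and "include letters" matter: the number of
#    candidate PINs a guesser would have to work through, which the TPM
#    lockout rate-limits. Character classes: 10 digits, 26 lower, 26 upper.
function Get-PinKeyspace {
    param([int]$Length, [switch]$Letters)
    $alphabet = 10
    if ($Letters) { $alphabet += 52 }
    [math]::Pow($alphabet, $Length)
}
foreach ($case in @(
        @{ Length = 4; Letters = $false },
        @{ Length = 6; Letters = $false },
        @{ Length = 6; Letters = $true  })) {
    $n = Get-PinKeyspace -Length $case.Length -Letters:$case.Letters
    '{0}-character PIN, letters={1}: {2:N0} possible PINs' -f $case.Length, $case.Letters, $n
}
```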
If I create a Windows Hello PIN and use it to create a passkey, I understand that the PIN and passkey are connected to the hardware where they were created, is this correct?

If for some reason my PIN or my passkey were stolen, they could not be used on a device other than the one where they were generated; in this case, if I use an easy-to-remember PIN, is security compromised?
 

If I create a Windows Hello PIN and use it to create a passkey, I understand that the PIN and passkey are connected to the hardware where they were created, is this correct?
Yes, they are both backed by the TPM.

Your passkeys stored in Windows currently cannot be stolen (until someone finds an exploit!). Your PIN can be, but they have to have access to your computer to use the PIN/passkeys. Your PIN only matters on the local device where it is used. Being able to use your PIN implies having your device: something you know and something you have. This of course disregards remote access software that can be installed on your machine.
 

So in the worst-case scenario, my PIN (Windows Hello) and some passkey get stolen.

In order to use the PIN + passkey, the criminal/hacker needs to have physical access to my PC, where the PIN and PASSKEY were created and the TPM (tied to the BIOS?) created a hardware link.
Is that correct?
 

Yes, physical access or remote control software like TeamViewer. Remote control software is probably a case where you misconfigure something you install, or you are social-engineered into installing it.
 

Hi, I use Windows 11 23H2 and I would ask if it is SAFE to store the passkeys (for example, generated from a Google account) in Windows, which you can view stored under Settings --> Passkey settings.

The second question is: MUST the PIN related to Windows Hello be very complicated, or is it irrelevant?

Thanks
It need not be complicated - I use a four-character PIN - similar to debit cards or credit cards. It can be used along with other components of Windows Hello, or by itself. On my laptop I use the PIN by itself - on my desktop, I use a fingerprint reader or PIN - either can be used separately.
 
