How to use Windows Hello without a PIN?

Question

Thursday, October 22, 2015 5:42 PM

We're looking into allowing our users to use Windows Hello as our machines have compatible fingerprint scanners. However, Windows Hello prompts to input a PIN before allowing the use of Windows Hello. This is entirely useless as our users obviously already have their account passwords. Is there a way to disable the PIN requirement of Windows Hello?

All replies (33)

Monday, October 26, 2015 6:08 AM ✅Answered

Hi Entegy,

At the launch of Windows 10, the operating system supported three Hello types: PIN, facial recognition, and fingerprint recognition.

Before you can use Windows Hello to enable biometrics on a device, you must choose a PIN as your initial Hello gesture. After you’ve set a PIN, you can add biometric gestures if you want to. You can always use the PIN gesture to release your credentials, so you can still unlock and use your device even if you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

So the answer here is no, there is no way to disable the PIN, instead, we could change it, at least for the current situation.

Regards

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].


Friday, October 23, 2015 9:29 AM

Entegy,

Please check to see if the guide below would help:

Microsoft Passport guide

https://technet.microsoft.com/en-us/library/mt589441(v=vs.85).aspx

Regards



Friday, October 23, 2015 6:46 PM

Nothing really in there about disabling the PIN requirement.


Monday, October 26, 2015 2:00 PM | 8 votes

Thank you for the straightforward answer. That's definitely going into feedback because forcing the PIN is silly. It adds a less secure method of entry than their account password.


Monday, October 26, 2015 8:22 PM | 1 vote

I just purchased a Surface Pro 4 keyboard for use with my SP3 and ran into the same issue. I definitely don't want a pin, but I do want the fingerprint reader. Having a pin is just too insecure.


Wednesday, October 28, 2015 12:10 AM

In Windows 10, PIN login is part of the new Microsoft Passport feature (described here) and is more secure than a traditional password. In particular:

Microsoft Passport provides strong 2FA, fully integrated into Windows, that replaces reusable passwords with the combination of a specific device and a Hello or PIN. Microsoft Passport isn’t just a replacement for traditional 2FA systems, though. It’s conceptually similar to smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. Microsoft Passport doesn’t require the extra infrastructure components required for smart card deployment, either. In particular, you don’t need a PKI if you don’t currently have one. Microsoft Passport combines the major advantage of smart cards — deployment flexibility for virtual smart cards and robust security for physical smart cards — without any of their drawbacks.


Wednesday, October 28, 2015 12:33 AM | 1 vote

A PIN is not more secure than their domain account password that expires and has enforced complexity. It's simpler, and just another thing for the user to remember.

I can completely understand a PIN requirement on a phone or a personal computer, but not on a domain-joined computer.


Thursday, October 29, 2015 8:06 PM

Microsoft Passport for Work offers complexity settings that match password complexity.  In the release after RTM it will also include Expiration and History settings.

The term 'PIN' is used generally, but it can contain any combination of upper and lower case alphanumeric, special character and/or digits as defined in the complexity settings under Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Passport for Work.

The PIN in Windows 8.1 was a convenient logon option for consumers that offered little security and has been replaced in Windows 10.  The 'PIN' in Microsoft Passport is more secure than passwords because there is no shared secret that can be harvested from a stolen server.  The PIN is the primary gesture that Windows Hello requires. The PIN allows the system to gain access to the private/public key or certificate that is attested as being bound to the hardware TPM. The private key never leaves the device and all the server has is a copy of the public key on the user account.  This is two-factor authentication much like virtual smart card.  The user must type the correct 'PIN' in order to gain access to the keys in TPM. Having the 'PIN' won't help unless the person also has access to the device.

Here is a good document outlining the benefits of Microsoft Passport.

Manage identity verification using Microsoft Passport
https://technet.microsoft.com/en-us/library/mt219735%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
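
The exchange the post above describes (the PIN gates a device-bound private key, the identity provider holds only the public key, and the TPM limits guesses), as an added Go model. It is example code, not part of the thread and not Windows Hello's own implementation. The SHA-256 hash of the PIN, the lockout threshold of five failures, the P-256 key and the 32-byte nonce are this example's assumptions; a real TPM keeps the PIN as an authorization value with its own dictionary-attack policy. The same model covers the later point in the thread that a PIN bound to a TPM is nearly impossible to brute-force without the device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// maxFailures is an assumed anti-hammering threshold; a real TPM applies its own
// dictionary-attack policy (lockout counters and growing delays).
const maxFailures = 5

// Device models the TPM-resident side: the private key never leaves it, and a
// local PIN gesture gates every signing operation.
type Device struct {
	priv      *ecdsa.PrivateKey
	pinHash   [32]byte // toy stand-in for the TPM's PIN authorization value
	failures  int
	lockedOut bool
}

func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Public is the only thing that gets enrolled with the identity provider.
func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign releases the key for one signature if the PIN is right and the device is not locked.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	if d.lockedOut {
		return nil, errors.New("device locked: too many wrong PIN attempts")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		d.failures++
		if d.failures >= maxFailures {
			d.lockedOut = true
		}
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	return signNonce(d.priv, nonce)
}

func signNonce(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// IdP models the server side: one public key per account, no shared secret to steal.
type IdP struct{ keys map[string]*ecdsa.PublicKey }

func NewIdP() *IdP { return &IdP{keys: map[string]*ecdsa.PublicKey{}} }

func (s *IdP) Enroll(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

func (s *IdP) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func (s *IdP) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs the exchange: IdP challenge, PIN-gated signature on the device, verification.
func Login(s *IdP, d *Device, user, pin string) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(pin, nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, nonce, sig), nil
}

// StolenDumpAttack models an attacker holding a copy of the IdP's account table.
// The table holds only public keys, so the best they can do is sign with their own key.
func StolenDumpAttack(s *IdP, user string) (bool, error) {
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := signNonce(attacker, nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, nonce, sig), nil
}
```

Enroll a device, log in with the right PIN, then try a wrong PIN, a stolen copy of the IdP table, and repeated guesses: only the first succeeds, and after maxFailures wrong PINs even the correct one is refused until the lockout clears. Contrast this with a stolen password hash, which can be attacked offline at whatever speed the attacker's hardware allows.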


Wednesday, November 25, 2015 10:00 PM

When you use a PIN you can define the length, and the PIN is only stored in the very secure Passport on your local machine. If you use a TPM you can't even extract it. This is the 2nd factor (machine plus another factor) to avoid passwords. With Passport we get rid of these as they are risky to use, especially in areas where you can not make sure that a man-in-the-middle attack would start, or even when you are in an internet cafe.

We are now in a world where passwords alone are not anymore sufficient.

Check out also this blog entry.

http://www.ms-labrats.de/2015/11/windows-hello-you-get-addicted-to-it.html


Monday, June 13, 2016 6:06 PM

Since the private key is in the hardware TPM, each time the PIN is setup on a different machine, the pin can be different.  So it is not only remembering the pin but also which pin belongs to which particular logon on a particular machine.  

Love to see defenses to PtH, but right now, an employee needs access to this machine to do something productive.  There must be some GPO or registry setting to disable for now. 


Friday, December 16, 2016 12:51 AM

The current state is really bad. Nobody is going to convince me, that a simple PIN is more secure than a complex password. Especially since the PIN can only be a numeric sequence, as Windows 10 won't let you use anything else than numbers.

I take security very seriously - two-factor authentication is the minimum standard for me, I use VPN everywhere, I have TPM chips and full encryption enabled on all my devices. Recently I bought a Surface Pro 4 with Hello facial recognition and a fingerprint scanner on the type cover, upgrading from my previous SP3. And I am very disappointed thanks to this enforced policy. The PIN, as it is defined now, is much easier to steal than a full password - for example when a hidden camera is watching you - while you log in with it. Storing the PIN inside the TPM is no argument. You can store the MS Account password there as well. If the only other place where the MS Account password is stored is the MS cloud, then it should be completely safe. Are you trying to tell me it's not? Because if someone's able to breach the MS cloud security, then they don't really need access to my device, as they already have access to all the sensitive info in the cloud.

Please, allow us to use the MS Account password instead of the PIN! The PIN is useless.


Friday, December 16, 2016 8:32 PM

The current state is really bad. Nobody is going to convince me, that a simple PIN is more secure than a complex password. Especially since the PIN can only be a numeric sequence, as Windows 10 won't let you use anything else than numbers.[..]

Please, allow us to use the MS Account password instead of the PIN! The PIN is useless.

I really second that.
I don't want to use a less secure pin in order to log on to my computer. It's only 4 digits and can be stolen easily.
Why can't I use a local user password or a smart card with certificate (but outside of the AD / without PKI) in combination with the fingerprint?


Wednesday, June 28, 2017 4:10 PM

Why a PIN is better than password

https://docs.microsoft.com/en-US/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password


Wednesday, June 28, 2017 4:14 PM

PIN can be complex

The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.

Problem solved


Wednesday, June 28, 2017 4:32 PM

That doesn't matter when you don't want your users to know two passwords just to use a fingerprint sensor.


Tuesday, July 4, 2017 10:11 PM

Imagine Windows Hello allowed the PIN code to be disabled; you have disabled it and users can only use biometrics or the AD password.

Now for some reason, a user can't use biometrics. Indeed, it's impossible to ensure that a biometric will always recognize a user, contrary to a (complex) PIN code you will always be able to type: so your user will have to type the AD password.

Another possibility is an attacker who takes your biometric devices down (i.e. just disables your sensor and/or cam device) in order to force you to use your keyboard and steal your credentials: the user will fall back to typing the AD password also.

This is exactly in conflict with the primary goal of Windows Hello, which is to avoid the use of the AD password (except during provisioning). The PIN code is safer because it is only valid for the local machine.

Conclusion: You should not disable PIN code, and I think that why for security reasons MS doesn't allow that. Consequence is we have to accept Windows Hello users have to remember at least two passwords. Could be even more than two if users have more than one Windows Hello devices.


Tuesday, July 4, 2017 10:18 PM

Consequence is we have to accept Windows Hello users have to remember at least two passwords.

And thus it will fail to be adopted.

Your argument also makes zero sense. If I force a PIN to be as complex as the AD password, then I've now just told the user to make two passwords they hate (nobody likes complex password policies), and one will only work on one machine.

Plus, if an attacker has the system access to start disabling hardware, I have much bigger problems and any user passwords are already likely compromised.


Wednesday, July 26, 2017 3:40 PM

I absolutely agree with you.  The Pin is very insecure.  It must be a number AND be only 4 digits. So to be secure, I'm really forced to not use fingerprint or iris or pin.  Only password.  

I do however love using the MS Authenticator app and approve sign-in with my phone for various sites, etc.


Wednesday, July 26, 2017 9:59 PM

I agree with you Entegy, a complex PIN will make adoption of Windows Hello difficult, and there is also a risk that users set the same complex PIN code as the domain password... I've never said that it's a good idea to enable the PIN complexity but just mentioned that the possibility exists for those who are interested anyway or say the contrary.

My personal opinion is that in an enterprise environment, 4 digits is indeed maybe too insecure, but a 6- or 8-digit-only PIN (requires Hello for Enterprise) seems acceptable to me in corporate, like we do for our iPhones (6-digit PIN).

Regarding non-corporate devices, a 4-digit PIN for me is OK and that's what Microsoft proposes. Indeed more digits will make acceptance by the general public very difficult.

I think people tend to think that a 4-digit PIN code on Windows 10 computers is not secure because it's a computer form factor and NOT a tablet or mobile, WHEREAS it's the same OS security and Hello technology. But also because PIN code technology is relatively new to computers.

So if you consider that a 4-digit PIN code is secure enough for your iPad, iPhone or Windows 10 tablet or Mobile, then it's secure enough for a Windows 10 laptop or desktop.

 


Wednesday, July 26, 2017 10:12 PM

I don't agree. I won't explain my opinion but I can suggest you read this explanation if you did not already: /en-US/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password


Wednesday, July 26, 2017 11:25 PM

Complex passwords are annoying for users and I think everybody agrees. So remember, why nowadays are we requiring users to remember complex passwords on their computers?? And why does a credit card have only a 4-digit PIN?

Complex passwords are necessary because they are used as a secret key for securing communication over networks (NTLM hashes, hash functions, Kerberos authentication, etc...); this is the only reason WHY complex passwords are needed.

The confusion is here: most people think and/or decided that complex passwords are necessary to protect against a physically present malicious user behind users' shoulders looking at their keyboards. No, I don't agree; requiring complex passwords came from the necessity to secure network authentication/communication.

Thanks to TPM chips and Hello Enterprise I can see two important wins: the necessity to type complex passwords is now gone, which makes users happy, and at the same time security is enhanced, because as explained by MS: When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. This key pair is far more secure than complex passwords.


Sunday, August 13, 2017 3:52 AM

"PIN *can* be complex", but by default it is insecure.

But *"administrators can set policies" *to make it complex.

But when Grandma wants to use her fingerprint on her home laptop, she has no administrator to set group policy.  

So she will set her pin to "1234" ..."like an idiot would have on his luggage".

Windows Hello took good biometric security, and crippled it with an irrelevant dependency on PINs that are insecure by default.  

Summary: Tying fingerprints to PINs = 1234


Friday, October 20, 2017 8:20 PM

That's no longer true: you can't set 1234 as a PIN, nor any other PIN having a common pattern.

Windows Hello blocks this by default, since Windows 10 version 1703 build 15063 (from my searches on the Internet).

The common PIN patterns blocked are described here:

https://blogs.technet.microsoft.com/tip_of_the_day/2017/09/06/tip-of-the-day-avoiding-common-pin-patterns-in-windows-hello/
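
An added validator, written for this page and not taken from the thread or from Microsoft, that models the complexity settings described earlier in the thread (minimum length and allowed/required/blocked character classes) together with a common-pattern filter of the kind the tip above describes. The Policy struct, the Rule encoding, the two sample policies and the pattern list (one repeated digit, a repeated block such as 1212 or 123123, and straight ascending or descending runs) are this example's own assumptions; the linked tip is the authority on which patterns Windows actually rejects.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Rule mirrors the three-way choice the complexity policy offers per character class.
type Rule int

const (
	Allowed Rule = iota
	Required
	NotAllowed
)

// Policy is a hypothetical in-memory form of the settings; the real ones are
// pushed through Group Policy or MDM, not through this struct.
type Policy struct {
	MinLength                                  int
	Digits, Uppercase, Lowercase, SpecialChars Rule
	BlockCommonPatterns                        bool
}

// classify reports which character classes appear in the PIN; anything that is
// neither letter nor digit counts as a special character.
func classify(pin string) (digits, upper, lower, special bool) {
	for _, r := range pin {
		switch {
		case unicode.IsDigit(r):
			digits = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		default:
			special = true
		}
	}
	return
}

// isCommonPattern flags an all-digit PIN built from a repeated block (1111, 1212,
// 123123) or a straight ascending/descending run (1234, 8765). Assumed subset only.
func isCommonPattern(pin string) bool {
	n := len(pin)
	if n < 2 {
		return false
	}
	for block := 1; block <= n/2; block++ {
		if n%block == 0 && strings.Repeat(pin[:block], n/block) == pin {
			return true
		}
	}
	ascending, descending := true, true
	for i := 1; i < n; i++ {
		d := int(pin[i]) - int(pin[i-1])
		ascending = ascending && d == 1
		descending = descending && d == -1
	}
	return ascending || descending
}

// Validate returns the policy violations; an empty list means the PIN is accepted.
func Validate(p Policy, pin string) []string {
	var problems []string
	if n := len([]rune(pin)); n < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than minimum length %d", p.MinLength))
	}
	digits, upper, lower, special := classify(pin)
	checks := []struct {
		rule    Rule
		present bool
		name    string
	}{{p.Digits, digits, "digits"}, {p.Uppercase, upper, "uppercase letters"},
		{p.Lowercase, lower, "lowercase letters"}, {p.SpecialChars, special, "special characters"}}
	for _, c := range checks {
		switch {
		case c.rule == Required && !c.present:
			problems = append(problems, c.name+" required")
		case c.rule == NotAllowed && c.present:
			problems = append(problems, c.name+" not allowed")
		}
	}
	// Pattern blocking only matters for all-numeric PINs, where the keyspace is smallest.
	if p.BlockCommonPatterns && digits && !upper && !lower && !special && isCommonPattern(pin) {
		problems = append(problems, "common numeric pattern")
	}
	return problems
}

// NumericPolicy is an assumed numeric-only policy with pattern blocking (not the shipped default).
var NumericPolicy = Policy{MinLength: 4, Digits: Required, Uppercase: NotAllowed, Lowercase: NotAllowed, SpecialChars: NotAllowed, BlockCommonPatterns: true}

// CorporatePolicy is a made-up password-like policy of the kind the thread says admins can enforce.
var CorporatePolicy = Policy{MinLength: 8, Digits: Required, Uppercase: Required, Lowercase: Required, SpecialChars: Allowed, BlockCommonPatterns: true}
```

Under NumericPolicy, 1234 and 1212 are rejected as patterns and 482916 is accepted; under CorporatePolicy, 482916 fails on length and on the missing upper- and lowercase letters, while Tq48x29z passes. The pattern check deliberately ignores PINs that contain letters, since the argument in the thread is about the small all-digit keyspace.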


Tuesday, November 14, 2017 9:25 AM | 1 vote

To me it doesn't even matter if common patterns are blocked.  While Windows Hello forces you to add a pin as backup I will not be adopting it.  I believe the same can be said of the vast majority of enterprises.  And no one anywhere is going to convince me that a simple 4 digit pin is as secure as a complex expiring password.


Wednesday, July 4, 2018 1:19 PM

The PIN is absolutely more secure than a password, because this is about remedying a security flaw introduced by tying Microsoft Account login credentials to Windows User login passwords.  

- Complex Password to Microsoft Account: Can be brute-forced anywhere without access to your machine

- Simpler 6~8 Digit PIN to Windows Hello bound with TPM: Nearly impossible to brute-force, as TPM limits number of attempts as well as introducing time delays + access to your machine required


Friday, July 20, 2018 11:49 AM

The PIN is necessary as it is used to generate the hash that will encrypt the biometric input (i.e. fingerprint, facial recognition) in the TPM chip.


Monday, August 13, 2018 4:06 PM

Public key cryptography (which MS is now apparently raving about) has been with us since at least the 80s. I've used it for decades to log into linux machines securely.

Now, I appreciate that MS is finally acknowledging that their approach to date has been awful, but the resolution to a long-standing security failing is *not* to switch to the shortest, most insecure password format on the planet.

And no, raving about what a TPM is does not baffle me with science nor make your argument compelling. There's nothing you can do with a TPM and a PIN that you can't do with a TPM and a password more securely.


Wednesday, August 15, 2018 8:57 PM

A PIN is not improved security because now if users are forced to remember a password and a machine-specific PIN, the machine-specific PIN is going to get written down and stored on the user's desk somewhere since it won't be used often and the first time a user forgets it, they are going to write it down.

But I'm sure the view from the Ivory Tower makes it looks like "improved security".


Tuesday, February 12, 2019 7:52 PM

And why a credit card is only 4 digit PIN ?

Are you serious? It is because the card is the physical key itself, you carry it with you and don't leave unattended, its PIN is merely an additional security measure added on top of this.

No, i don't agree, requiring complex passwords came from the necessity to secure the network authentication/communication.

So you consider this enough to withdraw any right for physical security, am I getting you right? So, say, you have a PIN like 1113 and cut a finger so you had to enter your PIN. Someone looks at your keyboard and sees a couple of fresh (bloody?) fingerprints on keys 1 and 3. Guess how many PINs they will have to check for the "brute-force". Spoiler: 14 in the best (for you) scenario; 1 in 14 that it will be guessed on the first attempt.


Tuesday, February 12, 2019 11:47 PM

Are you serious? It is because the card is the physical key itself, you carry it with you and don't leave unattended, its PIN is merely an additional security measure added on top of this.

The TPM can be considered as the physical key itself; the PIN is merely an additional measure added on top of this.

So you consider this enough to withdraw any right for physical security, am I getting you right? So, say, you have a PIN like 1113 and cut a finger so you had to enter your PIN. Someone looks at your keyboard and sees that a couple of fresh (bloody?) fingerprints on keys 1 and 3.

Not all people on earth are paranoid like you, not all computers in the world are corporate ones or have sensitive data, not all computers have a physical keyboard but only a touchscreen. You are free to enforce a complex PIN code including alphabetical chars if you want. The minimum recommended PIN is 6 digits for corporate mobiles and Windows Hello computers. Finally, the TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.


Monday, May 20, 2019 8:49 PM | 1 vote

I don't want a pin. I already have a password. The whole point in using a fingerprint is to simplify login while maintaining security. Adding another password to remember is counter productive, and silly.



Wednesday, July 24, 2019 9:48 PM | 1 vote

It is amazing how naive some professionals can be: the argument that a PIN is more secure because it is stored in the TPM is hilarious.

Seriously, the weakest point is not where the PIN/password is stored but how complex it is. Having domain users change/remember their own password with acceptable complexity is a pain for any help desk in any organization, but now Microsoft, in order to simplify the user experience, wants the users to remember a second credential: the domain password and also a (possibly complex) PIN. Do you see the backfire?

Let home users use a PIN if you want, but the fallback mechanism for domain users must be allowed to be the Active Directory domain password; please stop this nonsense. The brains which thought up this nonsense should be fired; the incompetence exceeds the usual threshold... Nothing personal.

Thank you and regards


Thursday, July 25, 2019 1:14 PM

Passwords are obsolete.

Microsoft itself is working on eliminating passwords.

Read their recent whitepaper:

https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2KEup