Windows Hello: why securing your device with a PIN is a good idea.

Windows Hello is a biometrics-based technology that gives Windows 10 users a more personal and more secure way to sign in to their Windows 10 devices, using facial recognition, a fingerprint, an iris scan, or a PIN.

Microsoft is moving away from passwords because they are considered less secure for many reasons. The fundamental ones for me are:

  • People tend to reuse the same password across different applications, so one leak exposes several accounts.
  • Unless you sign in to Windows 10 with a local (offline) account, you are signing in with your Microsoft account credentials. If those fall into the wrong hands, not only is your Windows 10 device compromised, your whole Microsoft account is exposed as well.
  • This is compounded if you also use Microsoft OneDrive as your cloud storage, since it is accessed with the same Microsoft credentials.

How does Hello work?

Once configured, Windows Hello recognises the user's face, iris or fingerprint and, once recognised, signs them in to the PC automatically. For face and iris recognition this is just a matter of looking at the computer's camera; for fingerprint recognition, touching the fingerprint sensor.

A standard webcam cannot be used for face or iris recognition. Windows Hello needs a camera with an infrared (IR) sensor, such as an Intel RealSense depth camera module. Because recognition works on the IR image (and, on depth cameras, the three-dimensional shape of the face) rather than an ordinary colour image, the camera can tell the difference between the actual user looking into it and a photograph.

So that's great if you have an all-singing, all-dancing laptop with the latest security hardware, but what about users' existing devices: can they be made more secure? The answer is yes, and this is where a PIN helps.

Use PIN

A Windows Hello PIN is an alternative to a password for unlocking your Windows 10 device. The PIN is tied to the individual device and is never transmitted to a server. When the PIN is created, the device establishes a trusted relationship with the identity provider and generates an asymmetric key pair; on a device with a TPM the private key is protected by the TPM and never leaves it, and only the public key is registered with the identity provider. When you enter your PIN, it unlocks that private key, which signs the authentication request sent to the server; the server checks the signature with the matching public key. A password, by contrast, is a shared secret that has to be sent to and stored by the server, which is why a leaked password can be used from anywhere, while a leaked PIN is useless without the device it belongs to.

A Windows Hello PIN can be complex: you can use letters and special characters, as you would in a normal password, rather than only digits. Its strength does not come from length alone, though. It only works on this one device, and on a TPM-backed device the TPM's anti-hammering protection slows down and then locks out repeated wrong guesses, so an attacker cannot simply try every combination.
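To make the sign-in flow above concrete, here is a small software model of it in PowerShell. This is an added example, not code from the original post or from Microsoft: the device holds a private key that the PIN unlocks, the server holds only the public key, and what crosses the network is a signature over a fresh nonce, never the PIN. The function names (New-HelloDevice, Invoke-HelloSignIn and so on) are invented for the demo, the PIN check and lockout counter stand in for what the TPM does on a real device, and the key is an in-memory ECDSA key rather than a TPM-resident one.

```powershell
# Added example (not from the original post): a toy model of Windows Hello PIN sign-in.
# On a real device the private key lives in the TPM (Microsoft Platform Crypto Provider)
# and the TPM enforces the PIN and its lockout; here both are simulated in software.

function New-HelloDevice {
    param([Parameter(Mandatory)][string]$Pin)

    # Per-device asymmetric key pair (ECDsa.Create() gives P-256 by default).
    $key = [System.Security.Cryptography.ECDsa]::Create()

    # The PIN is only ever verified locally: keep a salted PBKDF2 hash of it.
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Pin, $salt, 100000)

    [pscustomobject]@{
        Key         = $key
        Salt        = $salt
        PinHash     = $kdf.GetBytes(32)
        FailedTries = 0                        # simulated anti-hammering counter
        PublicKey   = $key.ExportParameters($false)   # the only part the server ever sees
    }
}

function Test-HelloPin {
    param($Device, [string]$Pin)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Pin, $Device.Salt, 100000)
    # Toy comparison; a real implementation would compare in constant time.
    return [Convert]::ToBase64String($kdf.GetBytes(32)) -ceq [Convert]::ToBase64String($Device.PinHash)
}

function New-HelloServer {
    param($PublicKeyParameters)
    # The identity provider stores the public key registered at enrolment, nothing secret.
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($PublicKeyParameters)
    [pscustomobject]@{
        Verifier     = $verifier
        IssuedNonces = [System.Collections.Generic.HashSet[string]]::new()
    }
}

function New-HelloChallenge {
    param($Server)
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    [void]$Server.IssuedNonces.Add([Convert]::ToBase64String($nonce))
    return $nonce
}

function Invoke-HelloSignIn {
    param($Device, [string]$Pin, [byte[]]$Nonce)
    if ($Device.FailedTries -ge 5) { throw 'Device locked: too many wrong PIN attempts' }
    if (-not (Test-HelloPin $Device $Pin)) {
        $Device.FailedTries++
        throw 'Wrong PIN (checked locally; nothing was sent to the server)'
    }
    $Device.FailedTries = 0
    # The PIN unlocked the key; the key signs the server's nonce. Only this signature
    # travels over the network.
    return $Device.Key.SignData($Nonce, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

function Confirm-HelloSignIn {
    param($Server, [byte[]]$Nonce, [byte[]]$Signature)
    # Each nonce is accepted once, so a captured signature cannot be replayed.
    if (-not $Server.IssuedNonces.Remove([Convert]::ToBase64String($Nonce))) { return $false }
    return $Server.Verifier.VerifyData($Nonce, $Signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

# Walk-through: enrol, sign in correctly, attempt a replay, then try a wrong PIN.
$device = New-HelloDevice -Pin 'Correct-Horse-7'
$server = New-HelloServer -PublicKeyParameters $device.PublicKey

$nonce = New-HelloChallenge $server
$sig   = Invoke-HelloSignIn $device 'Correct-Horse-7' $nonce
"Correct PIN, fresh nonce accepted: $(Confirm-HelloSignIn $server $nonce $sig)"
"Replayed signature accepted:       $(Confirm-HelloSignIn $server $nonce $sig)"
try   { Invoke-HelloSignIn $device '0000' (New-HelloChallenge $server) | Out-Null }
catch { "Wrong PIN: $($_.Exception.Message)" }
```

The point to notice is what each side holds: the server could be fully compromised and the attacker would get a public key and some used nonces, neither of which lets them sign in, and a stolen PIN on its own is worthless because the key it unlocks is on the device. Compare that with a password, which the server must receive in full on every sign-in.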

How to setup Windows 10 to use a PIN

Windows 10 prompts you to create a PIN during setup, and on upgrade from version 1607 onwards. If for any reason you want to change your PIN, follow this procedure.

Go to Settings > Accounts > Sign-in options.

Click on the Windows Hello PIN option.

Click on the Change button and the Change your PIN dialogue will appear.

Enter your current PIN, then enter a new PIN and confirm it by entering it again. Note the tick box that allows letters and symbols in the PIN. Finally, click OK and the new PIN will be created.

If you want to enforce the use of a PIN instead of a password, toggle "Require Windows Hello sign-in for Microsoft accounts" to the On position on the same Sign-in options page.

Close the Settings window, sign out and sign in again; you will now be prompted for your PIN to access the device.
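The Settings steps above change the PIN but do not tell you whether it is actually backed by a TPM, which is what makes a PIN materially safer than a password on a stolen device. The following PowerShell function, an added example that is not part of the original post, reports the TPM state and any Windows Hello policy values present on the machine. It assumes the policy registry paths used by the Windows Hello for Business Group Policy templates (HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork and its PINComplexity subkey, with 0 = allowed, 1 = required, 2 = not allowed for the character-class values); on an unmanaged home PC those keys are usually absent and the function simply reports that. Get-Tpm needs an elevated prompt.

```powershell
# Added example (not from the original post): check whether this Windows 10 device can
# back its Windows Hello PIN with a TPM and which Hello policies (if any) are in force.
# Run from an elevated PowerShell prompt; Get-Tpm requires administrator rights.
function Get-HelloPinReadiness {
    $result = [ordered]@{}

    # Without a TPM the PIN-protected private key is stored in software and is only
    # as safe as the disk it sits on.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }
    catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
        $result.TpmError   = $_.Exception.Message   # e.g. not elevated, or no TPM driver
    }

    # Policy values written by the Windows Hello for Business templates (assumed paths).
    $policyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $complexityPath = Join-Path $policyPath 'PINComplexity'

    $result.HelloPolicyPresent = Test-Path $policyPath
    if ($result.HelloPolicyPresent) {
        $p = Get-ItemProperty -Path $policyPath
        $result.HelloForBusinessEnabled = ($p.Enabled -eq 1)
        $result.TpmRequiredByPolicy     = ($p.RequireSecurityDevice -eq 1)
    }

    $result.PinComplexityPolicyPresent = Test-Path $complexityPath
    if ($result.PinComplexityPolicyPresent) {
        $c = Get-ItemProperty -Path $complexityPath
        $classes = @{ 0 = 'allowed'; 1 = 'required'; 2 = 'not allowed' }
        $result.MinimumPINLength  = $c.MinimumPINLength
        $result.MaximumPINLength  = $c.MaximumPINLength
        $result.Digits            = $classes[[int]$c.Digits]
        $result.LowercaseLetters  = $classes[[int]$c.LowercaseLetters]
        $result.UppercaseLetters  = $classes[[int]$c.UppercaseLetters]
        $result.SpecialCharacters = $classes[[int]$c.SpecialCharacters]
    }

    # Plain-language verdicts a practitioner can act on.
    $advice = @()
    if (-not $result.TpmReady) {
        $advice += 'No ready TPM: enable it in firmware (or accept a software-protected key).'
    }
    if ($result.HelloPolicyPresent -and -not $result.TpmRequiredByPolicy) {
        $advice += 'Policy does not require a hardware security device; set RequireSecurityDevice=1.'
    }
    if (-not $result.PinComplexityPolicyPresent) {
        $advice += 'No PIN complexity policy: the user can pick a short, digits-only PIN.'
    }
    $result.Advice = $advice

    [pscustomobject]$result
}

Get-HelloPinReadiness | Format-List
```

A device that reports TpmReady = True is the one the rest of this post is describing: the key the PIN unlocks never leaves the chip, so a thief cannot copy it off the disk and guess the PIN offline.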

Forgotten your PIN

If for any reason you have forgotten your PIN, you can reset it by clicking on the "I forgot my PIN" link on the sign-in screen. You will be asked to sign in with your Microsoft account credentials. Once signed in, you will see a warning that changing your PIN will sign you out of existing accounts on the device and so on. If you are happy to proceed, click Continue, set the new PIN and follow any prompts to save the changes. You should now be able to sign back in to your device with the new PIN.

Conclusion

Using a Windows Hello PIN is a more secure way to lock down your device without typing your Microsoft credentials at every sign-in. A Windows Hello PIN can only be used on the device it was created on, so if that device is stolen it cannot be signed in to without the correct PIN. Two caveats are worth remembering. First, the PIN protects sign-in, not the data on the disk: someone who boots the stolen machine from a USB stick can read the drive unless BitLocker is enabled, so turn it on as well. Second, the protection against PIN guessing depends on the private key living in a TPM; on a device without one, the key is a file on that same unencrypted disk, which is all the more reason to have BitLocker on.