Can a PIN be safer than a Password?

Introduction

In today’s digital landscape, where remote workers are the norm, ensuring the security of our computer systems is paramount. This blog post will explore the advantages of using a Personal Identification Number (PIN) with Windows Hello for Business, highlighting why it can be a safer alternative to traditional complex passwords.

Authentication Basics

Before delving into the benefits of a PIN, let’s review some authentication basics. Traditionally, users have relied on a combination of usernames and complex passwords stored in a directory service such as Windows AD or Entra ID. However, we have come to understand the challenges associated with complex passwords: they get written down, reused across multiple platforms, and captured through social engineering attacks.

Issues with Complex Passwords

Complex passwords, while secure, are hard to remember and are therefore often written down. That becomes a real problem when the note is stolen together with the laptop. Users may also reuse the same password across different platforms, so a data breach at any one of them exposes the others. Furthermore, the human tendency to fall back on predictable patterns, and to fall victim to social engineering attacks, remains a significant concern.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) has proven effective in safeguarding users’ accounts. MFA combines multiple authentication factors: something we know, such as a password; something we have, such as a hardware token; and something we are, such as a biometric like a fingerprint or facial scan. This layered approach significantly enhances security.

Windows Hello and TPM

PIN Unlock

Now, let’s shift our focus to how a PIN, specifically with Windows Hello for Business, addresses the issues with traditional passwords while maintaining a high level of security. We’ll start by reviewing the Trusted Platform Module. The Trusted Platform Module (TPM) is a hardware-based crypto-processor available in most modern client workstations and laptops. It is tamper-resistant and bound to the hardware, which makes it resistant to compromise by hardware or software attacks.

Windows Hello uses the TPM to create and store certificates or asymmetric key pairs. The credential information is stored in the TPM at the initial Entra ID or Windows AD sign-in, and these credentials are bound to that device’s TPM. By default, the initial login uses a username and password; another option, called a Temporary Access Pass, can be used to secure the initial login further.

When the user logs in after the initial sign-in, Windows Hello requires a PIN or a biometric such as facial recognition to unlock the certificate in the TPM. With Windows Hello for Business, this authentication is local to the device. Unlike a traditional password used across multiple devices, the PIN authentication process relies on the device’s TPM and is confined to that hardware device. It is impossible to use the PIN to authenticate from a different computer.

The advantages of using a PIN with Windows Hello for Business include:

PINs are easier to remember than complex passwords. Reducing complexity also reduces the likelihood of users writing them down, and enforced account lockouts further mitigate the risk of unauthorized access by someone trying to guess a PIN.

PINs are configurable. Administrators can enforce minimum PIN lengths and complexity requirements, providing flexibility in balancing security and usability. This is done with an Active Directory Domain Services GPO or an Intune Policy.

A PIN offers a level of protection similar to traditional MFA. Technically speaking, it is a form of MFA: Windows Hello for Business requires something we have (the certificate on the TPM) together with something we know (the PIN) or, if configured, something we are (a facial scan).
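The flow described in the PIN Unlock section and the lockout and MFA points above, as an added Go example that is not code from the original post or from Windows Hello itself: a device-held key pair stands in for the TPM-bound certificate, a PIN check with a constructed three-attempt lockout gates its use, and the identity provider verifies a signed nonce against the public key it enrolled at the first sign-in. The names (Device, IdP, Authenticate, maxPINAttempts) and the lockout threshold are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const maxPINAttempts = 3 // constructed lockout threshold, not a product default
// digest hashes a message the way both sides must before signing or verifying.
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Device stands in for a workstation whose key pair lives in the TPM: the private
// key never leaves the device and is usable only after the local PIN check passes.
type Device struct {
	key      *ecdsa.PrivateKey
	pinHash  [32]byte
	failures int
}

func NewDevice(pin string) *Device {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{key: k, pinHash: sha256.Sum256([]byte(pin))}
}

// SignChallenge is the PIN-gated TPM operation; wrong guesses count towards lockout.
func (d *Device) SignChallenge(pin string, nonce []byte) ([]byte, error) {
	if d.failures >= maxPINAttempts {
		return nil, errors.New("device locked")
	}
	if sha256.Sum256([]byte(pin)) != d.pinHash {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	return ecdsa.SignASN1(rand.Reader, d.key, digest(nonce))
}

// IdP holds only the public key enrolled at the initial sign-in.
type IdP struct{ enrolled *ecdsa.PublicKey }
// Authenticate runs one round: the IdP issues a fresh nonce, the device signs it
// with the TPM key, and the IdP checks the signature against the enrolled key.
func Authenticate(idp *IdP, d *Device, pin string) bool {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig, err := d.SignChallenge(pin, nonce)
	return err == nil && ecdsa.VerifyASN1(idp.enrolled, digest(nonce), sig)
}
```

The same PIN entered on a second device fails because that device’s key was never enrolled, and three wrong guesses lock the enrolled device even for the right PIN.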

Summary

Using a PIN with Windows Hello for Business offers a secure and convenient alternative to traditional complex passwords. By leveraging the TPM and incorporating multi-factor authentication principles, this approach provides a robust defense against unauthorized access. As we navigate the evolving digital security landscape, adopting innovative solutions like the PIN with Windows Hello becomes increasingly crucial.
