Windows Hello Iris Scan + Password



I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. :(


On 22/01/2017 at 18:17, Bryan R. said:

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. :(


PIN is tied to the device

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

PIN is local to the device

A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.

PIN is backed by hardware

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.

User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users' credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.

The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.

PIN can be complex

The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.

 

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password
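The sign-in flow the quoted TechNet text describes (PIN unlocks a device-bound private key, the key signs the provider's challenge, the provider holds only the public key) as an added model in Go. This is example code, not Windows Hello's implementation: the TPM is stood in for by a struct that never exports its key, the PIN check is a hash comparison, and `maxFailures` is a constructed lockout threshold.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const maxFailures = 5 // constructed threshold standing in for the TPM's anti-hammering lockout

// Device stands in for the TPM-backed key container: the private key is
// generated here and never exported; the PIN only gates its use.
type Device struct {
	pinHash  [32]byte
	priv     *ecdsa.PrivateKey
	Pub      ecdsa.PublicKey // the only thing the identity provider keeps
	failures int
}

// NewDevice models enrollment: the key pair is born on the device; only the public half goes to the provider.
func NewDevice(pin string) *Device {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{pinHash: sha256.Sum256([]byte(pin)), priv: priv, Pub: priv.PublicKey}
}

// SignChallenge is sign-in: the PIN unlocks the key locally and the key signs the
// provider's challenge. The PIN itself is never transmitted.
func (d *Device) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= maxFailures {
		return nil, errors.New("device locked after too many wrong PINs")
	}
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], d.pinHash[:]) != 1 {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// VerifyChallenge is the provider side: a public key is all it needs, so a breach
// of its database yields nothing that can sign in as the user.
func VerifyChallenge(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A second device enrolled with the same PIN gets a different key pair, which is what "the PIN is tied to the device" means in practice.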

On 22/01/2017 at 18:22, Circaflex said:

PIN is tied to the device

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

PIN is local to the device

A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.

 

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password


Point taken. So a PIN of numbers is going to be more secure than my good ol' complex password anyway.

On 22/01/2017 at 18:17, Bryan R. said:

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. :(


Actually, the PIN replaces the password - even when the iris scan is impossible (my desktop is the ONLY computer in the house without any sort of webcam); only my Mom's desktop uses a traditional password (preference only - her notebook uses a PIN); it does NOT require Windows Hello specifically. (All my Insider hardware uses a PIN - not a password.)

On 24/01/2017 at 16:01, PGHammer said:

Actually, the PIN replaces the password - even when the iris scan is impossible (my desktop is the ONLY computer in the house without any sort of webcam); only my Mom's desktop uses a traditional password (preference only - her notebook uses a PIN); it does NOT require Windows Hello specifically. (All my Insider hardware uses a PIN - not a password.)


The password is not replaced. My account still has a password which works for SMB authentications to shares. You wouldn't use a PIN to authenticate PC to PC.
