Windows Hello Iris Scan + Password

[Bryan R.]

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. 

[Circaflex]

  On 22/01/2017 at 18:17, Bryan R. said:

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. 

Expand  

PIN is tied to the device

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

PIN is local to the device

A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.

PIN is backed by hardware

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.

User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.

The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.

PIN can be complex

The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.

 

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password

[Bryan R.]

  On 22/01/2017 at 18:22, Circaflex said:

PIN is tied to the device

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

PIN is local to the device

A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.

 

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password

Expand  

Point taken.. So a pin of numbers is going to be more secure than my good 'ol complex password anyway.

[goretsky Supervisor]

Hello,

 

A PIN can be more secure than a password, but just like bad passwords, there are bad PINs as well.

 

Regards,

 

Aryeh Goretsky

 

[PGHammer]

  On 22/01/2017 at 18:17, Bryan R. said:

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. 

Expand  

Actually, the PIN replaces the password - even when the iris scan is impossible (my desktop is the ONLY computer in the house without any sort of webcam); only my Mom's desktop uses a traditional password (preference only - her notebook uses a PIN); it does NOT require Windows Hello specifically.  (All my Insider hardware uses a PIN - not a password.)

[Bryan R.]

  On 24/01/2017 at 16:01, PGHammer said:

Actually, the PIN replaces the password - even when the iris scan is impossible (my desktop is the ONLY computer in the house without any sort of webcam); only my Mom's desktop uses a traditional password (preference only - her notebook uses a PIN); it does NOT require Windows Hello specifically.  (All my Insider hardware uses a PIN - not a password.)

Expand  

The password is not replaced.. My account still has a password which works for SMB authentications to shares. You wouldn't use a pin to authenticate PC to PC.