Windows Hello Iris Scan + Password



I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. :(


  On 22/01/2017 at 18:17, Bryan R. said:

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. :(


PIN is tied to the device

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

PIN is local to the device

A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.

PIN is backed by hardware

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.

User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users' credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.

The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.

PIN can be complex

The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.

 

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password
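
The sign-in flow quoted in the post above, sketched as an added example (not part of the original post and not Microsoft's code): the PIN only gates a device-held private key, and the server sees nothing but a public key and a signature. `Device`, `Enroll`, `Sign`, `ServerVerify` and `maxFailures` are hypothetical names, a plain struct stands in for the TPM, and Ed25519 is an assumed algorithm chosen for the sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device is a hypothetical stand-in for the TPM: key and PIN never leave it.
type Device struct {
	priv     ed25519.PrivateKey
	pin      string
	failures int
}

const maxFailures = 3 // constructed limit, not the real TPM threshold
var ErrLocked, ErrBadPIN = errors.New("device locked"), errors.New("wrong PIN")

// Enroll makes the key pair on the device; only the public key goes to the server.
func Enroll(pin string) (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // RNG failure not handled here
	return &Device{priv: priv, pin: pin}, pub
}

// Sign signs the server's challenge only when the correct PIN is entered locally.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= maxFailures {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		d.failures++
		return nil, ErrBadPIN
	}
	d.failures = 0
	return ed25519.Sign(d.priv, challenge), nil
}

// ServerVerify is the identity provider's check; it holds no PIN and no private key.
func ServerVerify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	dev, pub := Enroll("4821") // constructed PIN
	nonce := []byte("constructed-server-nonce")
	sig, err := dev.Sign("4821", nonce)
	fmt.Println("signed:", err == nil, "accepted:", ServerVerify(pub, nonce, sig))
}
```

Knowing the PIN without the enrolled device yields a signature the server rejects, and repeated wrong guesses lock the device rather than the account.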

  On 22/01/2017 at 18:22, Circaflex said:

PIN is tied to the device

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

PIN is local to the device

A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.

 

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password


Point taken.. So a pin of numbers is going to be more secure than my good 'ol complex password anyway.

  On 22/01/2017 at 18:17, Bryan R. said:

I have been very surprised to find that using the Iris Scanner requires a pin as well so that you can use the pin when the scan does not work. Why is a password not accepted in combination with the scanner?

 

I use it both on my Surface Pro 4 and Lumia 950. The only reason I can think of is compatibility with Windows Phone since you can't enter passwords there. It is just frustrating. :(


Actually, the PIN replaces the password - even when the iris scan is impossible (my desktop is the ONLY computer in the house without any sort of webcam); only my Mom's desktop uses a traditional password (preference only - her notebook uses a PIN); it does NOT require Windows Hello specifically.  (All my Insider hardware uses a PIN - not a password.)

  On 24/01/2017 at 16:01, PGHammer said:

Actually, the PIN replaces the password - even when the iris scan is impossible (my desktop is the ONLY computer in the house without any sort of webcam); only my Mom's desktop uses a traditional password (preference only - her notebook uses a PIN); it does NOT require Windows Hello specifically.  (All my Insider hardware uses a PIN - not a password.)


The password is not replaced.. My account still has a password which works for SMB authentications to shares. You wouldn't use a pin to authenticate PC to PC.

This topic is now closed to further replies.