
Microsoft is making Windows passwordless - jhatax
https://www.theverge.com/2019/7/11/20690359/microsoft-windows-10-passwordless-password-option-update
======
sarcasmatwork
>This means PCs will use Windows Hello face authentication, fingerprints, or a
PIN code. The password option will simply disappear from the login screen, if
you decide to opt-in to this new “make your device passwordless” feature.

All bad ideas imho. How is a PIN different than a password? "face
authentication" has never been accurate for people of color afaik. I can't
stand Win10, forced to use it at work but I will never use it for any of my
personal computers until they remove the phone-home-back-door-ability and the
many more dumb and silly features.

~~~
HomeDeLaPot
Aren't PINs, face recognition, and fingerprint scanning all less secure than
passwords?

Worst part is, I recently installed Windows and it FORCED me to use a PIN
until I finished setup and went back into the settings to disable it.

Why does Microsoft think passwords and consumer choice are going out of style?

~~~
Technetium_Hat
PINs are encouraged because when a password is used, it is the user's
Microsoft account password. By not entering this password publicly, it
increases the security of the Microsoft account.

~~~
ircdrone
Specifically, how is a PIN, which is usually shorter, more secure than a
password? Or how is it different from a password if it has the same
characteristics?

Edit: to me it seems like Microsoft is using a password for their cloud
account, and a rebranded password for offline access.

~~~
WorldMaker
The PIN is used to unlock a private key in the hardware TPM module. The
private key is then used to unlock the account. The PIN is more secure because
it's really just an unlock code for a hardware private key. It's the private
key doing the hard work of unlocking the local account (and even unlocking
secure access to the cloud account without password entry). The PIN is only
sent to the TPM on that device (and the TPM is built so that it only accepts
PINs physically entered on that device, lockouts after bad attempts, etc.) and
only used to unlock that private key and not stored anywhere else or sent over
the wire to any other machine.

It changes the threat model from "knows password" to "knows PIN and has
physical access to user's device".

ETA: Something the article should probably have better underscored was
Microsoft was specifically talking about "Windows Hello" PIN entry rather than
PIN usage in general.
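
The mechanism described in the comment above, as an added toy model (not Microsoft's or Windows Hello's actual code): a simulated TPM keeps a P-256 private key that never leaves it, releases a signature over a server-issued nonce only when the locally entered PIN matches, and locks out after repeated failures, so the server only ever holds a public key. The type and function names, the five-attempt threshold and the sample nonce are invented for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const maxFailures = 5 // hypothetical lockout threshold, not a real TPM policy

// SimTPM models the device's TPM: the key never leaves it and use is gated on a PIN.
type SimTPM struct {
	key      *ecdsa.PrivateKey
	pinHash  [32]byte
	failures int
}

// Enroll creates a device-bound key protected by pin; the server only learns the public half.
func Enroll(pin string) (*SimTPM, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SimTPM{key: key, pinHash: sha256.Sum256([]byte(pin))}, &key.PublicKey, nil
}

// SignChallenge signs the server's nonce only if the PIN, checked inside the "chip", matches.
func (t *SimTPM) SignChallenge(pin string, nonce []byte) ([]byte, error) {
	if t.failures >= maxFailures {
		return nil, errors.New("locked out after repeated bad PINs")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		t.failures++
		return nil, errors.New("wrong PIN")
	}
	t.failures = 0
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, t.key, digest[:])
}

// VerifyLogin is the server side: verify the signature over its nonce with the enrolled public key.
func VerifyLogin(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Stealing the PIN alone is useless to an attacker here because it unlocks nothing without the device holding the key, which is the "knows PIN and has physical access" threat model the comment describes.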

~~~
ircdrone
“The PIN is more secure because it's really just an unlock code for a hardware
private key.” So it is a password for the hardware private key. But rebranded
as a PIN so Microsoft sounds as if it does something to innovate.

~~~
WorldMaker
It's not really a rebranding because the use of the word PIN here is closer to
(and derived from) the use of a PIN in the older, traditional multi-factor
sense where for instance a bank card PIN only worked with the associated bank
card present. PIN versus Password has almost always implied this sort of
multi-factor distinction, and Microsoft if anything is just reusing an old
term for what it was meant for.

------
yellowapple
How might this be compatible with Active Directory (as in _real_ Active
Directory, not the Azure version that's AD in name only)?

