Do you use an Admin account or Standard User Account?

Do you use an Admin Account or a Standard User Account?

  • Admin Account: 87 votes (73.1%)
  • Standard User Account (SUA): 33 votes (27.7%)
  • Total voters: 119

simmerskool
Level 31
Apr 16, 2017
Yes, I understand, but your desktop can accept the Trusted Platform Module (TPM). See the image of a TPM chip below, what model is your motherboard?
asus X99-AII

Forget TPM here now. The PIN is more secure because it is tied to your device. One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! Do you understand now? (y)
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. 😉
Yes, got it, I'm always thinking of movies from 1940s - 50s where the bad guys break into your house and do bad things. So for anyone who could sit down at this keyboard, it IS easier, but away from this device unbreakable. Thanks.

In addition to what @piquiteco has posted, I'll add that because the PIN is tied to the machine, repeated attempts to brute-force the PIN will fail because the TPM anti-hammering technology will lock the machine, keeping it safe.
And if hammering locks the machine, how do I ever get back in?? :unsure: I fumble around in the AM until coffee kicks in.
 

oldschool
Level 82
Mar 29, 2018
So for anyone who could sit down at this keyboard, it IS easier,
No, as I explained above. PIN is superior to password.
and if hammering locks the machine, how do I ever get back in?? :unsure:
I can't answer what happens precisely, but I'm pretty certain that you could. You could ask on the MS forums.
 


oldschool
Level 82
Mar 29, 2018
@simmerskool here's the MS documentation TPM 2.0 anti-hammering
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
You can see from the italicized text that users are able to gain access after prescribed lockout time.

It always helps when users go directly to the documentation. ;)
 
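A small model of the lockout parameters quoted from the MS documentation above (lock after 32 remembered failures, one failure forgotten every 10 minutes, all forgotten after 320 minutes), added here as an illustration and not taken from the documentation or from anyone in the thread. The timeline of attempts is constructed, and the forgetting clock running continuously from the first failure is an assumed simplification of the real TPM counter.

```python
from dataclasses import dataclass

# Windows-configured TPM 2.0 dictionary-attack parameters from the quoted documentation.
MAX_TRIES = 32              # lock once this many failures are remembered
RECOVERY_SECONDS = 600      # one remembered failure is forgotten every 10 minutes


@dataclass
class TpmLockout:
    """Model of the TPM's failure counter and locked state (assumed simplification)."""
    failed_tries: int = 0
    decay_anchor: float = 0.0   # point from which 10-minute forgetting intervals are counted

    def _forget_old_failures(self, now: float) -> None:
        # Every full RECOVERY_SECONDS since the anchor forgets one failure.
        forgotten = int((now - self.decay_anchor) // RECOVERY_SECONDS)
        if forgotten > 0:
            self.failed_tries = max(0, self.failed_tries - forgotten)
            self.decay_anchor += forgotten * RECOVERY_SECONDS

    def attempt(self, now: float, correct: bool) -> str:
        """Return 'ok', 'fail' or 'locked' for an authorization attempt at time `now` (seconds)."""
        self._forget_old_failures(now)
        if self.failed_tries >= MAX_TRIES:
            return "locked"       # even the right PIN is refused while locked
        if correct:
            return "ok"
        self.failed_tries += 1
        return "fail"

    def is_locked(self, now: float) -> bool:
        self._forget_old_failures(now)
        return self.failed_tries >= MAX_TRIES


def simulate(events):
    """Run a constructed list of (seconds, correct) attempts and return the outcome per attempt."""
    tpm = TpmLockout()
    return [tpm.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed timeline: 32 wrong guesses in the first minute, the right PIN refused while
    # locked, then the right PIN accepted 10 minutes later once one failure has been forgotten.
    timeline = [(t, False) for t in range(32)] + [(90, True), (600, True)]
    for (t, _), outcome in zip(timeline, simulate(timeline)):
        print(f"t={t:5d}s -> {outcome}")
```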

simmerskool
Level 31
Apr 16, 2017
@simmerskool here's the MS documentation TPM 2.0 anti-hammering

You can see from the italicized text that users are able to gain access after prescribed lockout time.

It always helps when users go directly to the documentation. ;)
I doubt I said my system has TPM 2.0. I do know that MS pchealthcheck said my system has 3 issues prohibiting win11, one of which is TPM 2.0 must be supported, so I assume I have TPM 1.2, and I used to know that for sure, but for some reason I'm looking tonight and I can't find it. Oh well. I also know that I was able to set up a Windows Hello PIN yesterday. I remain a tad murky whether I have TPM 2.0 or 1.2 (or...?) if that matters re hammering. Apparently according to the same link, 2.0 is substantially different than 1.2. I have this vague recollection from the past of being locked out after N password failures on some devices, so doubtful (to me) that anti-hammering is unique to Windows Hello PIN. just sayin' ;) Good info thanks!!
 

piquiteco
Level 14
Oct 16, 2022
I remain a tad murky whether I have TPM 2.0 or 1.2 (or...?) if that matters re hammering. Apparently according to the same link, 2.0 is substantially different than 1.2
TPM 1.2 vs. 2.0 comparison👍
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
TPM recommendations (Windows) 😉
 

simmerskool
Level 31
Apr 16, 2017
TPM 1.2 vs. 2.0 comparison👍
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
TPM recommendations (Windows) 😉
fwiw my asus X99-II and Xeon are circa 2016-17... I was looking at specs last night and could not find info what I wanted. I then ran win System app and it says:
Device Encryption Support Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, TPM is not usable. o_O

Yet somehow I managed to fall asleep last night :rolleyes: I have no clear idea how, or if, this affects Windows Hello PIN... (too lazy to hammer it 32 times, I'd probably break something ;))
 

piquiteco
Level 14
Oct 16, 2022
fwiw my asus X99-II and Xeon are circa 2016-17... I was looking at specs last night and could not find info what I wanted. I then ran win System app and it says:
Device Encryption Support Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, TPM is not usable. o_O
If the device does not have a TPM chip, the private key is encrypted and protected by software. 😉 More information here -> Windows Hello - UWP applications 👍

@simmerskool TPM is FIDO Alliance compliant and is a security key that works similar to YubiKey. See, I added Windows Hello as a security key in my Dropbox; I logged in, then entered my PIN and it worked, see the spoiler screenshots. ;) Windows Hello is a FIDO2 Certified authenticator. Windows Hello FIDO2 Certification (y)
 

simmerskool
Level 31
Apr 16, 2017
If the device does not have a TPM chip, the private key is encrypted and protected by software. 😉 More information here -> Windows Hello - UWP applications 👍
The link about TPM, no chip, then software also says: "To enable Windows Hello on a device, the user must have either their Azure Active Directory account or Microsoft Account connected in Windows settings." ?? I thought you or @oldschool or someone said either you don't need a MS account or it is not linked to a MS account regarding privacy (or perhaps I misunderstood or inferred that??) :unsure::unsure:

@simmerskool TPM is FIDO Alliance compliant and is a security key that works similar to YubiKey. See, I added Windows Hello as a security key in my Dropbox; I logged in, then entered my PIN and it worked, see the spoiler screenshots. ;) Windows Hello is a FIDO2 Certified authenticator. Windows Hello FIDO2 Certification (y)
OK, I use my yubikey(s) on my hardware Host where I can, but when I'm going online nowadays 99% of the time I'm using a VM Guest, and I'm finding yubikey use in a VM is problematic, and I don't think it is just me given the research I skimmed through on this.
 

piquiteco
Level 14
Oct 16, 2022
The link about TPM, no chip, then software also says: "To enable Windows Hello on a device, the user must have either their Azure Active Directory account or Microsoft Account connected in Windows settings." ?? I thought you or @oldschool or someone said either you don't need a MS account or it is not linked to a MS account regarding privacy (or perhaps I misunderstood or inferred that??) :unsure::unsure:
I am logged in with a Microsoft account, and Windows Hello is working. No you need to, you forgot that Microsoft likes everyone to stay logged into their account; this is their marketing, not everything you read on the Microsoft site should you take into consideration. They say this because of the syncing of settings, your email accounts, the store. I will unplug here and test to see if it works without being logged into Microsoft. Windows Hello resides in Windows 10 and 11, and if you have TPM 2.0 you are more secure because it is a more modern technology. TPM 2.0 started appearing around 2017.
OK, I use my yubikey(s) on my hardware Host where I can, but when I'm going online nowadays 99% of the time I'm using a VM Guest, and I'm finding yubikey use in a VM is problematic, and I don't think it is just me given the research I skimmed through on this.
VMware? When I used a USB stick I had problems in VirtualBox. I did not test yubikey(s) because I did not have any, and for now I still do not; I would have to send a PM about it. This week I will sort out the purchase of yubikey(s), then I test and share with you and we find out why it does not work in a VM; it was supposed to work in theory, now in practice you said it is not working. And it is interesting to use a VM to surf the web, use Linux, Tor; you are more relaxed about malware and hackers using a VM. (y)
 

oldschool
Level 82
Mar 29, 2018
I thought you or @oldschool or someone said either you don't need a MS account or it is not linked to a MS account regarding privacy (or perhaps I misunderstood or inferred that??) :unsure::unsure:
You don't have to use your MS account to use PIN for computer access, but you do need it to use PIN for elevation prompts. The latter is what makes using PIN particularly attractive to me.
 

Shadowra
Level 34
Sep 2, 2021
Standard for me.
I copied a bit what Linux does, which does not create an Admin account by default but a limited account, and asks for an elevation of privilege to do actions.
And I like this security and not a 100% admin system. It's also a good way to avoid some malware.
 

Pixelman
Level 4
Jun 7, 2022
I have a question.

I used a password for my login, so I decided to add a PIN. The thing is, I can not remove my password to only have a PIN for login.
Removing my password, I get a notification that a PIN requires having a password. All I want is to use a PIN without a password. I don't use a MS account.

Why is that?


simmerskool
Level 31
Apr 16, 2017
I am logged in with a Microsoft account, and Windows Hello is working. No you need to, you forgot that Microsoft likes everyone to stay logged into their account; this is their marketing, not everything you read on the Microsoft site should you take into consideration. They say this because of the syncing of settings, your email accounts, the store. I will unplug here and test to see if it works without being logged into Microsoft. Windows Hello resides in Windows 10 and 11, and if you have TPM 2.0 you are more secure because it is a more modern technology. TPM 2.0 started appearing around 2017.

VMware? When I used a USB stick I had problems in VirtualBox. I did not test yubikey(s) because I did not have any, and for now I still do not; I would have to send a PM about it. This week I will sort out the purchase of yubikey(s), then I test and share with you and we find out why it does not work in a VM; it was supposed to work in theory, now in practice you said it is not working. And it is interesting to use a VM to surf the web, use Linux, Tor; you are more relaxed about malware and hackers using a VM. (y)
I don't sync my accounts except for syncing between my mac_mini and my iphone (apple icloud), no MS mail, etc. USB flash drives work aok for me in VMware, but not the yubikeys?? Yes, I have a linux_vm too and use it. Yes, I am more relaxed about malware using a VM_win10vm.
 

oldschool
Level 82
Mar 29, 2018
I have a question.

I used a password for my login, so I decided to add a PIN. The thing is, I can not remove my password to only have a PIN for login.
Removing my password, I get a notification that a PIN requires having a password. All I want is to use a PIN without a password. I don't use a MS account.

Why is that?
It's because your password is still required for elevation prompts, as explained in my post #115 above.
 

simmerskool
Level 31
Apr 16, 2017
It's because your password is still required for elevation prompts, as explained in my post #115 above.
Yes, but I'm 99.99% sure that I am now using my new-ish PIN for elevation prompts; the admin acct has a PIN, and the SUA has a PIN on some of my VMs. Other VMs have only a pw.
 
ForgottenSeer 98186

I am logged in with a Microsoft account, and Windows Hello is working. No you need to, you forgot that Microsoft likes everyone to stay logged into their account; this is their marketing, not everything you read on the Microsoft site should you take into consideration. They say this because of the syncing of settings, your email accounts, the store. I will unplug here and test to see if it works without being logged into Microsoft. Windows Hello resides in Windows 10 and 11, and if you have TPM 2.0 you are more secure because it is a more modern technology. TPM 2.0 started appearing around 2017.
Microsoft Account and syncing (browser extensions and desktop settings) offers some convenience. Microsoft Store app sync is more problematic, when it starts to install apps for AMD on an Intel system, and vice versa. Now the Microsoft Account permits easy transfer of Microsoft software from an old to a new system, without having to purchase a new license and without having to go through very slow Microsoft support.

With the accelerated pace at which Microsoft is changing its hardware requirements, I will not be surprised if a system purchased in 2021 will not be accepted for the next major version of Windows in 2024. Ah well, can always migrate to Linux.
 

Ink
Administrator
Jan 8, 2011
I used a password for my login, so I decided to add a PIN. The thing is, I can not remove my password to only have a PIN for login.
Removing my password, I get a notification that a PIN requires having a password. All I want is to use a PIN without a password. I don't use a MS account.
Try removing all login security and start again.
 
