Windows 10 will support a 'no password' sign-in method for Microsoft accounts



On July 10, 2019 Microsoft released a preview build of Windows 10 20H1, which is scheduled for official release in spring 2020, to members of the Windows Insider Program, a group of collaborators who get access to the latest Windows 10 features ahead of the public release. In Windows 10 20H1, 'the ability to sign in to a Microsoft account without a password on a Windows 10 device' has been added.

Announcing Windows 10 Insider Preview Build 18936 | Windows Experience Blog
https://blogs.windows.com/windowsexperience/2019/07/10/announcing-windows-10-insider-preview-build-18936/

According to Microsoft, Windows 10 20H1 also adds 'a phone app that can be used on Surface devices' and 'a function that makes it easy to create an event from the taskbar'.


In addition to these new features, Microsoft is introducing 'Sign in to a Microsoft account without a password'. On a Windows 10 20H1 device you can choose to sign in to your Microsoft account without a password, using Windows Hello with fingerprint or face recognition, or with a PIN code.


Since a PIN can be as short as four digits, many people may worry that it is less secure than a password made of a long string of characters. However, Microsoft claims that signing in with a PIN is 'more secure than entering a password.'

Microsoft has released a video on YouTube explaining why signing in with a PIN is safe.

Why is the PIN for Windows Hello more secure than a password? | One Dev Question-YouTube


'You may be wondering why a PIN code that is simpler than a password is more secure than a password,' said Dana Huang, director of Microsoft's security engineering department.


The answer is that 'a password is a symmetric (shared) secret, while a PIN is not.' With a symmetric secret, the server has to hold something derived from the password in order to check it, so the same password proves identity from anywhere. With the Windows Hello PIN, the information needed to sign in is stored on the device the user is using: the PIN unlocks a private key that never leaves the device, and the server keeps only the matching public key, which is useless for signing in on its own.

If an attacker learns someone's password, for example by watching it being typed, they can enter it from any device, whether their own PC or a machine in an internet cafe, and get into the account. The password is checked only against the server, so it does not matter who is signing in from which device. With the Windows Hello PIN, on the other hand, the information needed to sign in exists only on that particular device, so even if the PIN leaks, the attacker cannot sign in to the account without also getting hold of the device itself.

Every additional place you type a password is another chance for a third party to learn it. If you normally sign in only with the PIN tied to the device and never type the password, a third party cannot easily get into the account unless the device itself is stolen. Huang adds that the PIN is protected by the Trusted Platform Module (TPM), the security chip built into the device, which also limits how many wrong PIN guesses can be attempted.
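The difference described above can be shown in a few dozen lines. The following Go program is an added example, not code from Microsoft or from the article: it models a password server that stores a salted hash (a shared secret, replayable from any machine) next to a Windows Hello style server that stores only a public key whose private half lives inside a device and is unlocked by a PIN. The password 'Tr0ub4dor&3', the PIN '1234' and the lockout limit of five guesses are constructed values; the lockout counter stands in for the TPM's anti-hammering protection and is not how a real TPM is driven.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ---- Password: a shared (symmetric) secret ----

// PasswordServer holds a salted hash of the password. Whoever knows the password
// can prove it from any machine, because the proof is the secret itself.
// (Plain SHA-256 keeps the toy short; a real server would use a slow hash such as PBKDF2.)
type PasswordServer struct {
	salt []byte
	hash [32]byte
}

func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

func NewPasswordServer(password string) *PasswordServer {
	salt := make([]byte, 16)
	rand.Read(salt)
	return &PasswordServer{salt: salt, hash: hashPassword(salt, password)}
}

// Login has nothing device-specific to check: the password alone is enough.
func (s *PasswordServer) Login(password string) bool {
	h := hashPassword(s.salt, password)
	return subtle.ConstantTimeCompare(h[:], s.hash[:]) == 1
}

// ---- Windows Hello style PIN: an asymmetric key bound to one device ----

// maxPINAttempts stands in for the TPM anti-hammering counter (value chosen for the example).
const maxPINAttempts = 5

// Device models a PC with a TPM: the private key is generated inside the device and
// never exported; the PIN only unlocks its use on this device.
type Device struct {
	pin      string
	priv     *ecdsa.PrivateKey
	failures int
}

func NewDevice(pin string) *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{pin: pin, priv: k}
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign checks the PIN locally and, if it is right, signs the server's challenge.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= maxPINAttempts {
		return nil, errors.New("device locked: too many wrong PIN attempts")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// HelloServer stores only the public key the user's device registered; the PIN never reaches it.
type HelloServer struct{ pub *ecdsa.PublicKey }

func (s *HelloServer) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

func (s *HelloServer) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}

// Outcome records what an attacker can do with each leaked secret.
type Outcome struct {
	LeakedPasswordFromOtherPC bool // shoulder-surfed password typed on the attacker's PC
	LeakedPINFromOtherPC      bool // shoulder-surfed PIN used on the attacker's PC
	PINOnRightDevice          bool // the real user on the registered device
	WrongPINsBeforeLock       int  // guesses a stolen device allows before locking
}

// Run plays the scenarios with the constructed password "Tr0ub4dor&3" and PIN "1234".
func Run() Outcome {
	var out Outcome
	ps := NewPasswordServer("Tr0ub4dor&3")
	out.LeakedPasswordFromOtherPC = ps.Login("Tr0ub4dor&3") // accepted from anywhere

	user := NewDevice("1234")
	hs := &HelloServer{pub: user.PublicKey()}

	attackerPC := NewDevice("1234") // knows the PIN, but its key was never registered
	ch := hs.Challenge()
	sig, _ := attackerPC.Sign("1234", ch)
	out.LeakedPINFromOtherPC = hs.Verify(ch, sig)

	ch = hs.Challenge()
	sig, err := user.Sign("1234", ch)
	out.PINOnRightDevice = err == nil && hs.Verify(ch, sig)

	stolen := NewDevice("1234") // even with the device, guessing is throttled
	for {
		if _, err := stolen.Sign("0000", ch); err != nil && err.Error() != "wrong PIN" {
			break
		}
		out.WrongPINsBeforeLock++
	}
	return out
}

func main() { fmt.Printf("%+v\n", Run()) }
```

Running it shows the leaked password accepted from the attacker's machine, the leaked PIN rejected there because the server only trusts the registered device's key, and the stolen device refusing further guesses after five failures.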


Note that Windows 10 20H1 is an early build and may still contain many bugs. Microsoft will collect feedback from Windows Insider Program users and plans to improve it before the official release.

in Software,   Security, Posted by log1h_ik