Secure Windows Login | Windows Hello & Security Key
Secure Windows Login
Windows users have lost many battles to attackers because of the weakness of traditional password-only logins: passwords get guessed, phished, reused across sites, and stolen from breached servers. Hence the need for more secure Windows login methods.
To make your login to Windows more secure, Microsoft offers several alternative login methods including Windows Hello, security key, picture password, and two-step verification. In this article, we explain all these login options to help you enjoy more secure Windows logins.
The first step is to access the login settings on Windows. To do so in Windows 10, go to Start > Settings > Accounts > Sign-in options where you can see all the available sign-in methods, which include:
⦁ Windows Hello Face
⦁ Windows Hello Fingerprint
⦁ Windows Hello PIN
⦁ Security key
⦁ Picture password
Windows Hello Face and Fingerprint
Windows Hello is Microsoft's sign-in framework for Windows 10; the security key option described later requires Windows 10 version 1809 or later. You can also use Windows Hello to sign in to your Active Directory account, your Microsoft Azure Active Directory (Azure AD) account, and your Microsoft account on the web, which requires the Microsoft Edge browser.
Microsoft says that signing in with biometrics (for example facial recognition) is up to three times faster than typing a password. More importantly, it is more secure: the biometric never leaves the device and only serves to unlock a key that is bound to that device, so it cannot be phished or replayed the way a password can, and nobody else's face, iris, or fingerprint will unlock it.
For facial recognition, Windows Hello uses special cameras that use infrared (IR) light to tell a photograph or screen image apart from a living person. To scan your fingerprint, Windows Hello needs a capacitive fingerprint sensor. Fingerprint readers on Windows systems are nothing new, but the current generation of sensors is considerably more accurate.
Still, some people have reservations about using their face or fingerprint to sign in to a computer because of privacy concerns. According to Microsoft, Windows does not save any image of your face, iris, or fingerprint anywhere, not even on your own device.
So what does Windows Hello store? When you enrol, it uses the data from the face camera, iris sensor, or fingerprint reader to build a data representation, a graph of features rather than a photo, encrypts it, and keeps it only on your device; the template is never uploaded to Microsoft or to the identity provider.
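The liveness check above is only enforced on managed devices if the enhanced anti-spoofing policy is set. The following is an added example, not code from the original article: an elevated PowerShell audit of the local biometric state that then turns the policy on. The registry locations are the ones the "Allow the use of biometrics" and "Configure enhanced anti-spoofing" Group Policy settings write as I know them; the helper name Get-PolicyValue is this example's own.

```powershell
# Added example (not from the original article): audit and harden Windows Hello
# biometric settings on the local machine. Run in an elevated PowerShell.
# Assumption: the policy paths below are the ones written by the "Allow the use
# of biometrics" and "Configure enhanced anti-spoofing" Group Policy settings;
# verify them against your ADMX set before deploying at scale.

$biometricPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$facePolicy      = Join-Path $biometricPolicy 'FacialFeatures'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist ("not configured").
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Is there a working biometric sensor, and is the Windows Biometric Service running?
$sensors = @(Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue |
             Where-Object Status -eq 'OK')
$wbio    = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue

'Biometric sensors present : {0}' -f $sensors.Count
$sensors | ForEach-Object { "  - $($_.FriendlyName)" }
'Windows Biometric Service : {0}' -f $wbio.Status

# 2. Current policy state. $null means "not configured", i.e. the Windows default.
$allowBio  = Get-PolicyValue $biometricPolicy 'Enabled'
$antiSpoof = Get-PolicyValue $facePolicy 'EnhancedAntiSpoofing'
'Biometrics allowed by policy    : {0}' -f $(if ($null -eq $allowBio) { 'not configured (allowed)' } else { $allowBio })
'Enhanced anti-spoofing enforced : {0}' -f $(if ($antiSpoof -eq 1) { 'yes' } else { 'no' })

# 3. Hardening: require enhanced anti-spoofing for face sign-in. With this set,
#    face sign-in is only offered on cameras whose driver supports the IR
#    liveness check; devices that cannot do it lose face sign-in rather than
#    falling back to a weaker match.
if ($antiSpoof -ne 1) {
    New-Item -Path $facePolicy -Force | Out-Null
    New-ItemProperty -Path $facePolicy -Name 'EnhancedAntiSpoofing' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    "Set EnhancedAntiSpoofing=1 under $facePolicy (applies at the next policy refresh or sign-in)."
}
```

Run it once before and once after `gpupdate /force` on a test machine; the first pass tells you whether the hardware is even capable, the second confirms the policy took.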
Windows Hello PIN
Besides the biometric options, Windows Hello offers one more secure login method: the Windows Hello PIN. You can set up a PIN as a backup for your biometric login or security key (recommended, and in fact required before biometrics can be enrolled), but you can also use it on its own. So what is the difference between a password and a PIN, and why is a PIN better than a password?
Like a password, a PIN is a string of characters. Traditionally PINs are numeric only, but Windows Hello lets you include letters and special characters as well. Windows Hello also refuses obvious or common patterns (such as runs of repeated or sequential digits). Beyond that, a PIN looks no different from a password; the difference lies in how it is used and what it means, not in its outward form.
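On a managed (domain- or Azure AD-joined) device the composition rules just described are set by the Windows Hello for Business PIN complexity policy. The following is an added example, not code from the original article, that prints the current policy and then applies a hardened one. The PINComplexity key and the value semantics (0 = allowed, 1 = required, 2 = not allowed) follow the PassportForWork CSP as I recall it, so check them against the CSP documentation for your build; Show-PinPolicy is this example's own helper.

```powershell
# Added example (not from the original article): show the Windows Hello for
# Business PIN composition policy and tighten it. Run in an elevated PowerShell.
# Assumption: the PINComplexity values and their meanings (0 = allowed,
# 1 = required, 2 = not allowed) follow the PassportForWork CSP; verify against
# the documentation for your Windows build before deploying.

$pinPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
$names = 'MinimumPINLength', 'MaximumPINLength', 'Digits', 'LowercaseLetters',
         'UppercaseLetters', 'SpecialCharacters', 'Expiration', 'History'

function Show-PinPolicy {
    param([string]$Path)
    foreach ($n in $names) {
        $v = if (Test-Path $Path) {
            (Get-ItemProperty -Path $Path -Name $n -ErrorAction SilentlyContinue).$n
        }
        '{0,-18} : {1}' -f $n, $(if ($null -eq $v) { 'not configured (default)' } else { $v })
    }
}

'--- current PIN policy ---'
Show-PinPolicy $pinPolicy

# Weak state (nothing configured): Windows' short, digits-only default applies.
# Hardened state: at least 8 characters, letters and symbols permitted so users
# can choose a passphrase-style PIN, and PIN history kept so old PINs cannot be
# reused. "Allowed" (0) rather than "required" (1) is deliberate: it keeps a
# numeric-only PIN possible where the lock screen only offers a number pad.
$hardened = @{
    MinimumPINLength  = 8
    Digits            = 0   # allowed
    LowercaseLetters  = 0   # allowed
    UppercaseLetters  = 0   # allowed
    SpecialCharacters = 0   # allowed
    History           = 5   # the last 5 PINs cannot be reused
}

New-Item -Path $pinPolicy -Force | Out-Null
foreach ($kv in $hardened.GetEnumerator()) {
    New-ItemProperty -Path $pinPolicy -Name $kv.Key -PropertyType DWord `
        -Value $kv.Value -Force | Out-Null
}

'--- PIN policy after hardening ---'
Show-PinPolicy $pinPolicy
```

Existing PINs are not invalidated by a policy change; users are prompted to pick a compliant PIN the next time they change it or when Expiration elapses, so set Expiration too if you need the new rules applied by a deadline.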
Why is PIN safer than password?
For starters, a PIN is tied to the specific device on which it was set up. If someone learns your PIN, they cannot use it unless they also have your physical device. In effect, a PIN gives you something close to two-factor authentication, with the PIN (something you know) and the device (something you have) as the two factors.
Another important difference is that the PIN never leaves the device. A password has to be sent to a server, where it can be stolen in transit or from the server's credential store; a PIN, by contrast, is never transmitted and is not stored on the server at all. When you set up a PIN, Windows establishes a trust relationship with the identity provider and generates an asymmetric key pair, and the identity provider keeps only the public key. Entering the PIN unlocks the private key, which signs a challenge issued by the server, and the server verifies that signature with the public key it holds. A captured signature is useless for a later sign-in because every challenge is different.
A further advantage of the Windows Hello PIN is that it is backed by hardware. On a device with a Trusted Platform Module (TPM), a secure crypto-processor, the private key is generated inside the TPM and cannot be exported from it, and the TPM's anti-hammering logic rate-limits PIN guesses, which is why a short PIN still resists brute force where a short password would not. On devices without a TPM the key is only software-protected, so administrators of managed fleets usually require a TPM by policy.
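The key-pair model described above can be reproduced with the same Windows CNG primitives Windows Hello builds on. The following is an added example, not code from the original article or from Microsoft: it checks the TPM and the "require a hardware security device" policy, creates a non-exportable ECDSA P-256 key in the TPM's key storage provider (falling back to the software provider so the script still runs without a TPM), hands only the public key to a simulated server, and then performs a sign-in as a signed server challenge. The function names New-DeviceKey and Test-SignIn, the user name alice, and the key name ExampleHelloKey are this example's own; the PIN prompt that gates real Windows Hello key use is not reproduced. Run it elevated (Get-Tpm needs it); the persisted key is deleted at the end.

```powershell
# Added example (not from the original article): the Windows Hello PIN key model
# rebuilt with Windows CNG. Assumptions: New-DeviceKey, Test-SignIn, 'alice' and
# 'ExampleHelloKey' are this example's own names; the TPM PIN prompt that
# authorizes real Windows Hello key use is not reproduced. Run elevated.
using namespace System.Security.Cryptography

'--- hardware and policy state ---'
$tpm = Get-Tpm -ErrorAction SilentlyContinue
'TPM present/ready   : {0}/{1}' -f $tpm.TpmPresent, $tpm.TpmReady
$pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$req = (Get-ItemProperty -Path $pfw -Name RequireSecurityDevice -ErrorAction SilentlyContinue).RequireSecurityDevice
'Policy: require TPM : {0}' -f $(if ($req -eq 1) { 'yes' } else { 'not configured (software-backed keys allowed)' })

function New-DeviceKey {
    param([string]$Name)
    # Prefer the TPM-backed provider: a key created there never leaves the chip.
    foreach ($providerName in 'Microsoft Platform Crypto Provider',
                              'Microsoft Software Key Storage Provider') {
        $p = [CngKeyCreationParameters]::new()
        $p.Provider     = [CngProvider]::new($providerName)
        $p.ExportPolicy = [CngExportPolicies]::None      # private key is non-exportable
        $p.KeyUsage     = [CngKeyUsages]::Signing
        try {
            $key = [CngKey]::Create([CngAlgorithm]::ECDsaP256, $Name, $p)
            Write-Host "Key '$Name' created in: $providerName"
            return $key
        } catch {
            Write-Host "Provider '$providerName' unavailable: $($_.Exception.Message)"
        }
    }
    throw 'No key storage provider available.'
}

# --- device side: enrolment happens once ---
$deviceKey  = New-DeviceKey -Name 'ExampleHelloKey'
# Only the public blob is sent to the identity provider.
$publicBlob = $deviceKey.Export([CngKeyBlobFormat]::EccPublicBlob)
try   { $deviceKey.Export([CngKeyBlobFormat]::EccPrivateBlob) | Out-Null }
catch { 'Private key export refused: {0}' -f $_.Exception.GetType().Name }

# --- server side: holds public keys only, never a PIN or password ---
$serverStore = @{ 'alice' = $publicBlob }

function Test-SignIn {
    param([string]$User, [byte[]]$Nonce, [byte[]]$Signature)
    # Verify the signature over the challenge with the enrolled public key.
    $pub   = [CngKey]::Import($serverStore[$User], [CngKeyBlobFormat]::EccPublicBlob)
    $ecdsa = [ECDsaCng]::new($pub)
    $ecdsa.VerifyData($Nonce, $Signature, [HashAlgorithmName]::SHA256)
}

# --- sign-in: the server challenges, the device answers by signing ---
$rng   = [RandomNumberGenerator]::Create()
$nonce = [byte[]]::new(32); $rng.GetBytes($nonce)
$signer = [ECDsaCng]::new($deviceKey)   # in Windows Hello, entering the PIN authorizes this step
$sig    = $signer.SignData($nonce, [HashAlgorithmName]::SHA256)

'Genuine sign-in verified   : {0}' -f (Test-SignIn 'alice' $nonce $sig)
# A captured signature replayed against a fresh challenge must fail.
$other = [byte[]]::new(32); $rng.GetBytes($other)
'Replayed signature accepted: {0}' -f (Test-SignIn 'alice' $other $sig)

$deviceKey.Delete()   # remove the persisted example key
```

On a TPM machine the first line of output names the Platform Crypto Provider and the private-key export is refused by the provider, which is exactly the non-exportability the text relies on; on a machine without a TPM the same script runs against the software provider, and that is the weaker configuration the RequireSecurityDevice policy exists to forbid.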
Windows login with a security key
Another, more secure replacement for the username/password login in Windows 10 is a FIDO2-compliant security key. A security key is a physical device, typically a USB token that plugs into the computer or an NFC token held against an NFC reader. Fast Identity Online (FIDO) is an alliance of some 250 organizations from various industries with the joint mission of solving the world's password problem by providing simpler, stronger authentication for applications.
Microsoft and its partners, including Yubico, HID, and Feitian, have been working on FIDO2 security keys to enable secure Windows login, especially on shared devices. With such a key you can walk up to any Azure AD joined Windows 10 PC belonging to your organization and sign in quickly and securely.
Unlike passwords, these keys rely on public-key cryptography: the private key is generated inside the key's secure element and never leaves it, which gives the same non-exportable, hardware-backed property as a TPM, with portability as a bonus. That makes them a good fit for shared workstations and mobile workers.
For additional security, the key itself requires user verification before it will sign anything: a fingerprint (on keys with an integrated sensor) or a PIN set on the key. A lost or stolen key therefore cannot be used on its own; a lost key should still be removed from the user's account in Azure AD promptly.
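Security key sign-in to Windows is off until an administrator enables it, and it only works on an Azure AD (or hybrid) joined device. The following is an added example, not code from the original article: it reads the join state from `dsregcmd /status` and, if the device qualifies, enables the policy. The registry value EnableFIDODeviceLogon is the one the "Turn on security key sign-in" policy writes as I recall it, so verify it against your ADMX set; Get-DsregState is this example's own helper.

```powershell
# Added example (not from the original article): check the prerequisites for
# FIDO2 security-key sign-in to Windows and enable it. Run elevated.
# Assumptions: sign-in needs an Azure AD (hybrid) joined device, read here from
# dsregcmd /status; EnableFIDODeviceLogon is the value the "Turn on security key
# sign-in" policy writes, as I recall it; verify against your ADMX before use.

function Get-DsregState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

$ds     = Get-DsregState
$joined = ($ds['AzureAdJoined'] -eq 'YES')
'Azure AD joined : {0}' -f $ds['AzureAdJoined']
'Domain joined   : {0}' -f $ds['DomainJoined']
if (-not $joined) {
    Write-Warning 'Security-key sign-in to Windows needs an Azure AD (hybrid) joined device; local accounts cannot use it.'
}

$fidoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'
$cur = (Get-ItemProperty -Path $fidoPolicy -Name EnableFIDODeviceLogon -ErrorAction SilentlyContinue).EnableFIDODeviceLogon
'Security-key sign-in policy : {0}' -f $(if ($cur -eq 1) { 'enabled' } else { 'not configured (option hidden on the lock screen)' })

if ($joined -and $cur -ne 1) {
    New-Item -Path $fidoPolicy -Force | Out-Null
    New-ItemProperty -Path $fidoPolicy -Name EnableFIDODeviceLogon `
        -PropertyType DWord -Value 1 -Force | Out-Null
    'Enabled security-key sign-in; the "Security key" option appears after the next sign-out.'
}
```

The policy only exposes the sign-in option; the user still has to register the key against their Azure AD account from the account security portal, and the tenant has to allow the FIDO2 authentication method, before the lock screen will accept it.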
Windows login with Picture Password
Picture password is another alternative for traditional passwords that can be used for touchscreen PCs. You select a picture and use some gestures to create a password that's uniquely yours.
When you've chosen a picture, you use the touchscreen to draw and create a combination of circles, straight lines, and taps. So eventually, your picture password consists of the picture you chose, as well as the size, position, and direction of your gestures.
Two-step verification and Microsoft Authenticator app
Two-step verification, also called two-factor authentication (2FA), is an authentication method in which the user's claimed identity is accepted only after they present two separate pieces of evidence. If someone steals your password, they still cannot get into your account without the second factor.
As mentioned earlier, some of the Windows sign-in methods above already behave like 2FA. Here, however, we are referring to turning on two-step verification for your Microsoft account itself.
If you turn this on, Microsoft sends a security code to your email, your phone, or the Microsoft Authenticator app every time you sign in on a new device or from a new location. When two-step verification is off, you are asked for a security code only when Microsoft detects a more serious risk to your account. Prefer the Authenticator app over codes sent by SMS or email where you can: an attacker who has taken over your phone number or mailbox receives those codes too.
To turn on two-step verification, sign in to your Microsoft account in a web browser, open the Security page, choose the more security options link, and turn two-step verification on there.
Many security experts believe that sooner or later, passwords have to go. That’s why Windows has offered several more secure Windows login methods to replace passwords. Now, it is up to you to consider your personal and professional requirements and decide which login method is a better choice for you.
Windows also offers some other security options. For example, dynamic lock can use a device paired with your PC (such as your phone) to detect when you have walked away and lock the system automatically. Another is secure sign-in, which hides the sign-in screen until the user presses Ctrl+Alt+Del. That key combination is a secure attention sequence handled by the operating system alone, so a malicious program cannot intercept it or put a fake sign-in screen in its place to harvest passwords; what appears after Ctrl+Alt+Del is the genuine Windows sign-in screen. Such options help you build a login that is both more personal and more secure.
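Secure sign-in is controlled by a single registry value that lives in two places, and the local toggle in netplwiz can be overridden by policy. The following is an added example, not code from the original article: it reports the effective setting and then enforces Ctrl+Alt+Del through the policy location so a user cannot switch it back off. The DisableCAD value and its two locations are what the "Interactive logon: Do not require CTRL+ALT+DEL" policy and the netplwiz checkbox write as I know them; Get-DisableCad and Test-SecureSignIn are this example's own helpers, and the assumed default of "not required" when neither value is present applies to standalone PCs (domain-joined ones default to required).

```powershell
# Added example (not from the original article): enforce the Ctrl+Alt+Del
# secure attention sequence. Run in an elevated PowerShell.
# DisableCAD = 0 means Ctrl+Alt+Del IS required; 1 means it is not.
# Assumption: when neither value exists we treat the default as "not required",
# which holds for standalone PCs; domain-joined PCs default to required.

$local  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'          # netplwiz / local toggle
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'      # Group Policy, wins when set

function Get-DisableCad([string]$Path) {
    (Get-ItemProperty -Path $Path -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
}

function Test-SecureSignIn {
    # Effective result: the policy value if present, otherwise the local value,
    # otherwise the assumed default (1, not required).
    $p = Get-DisableCad $policy
    $l = Get-DisableCad $local
    $effective = if ($null -ne $p) { $p } elseif ($null -ne $l) { $l } else { 1 }
    [pscustomobject]@{
        PolicyValue        = $p
        LocalValue         = $l
        CtrlAltDelRequired = ($effective -eq 0)
    }
}

'Before:'; Test-SecureSignIn | Format-List

# Set it in the policy location so the netplwiz checkbox cannot undo it.
New-ItemProperty -Path $policy -Name DisableCAD -PropertyType DWord -Value 0 -Force | Out-Null

'After:';  Test-SecureSignIn | Format-List
```

After the change, lock the session and confirm that the lock screen shows the "Press Ctrl+Alt+Delete to sign in" prompt rather than the password field directly; that prompt is the visible sign that the secure attention sequence is enforced.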