
Microsoft is Making Windows 10 Passwordless (theverge.com) 247

Microsoft is planning to make Windows 10 PCs work without passwords. From a report: While the company has been working on removing passwords from Windows 10 and its Microsoft Accounts for a number of months now, the next major update to Windows 10 next year will go one step further. You'll soon be able to enable a passwordless sign-in for Microsoft accounts on a Windows 10 device. This means PCs will use Windows Hello face authentication, fingerprints, or a PIN code. The password option will simply disappear from the login screen, if you decide to opt in to this new "make your device passwordless" feature. [...] This will also extend to business users through Azure Active Directory, allowing businesses to go fully passwordless with security keys, the authenticator app, or Windows Hello.

  • by Anonymous Coward on Friday July 12, 2019 @10:47AM (#58913560)

    You'd have to be insane to use a "Microsoft account". The sheer *thought* of logging in to a Microsoft account and attaching it to your computer makes my skin crawl.

    • by CastrTroy ( 595695 ) on Friday July 12, 2019 @12:12PM (#58914044)

      How is it any different from using your Google or Apple account to sign into your phone?

      • I just leave everything unlocked. The devices are for my convenience, not to inconvenience me.

        I’ll never use the fingerprint reader. Turns out some of us have fingerprints that can’t be reliably read, no matter how many times we re-register our digits. And when I turn on my computer, I want it ready to go, not waiting for me to log in.

        My phone is unlocked for MY safety. If I pass out in the middle of the street (it’s happened) I want the EMTs to be able to both see my medical informat

        • re unlocked for safety: my android shows that information even when locked

        • I want the EMTs to be able to both see my medical information and to contact my relatives and friends as necessary.

          EMTs are not going to mess around with your phone to accomplish either of these things. EMTs will treat your symptoms according to their training until such time as your care is transferred to and accepted by a higher medical authority.

          My pedantry aside, your point is taken.

        • My phone is unlocked for MY safety. If I pass out in the middle of the street (it's happened) I want the EMTs to be able to both see my medical information and to contact my relatives and friends as necessary.

          Get a medic alert bracelet. EMTs (and ER nurses) know to look at those for information. They will not waste time checking you for a cell phone on the off chance it will give them useful information about your condition.

      • by Tom ( 822 )

        How is it any different from using your Google or Apple account to sign into your phone?

        Neither of them have an uninterrupted 30+ year history of screwing over everyone who trusts them with anything.

        • Neither of them have an uninterrupted 30+ year history of screwing over everyone who trusts them with anything.

          Except we are talking about accounts which in MS's terms would imply the long standing Hotmail account. Yeah Microsoft has a much longer history of not screwing customers over than Google or Apple.

      • by dog77 ( 1005249 )
        Windows 10 does not give you an option to sign into your device using a device password. One of the options it does give you is to sign in with your Microsoft account. Using a Microsoft account is a bad idea because if someone sees what you type in and you are not using two factor authentication, it gives them access to your account. Apple and I think Google only make you sign into the account once and allow you to use a device password.
    • The sheer *thought* of logging in to a Microsoft account and attaching it to your computer makes my skin crawl.

      And yet, you eat your boogers. Go figure.

    • You'd have to be insane to use a "Microsoft account". The sheer *thought* of logging in to a Microsoft account and attaching it to your computer makes my skin crawl.

      Why? What's the basis for your unqualified statement? I mean Microsoft Accounts are good enough for Fortune 500 companies, so do you think my gaming PC is somehow going to have more risky material on it than my work computer which handles sensitive information?

      • by dog77 ( 1005249 )
        I did not make the statement, but I agree that it is a bad idea. Whenever you type in your username and password you are risking that someone saw it and can potentially access your account from another device. Obviously two factor authentication helps with this problem. The biometric and pin login that Microsoft supports are good options, but it is still silly that Microsoft does not allow you to do what everyone else allows, which is use a device password.
  • Good! (Score:4, Interesting)

    by Anonymous Coward on Friday July 12, 2019 @10:49AM (#58913568)

    For those of us who are even a little tech literate, we always used good passwords by default. For the overwhelming majority of vidiots who can't set the clock on their microwave, this is actually more secure for them.

    • Re:Good! (Score:5, Insightful)

      by WaffleMonster ( 969671 ) on Friday July 12, 2019 @11:02AM (#58913644)

      For those of us who are even a little tech literate, we always used good passwords by default. For the overwhelming majority of vidiots who can't set the clock on their microwave, this is actually more secure for them.

      Secure from what? Most people have never given a fuck about logging on in the first place. To them it's like having to enter a password when turning on the TV or game console.

      • "Secure from what? Most people have never given a fuck about logging on in the first place. To them it's like having to enter a password when turning on the TV or game console."

        Exactly! And since my computer is connected to my TV where I watch everything, I don't have a password for Windows as well.
        Never had. Otherwise, uTorrent couldn't continue to pirate in the background when Windows decides to reboot for one reason or another in the middle of the night.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      How is a 4 digit pin better than a password?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

        • If you think a "secret code" branded "PIN" is in any way different from a "secret code" labelled "password", you really have to be retarded.

          Storing "secret codes" as a salted hash is more secure than storing them in plain text, but that doesn't mean they suddenly stop being "secret codes".

          This is actually insulting.

          • They are different, a PIN would have each digit comprised of a number 0-9 whereas a password would have far more possibilities with numbers, letters and special characters. Either way people are still going to use stupid things like the kid's/spouse's birthday, anniversaries, etc...

          • If you think a "secret code" branded "PIN" is in any way different from a "secret code" labelled "password", you really have to be retarded.

            Yeah but not as retarded as someone who doesn't read the link and then says something completely irrelevant.

      • by Comboman ( 895500 ) on Friday July 12, 2019 @11:40AM (#58913874)
        A hacker has revealed a list of 4-digit PINs used by many banks, on-line services and credit cards. If your PIN is on this list [deviantart.com], change it immediately.
      • by tk77 ( 1774336 )

        How is a 4 digit pin better than a password?

        I use a complex PIN on my Surface Pro, which basically resembles a normal password. Where a TPM is available, the PIN is secured by it.

        Additionally, in the event you have your login tied to your MS account (which Windows tries to get you to do by default, so this is probably what most users do), the PIN will be more secure because all authentication is then local to the device.

      • For local connections, keyboard to computer,
        many levels of authentication have implicitly been processed.
        The person gained physical access to the building, often with a key, or a key card, someone letting them in the building or a fob.
        The person knows which computer to use, and which account to use.
        The person then knows the PIN.

        Being a simple number it is easier and quicker to log in and also less of a hassle to lock your system when you are not around.

        Now Pins will in general suck with network access, because a

    • Actually according to TFA "passwordless" means:

      ...PCs will use Windows Hello face authentication, fingerprints, or a PIN code.

      This means it will be less secure, not more since for the large number of devices without support for face or fingerprint recognition you are now reduced to a PIN code which has a limited number of digits all of which must be digits. This is just a subset of the strings allowed for a password which means it is neither passwordless nor more secure.

    • For those of us who are even a little tech literate, we always used good passwords by default.

      Actually those of us who are tech literate use 2FA, and one of those factors does not have to be a password.

  • I'm assuming they are using the laptop/desktop camera to unlock via face - that's super easily bypassed by a photo..

    It is nice to have alternate login mechanisms (I use an Apple Watch), but especially when Microsoft is logging you into all kinds of accounts that might have sensitive data with that Microsoft login, you want to be more cautious about security - not less.

    • by click2005 ( 921437 ) * on Friday July 12, 2019 @10:58AM (#58913614)

      I would instantly reject the two options that would allow logins without my consent and PINs are less secure than a good password.
      This whole thing is just Microsoft continuing its "I'm late to the party but I do that too (albeit badly)" attitude to features these days.

      • and PINs are less secure than a good password.

        Is this ignorance talking?

        Password: Stored locally on a drive, or sent to the internet for verification. PIN: Stored in TPM.
        Password: Secured by software. PIN: Secured by hardware.
        Password: Linked to account, know your password, great I now can use *all* your Windows based devices. PIN: Specific to device.

        Password: Any complexity you like.
        PIN: Any complexity you like.

        Oh what you thought PINs had to be 4 digit numbers? Are you talking a Windows 10 machine or getting money from an ATM?

    • by EvilSS ( 557649 ) on Friday July 12, 2019 @10:59AM (#58913624)

      I'm assuming they are using the laptop/desktop camera to unlock via face

      It requires a 3D mapping capable camera to enable it on Windows. A regular webcam won't work.

      • It requires a 3D mapping capable camera

        Ok, that does make a lot more sense - except how many Windows laptops have that as a feature? Does the Surface even have that currently?

        • Re:Thanks! (Score:4, Informative)

          by EvilSS ( 557649 ) on Friday July 12, 2019 @11:04AM (#58913656)

          It requires a 3D mapping capable camera

          Ok, that does make a lot more sense - except how many Windows laptops have that as a feature? Does the Surface even have that currently?

          Yes, surface currently has that. Here is a quick list of some other models with it (pretty sure it's not comprehensive): https://www.windowscentral.com/complete-list-laptops-support-windows-hello [windowscentral.com]

        • Ok, that does make a lot more sense - except how many Windows laptops have that as a feature? Does the Surface even have that currently?

          Many laptops do. If your laptop is a premium device (Dell XPS, HP Spectre, Lenovo Yoga) it is very high on the most likely compatible list. If your desktop computer webcam is 4K it's pretty much very likely compatible as well. All Surface devices made since 2015 support it.

          Though for webcams it does rule out the cheapies quite conclusively. The cheapest I've seen is the Lilbit for $65 but it's a damn crap webcam almost exclusively designed just for computer login.

  • PIN versus password (Score:5, Interesting)

    by Anonymous Coward on Friday July 12, 2019 @10:52AM (#58913588)

    What's the difference between a PIN and a password?

    • less security, but greater ease of use I guess?

      Seems like a pretty terrible decision.

      • Ties in with the Bitlocker maximum password length being 20 characters. Presumably 20 is NSA's hash table limit for AES-128, which is the Bitlocker default.

      • less security, but greater ease of use I guess?

        Seems like a pretty terrible decision.

        You'd be wrong. On Windows 10 a PIN can be as complex as you want up to a maximum of 127 alpha-numeric or symbolic characters. But the other benefits are:

        - Tied to the device, not the account. Compromise a PIN and you compromise 1 device. Compromise a password and you have access to all MS devices, online emails, and cloud data.
        - Being local a failed attempt doesn't attempt an internet connection to verify if an updated password is available on the MS account. While this connection should be encrypted it's

    • by Joce640k ( 829181 ) on Friday July 12, 2019 @10:56AM (#58913598) Homepage

      You don't get to choose "password" as your PIN.

    • by EvilSS ( 557649 )
      PINs are device specific. So you can use the same account on multiple Windows devices, but have a PIN specific to each device.
      • by caseih ( 160668 )

        How many people are going to use a separate pin number for each computer? Most likely they'll use the same pin number they use on their bank cards and anything else that requires a pin number.

        • by sinij ( 911942 )

          Exactly. So now compromising a Windows 10 based home computer will be that much more lucrative - you are also likely to get the victim's bank PIN.

        • by EvilSS ( 557649 )
          You could say the same thing about passwords.
    • The PIN can't be used for remote login (RDP, SMB, etc.). Also the PIN prompt screen will likely lock out after a small number of failed attempts. You then have to login using the real password, or wait a certain time.

      • by Zorro ( 15797 )

        Oh yes it can!

        You tie that pin to an account and a domain.

        But you have to know the complete account name and domain name and type it in by hand every time.

        Username and pin isn't quite the same. At least this works with Active Directory.

        • it's not as if the account and domain name were secret

          if you can connect remotely via SMB using only the PIN this is a big security flaw

    • Functionally, there needn't be one. My gaming PC at home is configured to use my Microsoft account, but I don't have my Microsoft account's lengthy, randomly-generated password memorized, which made logging in rather tedious, so I configured the PC to instead use a PIN. An alphanumeric PIN. An alphanumeric PIN that simply corresponded to the password I was previously using on that PC. Yay for "better security"?

    • A PIN, being numerical, doesn't come with the requirement to have at least three each of lower case, upper case, numeric, punctuation, cyrillic, simplified Chinese, and Assyrian. That makes it much easier for the mobile proles who don't have a keyboard to enter it.

      • There is no requirement for the PIN in Windows to be numerical. There is a requirement for it to be between 4 and 127 numbers, letters or symbols in length though. And Windows monitors for patterns, no qwerty, 1234, etc.

    • by Tom ( 822 )

      You don't enter the PIN on the computer, you enter it on your smartphone. The smartphone then communicates with the computer (BT, NFC, whatever) and tells it that you're authenticated. If that communication is implemented properly (certificate based, challenge-response, etc.) this scheme can be very secure and it makes it almost impossible for a remote attacker to break into your account.

      Of course, it introduces a weakness for attackers who can physically steal your phone, but then again they could probably

      • You don't enter the PIN on the computer, you enter it on your smartphone. The smartphone then communicates with the computer (BT, NFC, whatever) and tells it that you're authenticated.

        There are a lot of people who don't know what they are talking about in this comment section, but you're in a league of your own when it comes to being waaaaay off the mark.

        You are talking about phone based 2FA, something completely different from a PIN on a Windows device, and something which by necessity actually forces you to set a PIN on a Windows device.

  • Windows Hello face authentication: A system dependent on el-cheapo webcams with inconsistent features that certainly cannot meaningfully guarantee depth, so a half decent printed image can access it in most cases.

    Fingerprints: The best of the lot, but the sorts of fingerprint readers built into computers are also inconsistent with their resolution. I've also had issues with drivers causing Windows to get cranky, and either people will have to have the foresight to register two fingers on each hand, or have an algorithm with enough latitude that its security gets undone.

    PIN code: So, a shorter password with a more stringent lockout policy?

    Security keys: So, a password that changes at intervals and is set by a third party?

    Authenticator app: So, a password delivered via appy-app?

    Windows Hello: Didn't we start with this?

    Now look, I'm not arguing that these options aren't, at some level at least, ultimately a good thing, if for no other reason than because it puts Windows at parity with the mobile devices most people have grown accustomed to. Used security is going to be more secure than unused security, regardless of how well it ranks with having a password like //Slashd0+4@aIl2C2d@y, even if it doesn't land on a sticky note next to the monitor.

    My point is simply that you don't get to call it 'going passwordless' when half the options are still a thing a user types in.

    • so a half decent printed image can access it in most cases.

      Half decent printed image, with anti-spoofing disabled and a near IR photo looking directly into the camera. Also physical access to the machine and even then probably limited access. Also physical access to the user at some point to take a near infrared photo of the face from up-close.

      A hacker in Russia has none of those things unless it's a highly targeted attack. In which case you're probably fucked anyway.

      PIN code: So, a shorter password with a more stringent lockout policy?

      And presumably no usage on websites whose password database has been hacked.

      Security keys/Authenticator: So, a password that changes at intervals and is set by a third party?

      Ditto to face and pi

    • A system dependent on el-cheapo webcams

      I've never seen an el-cheapo webcam compatible with Windows Hello, and I've looked. The cheapest I've found is in the order of $60 and it's a terrible webcam being a specific login based device. Most Hello compatible webcams cost more than my 1TB SSD did.

    • Hate to double post but I should correct the rest of your post too.

      A system dependent on el-cheapo webcams

      I've never seen an el-cheapo webcam compatible with Windows Hello, and I've looked. The cheapest I've found is in the order of $60 and it's a terrible webcam being a specific login based device. Most Hello compatible webcams cost more than my 1TB SSD did. No, images do not work for bypassing the current version of Windows Hello.

      PIN code: So, a shorter password with a more stringent lockout policy?

      Why is it shorter? PIN codes have the same requirements as passwords. They must be less than 127 numbers letters or

  • No thanks. (Score:5, Interesting)

    by sconeu ( 64226 ) on Friday July 12, 2019 @11:08AM (#58913678) Homepage Journal

    I seem to recall hearing about a court ruling (related to Apple Touch ID) that your biometrics weren't protected by the Fifth Amendment, but a password was.

    • ...biometrics weren't protected by the Fifth Amendment, but a password was.

      When you consider that Microsoft has had NSA back doors into Windows for decades, it should come as no surprise that your security isn't at the top of Microsoft's list of concerns.

    • by mark-t ( 151149 )
      So what we need to do is develop biometric systems that examine the user's brain activity, and can recognize not only when the authorized user is accessing it, but also examine things like stress levels, as well as more mundane things like heart rate, breathing patterns etc, to determine if they are attempting to gain access only under some sort of duress, and refuse access to otherwise locked systems in such a case.
      • No, what we need to do is stop storing sensitive stuff on digital devices when it’s much more secure to just keep all sensitive information between your two ears and never share it unless absolutely necessary, and only face to face.

        There aren’t THAT many things that you actually need to keep secret.

        • by mark-t ( 151149 )

          There aren't THAT many things that you actually need to keep secret.

          True.

          But my point is that if such protections were ubiquitous, then nobody would bother to even try.

          Also, information secured "between your ears" is still subject to the $5 wrench decryption method [xkcd.com].

          If a wetware solution examined your own brain wave patterns and wouldn't allow access to otherwise secured content when you were under duress, then even that decryption approach would be defeated.

          Thereby, again, achieving the des

  • by account_deleted ( 4530225 ) on Friday July 12, 2019 @11:19AM (#58913758)
    Comment removed based on user account deletion
  • by stevegee58 ( 1179505 ) on Friday July 12, 2019 @11:24AM (#58913790) Journal
    How can I plead the 5th and remain silent about my passwords if law enforcement can just thrust my face in front of my webcam?
    • If law enforcement can thrust your face in front of your webcam they will just torture the password out of you or set you up, or throw you forever in prison because clearly you're a terrorist.

  • And the attack also made me forget my PIN, I will be locked out of my account?
  • What about laptops that are not on a network?
    captive portal?

    local admin (Non domain) accounts

    Other admin users that may only need to login to a system to install stuff?

  • Just how do biometrics, PIN numbers, and/or face recognition work with AD credentials? We're going to have a horrible time dealing with this.

  • by simply not connecting to Microsoft online and not requiring a password to access. Works great and has never failed in 3 years.
  • I'm already looking forward to logging in one day and receiving the message, "Your face has expired and must be changed."
  • passwordless is a good idea. A really, really good idea. I've been following various schemes for years and tried a couple from back when smartcards were a thing.

    So passwordless - yes!

    But Microsoft? They're the last people on the planet whom I trust to get this right.

  • ...how long will it take for Apple to beat Microsoft to the punch? You mean Apple didn't already have this feature in the works??? Man, shareholders are just going to let Tim Cook ride Apple into the ground.

  • Interestingly, I was able to make my PIN be an alphanumeric value of many characters so....still a password.

  • My laptop has a finger print reader, I just use that.
