Windows 10 Security Update: Change Your Password To A PIN, Says Microsoft


While Microsoft recently made an unprecedented change to the way Windows 10 cumulative updates would be rolled out from May 2020, that doesn’t mean version updates are a thing of the past. The next version of Windows 10 is expected to arrive this month, or possibly next, and bring with it some changes to security options that will surprise many. Microsoft wants users to stop using passwords and start using PINs. Yes, you read that right.
On March 10, Microsoft corporate vice-president, Yusuf Mehdi, announced that more than one billion people were using Windows 10. No great surprise there. When, on March 24, Microsoft announced that it was pausing all optional, cumulative, non-security updates to Windows 10 from May 2020, that raised a few eyebrows, but nothing more. Upping the surprise stakes, however, is the realization that the next incarnation of Windows 10, currently known to insiders as 20H1 or 2004, and which might well still reach ordinary users this month, wants you to replace passwords with PINs.
The Windows 10 20H1 update will likely bring with it a whole bunch of feature tweaks impacting everything from Cortana to Bluetooth connectivity and improvements to Notepad. So far, so meh. Where things get a lot more interesting for me are the changes that Microsoft is expected to make to security options. Reading through the latest Windows Insider Program notes for the Windows 10 20H1 build reveals that Microsoft is continuing with its move towards a passwordless future for all users.

Swapping passwords for PINs

The insider notes for Windows 10 20H1 Build 18936 include details on how Microsoft is pushing for passwordless sign-in to Microsoft accounts on devices. This will be optional, by way of Settings|Accounts|Sign-in options using the new settings app that is slowly but surely replacing the old control panel. There will be an option here to “Make your device passwordless,” which Microsoft promises will improve security and provide a more seamless sign-in experience. “This will strengthen your device sign-in by switching all Microsoft accounts on your device to modern multifactor authentication with Windows Hello Face, Fingerprint, or PIN,” the Microsoft documentation states, “eliminating passwords from Windows.”
This requirement to use Windows Hello sign-in for Microsoft accounts will be the recommended option.
Meanwhile, Windows 10 20H1 Build 18995 brings with it, the Microsoft insider release notes reveal, another “step forward in our Passwordless journey.” That step adds Windows Hello PIN support to signing in when using safe mode.

Is a PIN more secure than a password?

All of this could leave you a little confused and wondering how a PIN can be more secure than a password. The key is understanding what the PIN protects here and how a PIN actually works in this context. Forget the idea that a four-digit PIN has to be less secure than a 25-character password, as that is missing the point. A point that Microsoft itself drives home in a 2017 posting: “The PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware.” It’s a second factor, in other words, the first being physical access to the Windows 10 device itself. If someone compromises your Microsoft account password, they can log into your Windows 10 computer from anywhere. If they compromise, guess, or steal your PIN, they still need access to the machine itself. The PIN itself is never transmitted to the server, as it’s local to the Windows 10 device, so it cannot be intercepted in transit or stolen from a compromised remote server. In other words, this move makes your Microsoft account more secure rather than making your Windows 10 device more secure, although the one leads to the other.
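To make the "device-bound second factor" point concrete, here is an added simulation (not Microsoft's code or Windows Hello's real protocol) of the two sign-in paths the paragraph contrasts: a password that travels to the account server, and a PIN that only unlocks a key held on the device, with the server seeing a challenge response rather than the PIN. All class and function names, the sample password and PIN, and the five-attempt lockout are assumptions made for the demo. Windows Hello registers an asymmetric key pair held in the TPM; this demo shares a symmetric HMAC key instead so it runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed simulation for illustration; names are assumptions, not Microsoft's APIs.
# Simplification: a shared HMAC key stands in for the TPM-held asymmetric key pair.


class DeviceKeyStore:
    """Stands in for the TPM-backed Windows Hello credential on one device.
    The device key never leaves this object; the PIN only authorises its use."""

    MAX_ATTEMPTS = 5  # assumed anti-hammering threshold

    def __init__(self, pin: str):
        self._device_key = secrets.token_bytes(32)              # generated on device, never exported
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # simplification of TPM PIN gating
        self._failed = 0

    def registration_secret(self) -> bytes:
        # Simplification: the real protocol registers a public key at this step.
        return self._device_key

    def sign_challenge(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Answer the server's challenge only if the PIN is right and the credential
        is not locked out. The PIN is checked locally and never leaves the device."""
        if self._failed >= self.MAX_ATTEMPTS:
            return None
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._failed += 1
            return None
        self._failed = 0
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class AccountServer:
    """Stands in for the account service: it holds the password hash and each
    registered device's secret, but never receives a PIN."""

    def __init__(self, password: str):
        self._password_hash = hashlib.sha256(password.encode()).digest()  # simplified storage
        self._devices: Dict[str, bytes] = {}
        self._challenges: Dict[str, bytes] = {}
        self.transcript: List[bytes] = []  # every byte string that crosses the network

    def register_device(self, device_id: str, secret: bytes) -> None:
        self._devices[device_id] = secret

    def login_with_password(self, password: str) -> bool:
        self.transcript.append(password.encode())  # the password does cross the network
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._password_hash)

    def new_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._challenges[device_id] = challenge
        self.transcript.append(challenge)
        return challenge

    def login_with_device(self, device_id: str, response: Optional[bytes]) -> bool:
        self.transcript.append(response or b"")
        challenge = self._challenges.pop(device_id, None)
        if challenge is None or response is None or device_id not in self._devices:
            return False
        expected = hmac.new(self._devices[device_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_login(server: AccountServer, store: DeviceKeyStore, device_id: str, pin: str) -> bool:
    """User at the physical device: the PIN unlocks the local key; only the response travels."""
    challenge = server.new_challenge(device_id)
    return server.login_with_device(device_id, store.sign_challenge(pin, challenge))


def remote_pin_attack(server: AccountServer, device_id: str, stolen_pin: str) -> bool:
    """Someone who knows the PIN but lacks the device has no device key, so the best
    they can do is derive a response from the PIN alone, which the server rejects."""
    challenge = server.new_challenge(device_id)
    guess = hmac.new(stolen_pin.encode(), challenge, hashlib.sha256).digest()
    return server.login_with_device(device_id, guess)


def pin_seen_on_wire(server: AccountServer, pin: str) -> bool:
    return any(pin.encode() in msg for msg in server.transcript)


def run_scenario() -> Dict[str, bool]:
    server = AccountServer(password="correct horse battery staple")  # constructed sample values
    store = DeviceKeyStore(pin="4821")
    server.register_device("laptop-01", store.registration_secret())
    results = {
        "device_login_ok": device_login(server, store, "laptop-01", "4821"),
        "wrong_pin_rejected": not device_login(server, store, "laptop-01", "0000"),
        "remote_pin_alone_fails": not remote_pin_attack(server, "laptop-01", "4821"),
        "remote_password_alone_works": server.login_with_password("correct horse battery staple"),
        "pin_never_transmitted": not pin_seen_on_wire(server, "4821"),
    }
    # Anti-hammering: repeated wrong PINs lock the credential even for the right PIN afterwards.
    for _ in range(DeviceKeyStore.MAX_ATTEMPTS):
        device_login(server, store, "laptop-01", "9999")
    results["lockout_after_hammering"] = not device_login(server, store, "laptop-01", "4821")
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

The transcript list is the point of the demo: after a full run the password appears in it verbatim, while the PIN never does, and a leaked PIN on its own buys nothing without the device that holds the key.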

A bold step in the right direction

“In my view, the idea of separating physical access authentication and network access authentication is a really good idea,” Ian Thornton-Trump, CISO at Cyjax, says, adding that “users like PINs!” Anything that can harden remote access while making physical access simpler is a good move, according to Thornton-Trump. “This seems like a great way to reduce the remote attack surface,” he says, concluding, “We will need to see how the researchers go after the new feature, but I think this is a bold step in the right direction.”