cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kloset
Newcomer I

Windows Hello and Compliance

Hi,

As companies are adopting "Windows Hello", I would like some feedback on how its viewed for compliance

 

As many of you know, for PCI and NIST, it is required to have a complex password and/or multi-factor authentication in use at the users endpoint. 

 

With "Windows Hello" the end user has the option to use a 4 digit pin to logon to the workstation, facial recognition, or a password. The end user can choose which one to use. 

 

Now, the Pin is only associated to that workstation, but I would expect the 4 digit pin to be less secure than a complex password. Any walk by user with knowledge of a 4 digit pin would be an easy logon.

 

 

Does the  4 digit pin 'Windows Hello' method meet the password complexity requirement for these and other compliance requirements? 

 

 

 

 

 

 

2 Replies
denbesten
Community Champion

Re: Windows Hello and Compliance


@kloset wrote:

Hi,

As companies are adopting "Windows Hello", I would like some feedback on how its viewed for compliance


Can't comment directly on PI-DSS, but rather than equating Hello to password practices, equate it to a phone unlock.  Like a phone, Hello is device local (as @kloset  notes), disables PIN/biometric authentication after a few failures and requires alternate credentials (i.e. an AD password) to restore normality.   Microsoft has a pretty good Q&A explaining how they believe PINs  and passwords differ.  

 

One really cool thing is that Hello bifurcates your attack surface.  If somebody shoulder-surfs a PIN, the bad actor has not gained the ability to login to your network accounts or RDP into your workstation.  Plus, since users are entering their AD password less often, there are less opportunities for its compromise.

 

It is possible to set Hello complexity requirements, just as one does for a password.  That said, there is a balance between data protection and user satisfaction.  By reducing drag low on common activities such as unlocking workstations, one can more easily sell other improvements such shorter screen-lock timers, longer AD passwords and use of MFA when remote.   In my organization, we did up the requirement to 6 digits to prevent years ("2019") and simple keyboard patterns ("0258", "74123").

 

 

 

kloset
Newcomer I

Re: Windows Hello and Compliance

Has anyone confirmed that Windows Hello PIN's, lets say 8 digits, meet PCI/NIST requirements.
Here is my understanding:

MFA requires 2 methods or more using these 3 aspects

  • Something you know (password, pin, secret questions/answers)
  • Something you are  biometric method (finger print, retna scan, facial recognition)
  • Something you have ( authenticator app code, RSA phob, smart card)

 

Windows Hello ties/binds pin to the single device, prevents using the PIN on other devices.

A Pin is something you know not different than a password. To meet compliance something you have (device with TPM chip) or something you are is still needed to meet MFA req's,
 

This PIN would apply to the single user device with a TPM chip, but it does not meet the req in VDI environments, where passwords and MFA are still needed.

 

Windows Pin is something you know, which is not different than a password.

When coupled with Something you are and/or  Something you have, the pin would meet the PCI/NIST requirements.

 

However PIN Complexity is subject to the same requirements: Complexity, Length, Expiration, History

This prevents shoulder surfing/walk by password compromise.. A 4 or 8 digit pin does not meet this requirement

You can require special characters, uppercase, lowercase, and digits in the Windows Hello configuration.