
Windows Hello and Compliance

Hi,

As companies are adopting "Windows Hello", I would like some feedback on how it's viewed for compliance.

As many of you know, for PCI and NIST, it is required to have a complex password and/or multi-factor authentication in use at the user's endpoint.

With "Windows Hello" the end user has the option to use a 4-digit PIN to log on to the workstation, facial recognition, or a password. The end user can choose which one to use.

Now, the PIN is only associated with that workstation, but I would expect the 4-digit PIN to be less secure than a complex password. Any walk-by user with knowledge of a 4-digit PIN would have an easy logon.

Does the 4-digit PIN 'Windows Hello' method meet the password complexity requirement for these and other compliance requirements?

1 Reply
Community Champion

Re: Windows Hello and Compliance


@kloset wrote:

Hi,

As companies are adopting "Windows Hello", I would like some feedback on how it's viewed for compliance.


Can't comment directly on PCI-DSS, but rather than equating Hello to password practices, equate it to a phone unlock. Like a phone, Hello is device local (as @kloset notes), disables PIN/biometric authentication after a few failures and requires alternate credentials (i.e. an AD password) to restore normality. Microsoft has a pretty good Q&A explaining how they believe PINs and passwords differ.

One really cool thing is that Hello bifurcates your attack surface. If somebody shoulder-surfs a PIN, the bad actor has not gained the ability to log in to your network accounts or RDP into your workstation. Plus, since users are entering their AD password less often, there are fewer opportunities for its compromise.

It is possible to set Hello complexity requirements, just as one does for a password. That said, there is a balance between data protection and user satisfaction. By keeping drag low on common activities such as unlocking workstations, one can more easily sell other improvements such as shorter screen-lock timers, longer AD passwords and use of MFA when remote. In my organization, we did up the requirement to 6 digits to prevent years ("2019") and simple keyboard patterns ("0258", "74123").
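The reply's own weak-PIN classes (too short, a year, a simple keypad pattern such as "0258" or "74123") can be turned into a screening rule. The following is an added example written for this thread, not Windows or Microsoft code: it assumes a 6-digit minimum as the reply describes, and it adds a constant-step check (123456, 000000) that the reply does not mention, using a PC numpad and a phone-style keypad layout to detect walks.

```python
"""Screen a numeric Windows Hello PIN for the weak classes the reply names
(too short, a year, a keypad walk) plus constant-step sequences.
Added example; not Windows or Microsoft code."""
import re

MIN_LEN = 6  # the reply's raised minimum (assumed policy value)

# Keypad layouts, top row first.  "0258" is a column on the PC numpad and
# "74123" an L-shaped walk across it.  The phone layout catches the same
# kind of walk typed on a handset-style keypad.
NUMPAD = ["789", "456", "123", " 0 "]
PHONE = ["123", "456", "789", " 0 "]


def _coords(layout):
    return {ch: (r, c) for r, row in enumerate(layout)
            for c, ch in enumerate(row) if ch != " "}


def is_keypad_walk(pin, layout):
    """True if every consecutive pair of digits is adjacent on the layout."""
    if len(pin) < 3:
        return False
    pos = _coords(layout)
    return all(max(abs(pos[a][0] - pos[b][0]), abs(pos[a][1] - pos[b][1])) == 1
               for a, b in zip(pin, pin[1:]))


def is_sequence(pin):
    """Repeated digit or constant step mod 10: 000000, 123456, 97531."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(steps) == 1


def is_year(pin):
    return re.fullmatch(r"(19|20)\d\d", pin) is not None


def check_pin(pin):
    """Return [] if the PIN passes, else the list of reasons it fails."""
    if not pin.isdigit():
        return ["not numeric"]
    reasons = []
    if len(pin) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} digits")
    if is_year(pin):
        reasons.append("looks like a year")
    if is_sequence(pin):
        reasons.append("repeated digit or constant step")
    if is_keypad_walk(pin, NUMPAD) or is_keypad_walk(pin, PHONE):
        reasons.append("keypad walk")
    return reasons
```

Windows Hello itself enforces only the length and character-class settings exposed by policy; a screen like this belongs in user guidance or a self-service tool, not in the logon path.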