Hi,
As companies are adopting "Windows Hello", I would like some feedback on how it's viewed for compliance.
As many of you know, for PCI and NIST, it is required to have a complex password and/or multi-factor authentication in use at the user's endpoint.
With "Windows Hello" the end user has the option to use a 4 digit pin to logon to the workstation, facial recognition, or a password. The end user can choose which one to use.
Now, the PIN is only associated to that workstation, but I would expect the 4 digit PIN to be less secure than a complex password. Any walk-by user with knowledge of a 4 digit PIN would be an easy logon.
Does the 4 digit pin 'Windows Hello' method meet the password complexity requirement for these and other compliance requirements?
@kloset wrote: Hi,
As companies are adopting "Windows Hello", I would like some feedback on how it's viewed for compliance.
Can't comment directly on PCI-DSS, but rather than equating Hello to password practices, equate it to a phone unlock. Like a phone, Hello is device local (as @kloset notes), disables PIN/biometric authentication after a few failures and requires alternate credentials (i.e. an AD password) to restore normality. Microsoft has a pretty good Q&A explaining how they believe PINs and passwords differ.
One really cool thing is that Hello bifurcates your attack surface. If somebody shoulder-surfs a PIN, the bad actor has not gained the ability to log in to your network accounts or RDP into your workstation. Plus, since users are entering their AD password less often, there are fewer opportunities for its compromise.
It is possible to set Hello complexity requirements, just as one does for a password. That said, there is a balance between data protection and user satisfaction. By keeping drag low on common activities such as unlocking workstations, one can more easily sell other improvements such as shorter screen-lock timers, longer AD passwords and use of MFA when remote. In my organization, we did up the requirement to 6 digits to prevent years ("2019") and simple keyboard patterns ("0258", "74123").
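To make the kind of PIN rules discussed in this reply concrete (a 6-digit minimum, rejecting years such as "2019" and keypad walks such as "0258" or "74123"), here is an added Python example; it is not from any poster and not Windows Hello code. The keypad layout and the rule names are my own construction.

```python
from datetime import date

# Numeric keypad layout, constructed for this example: (row, column) per key.
# The wide 0 key sits below 1 and 2, so it gets column 0.5 to touch both.
KEYPAD = {"7": (0, 0), "8": (0, 1), "9": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "1": (2, 0), "2": (2, 1), "3": (2, 2),
          "0": (3, 0.5)}


def is_keypad_walk(pin: str) -> bool:
    """True when every consecutive digit pair sits on touching keypad keys
    (diagonals and repeated keys count), e.g. '0258' (a column) or '74123'
    (an L shape). PINs containing non-digits are never keypad walks."""
    if len(pin) < 3 or not pin.isdigit():
        return False
    for a, b in zip(pin, pin[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        if max(abs(r1 - r2), abs(c1 - c2)) > 1:
            return False
    return True


def is_digit_sequence(pin: str) -> bool:
    """True for runs such as '123456' or '9876' (constant step of +1 or -1)."""
    if len(pin) < 3 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def contains_year(pin: str, newest: int = 0) -> bool:
    """True if any four-digit window reads as a year from 1900 up to `newest`
    (default: the current year), so '201984' is rejected as well as '2019'."""
    newest = newest or date.today().year
    return any(1900 <= int(pin[i:i + 4]) <= newest
               for i in range(len(pin) - 3) if pin[i:i + 4].isdigit())


def check_pin(pin: str, min_length: int = 6) -> list:
    """Return the rule names a candidate PIN breaks; an empty list means the
    PIN is acceptable under the rules discussed in the thread."""
    failures = []
    if len(pin) < min_length:
        failures.append("too_short")
    if contains_year(pin):
        failures.append("year")
    if is_keypad_walk(pin):
        failures.append("keypad_walk")
    if is_digit_sequence(pin):
        failures.append("sequence")
    return failures
```

A check like this belongs on the enrollment side (or in a policy review script), since Windows Hello itself only enforces length and character-class rules.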
Has anyone confirmed that Windows Hello PINs, let's say 8 digits, meet PCI/NIST requirements?
Here is my understanding:
MFA requires 2 methods or more using these 3 aspects
Windows Hello ties/binds pin to the single device, prevents using the PIN on other devices.
A PIN is something you know, no different from a password. To meet compliance, something you have (device with TPM chip) or something you are is still needed to meet MFA requirements.
This PIN would apply to the single user device with a TPM chip, but it does not meet the requirement in VDI environments, where passwords and MFA are still needed.
Windows PIN is something you know, which is no different from a password.
When coupled with Something you are and/or Something you have, the pin would meet the PCI/NIST requirements.
However, PIN complexity is subject to the same requirements: complexity, length, expiration, history.
This prevents shoulder surfing/walk-by password compromise. A 4 or 8 digit PIN does not meet this requirement.
You can require special characters, uppercase, lowercase, and digits in the Windows Hello configuration.