ConstantinoTobio You said you had multiple security incidents related to PINs being shoulder surfed. That implies someone knew they or someone else had been shoulder surfed and then reported it to make an incident out of it.
Windows Hello is phishing resistant since the PIN cannot be used remotely to access resources. Microsoft includes Windows Hello in their short list of phishing-resistant authentication methods.
If a password is shoulder surfed, phished, or captured via keylogging on any device, it could potentially be used remotely by an attacker on other devices. This is not true for the PIN.
If accounts being compromised via shoulder surfing are a recurring problem in your environment, you can cure that by disabling both password and Windows Hello use and requiring everyone to use FIDO2 security keys and smart cards.
A long PIN does help because it discourages use of the PIN instead of biometrics (why would they regularly type a 20-character PIN when they have biometrics available?), and a longer PIN is more difficult for someone watching to shoulder surf and memorize without writing it down.
The long PIN would likely never get used except for initial biometric setup or if there was an issue with the biometrics.
The device can also be “brazenly stolen out of their hands” while already unlocked and in use. Then what?