cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue

markrwdn
Copper Contributor

‎May 27 2020 09:07 AM

‎May 27 2020 09:07 AM

Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue

To clarify my scenario, I'm looking to distribute 100 Laptops to users in a few months. I like Windows Hello for Business's biometrics functionality with TPM chips; I'm sure users would love its ability to unlock a screen in less than a second with a fingerprint. But I have issues with the PIN(s).

 

Here's the use case: a user is sent a Laptop, which is enrolled in Azure through InTune and Autopilot.

 

As part of the initial sign-in procedure the user is prompted to enter a PIN for their Windows account. This can only be numbers. This, I’m told, is unavoidable, if we want to take advantage of the other benefit of Windows Hello, such as the Biometrics (unlocking a PC with a fingerprint). I am aware that this PIN can ONLY be used on this device.

 

Once the user is signed in, the Bitlocker automated encryption process is automatically triggered on their device. The user is then requested to create ANOTHER PIN that will allow the hard drive to be unlocked on startup, which – again – can only be numbers. Similarly, I am aware that this PIN can also only be used on this device. We want Bitlocker configured; I can see hacking attempts once Windows is booted fully becoming more frequent.

 

My problem is that I find it hard to believe with any degree of likelihood that a user is not expected to use the same combination of numbers for both of these PINs and – as a result – this nullifies any two-factor authentication benefits to having a Bitlocker PIN on the device. Worse, it allows people local access to desktop and files just by knowing one PIN, even when booting the machine from cold. This is, if anything, less secure than having a Password on its own to unlock the device – the PIN in either case scenario cannot be set to expire.

 

My question is, are Microsoft looking to remove the requirement for a PIN from Windows Hello for Business at any time in future because – if not – I don’t feel comfortable using it if access to devices can be achieved in such a simple way. I was hoping that being able to accommodate (and, if anything, mandate) non-numerical characters in Bitlocker PINs – as is the case with devices that are registered with a local Domain Controller, but for some reason not in Azure – may help compensate for this, but I am told this is not the case.

 

It's not even possible to block the PIN as an option on first login after a cold boot.

 

Mark

12K Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Dave_Shay (Microsoft)
JanBakkerOrphaned

‎May 29 2020 06:58 AM

‎May 29 2020 06:58 AM

Solution

Re: Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue

@markrwdn I understand your gutfeeling. Let me try to take some of that away:

 

1. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.

JanBakker330_0-1590759656387.png

 

2. Keep in mind: physical access to the device is already a breach. You should have other methods in place in case a device is stolen or lost (remote wipe) When I lose my MasterCard, an honest finder "just" has to guess my PIN to steal all my money. Same thing... 

3. Using a PIN in WHfB is not multi-factor authentication. It's to replace your password. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-p...

4. Bitlocker and WHfB rely on TPM  and have anti-hammering to lock the device when somone tries to spoof the PIN. 

 

1 Like
Reply
ThatGirlDiana

‎Aug 10 2022 07:17 AM

‎Aug 10 2022 07:17 AM

Re: Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue

@JanBakkerOrphaned I'm looking for support documentation that discusses the affects of Bitlocker implementation, updates, changes and removal from enrolled Windows HfB users (enterprise level)

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Dave_Shay (Microsoft)
JanBakkerOrphaned

‎May 29 2020 06:58 AM

‎May 29 2020 06:58 AM

Solution

Re: Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue

@markrwdn I understand your gutfeeling. Let me try to take some of that away:

 

1. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.

JanBakker330_0-1590759656387.png

 

2. Keep in mind: physical access to the device is already a breach. You should have other methods in place in case a device is stolen or lost (remote wipe) When I lose my MasterCard, an honest finder "just" has to guess my PIN to steal all my money. Same thing... 

3. Using a PIN in WHfB is not multi-factor authentication. It's to replace your password. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-p...

4. Bitlocker and WHfB rely on TPM  and have anti-hammering to lock the device when somone tries to spoof the PIN. 

 

View solution in original post

1 Like
Reply