Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue

%3CLINGO-SUB%20id%3D%22lingo-sub-1421086%22%20slang%3D%22en-US%22%3EWindows%20Hello%20for%20Business%20and%20Bitlocker%20-%20By-design%20Security%2FFactor%20Authentication%20Issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1421086%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20clarify%20my%20scenario%2C%20I'm%20looking%20to%20distribute%20100%20Laptops%20to%20users%20in%20a%20few%20months.%20I%20like%20Windows%20Hello%20for%20Business's%20biometrics%20functionality%20with%20TPM%20chips%3B%20I'm%20sure%20users%20would%20love%20its%20ability%20to%20unlock%20a%20screen%20in%20less%20than%20a%20second%20with%20a%20fingerprint.%20But%20I%20have%20issues%20with%20the%20PIN(s).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20the%20use%20case%3A%20a%20user%20is%20sent%20a%20Laptop%2C%20which%20is%20enrolled%20in%20Azure%20through%20InTune%20and%20Autopilot.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20part%20of%20the%20initial%20sign-in%20procedure%20the%20user%20is%20prompted%20to%20enter%20a%20PIN%20for%20their%20Windows%20account.%20This%20can%20only%20be%20numbers.%20This%2C%20I%E2%80%99m%20told%2C%20is%20unavoidable%2C%20if%20we%20want%20to%20take%20advantage%20of%20the%20other%20benefit%20of%20Windows%20Hello%2C%20such%20as%20the%20Biometrics%20(unlocking%20a%20PC%20with%20a%20fingerprint).%20I%20am%20aware%20that%20this%20PIN%20can%20%3CSTRONG%3EONLY%3C%2FSTRONG%3E%20be%20used%20on%20this%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOnce%20the%20user%20is%20signed%20in%2C%20the%20Bitlocker%20automated%20encryption%20process%20is%20automatically%20triggered%20on%20their%20device.%20The%20user%20is%20then%20requested%20to%20create%20ANOTHER%20PIN%20that%20will%20allow%20the%20hard%20drive%20to%20be%20unlocked%20on%20startup%2C%20which%20%E2%80%93%20again%20%E2%80%93%20can%20only%20be%20numbers.%20Similarly%2C%20I%20am%20aware%20that%20this%20PIN%20can%20also%20only%20be%20used%20on%20this%20device.%20We%20want%20Bitlocker%20configured%3B%20I%20can%20see%20hacking%20attempts%20once%20Windows%20is%20booted%20fully%20becoming%20more%20frequent.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20problem%20is%20that%20I%20find%20it%20hard%20to%20believe%20with%20any%20degree%20of%20likelihood%20that%20a%20user%20is%20not%20expected%20to%20use%20%3CEM%3Ethe%20same%20combination%20of%20numbers%20%3C%2FEM%3Efor%20both%20of%20these%20PINs%20and%20%E2%80%93%20as%20a%20result%20%E2%80%93%20this%20nullifies%20any%20two-factor%20authentication%20benefits%20to%20having%20a%20Bitlocker%20PIN%20on%20the%20device.%20Worse%2C%20it%20allows%20people%20local%20access%20to%20desktop%20and%20files%20%3CEM%3Ejust%20by%20knowing%20one%20PIN%2C%20%3C%2FEM%3Eeven%20when%20booting%20the%20machine%20from%20cold.%20This%20is%2C%20if%20anything%2C%20less%20secure%20than%20having%20a%20Password%20on%20its%20own%20to%20unlock%20the%20device%20%E2%80%93%20the%20PIN%20in%20either%20case%20scenario%20cannot%20be%20set%20to%20expire.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%2C%20are%20Microsoft%20looking%20to%20remove%20the%20requirement%20for%20a%20PIN%20from%20Windows%20Hello%20for%20Business%20at%20any%20time%20in%20future%20because%20%E2%80%93%20if%20not%20%E2%80%93%20I%20don%E2%80%99t%20feel%20comfortable%20using%20it%20if%20access%20to%20devices%20can%20be%20achieved%20in%20such%20a%20simple%20way.%20I%20was%20hoping%20that%20being%20able%20to%20accommodate%20(and%2C%20if%20anything%2C%20mandate)%20non-numerical%20characters%20in%20Bitlocker%20PINs%20%E2%80%93%20as%20is%20the%20case%20with%20devices%20that%20are%20registered%20with%20a%20local%20Domain%20Controller%2C%20but%20for%20some%20reason%20not%20in%20Azure%20%E2%80%93%20may%20help%20compensate%20for%20this%2C%20but%20I%20am%20told%20this%20is%20not%20the%20case.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20not%20even%20possible%20to%20block%20the%20PIN%20as%20an%20option%20on%20first%20login%20after%20a%20cold%20boot.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMark%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1421086%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Hello%20for%20Business%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1426648%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Hello%20for%20Business%20and%20Bitlocker%20-%20By-design%20Security%2FFactor%20Authentication%20Issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426648%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F482847%22%20target%3D%22_blank%22%3E%40markrwdn%3C%2FA%3E%26nbsp%3BI%20understand%20your%20gutfeeling.%20Let%20me%20try%20to%20take%20some%20of%20that%20away%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Originally%2C%20BitLocker%20allowed%20from%204%20to%2020%20characters%20for%20a%20PIN.%20Windows%20Hello%20has%20its%20own%20PIN%20for%20logon%2C%20which%20can%20be%204%20to%20127%20characters.%20Both%20BitLocker%20and%20Windows%20Hello%20use%20the%20TPM%20to%20prevent%20PIN%20brute-force%20attacks.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JanBakker330_0-1590759656387.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195357i15BC178D0B9388C5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22JanBakker330_0-1590759656387.png%22%20alt%3D%22JanBakker330_0-1590759656387.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20Keep%20in%20mind%3A%20%3CSTRONG%3Ephysical%20access%3C%2FSTRONG%3E%20to%20the%20device%20is%20already%20a%20breach.%20You%20should%20have%20other%20methods%20in%20place%20in%20case%20a%20device%20is%20stolen%20or%20lost%20(remote%20wipe)%20When%20I%20lose%20my%20MasterCard%2C%20an%20honest%20finder%20%22just%22%20has%20to%20guess%20my%20PIN%20to%20steal%20all%20my%20money.%20Same%20thing...%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20Using%20a%20PIN%20in%20WHfB%20is%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20multi-factor%20authentication.%20It's%20to%20replace%20your%20password.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fidentity-protection%2Fhello-for-business%2Fhello-why-pin-is-better-than-password%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fidentity-protection%2Fhello-for-business%2Fhello-why-pin-is-better-than-password%3C%2FA%3E%3C%2FP%3E%3CP%3E4.%20Bitlocker%20and%20WHfB%20rely%20on%20TPM%26nbsp%3B%20and%20have%20anti-hammering%20to%20lock%20the%20device%20when%20somone%20tries%20to%20spoof%20the%20PIN.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Visitor

To clarify my scenario, I'm looking to distribute 100 Laptops to users in a few months. I like Windows Hello for Business's biometrics functionality with TPM chips; I'm sure users would love its ability to unlock a screen in less than a second with a fingerprint. But I have issues with the PIN(s).

 

Here's the use case: a user is sent a Laptop, which is enrolled in Azure through InTune and Autopilot.

 

As part of the initial sign-in procedure the user is prompted to enter a PIN for their Windows account. This can only be numbers. This, I’m told, is unavoidable, if we want to take advantage of the other benefit of Windows Hello, such as the Biometrics (unlocking a PC with a fingerprint). I am aware that this PIN can ONLY be used on this device.

 

Once the user is signed in, the Bitlocker automated encryption process is automatically triggered on their device. The user is then requested to create ANOTHER PIN that will allow the hard drive to be unlocked on startup, which – again – can only be numbers. Similarly, I am aware that this PIN can also only be used on this device. We want Bitlocker configured; I can see hacking attempts once Windows is booted fully becoming more frequent.

 

My problem is that I find it hard to believe with any degree of likelihood that a user is not expected to use the same combination of numbers for both of these PINs and – as a result – this nullifies any two-factor authentication benefits to having a Bitlocker PIN on the device. Worse, it allows people local access to desktop and files just by knowing one PIN, even when booting the machine from cold. This is, if anything, less secure than having a Password on its own to unlock the device – the PIN in either case scenario cannot be set to expire.

 

My question is, are Microsoft looking to remove the requirement for a PIN from Windows Hello for Business at any time in future because – if not – I don’t feel comfortable using it if access to devices can be achieved in such a simple way. I was hoping that being able to accommodate (and, if anything, mandate) non-numerical characters in Bitlocker PINs – as is the case with devices that are registered with a local Domain Controller, but for some reason not in Azure – may help compensate for this, but I am told this is not the case.

 

It's not even possible to block the PIN as an option on first login after a cold boot.

 

Mark

1 Reply
Highlighted

@markrwdn I understand your gutfeeling. Let me try to take some of that away:

 

1. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.

JanBakker330_0-1590759656387.png

 

2. Keep in mind: physical access to the device is already a breach. You should have other methods in place in case a device is stolen or lost (remote wipe) When I lose my MasterCard, an honest finder "just" has to guess my PIN to steal all my money. Same thing... 

3. Using a PIN in WHfB is not multi-factor authentication. It's to replace your password. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-p...

4. Bitlocker and WHfB rely on TPM  and have anti-hammering to lock the device when somone tries to spoof the PIN.