Windows Hello is a feature of Windows that allows users to configure PIN on each of their workstations that can be used to sign into Windows instead of the password, although signing in with a password is still possible on that same workstation. In addition to a PIN, users can also use other passwordless methods to sign into Windows, such as a fingerprint scan or facial recognition (biometrics).
Windows Hello is not available on computers that do not have Trusted Platform Module (TPM) and computers that have shared PC mode enabled, such as classroom or lab computers or shared office computers.
The introduction of new passwordless authentication methods as of May 1st, 2023 is a security measure aiming to keep your data and that of the University’s more secure. This is a first step on the road to eliminate passwords in not-so-distant future to make our IT environment immune to attacks involving compromised accounts. With the introduction of passwordless sign-in methods, University applications and data remain secure, while users enjoy a more seamless and secure experience when signing in on their devices.
Set Up Your PIN
The first step to enable Windows Hello on your administered workstation is to set up a numeric PIN on it. You can initiate this process by going to Windows Settings and selecting Accounts then Sign-in Options and clicking on Windows Hello PIN.
After May 1st, 2023, you may be prompted after signing into Windows with a message that says Your organization requires you to set up your work or school account with Windows Hello Face, Fingerprint, or PIN. You will not be able to dismiss or bypass this message.
On the next screen, you will need to complete the MFA challenge to verify your identity.
Finally, you will be asked to select your PIN by entering it twice.
Keep these in mind while selecting your PIN:
- Has to be at least 6 digits long and no more that 12 digits long.
- Cannot contain any letters or other characters. Only digits are allowed.
- Will work only on that device. If you have other devices where you want to use Windows Hello, you will need to repeat this procedure to set up a PIN on them, which does not have to be the same as the PIN on this device but it can be the same if you want to (i.e. there is no security risk in having the same PIN on all of your devices).
- Changing your PIN on one device does not affect your PIN on other devices because PINs are stored inside a TPM chip on each device and do not synchronize with each other.
- Unlike your UWin Account password, your PIN will never expire.
Why create a Windows PIN in the first place when you already have a password? There are several reasons.
- A PIN is required as a prerequisite and a backup authentication method, if you try to enable any of the other Windows Hello authentication methods, such as fingerprint scan or facial recognition.
- A PIN is easier to remember than a password because a PIN is inherently more secure than a password, therefore, it does not have to be as complex and long as a password. Passwords are transmitted to and stored on a server, so they're exposed beyond your device. A PIN is saved on and is local to your computer or device and cannot be used elsewhere. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they would have to steal your computer, too, in order to use your PIN. Since your Windows Hello PIN is stored within the Trusted Platform Module (TPM) on your device, it is protected against brute-force attacks and other hacking methods.
NOTE: The option to configure PIN may not be available on some computers that were upgraded from an older version of Windows 10. This is due to the fact that in older versions of Windows 10 Windows Hello feature was disabled by default. When you go to Windows Settings and click on Accounts then Sign-in Option, you may see that a button to add a PIN under Windows Hello PIN may be grayed out and a message "This setting is managed by your organization. Contact your admin for more info" is displayed.
If this is affecting your computer, please open a ticket.
Use Sign-in Options
Once you use your PIN to sign into Windows for the first time, your Windows login page will remember your choice and will start defaulting to PIN sign-in option although signing in with a password is still possible for the time being. In order to sign in with a password, you will first need to click on the Sign-in Options link and then click on the icon with a key on it.
Additional Reference