The Windows 10/11 Hello PIN works, but change is coming


    #2602121

    ISSUE 20.46 • 2023-11-13 PUBLIC DEFENDER By Brian Livingston A new Microsoft sign-in method — designed to replace today’s relatively insecure username
    [See the full post at: The Windows 10/11 Hello PIN works, but change is coming]

    • #2602125

      Microsoft added industry-standard “passkeys” to Windows 11 on September 26, 2023. Amazon officially adopted the method on October 23

      Apple was the first to develop and implement Passkeys in iOS 16… last year, Sep. 2022

    • #2602126

      There’s a caveat here that I don’t think you mentioned…

      Windows Hello PINs are indeed more secure than passwords

      This is only true if Windows Hello is being used on a device with a working TPM. If it is not, the PIN is very easily cracked.

      https://blog.elcomsoft.com/2022/08/windows-hello-no-tpm-no-security/

      • #2602233

        That’s a serious caveat that absolutely needs to be mentioned!

      • #2602347

        I disagree with Oleg Afonin’s article, which the previous comment links to. His method requires that someone possesses your PC and boots it using software that Afonin sells. The software uses brute force to break full-disk encryption, never mind an encrypted Hello PIN.

        As you know, if a malicious person has his hands on your PC, the game is over and you have lost. Lock it up.

        Also, Afonin says his method doesn’t work if a numeric Hello PIN is longer than 6 digits, or it includes even a single alphabetical character or symbol. In those cases, the attack must be performed offline on a dedicated machine, which can require hours.

        By the way, I don’t recommend Windows Hello, which is Microsoft-specific. I recommend W3C-compliant passkeys, which Microsoft began to support in Win11 with a September 2023 update. That’s the subject of my second column in the series, which will be published on Nov. 20, 2023.

    • #2602139

      So what happens if I try to log onto my PC when I have an internet outage? Or if there is a power cut and I try to use my laptop, which does not have mobile connectivity? Am I locked out for the duration?

      Chris
      Win 10 Pro x64 Group A

    • #2602143

      When I got my new phone, I was excited to see that it had fingerprint recognition as a means of access

      After a few weeks I stopped trying to log in using fingerprint recognition, because the stoopid thing stopped recognising my fingerprints

      When I got my new phone, I was also excited to see that it had face recognition as a means of access

      After a few weeks I stopped trying to log in using face recognition, because the stoopid thing stopped recognising my face

      I now log in with the time-honoured fashion of using a password. It has never stopped recognising THAT

      So, yeah, there’s always something new and sexy around the corner, trying to persuade us that the old ways are insecure and out of date, and we must UPGRADE NOW! OR ELSE! (Which is pretty much always the bottom line)


    • #2602147

      As a general rule we only use local user accounts when using Win 10.  We never use a Microsoft account.  Does that limit the use of a PIN code?

      And we often need to turn on the Remote Desktop feature of our Win 10 Pro PCs.  We found out the hard way that RDP does not work with PIN codes when we tried to implement a work from home solution using a VPN to connect to the office from the home, and then RDP to the user’s desktop computer.


      • #2602232

        I only use local accounts on my Windows devices. So I have the same question: is a PIN better than a password in that case?

        • #2602571

          A Hello PIN can be used locally to sign into a laptop or other device. Alternatively, instead of a PIN, one can use a fingerprint, voice command, facial recognition, and other methods.

          But Windows Hello is Microsoft-oriented and is designed to sign in to an Active Directory, Azure, and so forth.

          As I’ve stated elsewhere, I do not recommend Windows Hello. I recommend W3C-compliant passkeys. See the second part of my column, which AskWoody will publish on Nov. 20, 2023.

          • #2602751

            A Hello PIN can be used locally to sign into a laptop or other device. Alternatively, instead of a PIN, one can use a fingerprint, voice command, facial recognition, and other methods.

            I don’t think a voice command can be used to sign in. Can you confirm?

            • #2603142

              Both Windows 10 and 11 have voice recognition, which can be used to say a PIN verbally (to avoid typing on a small keyboard, for example).

              https://support.microsoft.com/en-us/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571#WindowsVersion=Windows_11

            • #2603150

              Both Windows 10 and 11 have voice recognition, which can be used to say a PIN verbally

              I believe that’s incorrect. Windows Copilot says:

              No, you cannot use voice recognition to enter a Windows PIN. A PIN is a numeric password that you can use to sign in to your device instead of a password. You need to type your PIN on the keyboard or the screen. Voice recognition is a feature that allows you to control your PC by voice after you sign in.

            • #2603242

              Passcape Software is an expert site that sells tools to recover Windows passwords. It stated regarding the initial release of Windows Hello:

              “Windows Hello is a brand-new biometrics technology that enables users to authenticate to their Windows 10 devices with just a fingerprint, iris scan, facial or voice recognition.”

              Let me reiterate that I do not recommend Windows Hello. I recommend W3C-compliant passkeys, which Microsoft added support for in Windows 11 via a September 2023 update.

            • #2603420

              Passcape Software is an expert site that sells tools to recover Windows passwords. It stated regarding the initial release of Windows Hello:

              “Windows Hello is a brand-new biometrics technology that enables users to authenticate to their Windows 10 devices with just a fingerprint, iris scan, facial or voice recognition.”

              They don’t mention voice recognition in their much more recent documentation [02.09.2022]:

              What is Windows Hello biometrics?

              Unlike a common password authentication, Windows Hello biometrics is a new, easy and supposedly safer way to sign into Windows using your unique physical characteristics. The Windows Hello was first introduced in Windows 10 and included fingerprint and face recognition technology.

              The Windows Hello allows users to securely log into devices that have the necessary hardware components without having to type a password. You will have to work hard to forget or alter your biometric data, because it’s an integral part of your personal identity. Moreover, the biometric authentication, either facial recognition or fingerprint scanning, is more convenient and faster compared to the process of typing a password.

              https://www.passcape.com/index.php?section=blog&cmd=details&id=43#:~:text=Azure%20AD%20ones.-,What%20is%20Windows%20Hello%20biometrics%3F,convenient%20and%20faster%20compared%20to%20the%20process%20of%20typing%20a%20password.,-What%20is%20DPAPI

              Nor does Microsoft [02/21/2023]:

              Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device.

              How does Windows Hello work?


              Let me reiterate that I do not recommend Windows Hello.

              Please give us a clue why.

    • #2602141

      Being a sometimes thick old dude, I can’t visualize the steps or screens involved in the new PIN sign-in process. My laptops’ current bootup screens show my name under the (empty) picture circle and below that a white box to enter my password and then my desktop screen appears.

      My desktop PC boots straight to the desktop screen every morning when I start my news browsing, no password request involved. I live way out in the country with only one nearby neighbour so I’m not worried about someone directly accessing my computers. The password-less  bootup saves me time and brain cells, and one of my minor worries is that an update may suddenly require a daily password entry and I have no idea of how to return to the current no-sign-in process. I assume I’ve configured the appropriate bypass settings but I’ve long since forgotten where to find them. And I’m reluctant to look for them and possibly complicate stuff . . .

      The laptop my wife uses requires a password but mine does not and obviously has the same non-sign-in settings as my PC. Again, I have no idea why or how.

      My Win 10 PC (and probably the two laptops, all updated faithfully on Susan’s monthly OK) does have the Hello PIN option available so I could go for it, but I’d like a picture sequence showing the steps in the coming newsletter. Figure 3 is no doubt clear enough to the more technically minded and experienced readers but “Intranet Resource” and “authentication token” go way over my head, WAY over!

      • #2602153

        OK, what did I do to end up waiting for moderation for so long? Did I earn my way on to a watch list? There’s no swearing or inappropriate references in this entry as far as I know, so what’s up?

      • #2602333

        I’m assuming you are on Win 10 but this may be the same in Win 11:

        If you are using a Local account rather than a Microsoft account and you want to remove the password requirement from your desktop PC, go to Settings>Accounts>Sign-in options. Then Click on the “Password” selection with the “Key” icon. Then click on the “Change” button. You will get a window where you must put in your current password and click “Next”. You will then get a window for entering a new password and a hint. Leave all of this blank and click “Next”. Next time you restart your PC it should sign you in without entering any password. (If you are using a Microsoft account, then I’m not the one to help as I don’t have any of my machines set up that way…)

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      • #2605744

        My desktop PC boots straight to the desktop screen every morning when I start my news browsing, no password request involved.

        Sysinternals Autologon is what I use, which, if I am understanding it correctly, secures your computer but still allows autologon for a local user.
        Please someone correct me if this is wrong, as it seems to be an important point.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
    • #2602173

      Hi Brian – thanks for the article.

      I’m a little confused; if I begin to use the Hello (PIN code) method to login to my laptop, and want to use it for other sites (Paypal, etc.), I’m assuming that I will have to set up a separate (different) PIN code for each of those services. That is, instead of having to remember lots of username/password combinations, I’ll have to remember all of my PIN codes, right? Or does the one being used by Windows get used with those other services?

      Thank you for your expertise and guidance.

      • #2602303

        See Part 2 of my series on Nov. 20, 2023, which will answer this and other questions. In short, with W3C/FIDO-compliant passkeys (which Microsoft in September added to Windows 11) you only need to set up one authorization method. It can be a PIN up to 127 characters in length or a biometric method. You do not need to set up a different method for each different website or resource you sign in to.

    • #2602270

      Add me to the list of those wondering if this would even work if I don’t use a Microsoft account.  Sorry, but as far as trust with my personal information goes I have Microsoft on the same shelf as Google and Facebook!

      I notice someone mentioned having trouble with biometric identification, which leads nicely into my next point.  I’d like to see an article sometime — if it’s been written somewhere and somebody can point me to it that’s fine — about how reliable biometrics are.  When I was being fingerprinted for my security clearance 45 years ago, the technician observed that I must work with paper a lot since I had so many minuscule cuts.  That can only have increased over time; will that affect fingerprint recognition?  I have both a cataract and a tumor in one eye.  Will they affect a retinal scan?  Even a DNA test wouldn’t be 100% foolproof (one’s DNA can change over time — granted, only a tiny-beyond-tiny bit, but what if it’s the bit that happens to get tested?).

    • #2602314

      It may be more secure, but… yeah, not digging it.

      To beat a dead horse, authentication methods are something you either are, know, or have.  Passkeys cleverly combine all three in a way – your phone, your fingerprint or face, your PIN, all on your side of the Internet.

      Problem is almost that it’s too secure.  Passwords are device-agnostic and as a concept cannot ever be tied to one proprietary set of hardware.  Since the authentication information (theoretically) never leaves the device, passkeys enforce trusted devices – you HAVE to have a device on you at all times to access anything.  So if you’re homeless, or your house burned down, or someone stole everything including your shirt and shoes, you are absolutely screwed now, not just almost-definitely screwed.  And that’s catastrophes.  Phones break all the time.  If your one trusted device starts acting up and needs to be repaired for a few days, you are still SOL.  It’s pretty classist to assume that someone can afford multiple devices when most Americans can’t cover a $500 emergency, of which this is one!

      Ah, but in case of emergency, use a backup code, you say?  How ingenious.  Something that is basically a glorified password, only even worse because it’s usually just numeric, and you never use it so you are less likely to remember it than a password, and you probably kept it on your device, or on a slip of paper in your house which you are now locked out of because the phone that unlocks the house was stolen.  Or it burned down.  Or your safe was robbed.  Why didn’t I think of that.

      So yes, passkeys may be more secure.  I also see them as a way to tie people to proprietary software and hardware systems, destroy truly “anonymous” accounts, and push all security responsibility onto the end-user in an era where the phrase “customer service” is its own punchline.

    • #2602335

      I used a pin a few years ago on win10. I forget why I stopped. When I installed win11 23H2 a few weeks ago it asked me to set a pin which I did.

      - Thinkpad P15s Gen1 20T4-002KUS, i7-10510U, UEFI/GPT, 16GB, Sammy 500GB M.2. others. - Mint 21.2 Xfce w Vbox-win10 for most, Mint 21.2 Cinn Edge w wine for games, Win 11 Pro 23H2 WU. HP laserjets M254dw & P1606dn, Epson 2480 scanner. External monitor Dell S3221QS.

    • #2602342

      I have many of the same concerns as Average-Jane and others. I certainly see the value in passwordless authentication especially for corporate enterprise situations where security is tantamount. For the use case as an individual, there seem to be other difficulties trying to go passwordless:

      Hardware requirements like TPM or a Yubikey. I want portability to sign in from other devices than just my own. I looked at Yubikey and similar USB devices. They were expensive. They can break or get lost, so at least one duplicate is almost a necessity – increasing the cost substantially. Some while ago I checked a listing of which sites support sign-in via a FIDO key and found only a very limited number of sites that I actually use, so the uptake of this technology isn’t as widespread as I’d like. I’d still have to use username/password sign-ins at most sites. I looked at the link of sites that support the “passkey” technology and only found 8 sites that I use – again leaving the great majority of my sign-ins not supported. Is there a site somewhere listing all the sites that will accept Windows Hello authentication?

      I certainly have much more to learn about efforts at passwordless authentication technologies. I hope a universal standard emerges that has near universal uptake. I do understand the insecurities of using passwords but I’m not especially keen on relying on a centralized third-party ‘overlord’ deciding if I’m a trusted user before allowing me to sign in to my accounts. At least until I fully understand how it all works and how much of my agency I’m turning over to them. One ring to rule them all? 😉

      At present, I’m comfortable with my self-hosted, encrypted password manager, using extremely long random passwords unique to each site, disallowing any saving of sign-ins in browsers, routinely checking all passwords against the ‘Have I Been Pwned’ database, enabling 2-factor notifications for sign-ins wherever possible and practicing good internet hygiene.

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #2602377

      I disagree. This is a half-baked, substandard implementation designed to placate those users that are less technically inclined. There is nothing inherently wrong with a strong password. Saying there is because you have a newer method does not make it so.

      In most countries one cannot be compelled to provide their password without a court order. In some cases where you’re asked or compelled to provide and you refuse they simply cannot gain access if the password is strong enough. If you have it set to use biometrics they simply have to pass the device in front of your face or have you touch it and there you go. Criminal or Court or Law Enforcement has 100% FULL access. Now tell me that’s more secure and I have a bridge to sell you I got cheap from San Francisco.


      • #2603883

        There is nothing inherently wrong with a strong password. Saying there is because you have a newer method does not make it so.

        Passwords are transmitted via internet and stored on servers (unlike passkeys).

        • #2603944

          With HTTPS Everywhere enabled in one’s browser, internet traffic both ways is encrypted, including userid and password, using TLS/SSL public/private keys.  One must specifically bypass HTTPS Everywhere in order to visit any plain HTTP site.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2602464

      We never use a Microsoft account. Does that limit the use of a PIN code?

      Like the others in this thread who’ve asked this question (which has not yet been answered) does Windows Hello work when you only have a local account?

      • #2603442

        Like the others in this thread who’ve asked this question (which has not yet been answered) does Windows Hello work when you only have a local account?

        Yes.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2602542

      Brian,

      I used to be able to use Windows Hello (fingerprint biometric method) on my ThinkPad while using a local account. However, I found that updating from Windows 11 Pro 22H2 to Windows 11 Pro 23H2 broke this; I’m now having to use my password for the account again, as it somehow removed the PIN and my fingerprint data during the upgrade and I haven’t been able to set it up again.

      Has this been your experience? I’m reluctant to upgrade any more systems than this one (which I used for test) until I’ve heard more, and I haven’t seen anyone else discuss this via searches. I don’t mind using a Microsoft account to sign into a few services, but I definitely don’t want it on my system; be it my Microsoft 365 tenant Azure account, or an Outlook.com account, I’ve found it breaks things for me (the Azure method in particular breaks connection to my local Synology NAS’s SMB shares for some reason, and I found this is actually a Microsoft issue that has never been fixed).

      We are SysAdmins.
      We walk in the wiring closets no others will enter.
      We stand on the bridge, and no malware may pass.
      We engage in support, we do not retreat.
      We live for the LAN.
      We die for the LAN.

      • #2602569

        As I’ve stated above, I do not recommend Windows Hello. I recommend W3C-compliant passkeys. Be sure to read Part 2 of my column, which AskWoody will publish on Nov. 20, 2023. The topic had to be split into two parts, one week apart. I understand that the wait is inconvenient.

        • #2602752

          I do not recommend Windows Hello

          You’ve said that three times now in this topic, but your article explained detailed steps for creating a Windows Hello PIN under the heading, “Windows Hello PINs are indeed more secure than passwords” without any hint that you didn’t recommend it.

          Clearly passkeys provide more flexibility, but they’re still protected by Windows Hello:

          With passkeys, you can use Windows Hello to sign in with a PIN, facial recognition, or fingerprint, making the authentication process faster and more convenient than ever before.

          By default, Windows offers to save the passkey locally if you’re using Windows Hello.

          the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)

          If a passkey is stored locally and protected by Windows Hello, you’re prompted to use Windows Hello to sign in.

          Passkeys in Windows (Windows 11)

          Please explain why you now say, “I do not recommend Windows Hello” (with or without passkeys).

    • #2603246

      I have four Windows 11 Pro installations (dual boot, laptop and NAS).  I’ve never had a Microsoft account on any of these.  I use a different PIN for each of them.  I use RDP for my NAS, and that requires that I use my password.  If I’m on my NAS directly, I can use the PIN.

      My Android phone uses my fingerprint, with a PIN fallback if I have 5 unsuccessful tries, or if I haven’t unlocked it for several hours (I haven’t timed that).  My passwords are a personal code, easy for me to remember but rated as very strong.

      No one gets easy direct access to any of my devices, with the possible exception of my cell phone (pickpocket), and that requires one of my fingers to access, or the PIN, and good luck with that one.

      I simply don’t feel the need for anything more elaborate than my current regimen, nor do I consider it less secure than passkeys, etc.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

      • #2603365

        nor do I consider it less secure than passkeys

        Passkeys cannot be inadvertently entered at malicious phishing sites and aren’t stored on servers where passwords are vulnerable to data breach:

        Should You Use Passkeys Instead of Passwords?

        Passkey vs. Password: Which Is Right for You?

        • #2603371

          Passkeys cannot be inadvertently entered at malicious phishing sites and aren’t stored on servers where passwords are vulnerable to data breach:

          Passwords cannot be inadvertently entered at malicious phishing sites one does not visit, either.  My Outlook settings will not allow any site to be visited by clicking on a link in an email.  Phishing is not a concern for me.

          Should You Use Passkeys Instead of Passwords?

          “Passkeys—developed by Apple, Google, Microsoft, and others—are an alternative to passwords, and they provide robust protection against phishing attacks and website breaches.”

          I don’t use Apple, Google, or Microsoft (other than Windows Updates and OneDrive), and I’m already sufficiently  protected against phishing attacks and website breaches.

          Passkey vs. Password: Which Is Right for You?

          “Passkeys validate you based on you proving that you own the authorized device rather than you knowing the correct password.”

          I am not concerned about passwords being vulnerable to data breach, as the financial sites with which I do business on a regular basis also incorporate my device identity into the login procedure.  If I restore a drive image and later visit such a site, my device is not recognized, 2FA is automatically initiated, and I must confirm my identity and device via a randomly generated PIN/code sent to my cell phone.

          I simply don’t feel the need for anything more elaborate than my current regimen, nor do I consider it less secure than passkeys, etc.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

          • #2603836

            I very much agree with you. Using the newer passkey FIDO that allows multi-tenant login is sort of like SSO single sign-on for the corporate world. It is not “stronger”; it simply allows those less inclined to good security practices to be able to login to multiple systems with it. If or when that device is ever compromised the attacker will now have 100% access to everything you have access to as well. If you’re in charge and using a password and MFA/2FA that is different on every site, that is more secure. If one is compromised it’s only that one and not all, as it would be with passkey.

            You can see my reply above about using biometrics as well, which is even worse and lowers the security.

            https://www.w3.org/2022/09/TPAC/demos/passkeys.html


            • #2603879

              Passkeys are different for each site (as explained at your link).

            • #2603995

              The article says it can be shared with multiple sites. That does not sound like separate to me. The image even shows the same token being provided to other sites.

              It might be possible to have a single passkey for each site but many people won’t do that.

              It’s still sending a token. Who really cares if it’s a token or a password. There is no method that is 100% safe. If the token is compromised then the account can be compromised.

            • #2604016

              With passkeys, the authentication token is different every time you sign in to a different server. The device you’re using — and the server you’re visiting — exchange a pair of public/private keys. The server then sends your device a challenge, and your device replies with the correct cryptographic response. The server recognizes that only your device (which has the proper key) could have responded correctly to the challenge. You are therefore signed in without revealing a password or a passkey.

              If you lose a device that stores a passkey, you can cancel the device’s service and establish a new passkey. That’s much more secure than a server that can be hacked to reveal the usernames and passwords it retains. More than 24 billion username/password combinations are currently for sale on the Dark Web (according to Digital Shadows). If a hacker buys a password of yours that signs into an ecommerce site, you wouldn’t even know about it until you received your credit-card bill weeks later.

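The challenge/response exchange described in the post above, and the earlier question in this thread of whether the same token is sent to every site, modelled as an added example (not code from the original thread, from Windows or from any passkey library): a device holds one P-256 key per site, signs the site's one-time challenge together with the domain the browser is actually on, and the server verifies with the stored public key. The domain names, the Scenario/RunScenario helpers and the signed-message layout (simplified from WebAuthn) are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one private key per site, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty models a site's server: it holds only a public key and its pending challenge.
type RelyingParty struct {
	ID        string           // the site's domain (constructed for the example)
	pub       *ecdsa.PublicKey // set at registration
	challenge []byte           // one-time nonce, nil once consumed
}

// Register makes a fresh P-256 key pair scoped to rp.ID; the server gets only the public half.
func (a Authenticator) Register(rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID], rp.pub = priv, &priv.PublicKey
	return nil
}

// NewChallenge issues a random 32-byte nonce that the next Verify consumes.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge) // crypto/rand only fails if the OS RNG is unavailable; error ignored for brevity
	return rp.challenge
}

// digest is what gets signed, as in WebAuthn: SHA-256 over hash(rpID) || hash(challenge).
func digest(rpID string, challenge []byte) []byte {
	rpHash, cHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(rpHash[:], cHash[:]...))
	return d[:]
}

// Assert is the device's reply; originID is the domain the browser is really on, so both
// the key chosen and the ID signed over belong to that domain, whatever challenge it relays.
func (a Authenticator) Assert(originID string, challenge []byte) ([]byte, error) {
	priv, ok := a[originID]
	if !ok {
		return nil, fmt.Errorf("no passkey for %q", originID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(originID, challenge))
}

// Verify checks the reply against the stored key, the server's own ID and the pending
// challenge, then discards that challenge so the same reply cannot be used again.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	if rp.pub == nil || rp.challenge == nil || !bytes.Equal(challenge, rp.challenge) {
		return fmt.Errorf("%s: reply does not match a pending challenge (replay or forgery)", rp.ID)
	}
	rp.challenge = nil
	if !ecdsa.VerifyASN1(rp.pub, digest(rp.ID, challenge), sig) {
		return fmt.Errorf("%s: signature was not made for this site", rp.ID)
	}
	return nil
}

// Scenario records which of the properties argued about in the thread held in a run.
type Scenario struct{ LoginOK, DistinctKeys, ReplayRejected, PhishRejected bool }

// RunScenario registers at two sites and a look-alike, logs in, replays the reply, and relays
// a challenge through the look-alike. All domains are constructed for the example.
func RunScenario() (s Scenario, err error) {
	dev := Authenticator{}
	bank, shop := &RelyingParty{ID: "bank.example"}, &RelyingParty{ID: "shop.example"}
	evil := &RelyingParty{ID: "bank-example.evil"} // phishing site the user was also lured to
	for _, rp := range []*RelyingParty{bank, shop, evil} {
		if err = dev.Register(rp); err != nil {
			return s, err
		}
	}
	s.DistinctKeys = !bank.pub.Equal(shop.pub) // no single token is shared across sites
	c := bank.NewChallenge()
	sig, err := dev.Assert("bank.example", c) // honest login from the real site
	if err != nil {
		return s, err
	}
	s.LoginOK = bank.Verify(c, sig) == nil
	s.ReplayRejected = bank.Verify(c, sig) != nil // a captured reply is useless a second time
	// The look-alike relays the bank's challenge, but the browser is on the evil domain, so the
	// device signs with the evil key over the evil ID and the bank rejects the reply.
	c2 := bank.NewChallenge()
	relayed, err := dev.Assert("bank-example.evil", c2)
	if err != nil {
		return s, err
	}
	s.PhishRejected = bank.Verify(c2, relayed) != nil
	return s, nil
}
```

A run reports all four properties true: distinct public keys per site, a successful honest login, a rejected replay of that same reply, and a rejected relay through the look-alike domain.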
            • #2604026

              The server recognizes that only your device (which has the proper key) could have responded correctly to the challenge.

              I have a couple of credit cards with major banks.  If I restore a drive image and then try to sign in at the bank site, their cookie from my last transaction is not present; it’s an old cookie.  That invokes 2FA and I get a passcode sent to my cell phone.  If someone has bought my user id and password from a dark web entrepreneur, the buyer is going to need to know my cell phone number and possess my cell phone in order to get any further, because he/she is not going to have that cookie.  And those banks haven’t been hacked, so it’s unlikely that my sign in info is for sale, anyway.

              I use a credit union for paying bills, and the policy there is the same—old cookie invokes 2FA, and needs my cell phone.  In other words, a Bad Actor is not going to have my cookie, will get hit with 2FA and needs to know my cell phone number and possess my cellphone in order to pass 2FA.  Three bad guesses locks my account.  Then I have to call the credit union and provide pertinent information in order to unlock my account.  And again, my credit union hasn’t been hacked—no credentials for sale.

              In my experience, I have no need for changing to passkeys; the site’s cookie stored on my device is my “proper key”.  As far as e-commerce sites, I am registered with Amazon, but that’s it.  For any other e-commerce purchases, I always use “Continue as guest” to make a purchase, and “Do not store my credit card for future purchases”.  Amazon is going to send me a confirmation email for any and all purchases within minutes after the purchase, so it would be pretty easy to simply cancel that purchase, and kill that credit card.  If a Bad Actor is able to successfully change my email address so that I don’t get a notification from Amazon, the pending charge is still going to show up on my credit card history—cancel the purchase, kill the card.

              Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
              We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

            • #2604196

              It still does not bypass the fact that in many countries one cannot be compelled to provide your password without a court of law order. However, by using biometrics such as your fingerprint or facial recognition, neither law enforcement nor criminals need your permission. They simply pass the device in front of your face or touch your finger to the device and then they have access. I’m sorry but I find that extremely insecure. Journalists traveling with an iPhone and having facial recognition enabled have had their phones compromised. If they had that feature disabled their phone would have been safe.

              Losing the device if anything like a Yubi key is not easy or straight forward especially for many home users that already find computing difficult.

          • #2603874

            My Outlook settings will not allow any site to be visited by clicking on a link in an email.

            I don’t use Apple, Google, or Microsoft

            I am not concerned about passwords being vulnerable to data breach.

            Passkeys must be for the 99.999% of the population who will/do/are.

            • #2603999

              Passkeys must be for the 99.999% of the population who will/do/are.

              Apparently there must have been a massive sea change since April of this year.

              Fragmentation, Lack of Adoption Impede Uptake of PasswordLess Logins

              “Most of your users today already have the tech on their systems to use passkeys, now it’s just a question of when do we start to roll out,” he said.

              Essentially, Apple, Google, and Microsoft have laid out the infrastructure to support passkeys across Chrome, Android, iOS, macOS, and Windows. But there’s a lack of adoption in the industry, in addition to fragmentation over how each operating system implements them.

              “Ideally, all your devices—whether they run Android, iOS or Windows—would be able to use and share the same collection of passkeys to authenticate the logins for all your websites and apps. But in reality, you can’t share the passkeys between software ecosystems,” Brand said. That means Apple and Google devices need to store and maintain their own separate set of passkeys.

              Still, explaining all the nuances of passkeys to the average tech user is a challenge. For example, the fragmentation issue brings up the need for a centralized way to make it easy for a user to see all the passkeys for their various accounts.

              “I haven’t really seen good examples of passkey management out there yet in the field,” he added. “A lot of this stuff is still early days. This is kind of part of the ugly. We haven’t quite got this figured out as an industry.”

              “It’s expected that passkeys will eventually replace passwords entirely, though it’s going to take some time.” — (Updated Nov 15, 2023, 1:01 PM EST)

              And there’s this: Verify

              Perhaps “99.999%” is a bit optimistic?  I remain (along with some other AskWoody members it appears) unimpressed with and unconcerned for the necessity of passkeys.


            • #2604316

              Apparently there must have been a massive sea change since April of this year.

              Yes, a lot has changed in the last couple of months; like the Microsoft, Amazon and Google changes in this week’s part two.

              “It’s expected that passkeys will eventually replace passwords entirely, though it’s going to take some time.” — (Updated Nov 15, 2023, 1:01 PM EST)

              Entirely? Yes, that will take a long time. But from the same link:

              Google announced in a developer blog post last week that Credential Manager, a new Android-specific API for storing credentials like username and password combinations and passkeys, is going public on November 1st.

              Amazon’s rolling out passkey support for its online site and mobile shopping apps [October 23]. Customers can log in to Amazon using just their devices’ biometrics and start shopping without the need to enter a password or follow through with two-factor authentication (2FA) through email or text. …
              If you’re interested in enabling passkey support with Amazon, you can enroll by going to Amazon.com, visiting your account settings, clicking “Login & Security,” and using the “Set up” button next to “passkey.”

              Starting today [October 10], Google account users will be prompted to create a passkey for their account by default, sparing them from manually hunting through account settings for the setup process.

            • #2604327

              Yes, a lot has changed in the last couple of months; like the Microsoft, Amazon and Google changes in this week’s part two.

              Right.  From part two: Displaying 85 results.  Not one site that I visit (even occasionally) is on that list, including my banks (credit cards) and my credit union (checking, savings and credit card).  AskWoody is not listed.

              There Are 1.13 Billion Websites on the Internet. That approximate total puts the percentage of passkey-ready sites at 7.52212389380531e-10 (0.00000000007.52). Big change in the last couple of months.

              I’ll wait.


            • #2604379

              There Are 1.13 Billion Websites on the Internet.

              1. There Are 1.13 Billion Websites on the Internet

              Unfortunately, 82% of these websites are inactive. This means that roughly 926,600,000 websites have not been maintained or updated for a long period of time. These websites may have limited user interaction, broken links, or irrelevant or outdated content.

              In some cases, the domain registration may have expired (most web hosts only offer one year of free domain registration), or the website owner may have abandoned the website altogether. A fraction of inactive websites could be parked domains as well. All in all, while the total number of websites on the web is staggering, the active website count is what matters.

              2. Only 18% Of All Websites Are Active

              Only 18%, or approximately 203,400,000, of all websites are actively visited and maintained. The number of active websites on the internet is a more significant statistic than the total number of websites, as it provides a better representation of the present state of the web and its dynamic landscape.

              Active websites are regularly maintained and updated by their owners. They frequently engage users and rank higher in Google search results due to their regular activity, better SEO practices, and updated content. These websites include digital news outlets, blogs, eCommerce stores, and social media platforms, among many others.

              And many active sites, like that one, don’t use public passwords as no login is available to visitors.

            • #2604422

              Only 18%, or approximately 203,400,000, of all websites are actively visited and maintained.

              Well now, that is a Big Change.  Instead of 0.00000000007.52% of websites ready for passkeys, it’s closer to 0.00000004.18% of websites ready for passkeys.  We’ve moved the decimal three places closer!

              Also, I must correct myself.  I do have a OneDrive account, so I use Microsoft out of that Sea Change list of 85 sites.  But that login is handled in the background when I sign into my daily driver, and it does not use a passkey.  I also have an Outlook email account, but again, that login is handled by Outlook at launch, in the background, also does not use a passkey, and I use Amazon from that list.

              Other than those two exceptions, none of the sites I visit regularly, nor my financial institutions use passkeys.  HTTPS meets my personal level of security requirement for these transactions.  At this point in time, the passkey hype is just that—hype.  I’m unimpressed.

    • #2603507

      It turns out I was able to remove my PIN (which wasn’t usable after my Windows 11 23H2 upgrade), re-create it, and then I could set up fingerprint authentication for Windows Hello on my ThinkPad again, under my local user account. It’s a bit disconcerting that the upgrade is all it took to break the feature, but at least it’s working again.

      We are SysAdmins.
      We walk in the wiring closets no others will enter.
      We stand on the bridge, and no malware may pass.
      We engage in support, we do not retreat.
      We live for the LAN.
      We die for the LAN.

    • #2604354

      That approximate total puts the percentage of passkey-ready sites at 7.52212389380531e-10 (0.00000000007.52). Big change in the last couple of months.

      I’ll wait.

      The number of sites doesn’t count. What counts is the number of visitors. Amazon, PayPal, Microsoft, Apple, Google… have billions of visitors to those 0.00000000007.52 sites.

      • #2604419

        The number of sites doesn’t count.

        The number of sites counts as far as determining “death to passwords!”  That number is going to have to climb exponentially before Brian or anyone else can say passwords are dead.  And as I mentioned, none of the financial institutions with whom I have dealings are in that list of 85, yet I am more than satisfied with the level of security they provide for my transactions.

        A Bad Actor will need direct access to my daily driver and know the password/PIN for both signing into my PC and opening my protected list of sites/passwords; a very remote likelihood.  Remembering complicated passwords is not an issue for me.  Passing userid and password through the end-to-end encryption of HTTPS is not an issue for me.

        Until the sites I need to use require passkeys and no longer honor user id and password, all the rest of this is just so much FUD.  I’m unimpressed.  Passwords are not dead.  I use different passwords for every site, and manage them with ease.  I’ll not be setting up passkeys any time soon.

    • #2604512

      The number of sites counts as far as determining “death to passwords!”

      No, they don’t. The number of visitors/users to sites counts, as they are potential passkey users.
      Hundreds of millions will shop online this coming Black Friday on Amazon, eBay, PayPal, the Apple Store…

      • #2604596

        Hundreds of millions will shop online this coming Black Friday on Amazon, eBay, PayPal, the Apple Store…

        And just how does that equate into “And all these hundreds of millions will be using passkeys!!!”  Every site that has adopted passkeys (all 85 of them) still accepts user IDs and passwords.

        Are you trying to tell me that those same folks who will literally run over people in the stores are going to stop and set up passkeys before they start trying to scarf up bargains?

        Are you trying to tell me that Amazon is going to say, “You must first set up your passkey before we will take your money”?


    • #2604620

      Are you trying to tell me that those same folks who will literally run over people in the stores are going to stop and set up passkeys before they start trying to scarf up bargains?

      Shopping online.

      • #2604668

        Amazon officially adopted the method on October 23

        Just bought some stuff off Amazon late yesterday, Nov 21, and they accepted my existing login combo for the purchase with no prompt indicating I had to change my login combo to a passkey!
      • #2604693

        Shopping online.

        Are you trying to tell me that Amazon is going to say, “You must first set up your passkey before we will take your money”?

    • #2604692

      Just bought some stuff off Amazon late yesterday, Nov 21, and they accepted my existing login combo for the purchase with no prompt indicating I had to change my login combo to a passkey!

      And I foresee that to be the case for years, if not decades to come.  In my experience Amazon is highly unlikely to refuse to take anyone’s money for any reason.

    • #2605753

      I still see passkeys as a single point of failure. They still use a third party to verify, but I see no info on how that happens. There still needs to be communication between the third party and the site that needs it.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2605779

        The only third-party involvement is if passkeys are synced to other devices using the same Apple, Google or Microsoft account. Creating a passkey and signing in with it is direct between your device and the required site as it’s saved locally.
