
ISSUE 20.46.F • 2023-11-13
You’re reading the FREE newsletter

Susan Bradley

You’ll immediately gain access to the longer, better version of the newsletter when you make a donation and become a Plus Member. You’ll receive all the articles shown in the table of contents below, plus access to all our premium content for the next 12 months. And you’ll have access to our complete newsletter archive!

Upgrade to Plus membership today and enjoy all the Plus benefits!

In this issue

PUBLIC DEFENDER: The Windows 10/11 Hello PIN works, but change is coming

Additional articles in the PLUS issue

SOFTWARE: Outlook mobile is an awful app for iPhone or Android

LEGAL BRIEF: Over to you, Congress

PATCH WATCH: Keeping your devices up to date



The Windows 10/11 Hello PIN works, but change is coming

By Brian Livingston

A new Microsoft sign-in method — designed to replace today’s relatively insecure usernames and passwords — was introduced to Windows 10 in July 2015.

The technology is called Windows Hello. It involves your entering a PIN, which can be up to 127 characters long including numbers, letters, and symbols. This PIN is associated with a device of yours: a smartphone, tablet, laptop, desktop computer, etc. Once you use your PIN with a Microsoft Account, an Active Directory, or other services that recognize the technique, you never have to enter a username or password on that connection again.

For additional security, Windows Hello supports a number of other ways to identify yourself. You can allow a device to digitize your face, analyze your fingerprints, or accept mouse gestures on a picture.

Figure 1. According to the FIDO Alliance, a nonprofit security consortium, “89% of IT leaders expect passwords will represent less than a quarter of their organization’s logins in 5 years or less.” If a Win10 device like the one depicted is connected to a corporate network for the first time, you’re likely to see a screen requiring you to set up Windows Hello. Photograph by Somphop Krittayaworagul

The Windows Hello authentication data is encrypted in software on your device or on a hardware chip. The chip could be a USB security stick such as a YubiKey or — in newer machines — the TPM 2.0 chip that Windows 11 has nominally required since 2021.

Unlike a password, Windows Hello’s authentication data is never sent across the Internet. Only a user’s encrypted identity is provided to a remote service. A compatible server returns a hash code or a cryptographic key pair, and the two devices rely on the resulting identifier to recognize each other as genuine.

I often speak of Windows Hello in the past tense, although not because it no longer works. It does work. But Microsoft and other tech giants announced as recently as a few weeks ago their adoption of a new, industry-wide technology that is replacing Hello. I’ll describe both the old and the new tech in a two-part column:

  • Windows Hello, PINs, and facial/fingerprint/gesture recognition are the topics of today’s column.
  • Microsoft added industry-standard “passkeys” to Windows 11 on September 26, 2023. Amazon officially adopted the method on October 23. Passkeys will be the topic of my November 20 column.

Windows Hello PINs are indeed more secure than passwords

The numerous security problems with username/password combinations are well known:

  • People forget them and need help resetting them.
  • Users choose weak passwords or give them up to hackers who convincingly pose as bosses, business associates, or co-workers who are supposedly entitled to know.
  • A username/password combination is a “shared secret.” Every server you sign in to must maintain a database of all its users’ combinations. This data is supposed to be encrypted, but insiders and hackers still manage to grab millions of such credentials in password heists.

Unlike a password, a Windows Hello PIN or facial/fingerprint/gesture data is never sent over the wire. Only a request for a server to set up a security key is transmitted. This means there’s still a reason for you to use a Hello PIN if a website — or any other resource you sign in to — doesn’t yet support the newer passkey technology.

For individuals using Windows 10 or 11, setting up a PIN — or one of Windows Hello’s other authentication methods — is simple. However, if your device isn’t already protected by a password, you may see a message such as the one in Figure 2. In this case, you’ll need to establish a password for your device before you can proceed with Hello.

Figure 2. Windows Hello may refuse to create a PIN or a facial, fingerprint, or gesture authentication unless your device already has an ordinary password. Source: Screen cap of Windows 10 by author

If your device already has a password — or you’ve just established one — take the following steps to set up Windows Hello (the process varies slightly on Win10 and Win11):

  • Step 1. Press and release the Windows key. On the Start menu, select Settings.
  • Step 2. In the Settings dialog, select Accounts > Sign-in options.
  • Step 3. Select PIN (Windows Hello) or select one of the other methods that are supported on your device. Not all gadgets can use every method. For example, a laptop’s camera must support infrared photography to perform facial recognition.
  • Step 4. Enter the existing password for your device.
  • Step 5. To establish a PIN, enter the string you wish to use. The PIN may be four to 127 characters in length. Numbers, letters, and symbols are allowed, but repetitive patterns such as “1234” are not accepted. Use a mixture of characters that you’ll remember, and please make your PIN longer than four characters.
  • Step 6. After you press OK, you can sign in to your device from now on using your PIN. The same PIN may also work for you on various remote services when you’re using a different device, such as a laptop or a tablet.

An individual’s Hello PIN, when used to sign in to a compatible account, will result in a cryptographic hash from the server. This eliminates the need for a username and password combination. Microsoft calls this individual method a Windows Hello convenience PIN.

Setting up Windows Hello in a corporate environment is more involved. The information-technology department must establish a group policy or a mobile device management (MDM) policy. The resulting authentication techniques always use public/private key encryption or employ digital certificates for identity confirmation. Microsoft calls this Windows Hello for Business.

For more information on both methods, see a Microsoft Learn article.

What’s actually going on underneath the covers?

You may wonder, “If Windows isn’t transmitting my PIN, my fingerprint, or a picture of my face to a server, what in the world is going back and forth that makes Windows Hello more secure than a password?”

Microsoft explains the transactional details as illustrated in Figure 3.

Figure 3. A Windows Hello authentication process involves four steps. None of the steps sends a user’s PIN, fingerprint, or facial features to a server. Source: Microsoft

The procedure works roughly as follows:

  • Step 1. A user creates a Hello account with a PIN and/or proves his or her identity using a biometric method, such as facial recognition or a fingerprint.
  • Step 2. The user’s device delivers a signed request to a server, such as a Microsoft Account or Azure Active Directory, asking for authentication to be created using a secure key.
  • Step 3. The server returns an “authentication token.” This token can be a cryptographic hash, a public/private key, or a reference to a valid digital certificate.
  • Step 4. The token automatically signs the user in to various resources. Several different resources may accept the same authentication token.
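The public/private-key variant of those four steps, modeled as an added example (not Microsoft’s code or the real Windows Hello implementation): the device generates a key pair and registers only the public half, the server answers each sign-in with a fresh nonce, and the PIN is checked locally before the device signs that nonce. Assumptions made here: Ed25519 stands in for the real key type, the PIN gate is a SHA-256 comparison in software where a real deployment would use the TPM, and the 32-byte nonce size is a choice of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Device models the user's machine: PIN hash and private key stay local (in real
// Windows Hello the TPM guards them); only the public key is ever registered.
type Device struct {
	pinHash [32]byte
	priv    ed25519.PrivateKey
}

// Server holds public keys only: a stolen copy is not a replayable credential.
type Server map[string]ed25519.PublicKey

// Enroll generates the key pair on the device and registers only the public half.
func Enroll(srv Server, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv[user] = pub
	return &Device{pinHash: sha256.Sum256([]byte(pin)), priv: priv}, nil
}

// Challenge issues a fresh random nonce, so a captured signature cannot be replayed.
func (s Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Sign is the local PIN gate: a wrong PIN yields no signature, and only the signature over the nonce, never the PIN, goes to the server.
func (d *Device) Sign(pin string, nonce []byte) (sig []byte, ok bool) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(d.priv, nonce), true
}

// Verify checks the device's assertion against the key stored at enrollment.
func (s Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}
```

Note that a dump of `Server` yields 32-byte public keys and nothing else, which is the property the article contrasts with a leaked password database.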

All that may sound pretty slick. But the Windows Hello method — which is mostly accepted by Microsoft accounts and other services associated with the Redmond software giant — is certain to be replaced eventually by an even slicker industry-wide standard: passkeys.

Besides the aforementioned Microsoft and Amazon, adopters of the FIDO Alliance’s passkey protocol include Google, Yahoo, Instacart, PayPal, Uber, and dozens more. One benefit of the new passkeys is that they’ll work with all these websites. Eventually, every other site that wants to ditch the headache of passwords will be on board.

For an up-to-date list of the players, see the Passkeys Directory that’s administered by the software firm 1Password.

And for details on how passkeys will affect every aspect of your digital life, watch for my second column in this series on November 20, 2023.


The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.



Here are the other stories in this week’s Plus Newsletter



Outlook mobile is an awful app for iPhone or Android

By Peter Deegan

Outlook mobile is pushed relentlessly by Microsoft, giving the impression that it’s the best or only way to link with email, calendar, and contacts on mobile devices such as phones.

I do not recommend Outlook mobile, mostly because of privacy concerns and the clumsy interface — especially when there are perfectly good apps already on your iPhone, iPad, or Android device.



Over to you, Congress

By Max Stul Oppenheimer, Esq.

Section 230 of the Communications Decency Act of 1996 was a calculated political decision on the part of Congress.

The idea was to grant immunity to the then-fledgling Internet industry in order to enlist its help in fighting the specific problem of obscenity on the Internet. I wrote about this in Legal Brief over two years ago.

It’s time for an update.



Keeping your devices up to date

By Susan Bradley

Are you monitoring your devices?

Just the other day, I tried to update an app on my dad’s iPad. That didn’t work, instead messaging that the device itself needed to be upgraded first. Apparently, the iPad had not been left on continuously long enough for it to get the word from Apple that an update was needed.

A simple solution is to connect to power and leave it on for an extended period, such as 24 hours. That should be enough time for the device to be notified about updates. It’s not different from Windows PCs in this respect — keep them offline long enough, and they will miss the notification, too.

Of course, you can be proactive and check the device every so often to see whether the O/S is current. That’s my recommendation.

Know anyone who would benefit from this information? Please share!
Forward the email and encourage them to sign up via the online form — our public newsletter is free!

Enjoying the newsletter?

Become a PLUS member and get it all!


Don’t miss any of our great content about Windows, Microsoft, Office, 365, PCs, hardware, software, privacy, security, safety, useful and safe freeware, important news, analysis, and Susan Bradley’s popular and sought-after patch advice.

PLUS, these exclusive benefits:

  • Every article, delivered to your inbox
  • Four bonus issues per year, with original content
  • MS-DEFCON Alerts, delivered to your inbox
  • MS-DEFCON Alerts available via TEXT message
  • Special Plus Alerts, delivered to your inbox
  • Access to the complete archive of nearly two decades of newsletters
  • Identification as a Plus member in our popular forums
  • No ads

We’re supported by donations — choose any amount of $6 or more for a one-year membership.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.