Quantum goes open and passwords must die in a week of Microsoft fun

Microsoft was cock-a-hoop over its new London retail presence last week while its resellers were less than impressed with the company's prancing around licensing. However, a whole bunch of other things happened at the company while we were looking at the big stuff. Phone screen goes wide (if Surface is your thing) A fresh …

  1. Dan 55 Silver badge
    WTF?

    "Go passwordless - switch to PIN"

    Bugs aside, one intriguing feature in the latest 20H1 build is the account option to "Make your device passwordless" meaning the system will switch all Microsoft accounts on the device to use Windows Hello Face, Fingerprint or PIN authentication.

    We all know the problems with biometrics, but how on Earth is a PIN an improvement on a password?

    1. Steve Davies 3 Silver badge

      Re: "Go passwordless - switch to PIN"

      It isn't more secure than a password IF the password is at least 10 characters and not a word in the OED.

      Then there is the thrust towards biometrics. The majority of current devices that use W10 won't be able to do this without some extra hardware (camera or fingerprint reader) so that is a dead duck before it gets going. HOWEVER, I would not think it very far fetched for MS to demand that Laptop/Tablet/AllinOne's include some form of biometric device and that systems without it won't be supported beyond say 2022 or not able to run Pro/Business versions of W10 and also lose access to new functionality, all in the interests of Security.

      MS has lost the plot big time if they think that PINS are a step forward. I look forward to NOT using them.

      1. JohnFen Silver badge

        Re: "Go passwordless - switch to PIN"

        "I look forward to NOT using them."

        Indeed. I equally look forward to NOT using biometrics for this sort of thing, too.

      2. J27 Bronze badge

        Re: "Go passwordless - switch to PIN"

        Microsoft's PINs are just device-specific passwords. They're a fallback method if biometrics fails.

        1. Dan 55 Silver badge
          Facepalm

          Re: "Go passwordless - switch to PIN"

          So in other words they invented the ssh certificate passphrase.

    2. 404

      the PIN is a password..

      The PIN in this case is alphanumeric - I tripped over that too but it's just a password in practice on Win10.

    3. Carpet Deal 'em Bronze badge
      Big Brother

      Re: "Go passwordless - switch to PIN"

      "how on Earth is a PIN an improvement on a password?"

      It makes it easier to break in without making the proles feel unsafe.

  2. Pascal Monett Silver badge

    "Also borked for a few users is the display driver"

    How is it possible that this continues to happen ? Display is a thing that has been worked on for almost 50 years now, one would think that it is the most complete part of any code ever written. Why did they have to touch that and how on Earth did the error not get caught before going live with an update ?

    Oh, sorry, right, this is Microsoft, so no quality control and absolutely no checking that everything is all right because that's what they have users for.

    1. Andy E
      FAIL

      Re: "Also borked for a few users is the display driver"

      Another good example of "no quality control and absolutely no checking that everything is all right" is Microsoft Teams.

      It's hard to imagine how they could release something so spectacularly poor.

      1. JohnFen Silver badge

        Re: "Also borked for a few users is the display driver"

        We've recently been forced to start using Teams (and O365) where I work, and I agree 100%. This stuff is terrible.

  3. oiseau Silver badge
    WTF?

    Brave?

    Admins brave [ ________ ]* enough to use the preview feature can allow users to skip the whole pesky password thing and sign in using a FIDO2 security key, the Microsoft Authenticator app, or Windows Hello (biometric or PIN.)

    Brave?

    Skip the PW thing?

    I fixed it for you ...

    But you have to choose from one of these three options:

    1. reckless

    2. foolish

    3. dumb

    O.

  4. SVV Silver badge

    Very very preview, soon, still a while away.......

    Where do you want to go today?

  5. Cooker

    Why pins might actually be better than passwords

    I see a lot of comments asking how a pin is better than a password. Well, it is quite different to a password. The pin is tied to the hardware and so cannot be stolen from a compromised server or read from an untrusted network connection since it is never transmitted.

    They are a bit like a passphrase on a key file you can then use to log on to a server with. This pin is tied to that specific hardware so is useless to a remote attacker. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

    For a local attacker who has the hardware, they need to crack into the TPM, Yubikey etc. I think it is probably easier to try and read and crack a password hash from the disk than break into the TPM.

    Personally I don't like the way they handle FIDO2 keys - as soon as you plug the key in everything is open. Users will just walk away to the loo leaving the key in so anyone can just log in. Again this is only an issue for people in the same room but it's still a big one IMO.

    1. FrancisKing
      FAIL

      Re: Why pins might actually be better than passwords

      My mother went down the PIN route, and it works. Except Chrome didn't allow her to check her saved passwords, because it didn't do/doesn't do PINs.

    2. JohnFen Silver badge

      Re: Why pins might actually be better than passwords

      "Well, it is quite different to a password."

      A PIN is a password, just one that's tied to specific hardware. I really wish they wouldn't call this a PIN, as that is unnecessarily confusing considering its more common meaning.

      1. Cooker

        Re: Why pins might actually be better than passwords

        Yes, I agree. Calling it a pin is confusing as most people think of a 4 digit number used on debit and credit cards.

        I am not sure what they should have called it though? Passpin?

        1. Michael Wojcik Silver badge

          Re: Why pins might actually be better than passwords

          "I am not sure what they should have called it though?"

          A device password. That's what it is. Abusing existing terminology does no one any favors.

          Also, there's no reason why a conventional account password has to be "stored on a server" or otherwise exposed off-device. We've had ZKP protocols that avoid that problem, such as SRP and PAK-RY, for over two decades.

          Microsoft's turn to biometrics is just another attempt to copy Apple's bad ideas; but in the case of Win10, there's really no point in doing that, because the only market they're still fighting with Apple over is tablet (Surface vs iPad). And very few consumers there will make a decision based on how they sign on to the machine.

  6. el kabong Silver badge

    Lots of products getting the chop but don't worry

    M$ has plenty more, lots of new products ready to fill their places, no shortage of good candidates to get the chop next.

    Take QDK for instance, there's a good candidate, it sure holds a lot of promise. The chop is waiting. And ready!

  7. Baldrickk Silver badge

    The VR headsets have pretty much already been given the chop.

    You can't buy them on the MS store any more, you can't buy them on Amazon, or in pretty much any retailer.

    I think my local John Lewis has a single HP one sat in a box on a shelf - but it's had that since last year without shifting it...

    MS failed to support their VR ecosystem, therefore it failed. It was always on the cheap side anyway - clearly a budget option. Not bad but you got what you paid for. The only WMR headsets you can still get are the Odyssey+ (but not in Europe, because reasons I guess) and the HP Reverb (which I think you can buy again since their recall right after release?)


Biting the hand that feeds IT © 1998–2020