4

With my Windows 10 computer, I have the option to set up a PIN with Windows Hello (I believe it's with that program). My normal Outlook password is 15+ characters mixed with upper case and lower case and numbers and symbols, but my PIN is only a few digits. Let's say I had an eight-digit password; that's only 10⁸ possibilities. With something like the Hak5 Rubber Ducky, I figure that's probably trivial to crack, especially with some light social engineering/research.

I haven't personally tried inputting a bunch of wrong PINs, but I'm wondering if someone has an official source/literature explaining the security process.

Axel Munoz
  • 41
  • 2

2 Answers

5

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.

User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users' credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.

The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.

(emphasis mine)

Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
Filipe dos Santos
  • 1,090
  • 4
  • 15
3

Even without a TPM, a brute-force attack on a Windows Hello PIN will be interrupted in several ways:

  • You are prompted to type an additional 1A2B3C between the attempts (as it's fixed, it's easy to circumvent).
  • Lockouts for 30 seconds (possibly increasing).
  • You are required to reboot the machine. With BitLocker that's a dead end (without a TPM there's a password).

Because the PIN is only used for unlocking a physical device, those alone make automated solutions like the Rubber Ducky even less efficient than just typing the PINs manually.

Just don't use the same PIN elsewhere! If, for example, you had the same PIN for your access code on the front door with exactly four different digits, it's easy to look at the fingerprints or wear to narrow the possibilities to 24, find the correct one at the front door and use the same PIN to unlock your laptop.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
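As an added illustration (not code from either answer or from Microsoft), the model below puts numbers on the point both answers make: an escalating lockout, not the PIN length, is what makes the question's 10⁸ keyspace impractical to exhaust. Only the 30-second lockout figure comes from the second answer; the number of free attempts before a lockout, the doubling escalation, the one-hour cap and the one-second-per-guess typing time are constructed assumptions, so treat the output as an order-of-magnitude comparison rather than a statement about Windows' actual policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Escalating-lockout model of a PIN prompt.

    Assumed parameters (not from the page): free_attempts, escalation,
    max_lockout_s, seconds_per_guess. first_lockout_s = 30 s is the figure
    the second answer gives.
    """
    free_attempts: int = 4          # guesses allowed between lockouts (assumed)
    first_lockout_s: float = 30.0   # "Lockouts for 30 seconds" (from the answer)
    escalation: float = 2.0         # each lockout doubles: "possibly increasing" (assumed)
    max_lockout_s: float = 3600.0   # cap per lockout, e.g. a forced reboot cycle (assumed)
    seconds_per_guess: float = 1.0  # time to type one guess plus the fixed challenge (assumed)


def no_lockout_seconds(digits: int, seconds_per_guess: float = 1.0) -> float:
    """Worst case for a prompt with no throttling: every PIN tried once."""
    return (10 ** digits) * seconds_per_guess


def time_to_exhaust(policy: LockoutPolicy, digits: int) -> float:
    """Worst-case wall-clock seconds to try every PIN of the given length
    against a prompt enforcing `policy`.

    Guesses are made in batches of `free_attempts`; after each full batch a
    lockout is served, and each successive lockout is `escalation` times
    longer until it reaches `max_lockout_s`. Computed in closed form so that
    an 8-digit keyspace does not require 10**8 loop iterations.
    """
    guesses = 10 ** digits
    batches = -(-guesses // policy.free_attempts)  # ceiling division
    lockouts = max(batches - 1, 0)                 # no lockout after the last batch

    total = guesses * policy.seconds_per_guess

    # Sum the escalating lockouts until the cap is reached, then the rest at the cap.
    served = 0
    duration = policy.first_lockout_s
    while served < lockouts and duration < policy.max_lockout_s:
        total += duration
        duration *= policy.escalation
        served += 1
    total += (lockouts - served) * policy.max_lockout_s
    return total


def days(seconds: float) -> float:
    return seconds / 86400.0


if __name__ == "__main__":
    policy = LockoutPolicy()
    for n in (4, 6, 8):
        unthrottled = no_lockout_seconds(n, policy.seconds_per_guess)
        throttled = time_to_exhaust(policy, n)
        print(f"{n}-digit PIN: no lockout {days(unthrottled):10.1f} days, "
              f"with lockout {days(throttled):12.1f} days")
```

Two things are worth noticing when the numbers come out. First, once the lockout duration hits its cap, the total time grows linearly with the keyspace at roughly one cap-length per batch, so the attacker's per-guess typing speed (the Rubber Ducky's only advantage) stops mattering almost immediately. Second, the model assumes the lockout counter survives a reboot; that is exactly what the first answer says a TPM guarantees and what the second answer's "reboot plus BitLocker" point supplies without one, which is why a lockout that an attacker can reset by power-cycling the device is worth far less than the same schedule enforced by hardware.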