locked
Enroll fingerprint without a PIN RRS feed

  • General discussion

  • Please remove the need to have a PIN to enroll a fingerprint, or make windows login option to only have password or fingerprint, PIN should only be used once already logged in to computer.  This is really poor security.

    • Changed type Roger LuModerator Thursday, July 30, 2015 9:43 AM by design but need to be discussed
    Wednesday, July 29, 2015 5:29 PM

All replies

  • Hi,

    Thanks for your feedback, since this is Windows 10 Design by default, it's hard to be changed, I changed this thread type to Discussion temporarily. Hope more people join our discussion with this topic, it would be helpful for Windows 10 improvement in the future.

    Thanks for your understanding.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Thursday, July 30, 2015 9:46 AM
    Moderator
  • Thanks Roger,

    I don't mind having to register the PIN if I can disable the actual use of it to unlock the computer or to login.  I realize it is handy for saving passwords on websites or apps, but not for unlocking windows, it seems insecure. 

    Thursday, July 30, 2015 2:54 PM
  • I also say that the use of a 4 Digit Nummeric Pin is Madness to activate the Fingerprint Logon.

    This is a big Security Regress. This also negates the Domain Passwort Policys itself.

    Please change this to Option and make it deactivateable thrue GPL or something.

    Thursday, July 30, 2015 3:36 PM
  • Couldn't agree more. Spent the last hour or so trying to figure out why my fingerprint won't log me on to Win 10 Pro, even though they are enrolled. Who needs a PIN unless it is two-factor authentication?
    Friday, July 31, 2015 12:04 AM
  • Same problema here, hope to have an upgrade soon that fix this,, it doesnt make sense to can unlock a Windows user with a PIN easier than a password while we try to secure it with biometric sensors. Above all in Enterprise environments.
    Wednesday, August 5, 2015 5:00 PM
  • Hello,

    I am using fingerpints since Windows 8.1. With Windows 10 there is this need to have an additional numerical password (PIN) first to have the print option? Windows 8.1 also worked with prints without the need of a PIN. As a workaround I just entered a 50 digit numerical PIN. Now prints are working. Also I see the point of the password policy in a domain environment as rendered absolete in some scenarios... 4 digits would habe sufficed for the PIN, whereas my regular password policy is compelx passwords with > 10 digits

    Sunday, August 9, 2015 1:38 PM
  • Hello again,

    I might have read some information that might change my mind. Is it true that the required PIN is for local login only? I am using a domain account to log into Windows and thus was worried that the additional PIN would weaken my account security (digits only, therefore I opted for a 50 digit PIN).

    By requiring that the fingerprint is "bound" to the PIN, is this maybe a feature that in case my fingerprints are duplicated and in turn my PIN is accessible my domain environment is still protected because the PIN is for local login only?

    Saturday, August 15, 2015 8:59 AM
  • I hate to resurrect an older thread, but I'm sitting here wondering why I bought a SP4 keyboard w/ fingerprint reader for my SP3 if I have to have a PIN now just to use it?

    I'm having a really hard time understanding why MS would do this? A pin is a lot easier to traditionally hack and way easier to shoulder surf than a password. I bought this new keyboard solely for the purpose of making my laptop more secure, not less.

    Thankfully I got it from the MS store so I can return it.

    Tuesday, December 8, 2015 9:15 PM
  • Hi, I thought I would post the reasoning behind requiring a PIN to use other Windows Hello features.  The linik is to the complete article.

    https://technet.microsoft.com/en-us/library/mt621546(v=vs.85).aspx

    Why do you need a PIN to use Windows Hello?

    Windows Hello is the biometric sign-in for Microsoft Passport in Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using Passport when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

    If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Passport.

    Tuesday, March 1, 2016 3:42 PM
  • I don't understand the reasoning for the last paragraph.

    How is a pin more secure then a long password?

    Tuesday, March 1, 2016 4:31 PM
  • First, I agree with many of your comments about PINs.

    The password will work to login from any machine where the PIN will only work to log you in from your machine. So, it is more secure in that you need your machine and your pin.

    The PIN has been made a requirement before you can set up a biometric because you could get locked out of your account if you had an accident. ie. Windows Hello often fails for boxers. :) 

    Monday, March 21, 2016 6:28 PM
  • Brian,

    I guess I don't see how it's more secure than a password, even if that password is able to be used on any machine. If someone were to compromise my Microsoft account password, having a PIN requirement to use Windows Hello wouldn't do me any good. They'd just use the password to login. 

    The biometric sensor also can only be used locally, so the same security that is provided by that (preventing people with physical access from unlocking my device) is subsequently undermined by the requirement of a PIN. As you know, who you are is tremendously more secure than what you know, especially if what you know is a short numerical string. 

    Friday, March 25, 2016 6:16 PM
  • Paul - this makes absolutely no sense.

    I can think of something else that "enables you to sign in using Passport when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly" - your normal user name and password!

    At least a user name and password is secure! How can Microsoft argue that replacing that pair of data with a single numerical code is somehow superior?

    I just got a new machine with Win10 Enterprise, and I'm faced with this horrible solution. My old Win7 HP Elitebook had no trouble giving me the option of fingerprint/face recognition or user/password. No PINs involved.

    If the biometric device fails, then the backup credentials should be a user name and password entered on the machine, not some weak PIN code.

    Wednesday, April 20, 2016 6:53 PM
  • Hello everyone,

    maybe that PIN is more secure than password, maybe not. That's not the point.

    The problem is "why is this PIN related to fingerprint ?". Fingerprint identification without PIN is better than no fingerprint because I don't trust PIN. Don't we all agree ?

    Microsoft thinks PIN is better but only people using their fingerprints are bothered with it. Just why ?

    ( I read Microsoft explanation and I guess that when someone is injured so that he can't use his fingerprint or face, given that he can use PIN ... I tend to think that he can also use his usual password. And the fact that he is injured doesn't make it less secure than all the other day he used it. )

    Wednesday, June 1, 2016 2:02 PM
  • Hello,

    just for fun - some thoughts, which may be completely wrong (and sorry for my horrible english):

    1. Numerical PIN can't be more secure than any complex password - that's fact

    2. I understand the reason of PIN by Microsoft, to help you to login after some injury. That's OK. BUT: what I don't understand is, why can't it be done by localmachine full alphanumerical password?

    And the thing that irritates me is: even smart guys from Microsoft are trying to convince people, that the PIN is more secure. Why the hell they don't say the real reason which can be either - they designed it wrong by mistake (that can happen, that is normal, just repair it), or they designed it for some reason what they are not allowed to say, and they have to hide it behind some fairytale story about injuries and more secure numerical PIN.

    and now comes to the paranoia part:

    Your computer is secured by fingerprint and with Bitlocker. Login to your computer and access your encrypted data depends on PIN. Only thing what someone need to do to access your data is to bruteforce the numerical PIN. That's much more easier than bruteforce complex password, isn't it. And lets think about, who have most benefits of such situation.


    • Edited by MarianBartl Sunday, October 16, 2016 12:26 PM
    Sunday, October 16, 2016 12:25 PM
  • I get that the pin is only for the local machine, but the use case we are worried about is that a machine is lost, and whoever has it needs only brute force the local machine to get in. They can, at their leisure, try 9,999 pin combinations.

    A year later- and here we are still banging our heads against it.

    There are so many technical users and admins surprised and confounded by Microsoft's decision to use the Pin to locally protect a device, and lack of working management tools to control it (I've spent two weeks now trying to manage access control via Intune MDM of Windows 10 machines, and it just doesn't work.)

    Can someone read our collective posts and get rid of this PIN business? Or make it optional as a management tool? Please?

    Ugh.

    Monday, November 7, 2016 8:59 PM
  • 1. Nobody use Windows passport as it's not secure enough.

    2. We all use only local account if security is important.

    3. For a local account password+username is MUCH MORE secure than PIN!

    4. I bought a laptop with built-in fingerprint reader to INCREASE security.

    5. Now I can't use the fingerprint function because of the forced use of PIN which DECREASE security.

    6. I now have to format the laptop and reinstall Windows 10, and never use the fingerprint reader.

    7. Microsoft staff/leadership most be sever drug addicts to come up with a solution like this. Or how can an organization this big malfunction so severely????

    8. PLEASE REMOVE THE NEED FOR PIN!!!

    9. If the user is hurt and cannot use the fingerprint reader, the same user can still use the username+password login which you cannot disable anyway, can you?? So that argument is not relevant to force users to add a PIN login anyway.

    10. Anyone who knows if I can use UBUNTU on a Lenovo X1 Carbon and make use of the fingerprint reader without PIN this way?





    Tuesday, November 22, 2016 1:06 AM
  • It looks like we are still waiting on an answer for this from Microsoft? Glad I paid the extra money to get the fingerprint option that I can not use because it is actually less secure. Please fix this issue Microsoft.
    Tuesday, November 22, 2016 8:26 PM
  • I'd like an answer to this too. Being forced to use a pin for a finger print reader when a password auth works just fine? Pretty damn silly.

    -Sol

    Tuesday, December 20, 2016 1:39 AM
  • Microsoft, below is the main security threat with this solution:

    I'm working as a Program Developer at a telecom company. We are hundreds of Developers sitting in an open plan office where we can see each others displays/keyboards and where we hack each other constantly. Everywhere in this office there are also surveillance cameras through which less trustable security staff can see all displays and keyboards. That's why I want to use my fingerprint sensor instead. Sometimes my fingerprint sensor doesn't work and I have to use the Hello number PIN instead of my 18+ char password. This PIN is very easy to remember for someone who sees me entering it. The laptops are left at the office after work and staff who are still in the office can then easily login to the computer.

    Another argument against PIN is that most people don't want to keep track of too many PINs. So once you have found out what PIN they use for Windows Hello you can try using that PIN for every other security solution they use, like opening the door to enter the office/home, bank security device etc.

    PIN is not so smart as it sounds (I have read all arguments about MS Hello PIN on the Web).


    Wednesday, January 4, 2017 12:41 PM
  • It looks like we are still waiting on an answer for this from Microsoft? Glad I paid the extra money to get the fingerprint option that I can not use because it is actually less secure. Please fix this issue Microsoft.

    Come on Microsoft!  Let's get rid of this.  I just set up my new laptop and couldn't believe that I had to set up a PIN to use my new fingerprint reader - so I refused!  Now what I purchased is useless because I don't want my laptop to be used by someone if they can guess a PIN.  This is EXTREMELY absurd!  Fix this NOW!!!!  Set this up so we can use the fingerprint reader or a password.
    Monday, January 30, 2017 9:51 PM
  • It is such a pity.
    Sunday, March 12, 2017 9:48 PM
  • You can allow other character types for the PIN and then use your regular password for it.

    I think this requires Windows Pro.

    http://www.windowscentral.com/how-enable-pin-complexity-windows-10

    Thursday, March 16, 2017 10:49 AM
  • Are you f****** kidding me?

    Please enlighten me and a lot of others why a pin will be any help if I get injured, remember I already have made a complex password. How is the pin any different?

    I know Micro$haft thinks most people are idiots, and with that in mind it baffles me, that they think that the same people would make an effort to pick anything besides 1234 1111 2222 and so on for a pin, especially when the requirement are shoved down their throat.

    Can I sell you a Kensington lock, it will make it impossible to steal your laptop... I promise, even with a wirecutter.

    I would like some kind of proof, not just some bla bla bla someone pulled out of their rear.

    While you are at it, please explain why Micro$haft only made it possible to actually make pins useful for Pro versions.

    It kind of make any press release from Micro$haft about "we care about your security", just a load of manure.

    It should read "we only care for your safety if you pay us enough".

    We already have to accept your spying on us, tossing ads at us. Hell I got my first ad after about 30 secs after I turned my new laptop for the first time.

    Now we also have to accept you put security in jeopardy, to use a security feature?

    Saturday, May 20, 2017 7:45 PM
  • This thread underscores the fact that Windows 10 still isn't an enterprise quality product and how Microsoft continues to ignore customer feedback (consumers and enterprises) - especially like they did with SkyDrive / OneDrive for Business. They simply don't care and their change management is abyssal.

    In an enterprise environment, passwords are managed by help desks and IT departments. As others have pointed out, in such an environment requiring a PIN to set up fingerprint is not only NOT required or desired, but a huge security risk. I think Microsoft recognizes this security risk because I had to enable the GPO "Turn on PIN sign-in" to set up a fingerprint in Windows 10 1703.

    I liked the suggestion that another person had of configuring local group policy (Windows Hello for Business) to set complexity and length requirements. This is available as Computer and User configuration.

    Remember, Windows Hello for Business isn't business quality - as they explain in the GPO that PIN is still required. Lastly to add to their terrible, upon brief research it appears that you need at least one domain controller running Server 2016 even if you have Windows 10 ADMX files in your central store.

    tldr; Configure PIN complexity because Microsoft doesn't meet the needs of the enterprise environment
    • Edited by AvidWashyWashy Friday, June 2, 2017 9:18 PM GPO "Turn on PIN Sign in" to enable fingerprint
    Friday, June 2, 2017 9:11 PM
  • Hi, I'll speak for Windows 10 Pro 1607, it looks like we have to set up a PIN code (as long as we want) to be able to enable the fingerprint authentication, but we can still use the long password. So in order to, not use the PIN, keep my computer secured and still be able to use the fingerprint I generated a very long PIN code from a password generator, I kept it safe in my password manager and now I can either use my fingerprint reader or my microsoft account password. I just don't have to use the PIN but I can if I want. I hope I am clear, english isn't my first language. Have a good day!
    Tuesday, June 27, 2017 1:35 AM
  • This is the most reasonable solution thus far, as long as you have a password manager (however, expecting the average user to do this is unreasonable). Thank you, mamercier. I am in full agreement with everyone here that this decision by microsoft decreases security tremendously. Their lack of responsiveness to this thread is completely unacceptable.
    Wednesday, July 26, 2017 1:03 AM
  • I personally have worked in the computer field and I see this new feature as a waste of time. The fingerprint scanner is already registered to a pin therefore defeating the purpose of the fingerprint scanner we all paid money for. A fingerprint is distinct and no fingerprint is the same. I got my fingerprint scanner out of convenience and so i did not have to remember my pin all the time. This time they fixed something that wasn't broken and we have to suffer. 
    • Edited by c137 Friday, August 25, 2017 1:52 PM
    Friday, August 25, 2017 1:51 PM