Is PIN without TPM useful?

  • Question

  • Hello,

    I don't have a TPM module on my motherboard.

    Is a PIN without specific hardware (TPM) equal to a password?

    Thanks


    • Edited by Arash_89 Monday, September 2, 2019 3:43 AM
    Sunday, September 1, 2019 7:52 PM

Answers

  • PIN is tied to the device and local to the device:

    One important difference between a password and a PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too.

    >>my account can be access from network connection

    Yes.

    >>but with PIN that is not possible

    No, the PIN is used to protect the device rather than the account.

    >>PIN can provide encryption but in software level.

    You can think so; some computers do not have a TPM module but have a firmware-based TPM (fTPM) and can still run Windows Hello/configure a PIN fine.

    Firmware TPM (fTPM) is implemented in protected software. The code runs on the main CPU, so a separate chip is not required. While running like any other program, the code is in a protected execution environment called a trusted execution environment (TEE) that is separated from the rest of the programs that are running on the CPU. By doing this, secrets like private keys that might be needed by the TPM but should not be accessed by others can be kept in the TEE, creating a more difficult path for hackers. In addition to the lack of tamper resistance, the downside to the TEE or firmware TPM is that now the TPM is dependent on many additional aspects to keep it secure, including the TEE operating system, bugs in the application code running in the TEE, etc.

    Regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, September 3, 2019 7:01 AM
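The practical follow-up to the accepted answer is to find out which of the three situations the machine is in: no TPM at all, a firmware TPM, or a discrete TPM, and whether Windows Hello is allowed to fall back to a software-only key. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes Windows 10/11 with the built-in TrustedPlatformModule module, and it assumes two things that are labelled in the comments: that the Windows Hello for Business policy "Use a hardware security device" is stored as the REG_DWORD RequireSecurityDevice under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, and that a CPU-vendor manufacturer code (INTC, AMD, QCOM) indicates a firmware TPM, which is a heuristic rather than a guarantee.

```powershell
# Added example (not from the thread): report whether this PC has a TPM
# (discrete or firmware) that Windows Hello can bind the PIN's key to, and
# whether policy forces Hello to refuse a software-only key.
# Assumes Windows 10/11 with the built-in TrustedPlatformModule module.

function Decode-TpmManufacturer {
    # Win32_Tpm.ManufacturerId packs a 4-character ASCII vendor code into a
    # UInt32 (e.g. 0x494E5443 = "INTC"). Turn it back into text.
    param([uint32]$Id)
    $bytes = [BitConverter]::GetBytes($Id)
    [Array]::Reverse($bytes)            # first character lives in the high byte
    ([Text.Encoding]::ASCII.GetString($bytes)).TrimEnd([char]0).Trim()
}

function Get-PinBackingReport {
    $report = [ordered]@{
        TpmPresent        = $false
        TpmReady          = $false
        Vendor            = $null
        SpecVersion       = $null
        LikelyFirmwareTpm = $null
        PolicyRequiresTpm = $false
    }

    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # Machines with no TPM driver at all can make Get-Tpm itself fail;
        # treat that the same as "not present".
        $report.TpmPresent = $false
    }

    if ($report.TpmPresent) {
        $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
        if ($wmi) {
            $report.Vendor      = Decode-TpmManufacturer $wmi.ManufacturerId
            $report.SpecVersion = $wmi.SpecVersion
            # Heuristic (assumption, not a guarantee): CPU vendors ship the TPM
            # as firmware; Infineon, STMicro, Nuvoton etc. ship discrete chips.
            $report.LikelyFirmwareTpm = $report.Vendor -in @('INTC', 'AMD', 'QCOM')
        }
    }

    # Assumed registry location of the Windows Hello for Business policy
    # "Use a hardware security device". When it is 1, Hello refuses to
    # provision a PIN whose key would be protected in software only.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                            -Name RequireSecurityDevice -ErrorAction SilentlyContinue
    if ($pol) { $report.PolicyRequiresTpm = ($pol.RequireSecurityDevice -eq 1) }

    [pscustomobject]$report
}

$r = Get-PinBackingReport
$r | Format-List
if (-not $r.TpmPresent) {
    Write-Warning 'No TPM (discrete or firmware): the Hello PIN key is protected in software only.'
} elseif ($r.LikelyFirmwareTpm) {
    Write-Host 'Firmware TPM detected: PIN key is bound to the device, but without chip-level tamper resistance.'
}
```

Run it from an elevated PowerShell prompt; Get-Tpm and the Win32_Tpm class need administrator rights. The point the thread makes about the PIN being "useless without the hardware" only holds in the TpmPresent case: with no TPM the PIN still unlocks a device-local key, but that key lives in software protected by DPAPI rather than in a TPM, so the check is a quick way to tell which guarantee you actually have.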

All replies

  • TPM is a security chip that is soldered to the motherboard on most new PCs. It provides a hardware-based approach to store cryptographic keys and ensure it is tamper-free.

    So in your case the PIN will provide encryption, but not the added security of locking keys with the TPM.


    S.Sengupta,Microsoft MVP Windows and Devices for IT, Windows Insider MVP

    Sunday, September 1, 2019 11:35 PM
  • No, without a TPM chip, a PIN is still different from a password.

    TPM is a secure crypto-processor that is designed to carry out cryptographic operations; without it, a PIN can also be configured.

    A PIN is tied to the device and local to the device; a password is usually based on an account.

    Regards

     


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 2, 2019 6:11 AM
  • Thank you for your answer,

    You wrote: PIN is tied to the device and local to the device, password is based on account usually.

    It means my account can be accessed from a network connection, but with a PIN that is not possible?

    and 

    You wrote: PIN can also be configured

    It means a PIN can provide encryption, but at the software level? (instead of the hardware level with a TPM)

    Tuesday, September 3, 2019 4:04 AM
  • We have not heard from you in a couple of days. Please post back at your convenience if we can assist further.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 27, 2019 9:41 AM
  • Thank you for your answer,

    You wrote:

    That PIN is useless to anyone without that specific hardware.

    Which hardware do you mean? HDD? CPU? Or motherboard?

    The PIN is tied to which hardware in our computer?


    Friday, September 27, 2019 10:15 AM