Windows 10 added a new “PIN” login method, an optional alternative to an Internet-based password through a Microsoft account or a domain password through Active Directory. Here is a web page explaining some of the technology (don’t watch the YouTube video) [1]. There are three issues here: whether a PIN is any good in concept, whether the specifics of how it works are any good, and whether we can copy any useful ideas for Linux.
Is a PIN Any Good?
A PIN in concept is a shorter password. I think that less secure methods of screen unlocking (fingerprint, face unlock, and a PIN) can be reasonably used in less hostile environments. For example, if you go to the bathroom or to get a drink in a relatively secure environment like a typical home or office, you don’t need to enter a long password afterwards. Having a short password that works for short periods of screen locking and a long password for longer periods could be a viable option.
It could also be an option to allow short passwords when the device is in a certain area (determined by GPS or Wi-Fi connection). Android devices have in the past had options to disable passwords when at home.
Is the Windows 10 PIN Any Good?
The Windows 10 PIN is based on TPM security, which can provide real benefits, but this is more a failure of Windows local passwords in not using the TPM than a benefit of the PIN. When you log in to a Windows 10 system you are given a choice of the PIN or the configured password (local password or AD password).
As a general rule providing a user a choice of ways to login is bad for security as an attacker can use whichever option is least secure.
The configuration options for Windows 10 allow either group policy in AD or the registry to determine whether PIN login is allowed, but they give no control over when the PIN can be used, which seems like a major limitation to me.
The claim that the PIN is more secure than a password would only make sense if it were a viable option to disable the local password or AD domain password and only use the PIN. That’s unreasonably difficult for home users and usually impossible for people on machines with corporate management.
Ideas For Linux
I think it would be good to have separate options for short term and long term screen locks. This could be implemented by having a screen locking program use two different PAM configurations for unlocking after short term and long term lock periods.
Having local passwords based on the TPM might be useful. But if you have the root filesystem encrypted via the TPM using systemd-cryptenroll it probably doesn’t gain you a lot. One benefit of the TPM is limiting the number of incorrect attempts at guessing the password in hardware; the default allows 32 wrong attempts and then one every 10 minutes. Trying to do that in software would allow 32 guesses and then a hardware reset, which could average something like 32 guesses per minute instead of 32 guesses per 320 minutes. Maybe something like fail2ban could help with this (a similar algorithm, but for password authentication guesses instead of network access).
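To make the hardware-vs-software comparison above concrete, here is an added example (not from the original post or any named project) that models the 32-attempts-then-one-per-10-minutes lockout as a simplified software counter, and then counts how many guesses an attacker gets when the counter persists (as in a TPM) versus when it is wiped by a hardware reset every minute. The class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TRIES = 32          # failed guesses allowed before lockout
RECOVERY_SECONDS = 600  # one attempt is refunded every 10 minutes


@dataclass
class Lockout:
    """Failure counter with slow recovery (simplified model, not TPM semantics)."""
    failures: int = 0
    last_update: float = 0.0  # time at which `failures` last changed

    def _decay(self, now: float) -> None:
        # Refund one attempt for each full recovery period that has elapsed.
        if self.failures == 0:
            self.last_update = now
            return
        refunded = int((now - self.last_update) // RECOVERY_SECONDS)
        if refunded:
            self.failures = max(0, self.failures - refunded)
            self.last_update += refunded * RECOVERY_SECONDS

    def allowed(self, now: float) -> bool:
        """True if a guess may be evaluated at time `now` (seconds)."""
        self._decay(now)
        return self.failures < MAX_TRIES

    def record(self, now: float, success: bool) -> None:
        """Update the counter after a guess has been checked."""
        self._decay(now)
        self.failures = 0 if success else self.failures + 1
        self.last_update = now


def guesses_allowed(window_seconds: int, reset_every: Optional[int] = None) -> int:
    """Guesses an attacker gets in `window_seconds` when guessing as fast as
    the policy permits. `reset_every` models a software-only counter that a
    hardware reset wipes every that many seconds; None means the counter
    persists, as it would inside a TPM."""
    lock = Lockout()
    guesses = 0
    for now in range(window_seconds):
        if reset_every and now and now % reset_every == 0:
            lock = Lockout()  # counter lost with the reboot
        while lock.allowed(now):
            lock.record(now, success=False)
            guesses += 1
    return guesses
```

With a persistent counter an hour yields 37 guesses (32 up front plus one per 10 minutes); with a counter reset every 60 seconds the same hour yields 1920, the "32 guesses per minute" figure from the text.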
Having a local login method to use when there is no Internet access and network authentication can’t work could be useful. But if the local login method is easier then an attacker could disrupt Internet access to force a less secure login method.
Is there a good federated authentication system for Linux? Something to provide comparable functionality to AD but with distributed operation as a possibility?
The PIN only uses TPM when used together with “Hello for Business” (which is the newfangled Azure AD so it uses PKI and “device certificates” and so on).
With local accounts or traditional on-premises AD, however, the PIN is really just for show. In fact with traditional AD, PINs are disabled by default and the GPO to allow them outright warns you that setting up a PIN will cause the host to store a copy of your password on disk (since it still needs that to authenticate against the KDC – it unfortunately isn’t using the fancy certificate-based PKINIT here). And for local accounts there isn’t much that the TPM could help with in the first place…
While typing a PIN is easier than a password, having to remember both a PIN and a password requires one to remember more. Make sure to allow a password when a PIN is asked.
I do like the idea of different PAM configurations for short- and long-time absence; this could be linked to face/fingerprint recognition too.