Windows 10 Manual submission of PIN with Windows Hello logon via Enter key or Submit button

Thread starter: Bull30290

I'm running Win10 Pro 1909 and have been trying out the PIN logon feature of Windows Hello. In doing so I've found a [minor?] security issue with the logon method and wish to change the behavior of the PIN logon process. Unfortunately I haven't found any information on how to change it, or whether it's even configurable, in the help articles, via web searches, or elsewhere in this forum.


The issue is that upon entering a PIN at the logon screen, Windows automatically accepts the input and processes the typed data as soon as the correct number of characters has been entered, and then either logs in to Windows or returns an error as appropriate. The concern is that it does not require the use of the "Enter" key or any other submission method by the user to indicate to the system that they are finished typing their PIN; the system does this automatically based solely on the number of entered characters. This is a security vulnerability because it allows anyone with physical access to the machine to determine the length of the user's PIN simply by pressing any key and counting the keypresses until the system attempts a login. It is a security vulnerability because PIN / password length information provides data which can be useful to an attacker for assessing attack methods as well as as part of a social engineering attack. Requiring the user to press "Enter" or otherwise manually submit the entered PIN data would mitigate this exposure of PIN length.


So my question is this: Is there a Group Policy Object or other configuration point where I can tell Windows Hello to require manual submission of PIN entries (versus the automatic submission based on the number of characters)? If so, where is it please? Thanks.
