Windows Hello - For personal use

Views: 7,885

Daniel Gauthier - TwinBytes Inc


If you're in a corporate environment, this would be a different story and in this video I'm NOT talking about in a business environment. I AM talking about for personal use.
Have you been wondering how Windows Hello is more secure? This video might help a little. The other video I saw on how it works doesn't answer all questions and leaves us hanging. So I decided to play with it and give you my personal opinion and experience on how it works in a personal / home environment.
To see the other video I reference in this video, go to: • Why is the PIN for Win...
Other than if you're in a corporate environment, which gives you much more security features, it seems the main purpose of Windows Hello for the home user is to allow an easier password to remember for your computer, while maintaining a complex password for your Microsoft account? Also to avoid man in the middle attacks while logging in.
CHAPTERS
0:00 Intro
1:30 Microsoft explanation
2:27 The problem
4:11 My opinion
5:36 Welcome all Trolls!

Comments: 32
@carlosfigueira345 4 years ago
I understand what you say and agree with it, but for me the huge benefit is to have an easier access to my machine without having to put my windows account credentials every time I want to use the laptop. Being it the PIN, fingerprint or face recognition, all make my life easier. I need this minimalistic security at home and in the office where I don't expect to see professional hackers
@TwinBytesInc 4 years ago
Thanks for your comment and contribution here. Greatly appreciate it.
@IgnoreMyChan 3 years ago
Exactly, having easier, evenly secure security is better than having hard, annoying but very secure security because users are users. If it's hard, they'll try to find a way to make it easier (simpler passwords, for example) possibly breaking the security.
@drumminfool91 4 years ago
It seems like (in an enterprise situation) if you couple WindowsHello + EUBA/SOA + conditional MFA (e.g., using a service like RSA or Okta) could be helpful. Would love to enable this without a PIN. Only allow biometric or mobile push, or prox card or something along those lines. PINs tend to be much easier to hack. Windows Hello by itself = convenience. Windows Hello + MFA + EUBA/SOA = more secure. Just my two cents
@TwinBytesInc 4 years ago
That's some advanced level comments for most of our viewers, but yes, the easier you make it for yourself, such as a basic PIN, the easier it is for the hacker. A combination of security technologies and procedures is always better.
@IgnoreMyChan 3 years ago
Is MFA not a requirement for using Hello safely? I'm not even sure if you can use it without MFA. - Edit - Alright, I now have seen the video you refer to in the description, sorry. I totally agree to your skepticism! There is no way that a PIN is more secure than a real password for unlocking the device! Maybe in transit but I'm really not sure that is the main or only target we try to protect here...
@TwinBytesInc 3 years ago
Thanks for all your comments. They try to find a balance between security and ease of use. Like you said, if it's too difficult for users, they will find a way around it, which spoils the entire point of the security.
@Xaranthos 3 years ago
Actually, Windows Hello is an MFA solution ;) To use Windows Hello, you actually need a TPM chip (something you HAVE), and then you can set the PIN (something you know), or other biometrics.
@yasintayebnaimi1552 3 years ago
Microsoft has provided passwordless account login option that works through authenticator. Your opinion?
@TwinBytesInc 3 years ago
From what I've seen so far, a password still exists which can still be hacked. It can't be removed. You just simply don't need to use that password to login as you can choose one of these other authenticator options. If you had to get a new computer however, you couldn't login with your authenticator alone as it grabs certain information saved on your computer, and so you'd have to use your password the first time on any other computer. I challenge anyone to try logging into their Microsoft account on another computer, and see if they can get in without the password. I will look into this further and hopefully doing a video with a rep from Microsoft on this topic.
@lauwe54 3 years ago
Thanks, very well explained. I don't really want Hello.
@TwinBytesInc 3 years ago
You're welcome and thank you.
@Xaranthos 3 years ago
Windows Hello is actually an MFA solution (FIDO 2 certified), you need a TPM chip to use it (something you have), then you can set a PIN (something you know) or other biometrics (something you are). Security is not always "just" for making it stronger, it's about balance, and working smarter. You set a complex password on the account (minimum 15+ chars, preferably 25+), and you just do not use it. This makes the password stronger (as you don't need to use it, and thus keeping it really long is easier without being an inconvenience), and you can log in with a local sign-in. And when it comes to losing the computer (stolen), that is when you use a "remote lock" of the computer, and make it not possible to log in from e.g. the Microsoft account portal. If the computer is domain/hybrid joined, you can also set policies that prevent using normal passwords to log in. Your proof is really just based on poor configuration ;)
@TwinBytesInc 3 years ago
Thanks for your detailed comment. I do my best to create simple videos for the average person, usually newbies to the topic. You're obviously a more advanced user and further ahead than most of my viewers who don't care that FIDO certified this technology.
@Xaranthos 3 years ago
@TwinBytesInc I might be a bit more advanced, yes, but you also have an obligation to your viewers to provide correct information, and not lackluster information. It seems you haven't even tried to actually find out what "the deal" is with the system that you made a video about.
@TwinBytesInc 3 years ago
@Xaranthos I had to watch this 1 year old video again to see what I said in it, and I didn't give wrong information. I just didn't give additional information you were looking for it seems, which is fine. Can't please everyone, but my information is correct. Thanks for the feedback and I'll try to dig deeper into videos like this in the future.
@corataylor2205 3 years ago
To answer your question: It doesn't. Microsoft has said this. It's just to add biometric alternatives to make logging in easier than a password. But you're forgetting you don't have to set a password at all, and solely rely on Hello if you wish, because MS accounts support FIDO.
@TwinBytesInc 3 years ago
So it sounds like you're agreeing with me anyway. In your own words "It's just an alternative method to login". It's not more secure, you still have the same computer password and/or Microsoft password. You just have a PIN in addition to that as a fast alternative.
@corataylor2205 3 years ago
@TwinBytesInc Yes, exactly. You're 100% right, ALMOST. But you're forgetting (or maybe just not aware) that with Microsoft's FIDO compliance, you can log into your online Microsoft account directly with biometry rather than a password, and can then disable a password altogether. Which IS more secure inherently. In other words, how you and most everyone else uses it, yes, it's just an alternative and is no more secure. But if you ONLY use biometry and cut the option for a password out altogether, such as by using FIDO keys or by using Microsoft Authenticator, then it's quite significantly more secure than a standard password. Although facial recognition can be spoofed, Hello also supports iris scanning and fingerprinting, and physical security keys.
@TwinBytesInc 3 years ago
@corataylor2205 Actually, I'll admit I didn't know you could delete your password and strictly use Windows Hello, which obviously would be much more secure. As I'm sure you're aware, in this industry there is far too much to keep up with and you can't be an expert in every area of computers. You either specialize or you are a general support and project manager like me who finds the information as needed. You're also correct that any of those things can be hacked too. Any authentication method can be hacked, just so much harder to do, and hackers tend to go for the weakest accounts to get more results faster. Every little bit helps. I'm curious why your channel doesn't have any videos, especially IT related, when you sound so knowledgeable.
@corataylor2205 3 years ago
@TwinBytesInc I 100% agree, things change not daily, but hourly, really. Honestly? I've thought about it. But I get too tangential, ramble too long, and make things more complex than needed. Besides, I feel like there's a better video than I could make already available for most subjects. I do appreciate you saying that, though. Maybe I will make a video :)
@TwinBytesInc 3 years ago
@corataylor2205 You can always edit your videos to shorten them. I used to ramble more too. :)
@Richard25000 4 years ago
For a standalone Windows 10 machine I do not want to use my Microsoft account for logging in to a personal private machine. My private laptop gets stolen: With a local account with a password it is stored in the local SAM database. I run BitLocker with TPM to stop data access and to stop the SAM database being edited offline. My data is safe. Using a Microsoft account gives an option to an attacker to try and attack my device through a third party controlled authentication system outside the realms of my BitLocker protection. They can power on the device and see my username, they have a forgot password option, recovery questions or other ways to try and social engineer Microsoft into resetting my PIN or password. If they're successful the data is no longer secured. With a local account their only option is to defeat the drive encryption. Trusting third parties without detailed analysis is not automatically more secure.
@TwinBytesInc 4 years ago
This is true. Thanks for your detailed comment. It's one major reason I don't use my accounting software or contact management database online. It's all stored locally on my drive which is also with BitLocker and File encryption.
@theWolfyugo 4 years ago
#TwinBytesInc Hey. Does Windows face unlock work when your EYES are CLOSED? I want my laptop secured when I'm sleeping. 🌏
@TwinBytesInc 4 years ago
That's funny. Once unlocked it doesn't lock when you close your eyes or even walk away from your computer. There is another feature to auto lock your computer when you step away if you enable it. I made a video on this here: kzbin.info/www/bejne/h2GzmJaEi9OAgck
@edwardmacnab354 2 years ago
If your WiFi goes down you will need that PIN to locally get into your computer, otherwise you can't get in! I am personally locked out of my Microsoft account with Outlook and cannot use it for email. It still works for logging in though. I will need to purchase a cell phone and get a phone provider contract to receive Microsoft's text messaged number that I need to verify myself, the only way to unlock it. Apparently Microsoft employees are not that bright or worse, they have some agenda behind why this is this way! I will likely move on to Linux. I've really had enough of Microsoft.
@TwinBytesInc 2 years ago
Actually, similar to a business computer on a domain controller, if the domain controller (server) can't be contacted, it should still let you log in with that last known good password. Worst case, just go to a Tim Hortons with your laptop, you can connect to a WiFi hotspot without logging in first.
@edwardmacnab354 2 years ago
@TwinBytesInc Without logging in to my computer, nothing works, I can't get past the login screen! Wait, yeah, I get you now. No Tim Hortons for me, thanks tho! My trust in Microsoft is zero now. I can't use their operating system for online banking, I'll have to use my iMac. I should have known better than to have used Outlook for anything.
@TwinBytesInc 2 years ago
@edwardmacnab354 Sorry to hear that. A bootable DVD can reset your password or at least create a new admin temporarily and get you in that way.