#11
With a Hello PIN code but without a TPM, the computer is vulnerable to online attacks. It is the TPM that makes physical access to the computer necessary to break it. Microsoft does not recommend Hello without a TPM.
Read or reread the article and watch the video:
"PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users' credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked."
"What if someone steals the laptop or the phone?
To compromise Windows Hello credentials protected by TPM, an attacker must have access to the physical device (...)"
Here is another article from Microsoft: https://docs.microsoft.com/en-us/win...ness/hello-faq
How are keys protected?
Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business do not require a TPM. Administrators can choose to allow key operations in software.
Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register)."
I don't know if asymmetric key pairs are related to enabling the TPM and, if not, whether they are useful without a TPM. If it is the TPM that gives the asymmetric key pairs, the use of Hello is useless if the computer does not have a TPM. If it's not the TPM and the computer doesn't have a TPM, then maybe using Hello with a complex PIN code is recommended. In the worst case the computer will be protected as with a password.
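The quoted passages above describe key material being generated inside the TPM and the TPM locking after too many PIN guesses. The following PowerShell is an added example for this thread, not code from the post or from Microsoft's documentation. It reads the TPM state and the "Use a hardware security device" policy, then creates a non-exportable RSA-2048 signing key (the key type Hello for Business uses) once in the TPM-backed "Microsoft Platform Crypto Provider" and once in the software "Microsoft Software Key Storage Provider", and does a sign/verify round trip with each. On a machine with a ready TPM both providers succeed; on a machine without one, creation in the Platform Crypto Provider throws and only the software provider works, which is the no-TPM case the post asks about. The key name prefix and the 32-byte challenge are constructed for the demo; the keys are deleted afterwards.

```powershell
# Added example (not from the thread or from Microsoft's docs). Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows; Get-Tpm needs an elevated prompt, the key tests run as the normal user.

# 1. TPM state, including the dictionary-attack lockout counters the quoted FAQ refers to.
try {
    $tpm = Get-Tpm
    "TpmPresent={0} TpmReady={1} LockedOut={2} LockoutCount={3} LockoutMax={4}" -f `
        $tpm.TpmPresent, $tpm.TpmReady, $tpm.LockedOut, $tpm.LockoutCount, $tpm.LockoutMax
} catch {
    "Get-Tpm failed (not elevated, or no TPM driver): $($_.Exception.Message)"
}

# 2. Policy "Use a hardware security device": RequireSecurityDevice=1 forces TPM-backed Hello keys.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
"RequireSecurityDevice={0}" -f $(if ($null -ne $pol.RequireSecurityDevice) { $pol.RequireSecurityDevice } else { 'not configured' })

function Test-KeyProvider {
    # Creates a persisted, non-exportable RSA-2048 key in the named CNG provider, signs a
    # constructed challenge with it, and verifies the signature using only the public half,
    # which is all an identity provider ever holds.
    param([Parameter(Mandatory)][string]$ProviderName)

    $keyName = 'HelloDemoKey-' + [guid]::NewGuid().ToString('N')   # hypothetical per-run container name
    $result  = [ordered]@{ Provider = $ProviderName; Created = $false; Verified = $false; Error = $null }
    $key     = $null
    try {
        $params = [System.Security.Cryptography.CngKeyCreationParameters]::new()
        $params.Provider     = [System.Security.Cryptography.CngProvider]::new($ProviderName)
        $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None   # private half can never leave the provider
        $params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
        $params.Parameters.Add([System.Security.Cryptography.CngProperty]::new(
            'Length', [BitConverter]::GetBytes(2048), [System.Security.Cryptography.CngPropertyOptions]::None))

        $key = [System.Security.Cryptography.CngKey]::Create(
            [System.Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $params)
        $result.Created = $true

        # Constructed 32-byte nonce standing in for the challenge an identity provider would send.
        $challenge = [byte[]]::new(32)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)

        $signer = [System.Security.Cryptography.RSACng]::new($key)
        $sig = $signer.SignData($challenge,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        # Export only the public blob (allowed despite ExportPolicy None) and verify with it.
        $pubBlob  = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
        $pubKey   = [System.Security.Cryptography.CngKey]::Import($pubBlob,
            [System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
        $verifier = [System.Security.Cryptography.RSACng]::new($pubKey)
        $result.Verified = $verifier.VerifyData($challenge, $sig,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    } catch {
        # Without a usable TPM, Create() in the Platform Crypto Provider lands here.
        $result.Error = $_.Exception.Message
    } finally {
        if ($key) { $key.Delete() }   # remove the demo key from the provider
    }
    [pscustomobject]$result
}

foreach ($p in 'Microsoft Platform Crypto Provider', 'Microsoft Software Key Storage Provider') {
    Test-KeyProvider -ProviderName $p
}
```

Both runs produce an asymmetric key pair and a signature that verifies with the public half alone; what differs is where the private half is held. In the Platform Crypto Provider the private key is generated and used inside the TPM, which is what ties Hello to the physical device and lets the TPM enforce its own lockout, whereas the software provider keeps it in a DPAPI-protected file that travels with a copy of the user profile.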