Microsoft’s Windows 10 and 11 operating systems support several different sign-in options: the classic local user account with a password, a Microsoft account with its password, and the options provided by Windows Hello (PIN, fingerprint, face). The PIN is the most common of these, as Microsoft pushes it specifically during setup.
Some Windows users might wonder which option is the most secure, or the most convenient. The answer is not as straightforward as it may seem. Using a PIN to sign in may look inferior at first glance, as it defaults to a short numeric code (four digits minimum); but is that really the case?
Let’s take a closer look at the different options and their characteristics.
- Local account with password — works on a single local computer only. No online recovery or monitoring options, but also no online attacks against the account, e.g., against the username on Microsoft sites.
- Microsoft account with password — works universally. One password for the account, regardless of number of devices. Options to restore and monitor access online. May be attacked online.
- Microsoft account with PIN — works only on the computer the PIN has been set on. The PIN never leaves the device; on hardware with a TPM it unlocks a key that the TPM holds. Account recovery is still provided via the Microsoft account. No online attacks, as the PIN is only valid locally.
Protecting a Windows PC with a PIN combines the local nature of a local account password with the benefits that a Microsoft account offers. The PIN is stored and checked locally, which keeps it out of reach of online attacks such as credential stuffing against the account. Local attacks are limited as well: Windows throttles PIN attempts and locks the PIN after repeated failures (on TPM-equipped hardware the TPM’s anti-hammering logic enforces this), so fast brute force is not possible. A short PIN may still be guessed, especially if information about the user is available (birthdays, other numbers tied to the person) or if it is one of the common choices such as 1234. Windows users may, and should, strengthen the PIN by making it longer than four characters and by allowing letters and symbols in the PIN settings.
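The following PowerShell script is an added example, not code from the original article. It audits the Windows Hello PIN complexity policy that controls minimum length and the allowed character classes, shows the TPM lockout state that backs the attempt throttling described above, and can enforce a longer alphanumeric PIN. The registry path and value names follow Microsoft’s PassportForWork policy documentation and should be treated as an assumption to verify on your build; the threshold of 8 characters is the author’s choice. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): audit the Windows Hello PIN
# complexity policy and the TPM anti-hammering state, and optionally enforce
# a longer alphanumeric PIN. Run from an elevated PowerShell prompt.
# Assumption: registry path and value names as documented for the
# PassportForWork PIN complexity policy; verify on your Windows build.

$PinPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

# Character-class values (Digits, LowercaseLetters, UppercaseLetters,
# SpecialCharacters): 0 = allowed, 1 = required, 2 = not allowed.
# A missing value means "not configured" = Windows default (digits only).
$ClassNames = 'Digits', 'LowercaseLetters', 'UppercaseLetters', 'SpecialCharacters'

function Get-PinComplexityPolicy {
    # Returns a hashtable of the configured values; empty if no policy exists.
    $policy = @{}
    if (Test-Path $PinPolicyPath) {
        $item = Get-ItemProperty -Path $PinPolicyPath
        foreach ($name in @('MinimumPINLength', 'MaximumPINLength') + $ClassNames) {
            if ($null -ne $item.$name) { $policy[$name] = [int]$item.$name }
        }
    }
    return $policy
}

function Test-PinPolicyIsStrong {
    # Returns a list of findings; an empty list means the policy meets the bar.
    param($Policy, [int]$MinimumLength = 8)
    $findings = @()
    # Windows' built-in minimum is 4 when nothing is configured.
    $min = if ($Policy.Contains('MinimumPINLength')) { $Policy['MinimumPINLength'] } else { 4 }
    if ($min -lt $MinimumLength) {
        $findings += "MinimumPINLength is $min, want at least $MinimumLength"
    }
    # Letters are "not allowed" (2) by default; a numeric-only PIN is far easier to guess.
    $lettersAllowed = foreach ($c in 'LowercaseLetters', 'UppercaseLetters') {
        $Policy.Contains($c) -and $Policy[$c] -in 0, 1
    }
    if (-not ($lettersAllowed -contains $true)) {
        $findings += 'PIN is numeric-only; allow or require letters'
    }
    return $findings
}

function Set-StrongPinPolicy {
    # Require digits and lowercase letters, allow uppercase and symbols,
    # and raise the minimum length. Users may be prompted to change a PIN
    # that no longer meets the policy.
    param([int]$MinimumLength = 8)
    if (-not (Test-Path $PinPolicyPath)) { New-Item -Path $PinPolicyPath -Force | Out-Null }
    $values = @{
        MinimumPINLength  = $MinimumLength
        Digits            = 1
        LowercaseLetters  = 1
        UppercaseLetters  = 0
        SpecialCharacters = 0
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PinPolicyPath -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-TpmAntiHammeringState {
    # Get-Tpm ships with Windows (TrustedPlatformModule module). LockoutCount and
    # LockoutMax show how many failed authorizations the TPM tolerates before
    # it locks, which is what throttles local PIN guessing on TPM hardware.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
    }
}

$policy = Get-PinComplexityPolicy
Write-Host 'Configured PIN complexity policy (empty = Windows defaults):'
$policy.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
Test-PinPolicyIsStrong -Policy $policy | ForEach-Object { Write-Warning $_ }
Get-TpmAntiHammeringState | Format-List

# Uncomment to enforce the stronger policy on this machine:
# Set-StrongPinPolicy -MinimumLength 8
```

On a machine without a TPM, Get-Tpm reports TpmPresent as False; the PIN then relies on software throttling alone, which is one more reason to lengthen it.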
Successfully gaining access to a Windows user account that is protected by a PIN does not give automatic access to the user’s Microsoft account. The Microsoft account password, or the passwordless option, is still required to sign in to the account from anywhere else.
Access to the Windows user account may open a can of worms, however. One example: email clients and browser sessions on the device are typically already signed in, and the linked email accounts can then be used to receive verification codes and password reset links for other services. Therefore, it is essential to pick a secure PIN if there is a chance that someone else may get physical access to the device.
Users who want to be even safer may want to encrypt the device fully; on Windows this is BitLocker. With a pre-boot PIN or password configured, this adds another layer to the sign-in process, as that secret has to be supplied before the Windows PIN or password prompts are even shown. In the default TPM-only configuration there is no pre-boot prompt, but the encrypted disk still cannot be read offline by removing it or booting another operating system.
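The following PowerShell script is an added example, not code from the original article. It checks whether the system drive is BitLocker-encrypted, whether the configured key protector actually produces a pre-boot prompt (a plain TPM protector does not), and shows how to switch to a TPM+PIN protector. It assumes Windows 10/11 Pro or Enterprise with the BitLocker cmdlets, an elevated prompt, and that the policy values under the FVE key are as documented for the "Require additional authentication at startup" setting; the pre-boot protector list is the author’s reading of the KeyProtectorType values.

```powershell
# Added example (not from the original article): audit BitLocker on the
# system drive and, optionally, require a startup PIN in front of the TPM.
# Assumptions: Windows Pro/Enterprise with the BitLocker module, elevated
# prompt, FVE policy value names as documented by Microsoft.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-SystemDriveProtection {
    # Summarize the BitLocker state of the drive Windows booted from.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = "$($vol.VolumeStatus)"      # FullyEncrypted / FullyDecrypted / ...
        ProtectionStatus = "$($vol.ProtectionStatus)"  # On / Off
        EncryptionMethod = "$($vol.EncryptionMethod)"
        Protectors       = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    }
}

function Test-PreBootAuthRequired {
    # True only if a protector exists that asks for something before Windows
    # starts. A bare 'Tpm' protector unlocks silently: it defeats offline disk
    # reads but puts no extra step in front of the sign-in screen. Recovery
    # keys (ExternalKey/RecoveryPassword) are fallbacks, not pre-boot auth.
    param($Protection)
    $preBoot = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password'
    return [bool]@($Protection.Protectors | Where-Object { $_ -in $preBoot })
}

function Enable-StartupPin {
    # Switch the OS drive from TPM-only to TPM+PIN. Policy values:
    # 0 = do not allow, 1 = require, 2 = allow. UseEnhancedPin=1 permits
    # letters in the startup PIN instead of digits only.
    param([Parameter(Mandatory)][securestring]$Pin)
    if (-not (Test-Path $FvePolicyPath)) { New-Item -Path $FvePolicyPath -Force | Out-Null }
    $settings = @{
        UseAdvancedStartup = 1
        UseTPM             = 2
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
        UseEnhancedPin     = 1
    }
    foreach ($name in $settings.Keys) {
        New-ItemProperty -Path $FvePolicyPath -Name $name -Value $settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    # Only one TPM-based protector can exist, so adding TPM+PIN replaces the
    # TPM-only protector; recovery protectors are left untouched.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $Pin | Out-Null
}

$state = Get-SystemDriveProtection
$state | Format-List
if ($state.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not active on $($state.MountPoint)"
} elseif (-not (Test-PreBootAuthRequired $state)) {
    Write-Warning 'TPM-only protector: the disk unlocks before sign-in, so the Windows PIN/password prompt is the only barrier'
} else {
    Write-Host 'Pre-boot authentication is required before the Windows sign-in screen.'
}

# To add a startup PIN (back up the recovery password first, e.g. with
# Get-BitLockerVolume | Select-Object -ExpandProperty KeyProtector):
# Enable-StartupPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Keep the recovery password somewhere safe before changing protectors: a mistyped startup PIN or a firmware update that changes the TPM measurements will send the machine to the recovery screen.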
Now You: how do you secure your user accounts?