Passports please! What you need to know about the Windows 10 PIN
Passport is a single sign-on web service developed and provided by Microsoft that allows users to log into websites (like Outlook.com), and devices (e.g. Windows 10 computers and tablets, or Windows Phones). It has been around for some time, acting as a single entry point to all of the Microsoft product range. In Windows 10, Microsoft Passport is still working away, replacing user passwords with strong two-factor authentication. Authentication requires an enrolled device and a PIN code, both of which are needed for access.
Take the next step towards advanced SaaS management with our Office 365 management software.
Microsoft lists various benefits associated with this configuration, users should find it faster and more convenient, and any mobile devices that run Windows 10 can also be used as a remote credential for the user’s Windows 10 PC. The main benefit to the PIN appears to be security: as it is local to the device and associated with the specific equipment on which it is set up – without the corresponding hardware, the PIN is useless. By removing passwords, Microsoft claim that it also helps ‘circumvent phishing and brute force attacks’, increasing security beyond previous capabilities.
Implementing Microsoft Passport Group Policy
If you are running Windows 10 within your organization, you can create a Group Policy or mobile device management policy that implements Microsoft Passport on all Windows 10 devices.
Here are Microsoft’s Group Policy settings, which should enable you to configure the implementation.
Implementing Mobile Device Management Settings
These MDM policy settings use the PassportForWork configuration service provider (CSP), and will enable you to configure Passport use across your organisation.
Spread the word
After you have implemented Windows Passport as a requirement through Group Policy, you will need to inform your users on how to set up and use the PIN. They should be aware that while they may be required to change their Active Directory or Azure Directory (AD) account password regularly, any password changes have no effect on Passport.
Setting the Windows 10 PIN
The user will be prompted to choose who owns the device. This allows for BYOD policies to be included in PIN protection. Select as necessary.
Following this, there is choice on how your user should connect. For users in your organisation, this will be ‘Join to Azure AD’.
You will then arrive at this screen – as you would imagine, click the ‘Create PIN’ button.
Create and confirm your chosen PIN.
Microsoft will explain the ways in which they will make my PC more secure. If you agree with these policies (they seem pretty sensible to us), click the ‘Enforce these policies’ button.
As part of the two-factor authentication, you will need to enter your phone number. Microsoft will text you a verification code. Once you receive it, enter it below.
Once you’re all set up, your welcome screen will look something like this.
The PIN is a new feature for Windows 10 only, and it remains to be seen whether it delivers on the security benefits that Microsoft claims. After you’ve given it a go, if you’re not a fan, or remain to be convinced on its power to protect, keep an eye on our blog for an upcoming post on how to disable it.