In some scenarios that’s really a difference without distinction though.
Say I have a key to my house attached to a chain so it can be used to open the door but not leave the property, and then I secure it in a lockbox. If someone steals the key to the lockbox, they technically don't have access to the house key, but they can still rob my house.
Your scenario makes it so the house key doesn't matter in the end though; if they're able to get to the lockbox to use the lockbox key they're already in the house and thus already able to rob it regardless of whether they got the lockbox key. In the end your door lock did nothing for you at all. I don't get how that relates to using a PIN stored in the TPM to protect your actual password, other than suggesting "well your account can be hacked without even touching your device" which I mean yeah sure.
But in the end that PIN is still different from that Windows/Microsoft password. The PIN only works on that one device and gets totally invalidated after only a few failures. This is untrue of passwords which usually never get fully invalidated and are then used across multiple devices.
If you manage to find out that my PIN to log into device A with my Microsoft account is 1234, you don't have access to my Microsoft account in general or on device B. If you see me log in to my device A with hunter42 (my Microsoft account password), you can now log in to my Microsoft account and every other device I'm using my Microsoft account on.
Is that a difference without distinction? I'd say that's quite a bit of distinction! And that's only one of the many differences!
Which is why I was careful to say that it was a difference without distinction only in some scenarios. Namely, offline attacks on a physical device.
In this scenario, even with the attempt restrictions the attacker has a couple of chances at relatively easy guesses before falling back to the password protection. If we consider shoulder surfing, it's a lot easier to distinguish a four- or six-digit PIN than a password.
I'm aware the PIN doesn't give actual access to the credential and so doesn't impact online attacks. But that isn't the only scenario.
Incidentally, how much work is "in general" doing when you talk about the access to Microsoft services granted by the PIN + TPM? It isn't zero access, is it?
> how much work is "in general" doing when you talk about the access to Microsoft services granted by the PIN + TPM?
I mean you can't just go to microsoft.com and log in knowing only my PIN on a single device. If you know my PIN for a device, but you don't have the device, you don't have access to my Microsoft account at all.
And if you have all my devices? And what if you have all my external security tokens? And what if you also have all my passwords? And what if you have a complete replica of every thought in my head? And what if what if what if what if...
Sure. Whatever buddy. Nothing is truly secure. If they guessed my password as well along with my device I'd be in an even worse situation. At least my PIN just disappears forever after a few failed attempts and requires that physical device.
Needing a physical device which wipes itself after a few failed attempts is more secure than having a password that could be used anywhere on any device however many times they want to guess.
> without distinction only in some scenarios. Namely, offline attacks on a physical device.
There is a distinction in this domain though, and it's pretty massive. Offline attacks at guessing passwords: if you fail the PIN a few times (three on most of my machines), the PIN gets cleared, never to be used again. Meanwhile you can keep trying the password over and over. The account password on the device isn't getting cleared. So I can make the PIN pretty simple and easy to type in while making my regular password very long and complicated. It doesn't matter if it's a pain to type in, because it's not like I'm typing it in every time I walk away and come back to my computer.
Except in this case it’s really important to learn how the implementation works because it has meaningful differences:
If you login to Google.com with a password, the remote server knows your password and if you are phished the attacker can use your password to access Google.
If you login to Google.com using a passkey secured by Windows Hello, your PIN or biometric check is between you and your computer, and the passkey is used for a public key exchange with Google’s servers. They do not know your PIN and you cannot be phished. That’s a transformative change.
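The flow described in the comment above, and the device-bound, self-wiping PIN argued for earlier in the thread, as an added example in Go that is not code from the thread, from Windows Hello, or from any WebAuthn library. An Authenticator holds private keys that never leave it, gated by a PIN with a three-failure lockout (the limit a commenter mentions; assumed here as policy); a RelyingParty stores only public keys, issues single-use challenges, and verifies a signature bound to its own origin. The names Authenticator, RelyingParty, Register, Assert and digest are assumptions, and real WebAuthn binds credentials to an RP ID and signs over clientDataJSON, which is simplified here to the origin string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not code from the thread, Windows Hello or any WebAuthn library.
// Names and the 3-failure limit are assumptions; real WebAuthn binds credentials
// to an RP ID and signs a richer clientDataJSON, simplified here to the origin.
const maxPINFailures = 3

// Authenticator models Windows Hello plus TPM: private keys never leave it,
// and the PIN only gates their use on this one device.
type Authenticator struct {
	pin      string
	failures int
	locked   bool
	creds    map[string]*ecdsa.PrivateKey // origin -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, creds: map[string]*ecdsa.PrivateKey{}}
}

// Locked reports whether wrong guesses have disabled PIN login on this device.
func (a *Authenticator) Locked() bool { return a.locked }

// Register makes a key pair bound to origin and returns only the public half.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[origin] = priv
	return &priv.PublicKey, nil
}

// Assert is the device-side half of a login: PIN check with lockout, key
// lookup by the origin the browser is actually on, then a signature that
// covers both origin and challenge.
func (a *Authenticator) Assert(pin, origin, challenge string) ([]byte, error) {
	if a.locked {
		return nil, errors.New("PIN disabled until the real password is used")
	}
	if pin != a.pin {
		a.failures++
		if a.failures >= maxPINFailures {
			a.locked, a.creds = true, nil // the short PIN now unlocks nothing
		}
		return nil, fmt.Errorf("wrong PIN (%d/%d)", a.failures, maxPINFailures)
	}
	a.failures = 0
	priv, ok := a.creds[origin]
	if !ok { // e.g. https://google.com.evil.example has no key: nothing to phish
		return nil, errors.New("no credential registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
}

// digest is the value both sides sign/verify; binding the origin into it is
// what makes a signature obtained at another site useless here.
func digest(origin, challenge string) []byte {
	d := sha256.Sum256([]byte(origin + "\n" + challenge))
	return d[:]
}

// RelyingParty models the server: it stores public keys and outstanding
// challenges, and never learns the PIN.
type RelyingParty struct {
	origin string
	users  map[string]*ecdsa.PublicKey
	issued map[string]string // user -> challenge awaiting a response
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: map[string]*ecdsa.PublicKey{}, issued: map[string]string{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues a fresh nonce so a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge(user string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rp.issued[user] = fmt.Sprintf("%x", b)
	return rp.issued[user]
}

// Verify accepts a signature only over the pending, single-use challenge and
// this server's own origin, made by the enrolled key.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	challenge, pending := rp.issued[user]
	pub, enrolled := rp.users[user]
	if !pending || !enrolled {
		return false
	}
	delete(rp.issued, user)
	return ecdsa.VerifyASN1(pub, digest(rp.origin, challenge), sig)
}
```

Walking through it: a login at https://google.com signs the server's challenge and verifies; the same signature replayed fails because the challenge was consumed; a page at https://google.com.evil.example gets an error from the authenticator because no key is registered for that origin, and even a signature it did obtain would not verify against the real origin's digest; a second Authenticator that knows the same PIN but holds no key gets nothing; and three wrong PINs lock the first device so the correct PIN no longer works either. The server never sees the PIN at any step.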
A bicycle and a semi-truck are both machines with rubber tires to move people and things at a faster speed than walking. The rest is implementation details.
X and Y are both Z. The rest is implementation details. Except sometimes "implementation details" makes the two pretty radically different in usage.
Incorrect. The PIN does not grant access to the service.
If all you have is the PIN, you don't get access to the service. Therefore, it's not the PIN that grants the access.
If you know my keepass database passphrase, but don't have the actual database file, do you have access to the services contained within?
And as acdha mentioned, the entire login workflow is radically different with security keys / passkeys. It's a radically different implementation of authentication with different guarantees.
Do you leave SSH open on port 22 with only password authentication? It's just the same as using SSH keys, just a difference in implementation.
> If all you have is the PIN, you don't get access to the service.
That depends what the service is. If the "service" is a session on my desktop PC, then it absolutely does grant access. You'll have to take my word that if I type my PIN into it, it will start an interactive session.
My kid wants to play minecraft, but he can't because he doesn't have the PIN. If he did have the PIN, he could play minecraft.
I am willing to believe that the implementation of the PIN is totally different from passwords, but in this use case, the user experience is identical. The "attacker" does NOT need the password.
It is still not the PIN, in the same way the password to the password vault isn't the password to an account. If you had a physical TPM that got removed, your PIN wouldn't do anything. If the TPM got reset in the BIOS, the PIN wouldn't work. It's a step in the authentication workflow, but the PIN itself is not the credential. If a person tried to RDP to that computer with the PIN, they wouldn't be able to access it.
If your kid fails the PIN too many times, the PIN gets disabled. No more PIN retries until the real password gets used. If they tried the password a bunch of times, they'd get a timeout but could come back in a few minutes and try again.
I mean, I get what you're saying about the PIN being the login from the user perspective, but the under-the-hood nuance makes things pretty different in the end when thinking more about what's happening.
Same thing with a fingerprint with a passkey to some service. The fingerprint itself isn't the login; you can't just go to any phone and press your finger and log in to the service. So the fingerprint isn't the login, it's a part of the process on that particular device to unlock that particular saved credential that logs you in.
Before iPhones had biometric authentication, a PIN was the only means to unlock the cryptographic key that protects your data on the phone. It still is; you can bypass Face ID and Touch ID at any time by entering your PIN.
So it's not like this is a new thing. It's the same concept, but applied to a PC as well.
If you’re going to speculate about ulterior motives, fill in the supporting details so people can tell you’re not just promulgating conspiracy theories.
So you think that Netflix has gone to Microsoft to start a multi-year industry-wide standardization process to change how people login because that’s easier than looking at their own log files?
Netflix didn’t crack down on shared passwords when they were growing rapidly but that’s not because they couldn’t.
I don't, but yes; many seriously actually believe this is why the industry is moving to passkeys. It isn't logical, it isn't reasonable, but these are your customers.
Yes, if you're both using the same password manager. But, while you live in Silicon Valley bubbleland, most people don't. The world's most popular password manager is Excel; and sadly it does not support sharing passkeys (or, really, passkeys at all).
Baseless? Can you think of a reason why Netflix wouldn't support it for precisely this reason? Their campaign against account sharing is widely publicized. Do you think account sharing is easier or harder under passkeys? Just because it's a conspiracy theory doesn't mean it's false.
It’s baseless because it’s pure speculation without any evidence, or even a coherent argument for why they’d go to so much work for something they already do at much lower cost.
I think the argument is misunderstood here. I'm not saying this is the only reason that Netflix would be in favor of passkeys, just that it's one reason, not even the main one.
Here's the argument. I guess it's up to you whether you think it's coherent.
1. Netflix dislikes account sharing. They'd rather have two people pay for two subscriptions. They're a business, and are in favor of higher subscription numbers.
2. Passkeys make account sharing harder. Customer behavior modeling probably suggests that some fraction of account sharers would create new subscriptions if they switched to passkeys.
3. Of all the reasons Netflix is in favor or against passkeys, this reason is in favor of them, via 1. and 2.
I think the argument was a flippant response by another user riffing off of a conspiracy theorist who misunderstood how passkeys work, and while I appreciate the effort you’ve made trying to salvage it I am skeptical that Netflix would be motivated enough to be part of their hypothetical Netflix/Google/Microsoft/Apple conspiracy but not enough to even implement passkey support.
That only works if the share target is using the same password manager.
If you asked most people "what password manager do you use" they would give you a blank stare; but sadly, the answer is rarely "I'm not using one" the answer is usually Apple or Chrome or whatever is built in and most convenient.
PIN - a personal identification number (aka a password)
This is one of those times where there is usually an ulterior motive behind this decision. Most cases in the form of power and/or control.