[MS] Mitigating attacks based on knowing the length of a Windows Hello PIN - devamazonaws.blogspot.com

When you set up a numeric PIN with Windows Hello, the system will immediately sign you in with that PIN once you enter the correct number of digits, saving you the trouble of having to press Enter. For example, if you set up an 8-digit PIN, then once you enter the eighth digit, the PIN validation process begins.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like "all ones" and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

Well, the length of the PIN isn't really a tightly-guarded secret, because anybody who watches the screen while you sign in can count the dots that appear, or (if they have sharp ears) listen to the number of clacks of the keyboard.

The security team have done their own cost-benefit analysis of this behavior and and have tuned the system so that the convenience does not come at a significant loss of security: Through a combination of increasing the minimum PIN length, rejecting PINs that follow certain patterns, and decreasing the TPM's anti-hammering threshold, the value of knowing the number of digits in the PIN is significantly reduced. Even with the shortest allowable PIN length, you won't be able to make many guesses before the TPM temporarily locks out any further attempts to validate the PIN. Furthermore, the PIN length is not revealed to remote logons; anybody trying to steal this data must have physical access.

If you feel strongly about it, you can set your organization's PIN policy to force alphanumeric PINs. For alphanumeric PINs, Windows requires that the user press Enter; it does not provide the convenience of accepting a PIN once the character count is reached.

Armed with this information, you may be able to address this security issue that was submitted:

Windows allows me to sign in with the wrong PIN.

To reproduce, set the user's PIN to 122222. At the sign-screen, enter a 1, followed by any number of 2's. All of them are accepted and sign the user in, even though the seven-digit and longer PINs are incorrect.

Bonus chatter: In the days before cell phones, companies would take advantage of a similar behavior of telephone switching hardware: Once the number you dialed formed a complete telephone number, the telephone system began connecting the call. Any numbers you dialed after that point were ignored. A company could advertise its telephone number with an eight-digit mnemonic ("Call 555-FABRIKAM to order!"), even though the last digit was ignored.


Post Updated on February 27, 2024 at 03:00PM
Thanks for reading
from devamazonaws.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Scenarios capability now generally available for Amazon Q in QuickSight - devamazonaws.blogspot.com

Today, AWS announces the general availability of the scenarios capability of Amazon Q in QuickSight. Amazon Q guides you through data analysis by uncovering hidden trends, making recommendations for your business, and intelligently suggesting next steps for deeper exploration—all in response to natural language interactions. Now anyone can explore past trends, forecast future scenarios, and model solutions without needing specialized skill, analyst support, or manual manipulation of data in spreadsheets. With its intuitive interface and step-by-step guidance, the scenarios capability of Amazon Q in QuickSight helps users perform complex data analysis up to 10x faster than spreadsheets. Whether you're optimizing marketing budgets, streamlining supply chains, or analyzing investments, Amazon Q makes advanced data analysis accessible so you can make data-driven decisions across your organization. This capability is accessible from any Amazon QuickSight dashboard, so you can move seam...
Read more

Research and Engineering Studio on AWS Version 2024.08 now available - devamazonaws.blogspot.com

Today we’re excited to announce Research and Engineering Studio (RES) on AWS Version 2024.08. This release adds new features such as Amazon S3 bucket mountpoints for Linux, allows creation of custom user roles and permission profiles, and offers the ability to adjust the list of Amazon EC2 instances available to launch as virtual desktops. Amazon S3 mountpoints allow Linux desktops to access S3 buckets as a file system. Amazon S3 buckets are created using the AWS Console or AWS CLI and onboarded to RES by administrators using the S3 Buckets page in the web portal. You can mount buckets in either Read Only or Read/Write mode. Read/Write buckets have an optional setting to restrict data access by project, or both project and user. RES can also mount S3 buckets from other AWS accounts with the proper permissions. Custom permission profiles allow administrators to create unique permissions and assign them to users or groups. Start by modifying the default Project Member and Project Ow...
Read more

Amazon EC2 C6id instances are now available in AWS Europe (Paris) region - devamazonaws.blogspot.com

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) C6id instances are available in Europe (Paris) Region. These instances are powered by 3rd generation Intel Xeon Scalable Ice Lake processors with an all-core turbo frequency of 3.5 GHz and up to 7.6 TB of local NVMe-based SSD block-level storage. C6id instances are built on AWS Nitro System , a combination of dedicated hardware and lightweight hypervisor, which delivers practically all of the compute and memory resources of the host hardware to your instances for better overall performance and security. Customers can take advantage of access to high-speed, low-latency local storage to scale performance of applications such data logging, distributed web-scale in-memory caches, in-memory databases, and real-time big data analytics. These instances are generally available today in the US West (Oregon), US East (Ohio, N. Virginia), Canada (Central), Canada West (Calgary), AWS GovCloud (US-West), Mexico (Central), South America (...
Read more