
Windows 10 authentication options leave passwords behind

Passwords have long ruled the authentication world, but they're not infallible. Microsoft added authentication options in Windows 10, including Windows Hello and more effective PINs.

Passwords have been the primary tool for controlling access to information systems for longer than many IT professionals have had their jobs. Even so, this tried-and-true security measure isn't perfect.

Good, secure passwords are long, difficult to remember, tedious to type -- especially on touch screen keyboards -- and should change frequently. Malware, shoulder surfing and other hacking techniques compromise passwords on a regular basis.

One of Microsoft's priorities with Windows 10 authentication was to make it possible to secure devices without passwords. Users can still have Windows 10 passwords, but they also have other access methods at their disposal.

Welcome Windows Hello

Windows Hello could best be summed up as biometric authentication. In fact, Windows Hello uses three different forms of biometric authentication -- fingerprint, face or iris -- to grant Windows 10 access.

Obviously fingerprint authentication requires a fingerprint reader, but users need special hardware for other authentication types too. For example, facial recognition requires a particular type of camera similar to the camera on the Xbox Kinect. Intel created a RealSense 3D camera that works with Windows Hello-based authentication. Iris-based authentication also requires special hardware that is not available yet. As of this writing, fingerprint authentication is the most practical way to use Windows Hello because the Surface Pro 4, the Surface Book and numerous third-party PCs are equipped with built-in fingerprint readers.

The Windows Hello enrollment process associates the user's biometric features, such as a fingerprint, with his or her digital identity, that is, the user account. The enrollment process captures the user's defining characteristics rather than capturing an image. In the case of facial recognition, Windows does not capture a picture of the user's face. Instead, it collects numerical data that Microsoft says is similar to a graph.

The data the Windows Hello enrollment process captures is device-specific, so it remains secure because it never leaves the device. But users who work with multiple devices must complete a separate enrollment for each device. Users may also have to periodically re-enroll as a result of biometric changes such as shaving a beard or getting glasses.

PINs can be more secure than passwords

Windows 10 authentication can also come in the form of a PIN instead of a password. A PIN must be at least four digits long.

A PIN might seem far less secure than a complex, alphanumeric password, but Microsoft took measures to make PINs more secure. First, PINs are guarded against brute-force attacks. If a user enters a PIN incorrectly four times in a row, he is required to respond to a challenge question.

PIN codes also live on the device. Like biometric authentication data, the PIN is never transmitted, which reduces the chances of the PIN being compromised.

Picture this

Microsoft introduced picture passwords in Windows 8, and they are also an option for Windows 10 authentication. The operating system prompts users who opt to use picture passwords to draw on one of the pictures saved on their devices and confirm the drawing. Picture passwords require three gestures. Users can use any combination of lines, circles and taps. For instance, a user who chooses to use a picture of a car might draw circles around the tires and then tap the door handle. The picture password feature works with either a mouse or a touch screen, but picture password users commonly report the authentication process is far more reliable and less stressful with a touch screen.

One problem with picture passwords is that some people use their touch screens for authentication but use a traditional keyboard and mouse for everything else. In these situations, fingerprints on the screen may clearly reveal the key to unlocking the PC using a picture password. Fortunately, picture passwords require users to repeat gestures in a specific order, and they must draw lines and circles in the same direction each time, so smudges alone do not show the order or direction of the gestures.

Although passwords are still viable in the new OS, Microsoft provides a number of Windows 10 password alternatives. Users and admins can access the alternatives by opening the Windows 10 Start menu and clicking Settings, followed by Accounts and Sign In Options.
