Windows 10 Authentication Mechanisms

September 30, 2019 by Greg Belding

Introduction

Windows 10 offers several authentication mechanisms for users. This article details Windows 10 authentication methods and explores how to configure password policy, picture passwords and PINs. We’ll also look at how to use Credential Manager, Credential Guard and Microsoft Passport.


How to configure password policy in Windows 10

Configuring password policy in Windows 10 is simple. To get there, type “run” into the Cortana search bar. When the Run window pops up, type “secpol.msc” into the window and press Enter. Click on “Account Policies” and then on “Password Policy.” At this point, you can configure Windows 10’s password policy.

You have several configurations available in Windows 10. They are:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption
  • Account lockouts

Configure passwords in Windows 10 to be as tight as possible, especially for organizations, in order to maintain a secure system.
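To check these settings without clicking through secpol.msc, the following added example (not from the original article) parses the `[System Access]` section of a `secedit` policy export and compares each value with a baseline. The allowed ranges and the function names are assumptions chosen for illustration; the sample export is constructed.

```powershell
# Added example, not from the article. Allowed ranges are illustrative assumptions.
$Baseline = [ordered]@{                # setting = min, max
    PasswordHistorySize   = 24, 24     # Enforce password history
    MaximumPasswordAge    = 1, 365     # days; -1 in the export means "never expires"
    MinimumPasswordAge    = 1, 998     # days
    MinimumPasswordLength = 14, 128
    PasswordComplexity    = 1, 1       # complexity requirements enabled
    ClearTextPassword     = 0, 0       # reversible encryption disabled
    LockoutBadCount       = 1, 10      # 0 means accounts never lock out
}

# Parse only the integer settings inside the [System Access] section.
function Get-SystemAccessPolicy {
    param([string[]]$InfLines)
    $policy = @{}; $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(-?\d+)$') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy, $Baseline)
    foreach ($name in $Baseline.Keys) {
        $min, $max = $Baseline[$name]
        $actual = $Policy[$name]     # $null when the export lacks the setting
        $ok = ($null -ne $actual) -and ($actual -ge $min) -and ($actual -le $max)
        [pscustomobject]@{ Setting = $name; Actual = $actual; Allowed = "$min..$max"; Compliant = $ok }
    }
}
# Constructed sample export. On a live host (elevated prompt), use instead:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $lines = Get-Content "$env:TEMP\secpol.inf"
$lines = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
'@ -split '\r?\n'
Test-PasswordPolicy (Get-SystemAccessPolicy $lines) $Baseline | Format-Table -AutoSize
```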

How to configure picture passwords and PINs in Windows 10

Password authentication is just the beginning in Windows 10. You can also authenticate users with picture passwords and PINs.

Picture passwords

Picture passwords were introduced in Windows 8 to provide a novel method of signing in. Creating a picture password starts with a user-chosen picture; the user then draws a combination of straight lines, circles and taps that becomes part of their password. To configure your picture password:

  • Enter sign-in options in your Cortana search bar
  • Scroll down to picture password and click Add
  • You will be presented with a Windows security screen. Enter your password and click OK
  • You will be presented with a “welcome to picture password” window. Click “Choose Picture” and follow the prompts to configure your picture password

PIN

Windows 10 users can also choose to use a PIN as an authentication method. To configure a PIN:

  • Enter “Sign-in Options” into the Cortana search bar
  • Scroll down to PIN and click Add
  • You will be presented with a Windows security screen. Enter your password
  • You will be presented with a “Set up a PIN” window. Your PIN must be at least four digits in length

PINs in Windows 10 have no maximum length or complexity, so make your PIN a random number. PINs longer than four digits are more secure.

How to use Credential Manager

Windows 10 offers Credential Manager as a sort of digital locker to store passwords, usernames and addresses. These credentials can be used on the local computer, other computers on the same network, servers and internet locations, like websites. Windows can also use these credentials to access apps and programs.

Windows 10 has made minor changes to credential categorization with this version of Credential Manager. Now credentials are categorized in two main categories: Windows credentials and Web credentials. Windows 10 is the first OS to categorize certificate-based credentials and generic credentials as part of Windows credentials. Before, they were their own individual categories.

To get to Credential Manager in Windows 10:

  • Type “credential manager” into the Cortana search bar
  • Click on Credential Manager
  • You will be presented with a window showing Windows credentials and Web credentials

Now that you are in Credential Manager, let’s add a Windows credential.

  • Click on “Add a Windows Credential”
  • You will be presented with a window with fields for internet or network address, username and password
  • Enter your information, click OK and you have just set a Windows credential

Editing and removing a credential is just as easy. Click on the credential within Credential Manager and click either Edit or Remove to perform these tasks.

How to use Credential Guard

Credential Guard is a new feature introduced in Windows 10 (available only in Enterprise and Education editions). With Credential Guard, a VM acts as the middleman, passing credentials to the privileged software via Virtualization Based Security (VBS) and thereby safeguarding against attacks that steal password hashes (such as pass-the-hash). To enable Credential Guard, you have three options:

  1. Using group policy
  2. Using Windows registry
  3. Using the Windows Defender Device Guard and Credential Guard tool

As of Windows 10 version 1607, VBS is enabled by default.
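Whichever option is used, it is worth confirming that Credential Guard is actually running and not just configured. The following added example (not from the original article) compares the registry configuration with the runtime state reported by the `Win32_DeviceGuard` CIM class; the registry value names and status codes come from Microsoft's Credential Guard documentation, while the function name and the sample inputs are assumptions constructed for illustration.

```powershell
# Added example, not from the article: configured vs. running Credential Guard state.
# Inputs are passed in as objects so the logic can be exercised on sample data.
function Get-CredentialGuardState {
    param($DeviceGuardKey, $LsaKey, $CimDeviceGuard)

    # LsaCfgFlags under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    $lsaMeaning = @{ 0 = 'disabled'; 1 = 'enabled with UEFI lock'; 2 = 'enabled without lock' }
    $flag = $LsaKey.LsaCfgFlags
    $configured = if ($null -ne $flag -and $lsaMeaning.ContainsKey([int]$flag)) {
        $lsaMeaning[[int]$flag]
    } else { 'not configured' }

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $cgRunning = ($CimDeviceGuard.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        VbsConfigured             = ($DeviceGuardKey.EnableVirtualizationBasedSecurity -eq 1)
        VbsRunning                = ($CimDeviceGuard.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $cgRunning
        # Configured but not running: pending reboot or unmet hardware requirements.
        Mismatch                  = ($flag -in 1, 2) -and -not $cgRunning
    }
}

# Constructed sample: policy is set, but the service has not started.
$dg  = @{ EnableVirtualizationBasedSecurity = 1; RequirePlatformSecurityFeatures = 1 }
$lsa = @{ LsaCfgFlags = 1 }
$cim = @{ VirtualizationBasedSecurityStatus = 0; SecurityServicesRunning = @(0) }

# On a live host, replace the sample with:
#   $dg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
#   $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
#   $cim = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
Get-CredentialGuardState $dg $lsa $cim | Format-List
```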

How to use Microsoft Passport

Microsoft Passport is a useful authentication mechanism, especially for organizations. Passport uses two-factor authentication that combines a device and a gesture (PIN, biometrics, etc.) to authenticate.

Key pair credentialing is used with Passport, where a gesture links to a certificate attested to by either a Trusted Platform Module (TPM) chip or software. Users can then authenticate with a gesture and, in a properly configured environment, will never have to enter credentials again.

Conclusion

Authentication has been a concern since the early days of computing, necessitating authentication mechanisms. Windows 10 has picked up the mantle by offering typical authentication methods, including passwords and PINs, and has added its own touch of virtualization with the Credential Guard feature. 


Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.