Hi, I have set my PIN on my Windows 8.1 but it continues to prompt me on password when I sign in. I can only click the sign-in option and change to PIN in order to input PIN number.
This approach is more secure than validating on the server because an attacker would have to gain access to the computer itself to steal the PIN. Similarly, the new chip credit cards that are now being broadly deployed in the U.S. store the PIN locally so that there is no chance of a large-scale compromise at the server level.
BugFix for iPad Version: PIN or password blacked out in the detail view. Version 2.10 - Enhanced Security: Clipboard is cleared automatically with a delay of 60 seconds after iPIN has been terminated if a PIN, username or password has been copied to the clipboard - iPIN is running in background (in preparation of synchronization).
Applies to
- Windows 10
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like t758A! could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
PIN is tied to the device
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
PIN is local to the device
A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
Note
For details on how Hello uses asymmetric key pairs for authentication, see Windows Hello for Business.
PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users' credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
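The flow described under "PIN is local to the device" and the lockout described above can be modeled in software. This is an added example for Node.js, not Microsoft's code: the function names, the `MAX_ATTEMPTS` value and the PEM-wrapped key are assumptions, and a real Hello key is held by the TPM rather than in a PIN-encrypted blob.

```javascript
// Added illustration: software model of the PIN -> key -> signature flow.
// Assumption: the PIN encrypts a PEM blob; real Hello keys stay in the TPM.
const crypto = require('node:crypto');

const MAX_ATTEMPTS = 5; // assumed lockout threshold (constructed value)

// Enrollment: the key pair is created on the device. Only the public key
// goes to the identity provider; the private key stays wrapped by the PIN.
function enroll(pin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: pin,
    },
  });
  return {
    device: { wrappedKey: privateKey, failures: 0 },
    server: { publicKey },
  };
}

// Sign-in on the device: the PIN unlocks the key locally and the key signs
// the server's challenge. The PIN is never part of what is sent.
function signChallenge(device, pin, challenge) {
  if (device.failures >= MAX_ATTEMPTS) throw new Error('device locked');
  let key;
  try {
    key = crypto.createPrivateKey({ key: device.wrappedKey, passphrase: pin });
  } catch (err) {
    device.failures += 1; // wrong PIN counts toward the lockout
    throw new Error('wrong PIN');
  }
  device.failures = 0;
  return crypto.sign(null, challenge, key); // Ed25519 takes no digest name
}

// Server side: verification needs only the stored public key, so a server
// breach yields nothing that can produce a valid signature.
function verifyResponse(server, challenge, signature) {
  return crypto.verify(null, challenge, server.publicKey, signature);
}
```

The server record holds only a public key, so what an attacker could take from the identity provider cannot be replayed as a credential, and guessing the PIN requires the device and is cut off by the attempt counter.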
PIN can be complex
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammering protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
Configure BitLocker without TPM
- Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup
- In the policy option, select Allow BitLocker without a compatible TPM, and then click OK.
- Go to Control Panel > System and Security > BitLocker Drive Encryption and select the operating system drive to protect.
Set account lockout threshold
- Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold
- Set the number of invalid logon attempts to allow, and then click OK.
Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
The IRS has expanded the number of states by 10 for which residents can voluntarily apply for an Identity Protection Personal Identification Number (IP PIN). This expansion was announced by the IRS in its e-News to Tax Professionals email subscription sent out on October 4, 2019.[1]
The IP PIN program was created to combat tax-related identity theft. Originally the PINs were issued only at the IRS’s discretion to actual or suspected victims of tax-related theft. As Kay Bell notes on her website, in 2010 the IRS created a pilot program to allow taxpayers to voluntarily request IP PINs, limited to only the three areas that had the highest level of tax-related identity theft.[2]
Last year the IRS had their first expansion of the program, offering the program to residents of 9 states and the District of Columbia.[3] During 2019 Congress mandated in the Taxpayer First Act that the program be expanded so that by July 1, 2024 all taxpayers could opt to participate in the program.[4]
For 2020 the program will be offered to those who filed a 2019 income tax return in the following states:
- Arizona,
- California, *
- Colorado,
- Connecticut,
- Delaware, *
- District of Columbia, *
- Florida, *
- Georgia, *
- Illinois, *
- Maryland, *
- Michigan, *
- Nevada, *
- New Jersey,
- New Mexico,
- New York,
- North Carolina,
- Pennsylvania,
- Rhode Island, *
- Texas and
- Washington.[5]
* States where residents were eligible to participate in the program in 2019.[6]
The IRS has been using the states with the largest number of ID thefts reported by the FTC to add to the list in the past.[7] Although the email does not indicate how the new states were selected, given the population sizes of the states being added it is likely the IRS is continuing to use the FTC list of absolute numbers of ID thefts reported to expand the program—so Wyoming residents may have a while to wait to get added to the list if for no other reason than there are just far fewer people in Wyoming than in most other states.
Note—as the IRS writes in its description of the program on its IP PIN page, once a taxpayer opts into the program there’s no way to get out of the program. The program is described as follows:
An IP PIN is a six-digit number assigned to eligible taxpayers that helps prevent the misuse of their Social Security number on fraudulent federal income tax returns.
Requesting an IP PIN is strictly voluntary. If you choose not to participate in the program by not requesting an IP PIN, you can file your return as you would normally. If you are assigned or if you request an IP PIN, you must use it to confirm your identity on any tax returns filed electronically during the calendar year. A new IP PIN is generated for each filing season and can be retrieved starting in mid-January of each year by logging into the account you create. At this time, if you choose to receive an IP PIN, you must use your IP PIN for all future filings.[8]
The IRS web page for requesting an IP PIN had not been updated as of the morning of October 7, 2019 to provide for the new states for which an IP PIN can be requested and it’s not clear if taxpayers in the newly added states would be able to request an IP PIN right away.[9]
Taxpayers requesting an IP PIN will need to complete the IRS’s secure access identity verification process[10] in order to be admitted to the program.[11]
Should clients enter this program? There are advantages and disadvantages to the program that a taxpayer should understand before entering the program—but entering the program is something clients likely should consider.
The key advantage of entering the program is the taxpayer makes it much more difficult for a third party to use the taxpayer’s information to commit tax-related identity theft. As Kay notes in her post, acting before a problem occurs is much more effective than only taking such an action following a tax-related ID theft incident.[12] Taxpayers who have been through tax-related identity theft are aware of all of the problems triggered in such an incident, including delayed refunds and inability to get confirmation of tax numbers for lenders.
With the large number of data breaches that have been reported recently, getting an IP PIN may be the only effective way to protect the taxpayer from tax-related identity theft. Virtually all U.S. taxpayers have likely had most of their key information leaked by some organization by now.
But there are also issues with the program. First, remember that once a taxpayer enters this program there’s no way out. That makes sense—if there was a simple way out, fraudsters would simply attack that program to “free up” returns. Security concerns dictate that it should be very difficult, if not nearly impossible, to get out of the program. But since it will reduce convenience, a number of clients will likely find the program too much of a bother (after all, they haven’t had a problem yet, so…)
And that brings us to the second problem—the taxpayer must assure that they retrieve and secure the IP PIN each year. The taxpayer will be responsible for getting his/her IP PIN each year. As the IRS notes:
Getting Your IP PIN
To get your IP PIN, you must be eligible as determined in Step 1 below. Your IP PIN will be displayed to you online once we verify your identity. A new IP PIN is generated for each filing season and can be retrieved starting in mid-January of each year by logging into the account you create.[13]
If the taxpayer loses his/her IP PIN for the year and loses his/her credentials to log into the IRS website to obtain the current year IP PIN, the taxpayer must go through the process to get the IP PIN reissued.
The IRS describes that process as follows:
How to get your IP PIN reissued
If you’re unable to retrieve your IP PIN online, you may call us at 800-908-4490 for specialized assistance, Monday - Friday, 7 a.m. - 7 p.m. your local time (Alaska & Hawaii follow Pacific Time), to have your IP PIN reissued. An assistor will verify your identity and mail your IP PIN to your address of record within 21 days.
Exceptions:
- If you’ve moved since January 1 of this year, or
- It’s after October 14 and you haven’t filed your current or prior year Forms 1040 or 1040 PR/SS,
you’ll need to complete and mail a paper tax return without your IP PIN. We’ll review your return to confirm it’s yours but this may delay any refund you’re due.[14]
As was noted, if the taxpayer can’t get the new IP PIN issued, the only option is to paper the tax return as any electronically filed return submitted without the proper IP PIN will be rejected. As well, the paper return is going to be subjected to additional verification, delaying any refund that might be due as well as likely delaying any access by a lender to verification information for the return.[15]
Advisers with clients in the 20 states that now have the option (which cover most of the U.S. population) should consider providing information on the program to clients once it is clear that the program will now accept applicants from all affected states. Advisers should emphasize that the program is the best option to stop tax-related ID theft, but it will require the taxpayer to obtain and secure that IP PIN each year, and if the taxpayer is not able to manage dealing with the program there’s no easy way out of the program.
Based on this adviser’s experience, taxpayers who find many online systems challenging in general will almost certainly run into issues with this program—it can’t be “easy” in the sense of not requiring the taxpayer to be responsible for doing things like retaining passwords and keeping two-factor authentication information up to date. That cautions against giving the blanket advice that all clients should enroll in the system.
[1] “IRS Makes Identity Protection PINs Available to More Taxpayers,” e-News for Tax Professionals, Issue 2019-36, October 4, 2019
[2] Kay Bell, “Taxpayers in 19 states & D.C. now can get special IRS IP PIN to fight tax identity theft,” Don’t Mess With Taxes, October 6, 2019 (retrieved October 7, 2019)
[3] Kay Bell, “Taxpayers in 19 states & D.C. now can get special IRS IP PIN to fight tax identity theft,” Don’t Mess With Taxes, October 6, 2019 (retrieved October 7, 2019)
[4] Taxpayer First Act of 2019, Act Section 2005
[5] “IRS Makes Identity Protection PINs Available to More Taxpayers,” e-News for Tax Professionals, Issue 2019-36, October 4, 2019
[6] “Get An Identity Protection PIN (IP PIN),” IRS Website, September 20, 2019 version, https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, retrieved October 7, 2019
[7] Kay Bell, “Taxpayers in 19 states & D.C. now can get special IRS IP PIN to fight tax identity theft,” Don’t Mess With Taxes, October 6, 2019 (retrieved October 7, 2019)
[8] “Get An Identity Protection PIN (IP PIN),” IRS Website, September 20, 2019 version, https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, retrieved October 7, 2019
[9] “Get An Identity Protection PIN (IP PIN),” IRS Website, September 20, 2019 version, https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, retrieved October 7, 2019
[10] “Secure Access: How to Register for Certain Online Self-Help Tools,” IRS website, https://www.irs.gov/individuals/secure-access-how-to-register-for-certain-online-self-help-tools, retrieved October 7, 2019
[11] “Get An Identity Protection PIN (IP PIN),” IRS Website, September 20, 2019 version, https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, retrieved October 7, 2019
[12] Kay Bell, “Taxpayers in 19 states & D.C. now can get special IRS IP PIN to fight tax identity theft,” Don’t Mess With Taxes, October 6, 2019 (retrieved October 7, 2019)
[13] “Get An Identity Protection PIN (IP PIN),” IRS Website, September 20, 2019 version, https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, retrieved October 7, 2019
[14] “Retrieve Your Identity Protection PIN (IP PIN),” IRS website, https://www.irs.gov/identity-theft-fraud-scams/retrieve-your-ip-pin, retrieved October 7, 2019
[15] “Retrieve Your Identity Protection PIN (IP PIN),” IRS website, https://www.irs.gov/identity-theft-fraud-scams/retrieve-your-ip-pin, retrieved October 7, 2019