←back to thread

Upcoming Windows 11 builds cannot install without internet and Microsoft Account

(infosec.exchange)
268 points tech234a | 7 comments | 29 Mar 25 04:13 UTC | HN request time: 0s | source | bottom
Show context
soraminazuki ◴[29 Mar 25 05:47 UTC] No.43513090[source]
It's such an absurd lie. If Microsoft's idea of security is to force its users to authenticate online for a local account, they should never be allowed in the software industry at all. They're needlessly and dramatically increasing the attack surface of one of the most security critical software running on user devices.
replies(5): >>43513349 #>>43513354 #>>43513571 #>>43513574 #>>43514238 #
1. charcircuit ◴[29 Mar 25 07:33 UTC] No.43513571[source]
Microsoft's idea of security is moving people away from local accounts protected by passwords and to Microsoft accounts protected Windows Hello.

The Windows Hello PIN is protected by the TPM. This means you can't brute force it like a password could be.

replies(2): >>43513581 #>>43513921 #
2. soraminazuki ◴[29 Mar 25 07:36 UTC] No.43513581[source]
That has nothing whatsoever to do with the topic, which is forcing online authentication. You can't possibly argue that needlessly forcing online authentication makes user safe.
replies(1): >>43513608 #
3. charcircuit ◴[29 Mar 25 07:45 UTC] No.43513608[source]
The topic isn't about forcing online authentication. It's about improving security from having users use a Microsoft account. The security improvement of using a Microsoft account comes from Windows Hello.
replies(2): >>43513680 #>>43520247 #
4. soraminazuki ◴[29 Mar 25 08:03 UTC] No.43513680{3}[source]
It is. You can check by reading the title.

Your's is a reiteration of Microsoft's preferred talking point that has no basis in reality. Tying local authentication to the cloud tremendously increases the attack surface for those who don't need it. TPMs do nothing to change this fact. The only connection between a TPM and a Microsoft account is that Microsoft chose to tie those two together for their own benefit.

5. GoblinSlayer ◴[29 Mar 25 08:55 UTC] No.43513921[source]
To brute force a password, attacker needs full access to the system, guessing the password won't give them more access.
replies(1): >>43517415 #
6. charcircuit ◴[29 Mar 25 18:18 UTC] No.43517415[source]
No, they don't. They can clone your hard disk and use a different computer. A TPM based pin makes that approach impossible and you must have access to the system itself.
7. beeflet ◴[30 Mar 25 01:07 UTC] No.43520247{3}[source]
They couldn't just implement whatever biometric thing that is without making it tied to an account?