Blog article

Differences Between Password and PIN

Both a password and a PIN are secrets (words or numbers) that only you know, and you type both at the keyboard. A PIN is shorter and uses fewer kinds of characters, so at first glance it looks like the weaker of the two. Yet Microsoft and others say that "a PIN is more secure than a password"; you have probably seen that claim during the initial setup of Windows 10 or 11. Why?


The big difference between a password and a PIN is what happens to the characters you type after you type them.

The password is used for authentication against the service, but the PIN is "not used for authentication" in that sense.


Stated that baldly it invites misunderstanding, so let me give an example and explain in a little more detail.

We will assume a web service that supports both password login and PIN login (*1), accessed from a PC.


(*1) Technically, assume a web service that supports login with "WebAuthn"; the PIN login described below is the user-verification step of a WebAuthn credential.



Password


When you log in by entering your ID and password, the characters you typed are sent to the web service's server as they are (normally inside a TLS connection, but the secret itself is what travels). The server receives the ID and password, checks whether the password matches what it has on record (a salted hash, if the service is well built), and allows the login if it does.



PIN


If you log in by entering your ID and PIN, the PIN is first used locally to unlock a key held in the security chip in your computer, the "TPM" (*2). The server sends a one-time challenge, and the TPM signs it with a private key that never leaves the chip; that signature is a credential only this TPM can produce. Your ID and the signed challenge are sent to the server, which verifies the signature with the public key it stored when you registered the device, and login is permitted if the signature checks out.


(*2) A precise explanation of the TPM would be lengthy, so I will omit it. For this article, think of it as a chip that holds a private key which cannot be extracted, performs signing only inside the chip, and limits how many wrong PINs it will accept before locking. That last property is why a short PIN is not simply brute-forced the way a short password would be.

Earlier I wrote that the PIN is "not used for authentication". To be precise, it is used to authenticate you to the TPM, that is, to authorize the TPM to use its key. But since the TPM is inside the PC in front of you, the PIN itself never flows over the network.


With the content so far, I think the characteristics of the PIN have become a little clearer. There are two major differences from a password:


・The PIN does not flow over the network.

・PIN login cannot be performed without both the PC (which holds the key) and the PIN.


From these features you can see that PIN login is strong against attacks such as eavesdropping on the network (what an attacker could capture is a one-time signature, not a reusable secret), and that it is two-factor authentication by construction: knowledge (the PIN) plus possession (the PC and its TPM). That is much stronger than a password alone. Note that this strength comes from the TPM standing in front of the PIN; the same four digits sent to a server the way a password is sent would be far weaker than a password.
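To make the two flows concrete (the password flow from the Password section and the challenge-signing PIN flow from the PIN section, together with the eavesdropping claim just above), here is an added example written for this edit; it is not code from the original article. It is a model, not a real WebAuthn implementation: the server, the "TPM" and the client all run in one process; the password server uses plain SHA-256 where a real service would use Argon2 or bcrypt; the TPM is a struct that never exposes its ECDSA private key, checks the PIN itself and locks after an assumed three wrong attempts; and all names (passwordServer, tpmKey, webauthnServer, the user alice and the PIN 1234) are made up for the example. The thing to watch is what an eavesdropper gets: the captured password string works again on replay, while a captured challenge and signature do not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ---- Password login: the typed secret itself crosses the wire ----
// passwordServer maps user ID to SHA-256(password); SHA-256 stands in for Argon2/bcrypt here.
type passwordServer map[string][]byte
func (s passwordServer) register(id, password string) {
	h := sha256.Sum256([]byte(password))
	s[id] = h[:]
}

// login receives exactly what the user typed; whoever captured it can replay it later.
func (s passwordServer) login(id, password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], s[id]) == 1
}

// ---- PIN login: the PIN stays in the PC, a one-time signature crosses the wire ----
const maxPinAttempts = 3 // anti-hammering limit; the value is an assumption of this model
// tpmKey models the TPM (or a FIDO2 security key): the private key never leaves it and
// its only operation, signing a challenge, is gated by the PIN with a lockout.
type tpmKey struct {
	priv     *ecdsa.PrivateKey
	pinHash  []byte
	failures int
}

func newTPMKey(pin string) *tpmKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256([]byte(pin))
	return &tpmKey{priv: priv, pinHash: h[:]}
}

func (t *tpmKey) publicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }
func (t *tpmKey) sign(pin string, challenge []byte) ([]byte, error) {
	if t.failures >= maxPinAttempts {
		return nil, fmt.Errorf("tpm: key locked after %d wrong PINs", maxPinAttempts)
	}
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], t.pinHash) != 1 {
		t.failures++
		return nil, fmt.Errorf("tpm: wrong PIN")
	}
	t.failures = 0
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// webauthnServer stores only public keys and the challenge last issued to each user.
type webauthnServer struct {
	pub        map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func newWebauthnServer() *webauthnServer {
	return &webauthnServer{pub: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *webauthnServer) register(id string, pub *ecdsa.PublicKey) { s.pub[id] = pub }
// newChallenge issues fresh random bytes that login accepts at most once.
func (s *webauthnServer) newChallenge(id string) []byte {
	s.challenges[id] = make([]byte, 32)
	if _, err := rand.Read(s.challenges[id]); err != nil {
		panic(err)
	}
	return s.challenges[id]
}

// login verifies the signature with the stored public key and consumes the challenge,
// so a captured (challenge, signature) pair is rejected if it is replayed.
func (s *webauthnServer) login(id string, challenge, sig []byte) bool {
	pub, ok := s.pub[id]
	expected, issued := s.challenges[id]
	if !ok || !issued || subtle.ConstantTimeCompare(expected, challenge) != 1 {
		return false
	}
	delete(s.challenges, id)
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pw := passwordServer{}
	pw.register("alice", "correct horse battery staple")
	captured := "correct horse battery staple" // what an eavesdropper sees on the wire
	fmt.Println("password login:", pw.login("alice", captured), "replay:", pw.login("alice", captured))
	tpm, srv := newTPMKey("1234"), newWebauthnServer()
	srv.register("alice", tpm.publicKey())
	ch := srv.newChallenge("alice")
	sig, _ := tpm.sign("1234", ch) // PIN checked inside the "TPM"; only sig leaves it
	fmt.Println("pin login:", srv.login("alice", ch, sig), "replay:", srv.login("alice", ch, sig))
}
```

Run it with `go run`: the two printed lines are `password login: true replay: true` and `pin login: true replay: false`. The PIN never reaches webauthnServer at all, and a wrong PIN is counted by tpmKey itself, so guessing it means guessing it in front of the chip with its attempt limit, not against the server.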



Finally


This time I used a PC as the example, but not only PCs: smartphones and tablets have similar mechanisms. The FIDO2 security keys that we sell are used together with PCs and smartphones and can play the role the TPM played in this story. Think of them as an external TPM.


We also develop solutions using security keys, so if you are interested, please take a look at our solutions and blogs. If you are looking for an authentication device, you can buy one from the links below.


YubiKeyShop Authorized Reseller


Amazon



Thanks for reading until the end.
