In Windows Hello, when you enter a PIN (or use a fingerprint/face), is that secret sent to the website? What is its actual job?
No — the PIN/biometric only unlocks the local authenticator (the TPM); it never leaves the device or touches the internet. The real authentication is the TPM's cryptographic signature.
There's a crucial two-layer distinction:
- Unlocking element (usability layer): the PIN, fingerprint, or face. Its only purpose is to locally unlock the TPM chip (or YubiKey/smartcard). It stays on the device.
- Authenticating element (security layer): the TPM chip itself, which then performs the cryptographic operation (signing the challenge with the private key).
So the sequence is: user unlocks the hardware (PIN/biometric) → hardware signs the challenge → signature is what proves identity to the website. The website never receives the PIN — only a signature it can verify with the stored public key.
Tip: This is why a WebAuthn PIN can be short and simple (e.g. 4 digits) yet safe: it's rate-limited by local hardware and useless to a remote attacker, unlike a password that gets transmitted and stored on a server.