LOGBOOK

HELP

Quiz Entry - updated: 2026.05.26

In Windows Hello, when you enter a PIN (or use a fingerprint/face), is that secret sent to the website? What is its actual job?

No — the PIN/biometric only unlocks the local authenticator (the TPM); it never leaves the device or touches the internet. The real authentication is the TPM's cryptographic signature.

There's a crucial two-layer distinction:

  1. Unlocking element (usability layer): the PIN, fingerprint, or face. Its only purpose is to locally unlock the TPM chip (or YubiKey/smartcard). It stays on the device.
  2. Authenticating element (security layer): the TPM chip itself, which then performs the cryptographic operation (signing the challenge with the private key).

So the sequence is: user unlocks the hardware (PIN/biometric) → hardware signs the challenge → signature is what proves identity to the website. The website never receives the PIN — only a signature it can verify with the stored public key.

Tip: This is why a WebAuthn PIN can be short and simple (e.g. 4 digits) yet safe: it's rate-limited by local hardware and useless to a remote attacker, unlike a password that gets transmitted and stored on a server.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: May 26, 2026