When you try to log into a Windows PC, you may be missing the option to type in a password. See the screenshot above? Those three icons are for a fingerprint, PIN, or facial recognition. No password! There is a relatively new setting that is responsible. I’m going to tell you how to find that setting but most of you don’t need to change it. It’s fine.
I’m also going to explain what this is all about – an explanation full of Microsoft jargon and references to security and tedious stuff that I’ll try to make as short as possible. Think of the explanation as, say, a bowl of porridge set in front of you for breakfast. It’s not what you would have chosen but it’s good for you and it’s the way we’re starting 2022 and I want you to sit at the table until you’ve finished every last bit.
In the past the Windows sign-in screen has had the words “Sign-In Options” below the place where you type in a PIN or password.
Today if you are asked for a PIN, the words “Sign-In Options” might be missing. Or there will be options for fingerprint or facial recognition but no place for a password. There’s no way to log in if you only know the password.
Look in Settings / Accounts / Sign-In Options. There is a new toggle: “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device.” If you want the option to use a password if you choose, turn this setting off.
This is how you’re starting 2022? Sigh. Okay, what is Microsoft’s game?
We’re going to talk about Microsoft accounts and about different ways to log in to a Windows PC.
Stop it, you big baby, you can handle this.
The first way to log into a Windows PC: type in the password for the personal Microsoft account
Microsoft really really wants you to connect a new PC to a personal Microsoft account. If you buy a new PC with Windows 10 or 11 Home edition, Microsoft has made it almost impossible to avoid the requirement of a personal MS account. (Almost. It’s still possible to set up a local account that is not connected to Microsoft, but it’s hard and you have to be really geeky to bother. Google around if it’s important to you.)
A personal Microsoft account is a login name (looks like an email address) and a password. It connects you to uninteresting Microsoft services. It is not the same as your business email address and password, the “work or school” account called Office 365 or Microsoft 365.
Exceptions: there are other ways to set up Windows PCs with more or less effort – local accounts that are not connected to Microsoft, and connections with Windows 10 or 11 Professional to the business account. I think you’ll agree that it’s really important that I not use the words “Azure Active Directory,” so let’s not talk about those now.
The goal: get rid of the password
Everything that follows is driven by Microsoft’s new goal: leave the computer connected to the personal Microsoft account, but don’t ever require anyone to type in the password.
There are three reasons to remove the password.
(1) You choose crap passwords. Your passwords are too easy to guess or you use the same ones over and over. Or both. Probably both.
(2) All the other login methods are more secure because they’re limited to the individual computer. If somebody hacks your PIN, they might get into the computer but they don’t get into your Microsoft account. I’m repeating the corporate line here – I don’t know if I think it’s true, but that’s what they say.
(3) No one at Microsoft will admit this but they know that non-tech people are completely clueless about personal accounts and passwords. You have no idea what a Microsoft account is. You hate passwords. When you forget the password, you are furious and Microsoft is the most likely target for your rage.
So for pretty good reasons, Microsoft wants to give you a secure way to log into your computer without typing in a password.
The second way to log into a Windows PC: type in a PIN
A PIN is an easy-to-remember sequence that works instead of a password. You’ve had a PIN for your bank card for years. The PIN for the computer is usually four to six numbers. You can use the same PIN as your debit card but all the security people will tell you not to. You can also use letters and symbols so it looks like a password but that kind of misses the point.
You’ll probably be asked to set up a PIN automatically – Windows is pretty insistent about it these days. Look for all these settings in Settings / Accounts / Sign-In Options.
Exceptions: something makes the whole PIN experience get weird when you add a business account to the computer for your mail or the Office programs. If you get odd error messages about not being able to set up a PIN, call your IT person and hope that they’re smarter than I am, because I’ve never been able to figure it out.
The third way to log into a Windows PC: use a fingerprint or facial recognition
If your laptop has the right stuff, then you can tap a finger or be recognized by the camera and bang, you’re in. It’s fast and incredibly secure. Plus you can use the word “biometrics” and people will think you’re smart.
Microsoft chooses a name
Now comes the step where Microsoft is its most Microsofty.
Microsoft wanted a name to summarize the alternatives to a password – PIN, fingerprint, facial recognition. It chose this name:
The name Windows Hello is so perfectly Microsoft! It conveys exactly nothing about what it means. It sounds cute in a corporate way without being likable.
But now the toggle in Settings makes sense. Look again at what it says.
For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device.
Let’s paraphrase that with more words.
If this computer is linked to a personal Microsoft account – and it is, because we forced that – then remove the password option. Only allow logins with a PIN or fingerprint or facial recognition.
Voila! You’ve gone passwordless, and you’ve improved your security and Microsoft is proud of you. I believe that this is the default when you set up new Windows PCs but I can’t swear to it. Everything about Windows PCs and defaults is a moving target these days, constantly changing.
I had to reset a client’s PC when he couldn’t remember his PIN and there was no password option. And another client’s paralegal couldn’t get into her boss’s laptop when the boss was unavailable and we didn’t have the PIN. I don’t have any strong feelings about whether that toggle in Settings should be on or off. Just remember that it exists. And use the word “biometrics” in a sentence to sound smart.