Hi,
I have a security requirement whereby we need to ensure that only authorized users can log on to Windows 8.1 devices. Looking at virtual smart cards, I can see that the virtual smart card is stored on the laptop (i.e. the device) using its TPM module, but what strikes me about this is that using a virtual smart card to log in to a laptop with a PIN is less secure than a password: if a thief steals a laptop, he's already got the machine, and it's easier to look over someone's shoulder and catch a 4-digit PIN than an 8-character alphanumeric password. Am I missing something here?
Am I right in thinking that there's a maximum of 10 virtual smart cards that can be attached to a PC at a time and therefore only up to 10 users will be able to log in to a Windows 8.1 PC using virtual smart cards?
Can the virtual smart card PIN be used in conjunction with a traditional AD username and password login?
What I'm really after is an out of the box Microsoft solution which could do the following:
- Allow a user to log in to a Windows 8.1 laptop if the user does both 1 & 2:
1. Has a valid AD username and password
2. Inserts a hardware device, such as a USB key, and then enters their own PIN associated with their account and the USB key
I've got a situation where multiple users share devices and we want to ensure that valid users are logging in. My initial thoughts were to use BitLocker USB startup keys and PINs, but user A can start a laptop with their key and PIN, then pass the device over to user B for login, so that's a no-no.
Thanks in advance