Windows 8 and Windows 10 allow you to set a user account PIN for use in place of passwords. A PIN makes it easier to sign in to Windows, apps and services. Setting up a PIN provides many advantages over password-based login.
A PIN can be short — it can be a four-digit numerical value. A PIN input field does not require the user to press ENTER (unlike the password box) after typing the code.
A PIN is tied to the specific device on which it was set up, which means that if someone steals your PIN and has physical access to that particular system, they can sign in to that device but can’t access your Microsoft Account credentials. Roughly put, a PIN is more like a local user account (non-Microsoft account) password, but technically a local user account password and a PIN aren’t the same.
Microsoft Account credentials, in contrast, are universal: they can be used to sign in to any Windows 8 or Windows 10 device.
When you sign in with Microsoft Account credentials on a device connected to the Internet, the password is transmitted via a secure connection to Microsoft’s authentication servers for validation. It can be intercepted during transmission. A PIN, in contrast, is local to the device and is not transmitted anywhere.
If your device comes with a TPM module, it protects the device against PIN brute-force attacks. After too many incorrect guesses, the device gets locked. Moreover, brute-forcing a PIN is a difficult task, as the person needs to be physically present and type in the PIN interactively.
Note that a PIN doesn’t work when you start Windows in Safe Mode. Also, you’re prompted to type in your user account password for verification when setting up a PIN for your device.
Adding a PIN to Your User Account in Windows 10
Open Settings (Winkey + i), click Accounts and click Sign-in Options.
Under PIN, click the Add button. Type the user account password when prompted for verification.
Type the PIN and complete the process.
Regardless of whether you set up a PIN or not, you must secure your Microsoft Account with a long, complex password, as the account can be brute-forced and signed in to from anywhere.