It can be as secure – perhaps even more secure – because it’s actually used in a slightly different way.
You can also choose to increase its security by using some of the same techniques we use for passwords in general.
Scope: the big difference
The single biggest difference between using a PIN and a Microsoft account password to sign in to your machine is that the PIN only works on the specific machine for which you set it up.
What that means is that even if someone knows your PIN, the only thing they’ll have access to immediately is your machine. Not that that isn’t a problem – it could be – and it could lead to bigger problems, depending on how securely you treat your machine and the information on it.
But ultimately it falls into the same bucket I call “physical security”. If your machine isn’t physically secure, it’s not secure. With or without your PIN to sign in, anyone who has access to your machine can use any number of techniques to get at its contents.
The only time having an “easy” or automatic sign-in puts you at additional risk is if you have saved log-ins, saved passwords, or if you use BitLocker to encrypt your data. In those cases, the ability to log in could allow access …
… but it all still requires physical access to the machine.
Usage: the unexpected side effect
One of the concerns many people have is a fear of keyloggers.
Keyloggers are a form of malware that, when installed on your machine, secretly record your keystrokes and send the recording to hackers elsewhere on the internet. Sign in to a website, for example, and the keystroke logger records both your username and password. Only something like multi-factor authentication can save your account from being hacked in a case like that.
They can record a PIN sign-in all they like, and it won’t get them anything. The PIN only works on your machine. Even if you use it to log in to your Microsoft account on your machine, that PIN is completely useless everywhere else.
There’s an argument that using a PIN is actually more secure, since you never type your Microsoft account password into your machine at all. Keyloggers can’t log what you never enter.
Strength: treat it like a password
If a PIN still makes you uncomfortable, consider treating it like a password.
The best way to make a password more secure? Make it longer.
There’s nothing that says you have to use your 4-digit ATM PIN as your Windows sign-in PIN. Use something longer … much longer, if you like. Just as adding a character to your regular password makes it exponentially stronger, the same applies to your PIN. Just add digits.
You may find that even lengthy digit-only “passwords” are significantly easier to type than an equivalent password.
Local accounts: PINs are convenient
Using a PIN is, I believe, intended as a way to make signing in with your Microsoft account more convenient, and, as we’ve seen, perhaps even a little more secure (by not having to type in your actual account password).
Signing in with a local account is similar to signing in using a PIN in one regard: that local account password is valid only on that machine – it’s local. It doesn’t represent any additional vulnerability beyond physical access to your computer.
The downside, of course, is that signing in with a local account doesn’t get you any of the benefits of signing in with a Microsoft account, like synchronized settings across machines, integration with the Microsoft Store, and several Microsoft apps and applications. Nonetheless, it’s a choice some people make for a variety of reasons.
And, yes, you can sign in to a local account using a PIN as well, though the benefit is primarily about convenience.