The biggest issue I have with Windows insisting that I use a Microsoft Account to log in is that I have a long and complex password set up for the account which is stored in a password manager. I don't want to dumb down that password, I don't want to use biometrics, I don't want to use a passcode or pin to log in as that is arguably less secure. I just want a local account which I can set up a convenient password for.
I'm fine with using online services, I just don't want my online services account being the thing that controls access to my local computers. Especially when it can be locked or deleted by Microsoft for whatever reason.
I'll be honest, I really don't understand the desperation to avoid it. It works fine, you barely ever have to interact with it or use it, you use a PIN to log in, it's not like you can't log in if you're offline or something, it's just to tie your settings to an online account like anything else. I use Windows, Linux and macOS on different machines - until I read this thread I had no idea people cared at all about the Microsoft account thing. Using it is fine. It's not lovely, but it's just… fine. Not a big deal at all.
I was the same as you, believing that using a passcode/pin as Microsoft is pushing is less secure.
So I dug into it, and changed my opinion - Microsoft is right: for the Microsoft Account, using a password locally instead of a PIN is LESS secure.
TL;DR: if you want to allow offline login, you need to keep the hash/token for the Microsoft Account locally, and this is dangerous: some malware could steal that and impersonate you to log in to your Microsoft Account. Using a TPM PIN removes this threat - the hash/token is never kept locally, so there is nothing to steal, Microsoft could still ask for the account password from time to time when they need to refresh the token, and you can't brute-force the short PIN (yes, this requires trusting the TPM).
> I just don't want my online services account being the thing that controls access to my local computers. Especially when it can be locked or deleted by Microsoft for whatever reason.
That never happens. You can boot from a Windows install ISO and reset the credentials if you really need to get in. True, it might be difficult for your average user.
Or you know, just use a local account for logging into your local machines which are physically present in your home. No need to require an active Internet connection, no danger of your online account being unavailable and thus preventing access to your own computer.