Lesson 5.7 — Device unlocking: PINs, passwords, biometrics and lockout controls
This lesson helps the learner understand the Cyber Essentials device unlocking requirement.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- identify which in-scope devices require unlocking controls
- confirm that a PIN, password or biometric is required before access
- check minimum credential quality
- confirm lockout or throttling protections
- record evidence without collecting user credentials.
Why This Matters
This lesson explains when device unlocking credentials are required, how unlocking a device differs from authenticating to wider services, how PINs, passwords and biometrics should be protected against brute-force attacks, and how to collect evidence for laptops, desktops, mobile phones, tablets, shared devices and remote-worker devices.
The Core Rule
Cyber Essentials expects any device that needs a user physically present to gain access to its services (a laptop, desktop, phone or tablet) to require an unlocking credential before access: a PIN, a password or a biometric.
That credential must be protected against brute-force attempts, by throttling the rate of guesses or by locking the device after repeated failed attempts.
What the CE Assessor Looks For
A strong position shows:
- all in-scope laptops, desktops, phones and tablets require a credential before access;
- unlock credentials are at least 6 characters where the credential is used only to unlock the device;
- credentials that are also used for wider authentication meet the fuller password requirements;
- devices are protected against brute-force attempts through throttling or lockout;
- vendor defaults are documented where a setting cannot be configured;
- credential quality is enforced by technical controls rather than left to user choice.
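The points above can be checked mechanically across a device inventory. The Python below is an added example, not code from this lesson or from the Cyber Essentials scheme: it assesses a constructed set of device records (the field names are this example's own, not any MDM export format) against the 6-character unlock-only minimum and the lockout-or-throttling rule, routes credentials that also reach organisational services to the fuller password requirements rather than judging them here, and writes the per-device evidence row the workbook asks for without ever handling a credential value. The 6-character figure is the lesson's; the brute-force figures of no more than 10 failed attempts before lock, or no more than 10 guesses in 5 minutes, are taken from the Cyber Essentials requirements document and should be confirmed against the version you are assessed under.

```python
# Added example: check device unlock settings against the Cyber Essentials rule.
# Records are constructed; field names are this example's own, not an MDM schema.
# Only settings are handled: no user credential value is ever read or stored.
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

UNLOCK_ONLY_MIN_LENGTH = 6     # lesson figure for unlock-only PINs/passwords
MAX_LOCKOUT_ATTEMPTS = 10      # CE: lock after no more than 10 failed attempts, or
THROTTLE_MAX_GUESSES = 10      # CE: throttle to no more than 10 guesses in 5 minutes
THROTTLE_WINDOW_MINUTES = 5    # (confirm both against the CE version you are assessed under)
REFER = "refer: "              # prefix for findings needing a check this script cannot make


@dataclass(frozen=True)
class DeviceUnlockRecord:
    device_id: str
    device_type: str                  # laptop, desktop, phone, tablet
    credential_kind: str              # "pin", "password", "biometric" or "none"
    min_length: int | None            # configured minimum; None if unset or not applicable
    length_configurable: bool         # False where the vendor exposes no setting
    vendor_default_documented: bool   # only matters when the length is not configurable
    also_used_for_services: bool      # same credential also signs in to organisational services
    lockout_threshold: int | None     # failed attempts before lock; None if no lockout
    throttle: tuple[int, int] | None  # (max guesses, window in minutes); None if none


def brute_force_protected(rec: DeviceUnlockRecord) -> bool:
    """Either accepted control satisfies the rule: lockout or rate throttling."""
    # A threshold of 0 means "never lock" on some platforms, so it does not count.
    if rec.lockout_threshold is not None and 0 < rec.lockout_threshold <= MAX_LOCKOUT_ATTEMPTS:
        return True
    if rec.throttle is not None:
        guesses, window = rec.throttle
        # Compare rates without floats: guesses/window must not exceed 10/5.
        return window > 0 and guesses * THROTTLE_WINDOW_MINUTES <= THROTTLE_MAX_GUESSES * window
    return False


def assess(rec: DeviceUnlockRecord) -> list[str]:
    """Findings for one device; an empty list means it meets the rule."""
    findings: list[str] = []
    if rec.credential_kind == "none":
        return ["no unlock credential required before access"]
    if rec.credential_kind in ("pin", "password"):
        if rec.also_used_for_services:
            # The 6-character floor is for unlock-only credentials; one that also reaches
            # services falls under the fuller password requirements, not encoded here.
            findings.append(REFER + "credential also authenticates to organisational "
                            "services; apply the fuller password requirements")
        elif rec.length_configurable:
            if rec.min_length is None or rec.min_length < UNLOCK_ONLY_MIN_LENGTH:
                findings.append(f"minimum length {rec.min_length} is below "
                                f"{UNLOCK_ONLY_MIN_LENGTH} although the setting is configurable")
        elif not rec.vendor_default_documented:
            findings.append("length is not configurable and the vendor default is not documented")
    # A biometric is an accepted credential with no length check, but the device
    # still needs lockout or throttling.
    if not brute_force_protected(rec):
        findings.append("no lockout or throttling against brute-force attempts")
    return findings


def status(rec: DeviceUnlockRecord) -> str:
    """'pass', 'fail', or 'refer' when the only findings need a separate check."""
    findings = assess(rec)
    if any(not f.startswith(REFER) for f in findings):
        return "fail"
    return "refer" if findings else "pass"


def evidence_csv(records: list[DeviceUnlockRecord]) -> str:
    """Evidence table for the workbook: settings and findings only, never credentials."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["device_id", "device_type", "credential_kind", "min_length",
                     "brute_force_control", "status", "findings"])
    for rec in records:
        if rec.lockout_threshold is not None:
            control = f"lockout after {rec.lockout_threshold} attempts"
        elif rec.throttle is not None:
            control = f"throttle {rec.throttle[0]} guesses per {rec.throttle[1]} min"
        else:
            control = "none"
        writer.writerow([rec.device_id, rec.device_type, rec.credential_kind,
                         "n/a" if rec.min_length is None else rec.min_length,
                         control, status(rec), "; ".join(assess(rec))])
    return out.getvalue()


# Constructed sample inventory, not real devices.
SAMPLE = [
    DeviceUnlockRecord("LT-001", "laptop", "pin", 6, True, True, False, 10, None),
    DeviceUnlockRecord("PH-002", "phone", "pin", 4, True, True, False, 10, None),
    DeviceUnlockRecord("TB-003", "tablet", "biometric", None, False, True, False, None, (10, 5)),
    DeviceUnlockRecord("DT-004", "desktop", "password", 8, True, True, True, None, None),
    DeviceUnlockRecord("PH-005", "phone", "pin", None, False, False, False, 10, None),
]

if __name__ == "__main__":
    print(evidence_csv(SAMPLE))
```

Running it prints the evidence table for the five constructed devices; to use it on your own estate, build DeviceUnlockRecord values from your policy or MDM export. A throttle is compared as a rate, so 20 guesses in 10 minutes is accepted while 10 guesses in 1 minute is not, and a lockout threshold of 0 is treated as "never locks", which is how some platforms report a disabled lockout. A device whose only finding is the "refer" line is not a failure; it is the case the lesson separates out, where the credential reaches organisational services and the fuller password rules apply.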
Common Mistakes
- treating device unlocking as the same thing as cloud MFA;
- assuming a device lock exists without evidence;
- using four-digit PINs where a six-character minimum is required and the setting is configurable;
- forgetting brute-force protection, that is, failed-attempt lockout or throttling;
- forgetting mobile phones and tablets, including shared devices and remote-worker devices.
Copy This
Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] What is the basic device unlocking requirement?
- [ ] Why does device unlocking matter?
- [ ] What is the minimum password or PIN length if the credential is only used to unlock the device?
- [ ] What if the same credential is also used to authenticate to organisational services?
- [ ] What are two accepted ways to protect device unlocking against brute-force attempts where configurable?
Your Action
Do this now — it takes 10–20 minutes.
Record your device unlock requirements for each device type: the minimum PIN or password length and the lockout or throttling policy that applies. Add the record to Section SC.
Key Takeaway
Collect policy, configuration or provider evidence that the controls are in place; never collect users' credentials themselves as evidence.
Your Workbook Activity
Complete: Device unlocking control record
Next Lesson
In the next lesson: Secure configuration evidence, common failures and final review