Is there way to add an extra layer of security after the windows lockup screen?

06-28-2019 , 11:53 AM
I work from a shared office and leave my machine on 24/7 (for a number of reasons). I have a lot of important things in my PC, which include access to a number of brokerage accounts with a lot of money in them. I already implement a BIOS password (in case someone physically takes the machine), as well as a Windows Lock screen password. However, if someone just sat down at my desk and used a hack to get through the lock screen (and I believe there are a number of them) they could get through that and get access to my machine.

Is there a way to implement an extra layer of security after the Windows lock screen? The hard drive is encrypted with BitLocker (which also has a password) and I have Windows 10.

Last edited by Bulrathi; 06-28-2019 at 12:21 PM.
06-29-2019 , 01:38 AM
There's Microsoft Authenticator (2FA TOTP app). But it really only seems to protect your Microsoft account. Yubikey isn't set up for logging in to a PC either, it's just for your Microsoft/live account.

You can set up location services on your computer, and make sure that "Find My Device/Computer" is set up correctly in your Microsoft account, so that anyone who turns on the computer and connects it to the internet will have the location known to you. The cops aren't going to send in a squad of cars just to rescue your computer, though.

Alternatively, you can try to lock it down by having passwords to financial accounts memorized and never stored on your pc, if you're assuming your pc can be compromised.
06-29-2019 , 06:46 AM
Quote:
Originally Posted by donfairplay
There's Microsoft Authenticator (2FA TOTP app). But it really only seems to protect your Microsoft account. Yubikey isn't set up for logging in to a PC either, it's just for your Microsoft/live account.

You can set up location services on your computer, and make sure that "Find My Device/Computer" is set up correctly in your Microsoft account, so that anyone who turns on the computer and connects it to the internet will have the location known to you. The cops aren't going to send in a squad of cars just to rescue your computer, though.

Alternatively, you can try to lock it down by having passwords to financial accounts memorized and never stored on your pc, if you're assuming your pc can be compromised.
Not sure that will work, as all the person would have to do would be to bypass the Windows lock screen and install a keylogger. Then they could remotely monitor my keys and learn what my password is.
06-29-2019 , 02:05 PM
The short version is that you can't fully trust a system that other people have physical access to. If you're worried about software keyloggers, you have to consider that they could plant a hardware keylogger in your keyboard without even having to crack your login.
Security needs to be set up for an appropriate threat model for the environment and the data being protected. A state level actor is going to own your box more or less at will, law enforcement likely will as well.

Part of the solution here depends on if the data you are trying to secure is directly part of the job you are doing from that shared office or if it is personal data kept there out of convenience.
Offloading the functions that you are currently keeping the PC on 24/7 for to a cloud server may be workable. Be sure to configure 2FA for access to your cloud environment. Set up the 24/7 functions on an Azure or AWS VM, shut down the PC any time you're not in the office, and now your data requires a BitLocker PIN or recovery key to access (you should have a secondary protector set up on your BitLocker config other than auto-unlock on this PC given your concerns).
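A way to check the point in the post above about BitLocker protectors, added here as an example and not written by anyone in the thread: it lists the key protectors on the system drive and flags a disk that unlocks by itself at boot. `Get-ProtectorFinding` is a hypothetical helper name; `Get-BitLockerVolume` is the built-in cmdlet and needs an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit how the OS volume unlocks at boot.
# Get-ProtectorFinding is a hypothetical helper; Get-BitLockerVolume is built in.

function Get-ProtectorFinding {
    param([string[]]$ProtectorTypes)

    $findings = @()
    if (-not $ProtectorTypes) {
        $findings += 'No key protectors: the volume key is not protected.'
    }
    # Any single protector can unlock the volume, so a plain Tpm protector means
    # the disk unlocks on power-on with no PIN, password or key from the user.
    if ($ProtectorTypes -contains 'Tpm') {
        $findings += 'TPM-only protector present: disk auto-unlocks at boot on this PC.'
    }
    if ($ProtectorTypes -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password: add one and store it off this machine.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'OK: no auto-unlock protector, and a recovery password exists.'
    }
    return $findings
}

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Collect protector type names (Tpm, TpmPin, Password, RecoveryPassword, ...).
$types = @($vol.KeyProtector | Where-Object { $_ } |
    ForEach-Object { $_.KeyProtectorType.ToString() })

[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = $types -join ', '
}

if ($vol.ProtectionStatus -ne 'On') {
    'Protection is Off or suspended: the volume key is readable from disk until resumed.'
}

Get-ProtectorFinding -ProtectorTypes $types
```

The check only describes the state at boot. While the PC is powered on and sitting at the lock screen the volume is already unlocked, which is why the post pairs the protector change with shutting the machine down.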
06-30-2019 , 02:23 PM
I understood that Yubikey (on a PC that supports Windows Hello) added a 2FA to the login screen. My PCs don't support Hello, so I can't verify this independently, but it was certainly my understanding.

More info here: https://www.yubico.com/why-yubico/fo...windows-login/
07-10-2019 , 05:42 PM
Are you using a desktop or laptop? I assume laptop based on your wording?

You say you use a BIOS password in case someone takes your machine.

So the BIOS password protects your laptop if someone has access to it, right? Thus they can't check anything on it or install a virus, whether from a USB stick or anything like that? So is that the same or stronger or weaker than using BitLocker with a PIN or password? I was told that if you use BitLocker and put in a BitLocker PIN or password at startup, unless the person can guess what it is... they cannot access it. That is true, right? I have BitLocker set up this way. They say BitLocker protects your laptop from getting accessed if it gets stolen or accessed.

But I was told they could take out your hard drive and clone your hard drive pretty quick by either taking it... or taking the hard drive out and putting it back in your laptop. But the issue would be they have to brute force the password. Can someone confirm this is true that they can do this? So as long as your password for BitLocker PIN or password is strong enough, that brute force won't work?

You say the Windows lock screen... that there are hacks people can do to bypass this. I also read this as well. But does anyone know what are the ways? I was told or read that someone only needs a few minutes and can bypass it quickly... is it true? Someone said it's like temporary security if you are away for a bit. But if it's a minute or longer, someone with access to it can do something to it? Could someone stick a USB with malware/keylogging into your USB drive while it's on the locked screen and you are now screwed? I read this is not possible if say they are at the BitLocker screen and need to enter the PIN.
07-10-2019 , 05:45 PM
The other thing is you say you use BitLocker and have a password as well. What do you use? TPM unlock, TPM with PIN, or password? I know there are 3 different options when you set this up with BitLocker. I assume you picked the 3rd option, which is password?

I was told that if you use BitLocker with a password, whether TPM unlock, with PIN or password without TPM, it's safe as long as someone cannot figure out your password. You say you also have a BIOS password. Someone tells me if you use BitLocker with a password and also a BIOS password, that is very strong security. They said if you use just one of them... say BitLocker with PIN or password, that is more often good enough.

But back to the OP question. How can you protect your laptop when it's in Windows locked? Like say you go outside for a few minutes or out for a few hours, do you have to shut down your computer to be completely safe? Obviously when you are out for a short while and come back, well you don't want to have to turn on your computer again, enter your password and have to open any documents that you already have opened etc. as that is a pain. Obviously having it on the Windows lock screen is better than nothing... but thoughts on this? I mean imagine being in a coffeeshop or somewhere, you go to do something and leave your computer unattended... could someone just connect a USB virus to it and then take it out and you don't know? But they surely have to get through the Windows lock screen first, right?
07-10-2019 , 05:48 PM
Also you say you leave your computer on for a variety of reasons 24/7. I'm somewhat confused here. If you leave it on, someone still needs to enter the BIOS password to get in, right? They also need to enter the BitLocker password as well? And finally the Windows password? So someone would need to enter 3 passwords in that order to get access to your laptop?

What confuses me a bit is if your laptop is on... wouldn't that mean it's most likely in Windows lock mode? I'm confused how your laptop could be but when you click on it... you still need to enter the BIOS password? What about the Windows password? So your computer is sleeping or hibernating? I'm a bit confused with what you mean when you say your computer is on 24/7, as I don't expect it to be like on where the screen is on, right?