I've had a SP4 since they were released. It's got some faults, but Windows Hello has worked flawlessly for me. It sounded like such a gimmick before I used it but it's actually pretty neat.
The main thing that worries me about it is that "what your face looks like" is superbly easy to copy.
I mean, fingerprints aren't that much more secure in a technical sense, but at least a lot of people don't actively post images of their fingerprints to all their social media accounts.
If I'm not mistaken Windows Hello will only do facial recognition on a depth-sensing camera, so you would need to create a 3D model of my face to fool it.
Twins are easily distinguishable if you know them -- I went to high school with three pairs and they were easy to tell apart. Almost everyone has some pockmark etc. on their face, and Identical twins often have these in mirror image.
Sure it does, they have unique distinguishing features; they only look identical if you don't look too hard. Computers are good at seeing all the details.
No, it doesn't, I have no idea what wizardry is involved. All I'm saying is that if you assume some magic that can distinguish Bob from Steve, then those same techniques, whatever they are, can be used to distinguish Bob from his twin Todd.
The infrared might help: the capillaries transporting (hot) blood under the skin probably grow somewhat randomly per individual, giving everyone a slightly different pattern of heat running through their face.
Windows Hello only works with newer cameras that support depth/3d sensing. Only a handful of laptops and a couple external cameras have this functionality. Windows Hello doesn't work with standard cameras as it would be easier to bypass.
SP4 user here too, Windows Hello failed exactly once for me: when I was setting it up. Ever since then it's worked flawlessly. It's so insanely good it's almost hard to believe Microsoft built it.
When Android first came up with face recognition it was a gimmick; half of the time it didn't work, it took too long, you needed the right amount of light, etc etc. But I can confidently say that Microsoft's implementation is nothing like it, they've actually made it work.
> The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account
What pin is this talking about? The only pin I see related to my account is a 6-digit one that the Google authenticator app generates.
As someone who has accidentally locked himself out of his own Windows device before, there is definitely an attempt limiter on PINs in Windows. You have to resign in with your full password and must reset the PIN.
I have Windows Hello enabled on my phone (a 950) and it scans my iris with an infra-red camera/light. This means it still works in the dark and cant be fooled by a photo (or a 3d model I guess!)
Free advice: Do not use biometrics to unlock devices. Face/fingerprint recognition is subject to different, lesser, protections than memorized passwords.
Criminal defense 101: Don't talk to the police. Don't admit anything, including any sort admission of owning a phone. If they can use your face/finger to unlock a phone, that proves it is your phone. Even if you one day want to admit owning that phone, do not allow them to unlock it without your permission. The unlocking of any device should only happen after negotiations with the assistance of counsel, not at 2am in a parking lot. Use some sort of memorized password/pattern.
The clickbait 'title' makes some claim to vulnerability, except that's the wrong word entirely. The described "vulnerability" is logically equivalent to briefly removing one's face from the frame, because that's what this is. The article actually suggests that as the usual alternative!
There's nothing else going on here beyond "think about Windows Hello, please". Is this really what we want HN to be about?
Given it's from Old New Thing, I'm willing to bet clickbaiting was indeed the intention of the poster (Mr. Chen), as this title and the article itself seem to follow his sense of humor.
41 comments
[ 2.8 ms ] story [ 62.9 ms ] threadI mean, fingerprints aren't that much more secure in a technical sense, but at least a lot of people don't actively post images of their fingerprints to all their social media accounts.
This is designed for home users who don't have security requirements that make them carry around OTP devices just to see their desktop.
I mean, you can argue that passwords are pretty easy to copy as well -- you just need a video camera facing at the keyboard for a day or three.
That last item is the most interesting and perplexing to me.
When Android first came up with face recognition it was a gimmick; half of the time it didn't work, it took too long, you needed the right amount of light, etc etc. But I can confidently say that Microsoft's implementation is nothing like it, they've actually made it work.
https://www.cnil.fr/en/windows-10-cnil-publicly-serves-forma...
What pin is this talking about? The only pin I see related to my account is a 6-digit one that the Google authenticator app generates.
Is this some kind of enterprise feature?
Windows: "Are you sure? [Yes] [No] [Cancel] [Upgrade to Windows 10] [Debug]"
Retry, abort, or fail
He probably just thought it was a neat side effect.
Criminal defense 101: Don't talk to the police. Don't admit anything, including any sort admission of owning a phone. If they can use your face/finger to unlock a phone, that proves it is your phone. Even if you one day want to admit owning that phone, do not allow them to unlock it without your permission. The unlocking of any device should only happen after negotiations with the assistance of counsel, not at 2am in a parking lot. Use some sort of memorized password/pattern.
There's nothing else going on here beyond "think about Windows Hello, please". Is this really what we want HN to be about?
I guess it is an appropriate submission for Hac-- er I mean "Left-Facebook-Logged-In"-er News