Ask HN: Why doesnt windows require password for biometric auth?
Apple (and I believe Samsung) devices require atleast one password auth before allowing finger/face auth. In Apple devices, if you fail bio auth a certain amount of times, they will strictly require password auth.
On windows this is not so, in my experience. I can instantly use my face or password on system boot, and failing bio auth multiple times just requires me to click a couple buttons till I can try again. Do they believe in their auth so far? Or is it just a feature of Fastboot?(as in the fact that the password was verified once upon a time is flagged in fast boot)
5 comments
[ 4.1 ms ] story [ 19.4 ms ] threadObviously, one could argue one is safer than the other, and they both have their pros and cons.
I think being able to quickly disable biometric auth is a feature. If I hold down the volume and side buttons on the iPhone for a few seconds, or just mash the side button a lot, it brings up the shutdown/emergency option, but also disables biometric auth until the passcode is entered again. While I don’t ever plan on having run ins with the police, a hope I don’t have other cause, I like that I have a means to discreetly and quickly disable biometric auth, so someone can’t take my phone, hold it up to my face, and have access to all my stuff… other passwords, bank info, you name it.
Remembering a password is only a problem if you don't trust your biometric auth: otherwise, your biometric data is pretty much your password.
If you don't trust it, a solution is simple: do not use it (on either Apple or any other device).
Apple approach could be somewhat more secure if done properly, but it only covers limited usecases (eg somebody getting your device before you had a chance to disable biometric auth) with increased complexity.
Why Windows doesn't require this generally, I don't know. One reason might be that the underlying hardware (equivalent to Apple's Secure Enclave) isn't on every device Windows runs on. Another might be that MS is just that much less concerned with security or the appearance of being secure.