
Windows 10's Biometric Security Layer Introduced

jones_supa writes: One of the major concepts of Windows 10 is new security ideas, and though Microsoft has touched on this topic before, it's only now giving us a more comprehensive look in the form of "Windows Hello." This is an authentication system that uses a variety of biometric signatures and combines hardware and software to allow for seamless and secure user recognition and sign-in. According to Microsoft, the ideal scenario here would be for you to simply look at or touch a new device running Windows 10 and to be immediately signed in. The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password. But the point of Windows Hello isn't only convenience, as the company's blog post notes, but also security. We've heard time and time again how insecure passwords are, and Microsoft is aiming to offer a widely-deployed replacement while still delivering enterprise grade security and privacy.
  • No thanks... (Score:5, Insightful)

    by Anonymous Coward on Tuesday March 17, 2015 @09:16PM (#49280375)

    Considering I have heard tales of biometric scanners being bypassed by pressing a warm hot dog against them, I think I'll pass.

    I'm sure they've improved, but I don't know that they've improved enough. Plus, I'm not sure I'd want to be auto-logged in by just picking up the device.

    • Re:No thanks... (Score:5, Insightful)

      by gronofer ( 838299 ) on Tuesday March 17, 2015 @09:54PM (#49280545)
      I'd say you should also wear gloves everywhere in case your fingerprint is compromised. It's not like you can change it easily.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        That's why you use a toeprint instead. Sure, your computer will start smelling of feet, but them's the tradeoff.

    • by Anonymous Coward

      I have heard tales of biometric scanners being bypassed by pressing a warm hot dog against them

      Yeah, but you've gotta get 'em drunk first, otherwise you end up in the back of a police cruiser with a black eye and swollen testicles.

    • Re:No thanks... (Score:5, Insightful)

      by Bing Tsher E ( 943915 ) on Tuesday March 17, 2015 @10:11PM (#49280599) Journal

      The deal with Windows 8 is, you get a 'Microsoft Account' that you use to log onto all your Windows 8 devices and computers. Microsoft has the password. You can't have a password on your machine that is local that Microsoft doesn't have. You can't change your password to anything you've used recently. All the usual 'LAN' password requirements, mandated, and your Windows machine won't work without them.

      So with Biometrics tied into this, you'll have your Microsoft Account, you'll have to use it to authenticate on Windows products, and you won't be able to become de-linked from it, ever. You'll not be able to be anonymous on any Windows computer or device ever again.

      Facebook and their 'Real Name' policy should be so lucky.

      • Re:No thanks... (Score:5, Informative)

        by Anonymous Coward on Tuesday March 17, 2015 @10:18PM (#49280635)

        The Microsoft account is optional. I don't use it. Please update your FUD accordingly.

        • Re:No thanks... (Score:5, Insightful)

          by gl4ss ( 559668 ) on Tuesday March 17, 2015 @10:28PM (#49280671) Homepage Journal

          The Microsoft account is optional. I don't use it. Please update your FUD accordingly.

          it is indeed optional. however, with windows 8.1 they made it less obvious that it is optional. basically, you have to go to something that looks like a failure state before you can create a local account. fucking ridiculous.

          • That wasn't my experience a few months ago when I bought a new laptop with windows 8.1

            • Re:No thanks... (Score:4, Informative)

              by Vlado ( 817879 ) on Wednesday March 18, 2015 @06:30AM (#49282021) Homepage
              Maybe the experience there was customized. But if you want to create your local account on Windows 8.1 you are pretty much forced to go to the selection, which you would look at if you were about to create a Microsoft account and THEN there is a way to create it locally.
              Here is the instruction list from the MS site on how to create a local account from within Windows itself (not easy).

              Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you're using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)
              Tap or click Accounts, and then tap or click Other accounts.
              Tap or click Add an account, and then tap or click Sign in without a Microsoft account (not recommended).
              Tap or click Local account.
              Enter a user name for the new account.
              If you want this person to sign in with a password, enter and verify the password, add a password hint, and then tap or click Next.
              If your PC is on a domain, depending on the domain's security settings, you might be able to skip this step and tap or click Next, if you prefer.
              Tap or click Finish.
            • Re:No thanks... (Score:4, Informative)

              by LordLimecat ( 1103839 ) on Wednesday March 18, 2015 @07:20AM (#49282185)

              He is in fact correct. They make it somewhat difficult to avoid being sucked into a Microsoft account, though there are ways to force it to desist. SkyDrive (or whatever it's called now) also tries pretty hard to pull you in, though again you CAN force it to back off somewhat.

          • Re:No thanks... (Score:5, Informative)

            by vux984 ( 928602 ) on Tuesday March 17, 2015 @10:52PM (#49280773)

            you have to go to something that looks like a failure state before you can create a local account. fucking ridiculous.

            Not quite. It prompts you to sign in with your existing Microsoft account. At the bottom of that screen, it says "Don't have one?" and a link to "create a new account".

            Contextually that, for a lot of people, is interpreted to mean "Create a new Microsoft account"; however, if you click it you are presented with an account creation page for a Microsoft account but at the bottom it offers another link "Sign in without a Microsoft account" and you can create a local account from there.

            The fail state you refer to is the -other- way of reaching the same page -- where you enter dummy Microsoft credentials in; force it to fail to login; and that lands you on a page where you can create a local account as well.

            However, the "proper" way to reach the local account option is the first:

            Create new Account
            Sign in without a Microsoft account

            So it's not as bad as you suggest, I agree it's just obscure enough to be misleading.

            For what it's worth a lot of OEMs are shipping with a local user account pre-configured or are otherwise customizing it to create a local account by default.

            • The "optional" Microsoft account is probably the main reason why I'll be staying with my Windows 7 PCs as long as possible. I've been testing Windows 10, and there are far too many areas of the OS that require a login to Microsoft in order to become functional.

              With Windows 10, it's like I'm getting a half-functional OS if I choose to have a local account and not to log in to Microsoft.

          • by Anonymous Coward
            It is pretty easy to bypass, BUT it takes some knowledge as by default it does try to force you down the MS account route (which to be fair, most people will want to use). On test builds of Windows 10 it is even harder to bypass - the easiest way to bypass it on the build I am running now is to either not have a network driver for the device installed yet, disconnect the LAN cable (if using wired), or don't connect to wireless when prompted. Then it will "fail" into the local account setup and you can conne
          • There is an easy way which I discovered recently. Make sure you install without an internet connection, then creating a local account is the default instead of a hidden option.
          • Why would it be obvious?

            MS has sunk itself numerous times by trying to please every little fuck up on earth. The result has been a crap load of legacy garbage to maintain over the course of many OSs. For the first time MS looks like it's putting its pants on and telling you how it's going to be. In case you didn't notice, Apple and Google have already been forcing customers into "their way" so no harm done here.

      • you do know that it is optional, right? I saw it on Windows 8 when I first got a copy and went out and found out how to not use it http://www.howtogeek.com/12197... [howtogeek.com]
        • In practice, it's not very optional if you have to go to howtogeek, which I would imagine is not heavily used by average computer users.

      • apple. google.
      • by Anonymous Coward

        The deal with Windows 8 is, you get a 'Microsoft Account' that you use to log onto all your Windows 8 devices and computers. Microsoft has the password.

        No, they don't, they have an anonymous one-way hash of the password.

        You can't have a password on your machine that is local that Microsoft doesn't have.

        Yes you can. You can have a fully local account on Windows 8, not using the Microsoft Account at all.

        You can't change your password to anything you've used recently. All the usual 'LAN' password requirements, mandated, and your Windows machine won't work without them.

        Yes it will, there is no password policy requirements on local accounts. Your password can be anything you want it to be, including no password at all.

        So with Biometrics tied into this, you'll have your Microsoft Account, you'll have to use it to authenticate on Windows products, and you won't be able to become de-linked from it, ever.

        Yes you can, you can de-link your Microsoft Account whenever you like.

        You'll not be able to be anonymous on any Windows computer or device ever again.

        Yes you will. See above about all your assumptions being wrong.

    • by Anonymous Coward

      So your comment is "I'm ignorant and afraid, so I'm not going to use it"?

      I know, I know, that's really snarky, but working in the biometrics industry that kind of attitude just rubs me the wrong way.

    • by PopeRatzo ( 965947 ) on Tuesday March 17, 2015 @10:22PM (#49280643) Journal

      Considering I have heard tales of biometric scanners being bypassed by pressing a warm hot dog against them, I think I'll pass.

      That wasn't a hot dog.

    • Re:No thanks... (Score:5, Interesting)

      by ganjadude ( 952775 ) on Tuesday March 17, 2015 @10:48PM (#49280755) Homepage
      not only this, but after the courts saying they can force you to submit biometric data to cops but not passwords, why would I want to "secure" my device with something that they can get into easily either with me held captive, or in some cases just a photo of one's face???
    • This is extra security. You must swipe your dachshund against the phone to unlock it. The dachshund has teeth therefore is unlikely to be stolen along with the phone.

    • by arglebargle_xiv ( 2212710 ) on Wednesday March 18, 2015 @02:21AM (#49281367)

      So the last sentence in the summary should have read "We've heard time and time again how insecure passwords are, and Microsoft is aiming to replace them with a password-equivalent where you can never change your password when it's compromised, you leave copies of it on everything you touch (or look at), and which can be defeated with a bit of gelatin or a printout of a photo".

      Yay, Microsoft!

    • So criminals only need your body, not your co-operation to access your computer....

  • Will you have to retrain the mechanism to recognize you every time you switch from Brand A biometric sensor to Brand B? If so, it might not recognize you across devices anyway. It seems attractive in theory but I wonder how practical it will be in practice, since a typical user will have access to a variety of Windows devices at home and work.
    • by gl4ss ( 559668 )

      I'd rather them not try to do that.

      Imagine logging in with just a picture of the fingerprint from a cup. no access to the machine even - all you start with is that cup. or a picture of the dude.

      like, if it would log in just by the way you look.. just run a video to the computer of the guy. and what if you don't want to open the computer, for whatever reason?

      • If you have no direct physical access to the machine, all you have to authenticate by is the picture or processed picture of your fingerprint or selected other body part.

  • by Anonymous Coward

    We've heard time and time again how insecure users are.

    FTFY. And I don't see how fancy biometric wizardry will fix the users.

  • Windows secure
    Better than Zen
    Will it scandal-free insure
    Her Majesty, then?
    Burma Shave
  • by martok ( 7123 ) on Tuesday March 17, 2015 @09:29PM (#49280441)

    I've seen cases recently where people crossing the border from one nation to another have been asked to enter their phone or laptop password for inspection. They are at this point free to refuse to divulge this information though there may be the obvious consequences. Using biometrics, would it not be possible for an attacker to simply force one to provide biometrics to unlock a device? What about other attacks such as a spouse unlocking a device using his/her partner's fingerprint while (s)he is asleep? I would think this would open up new security holes for the ones it fixes.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      http://xkcd.com/538/

    • by Anonymous Coward

      Not if it needs both biometric AND a regular password. Something you are, something you have, something you know.

      Now all we need is a USB crypto key standard, and have all three required to be present to log in. Plug in USB key, scan finger, provide password, and if they ALL match, you get access.

      Bonus points if the computer itself doesn't have any actual crypto algorithms on it, instead using the USB hardware to provide all keygen services. That way, you can verify your USB key is clean, and the rest of th

    • Keep in mind you always have the option of NOT using this feature if you're that paranoid, or are legitimately in danger of some goon [xkcd.com] cutting off your finger and using it to unlock your phone or computer. Also, if you're worried about your spouse secretly unlocking your phone while you're asleep and snooping on you, then you both have some bigger issues to work out.

      In the case of AppleID, all you have to do is reset the device or leave it unlocked for 48 hours, and you'll be required to use a password inst

      • by Anonymous Coward

        It is not about being paranoid. It's about being sensible with all we know today. Valuing your right to privacy is the cornerstone of free speech and democracy.

    • by adolf ( 21054 )

      It's easier than you think.

      Just print out one (or more) of these images [google.com] and use that as your "biometric" "faceprint."

      And, done! You shouldn't divulge such an image to those pinks, anyway, so you're covered on the religious morality front if push comes to shove.

  • by HalAtWork ( 926717 ) on Tuesday March 17, 2015 @09:32PM (#49280459)
    ...in case you're in an accident and your hand is cut off, or your face needs to be reconstructed, or whatever else that could happen. That mechanism better be secure as well, and what will it rely on, another password?
    • Heh, I think a more common scenario would be "the touch sensor isn't working because it's very cold out, or my hands are too dry to get a reading". No need for such dramatic examples. Search for "touchID cold weather" to see what I mean. Systems (like TouchID) generally let you try a few times with biometrics, and if that doesn't work, then you need to enter your passcode as a fallback.

    • Not knowing much about fingerprint scanners, how much of a cut would it take to cause the recognition to fail? (I'd also rather not take off an adhesive bandage every time I needed to log on.)

  • You can expect the "I got locked out of my machine" help calls to go through the roof. Great.
  • Evidently they did not consult Firefox on the name.

    My laptop way back in 2007 running XP had a finger scanner for logins and the like. I guess it's nice if there's a UI/Authentication API standardized for which vendors only need to plug in a hardware implementation.

  • by thisisauniqueid ( 825395 ) on Tuesday March 17, 2015 @09:50PM (#49280527)
    Could they have picked a worse name? "Windows Hello" reminds me of all the awkward conversations I had with nontechnical Windows users about their "My Documents" folder. "Open My Documents." "Your documents?" "No, your My Documents." "My your documents?" "NO!..."
    • Could they have picked a worse name? "Windows Hello" reminds me of all the awkward conversations I had with nontechnical Windows users about their "My Documents" folder. "Open My Documents." "Your documents?" "No, your My Documents." "My your documents?" "NO!..."

      That's fine. Windows Hello is for the same users.

    • The reason it's called hello is because it has facial recognition to recognize you as soon as you look at it. Then it will tell you hello, and your name. Really.
  • If I can log in by singing Total Eclipse of the Heart, that'd be pretty cool. Other than that, giving people two ways to log in instead of one is ridiculous and a horrible idea. It's always biometrics + password backup.
  • by dirk ( 87083 ) <dirk@one.net> on Tuesday March 17, 2015 @09:56PM (#49280553) Homepage

    Passwords are not a perfect solution, no one denies that. But overall, they are a good solution, especially when combined with something like an RSA key or Google authentication. Biometrics seems easier and more secure, and on the face it is. The issue with biometrics is that once there is a way around it, there is no way to change it. So your fingerprint is secure today. But tomorrow someone comes up with a way to fake your fingerprint. You are now stuck because you can't change your fingerprint. With a password, if it is hacked you can change it. With biometrics, if they are hacked you are entirely screwed because it can't be changed (which is the point of biometrics). Sorry, I'll stick with passwords for now.

    • by Jeremi ( 14640 )

      One presumes that eventually we will all be using multi-factor authentication [youtube.com] to log in.

      • One would presume NOT since the summary states:

        the ideal scenario here would be for you to simply look at or touch a new device running Windows 10 and to be immediately signed in

    • also biometrics don't really lend themselves to encryption, since they slightly change each time so your encryption key changes each time.

      You could possibly hash that key in a way that it doesn't change but then storing the encryption key on the device kind of defeats the purpose of encryption.

      Also if anybody scanned your fingerprint/DNA whatever all your encryption is now compromised.

      Would you really be willing to log into a web site with your fingerprint, even your bank, if doing so would immediately g

    • The other problem is that it's much easier to have multiple copies of a password than a finger. If you injure your finger, or do a lot of bricklaying or something, how do you log in?

  • by msobkow ( 48369 ) on Tuesday March 17, 2015 @10:11PM (#49280601) Homepage Journal

    I've been reading about biometric scanners for over a decade now, starting with the fingerprint reader bar that was on old IBM Thinkpads.

    Every single attempt at cheap biometric security has been demonstrated to be insecure or unreliable. When I got my Lenovo laptop, the first thing I uninstalled was their camera-using face scanner software, because I'd read about how easy it was to hack with a photo of the person to be identified.

    Sure, there are real biometric devices out there such as government iris scanners and such, but those are not cheap enough for mass deployment. Until such high reliability security devices are available to the consumer at a sane price, I'm going to stick with good old fashioned passwords.

    Besides, getting into the machine is only the first step. All that would gain you access to is some personal photographs and documents. Everything else would require access to the keystore and the key passwords for accessing remote servers, so I'm still relatively comfortable that someone hacking my password isn't that great a risk.

    I'm also perfectly comfortable with "da goobernmint" scanning my system (with a warrant), because all my "secure" data resides elsewhere, and they won't find so much as a PDF of a bank account statement on the box itself.

  • The W10 preview is all one big browser which connects to MS and requires an MS id to be of any use unless you download third party software. Mail needs an MS id. Calendar needs an MS id and so on and so on. Their privacy policy basically states that you have none and they and their affiliates can do as they please. So why even bother pretending that the information is locked when it will already be stored on their servers and can be accessed without your knowledge.

    On another note what good is biometrics if t

  • ...and for the uber-security conscious, the bio-readers will contain a small blowdart laced with Anthrax/SARS/poop/whatever. If the wrong person tries to log into your device, PFFT! Poop in the eye!
  • How will I log into computers that customers bring to my store? How will I admin the hundreds of computers that I see at customer locations?

  • by l3v1 ( 787564 ) on Wednesday March 18, 2015 @12:22AM (#49281017)
    "delivering enterprise grade security and privacy"

    Somewhat offtopic: I'd so wish people would stop flinging this phrase around, like it would actually exist... That enterprise grade security has failed millions of people over the years, sometimes quite spectacularly. Adding a heuristic set of mixed-up unreliable biometrics won't change that, but it will make your life hell, when it fails (as it inevitably will). All that incorporated into an OS that likes to call home more often than an average person calls their Mom :)) So, good luck with all that :))
  • "The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password."

    Fabulous. So in the Brave New World of Windows Hello, a "hacker" is a guy with an axe and a microwave.

    And I'm the one they call "Lefty".

  • It sounds like a piece of shit.

  • People are sometimes being compelled to give up their passwords for devices when they cross borders. This could potentially require a person to provide his fingerprint (already required to cross some borders, for some people) and his/her face/voice.

    I think this could make it easier for governments to get in your knickers.

  • Microsoft always does this... There are always new versions coming up without actually introducing meaningful changes that really matter.
  • by QuietLagoon ( 813062 ) on Wednesday March 18, 2015 @07:47AM (#49282355)
    Windows is a dying breed. Most of its usage is just old PCs in businesses trying to do what they have been doing for years. Is anyone really going to care about innovation that is based upon the Windows platform?
    • "Trying to do what they have been doing for years" also means "running some software without needing or wanting anything from the OS rather than a window manager, device drivers, a filesystem, and a networking stack". Just because the "platform" isn't "innovating" doesn't mean that people don't run nifty software on it.

      Most of the frustration with Windows comes from trying to get the Microsoft marketing bullshit to fuck off so we can use computers for what computers are for: running software.

      • ... Just because the "platform" isn't "innovating" doesn't mean that people don't run nifty software on it....

        I agree. When I asked if innovation in Windows was relevant, I was referring to innovation in the Windows OS itself, not the apps that run on it.

    • Most of the "innovations" are actually detrimental to corporate users who simply are trying to keep everything running and they don't want to climb a learning curve just to get back to their former level of productivity. But that is what MS is pushing. Tinkering under the hood to improve performance is one thing. Arguably Windows 8 is a good OS under a god-awful and painful GUI. Messing with GUIs is probably Microsoft's biggest error. They should provide different GUIs for different installations, but prov
  • This is just the beginning of a long push, to get us ALL hooked into the NWO technocracy. https://www.youtube.com/watch?... [youtube.com]
