
Windows Hello – Biometric authentication to Windows 10 devices - asyncwords
http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/
======
andrewfong
I hope that PINs and such always remain alternatives to biometrics. My usual
concern -- if the locally stored biometric data is compromised (malware, poor
crypto, etc.), I need a way to "change my password", which isn't really
possible for something like facial recognition. Likewise, I'm curious if
there's a fallback authentication method for people who lose a finger, get
their faces deformed, etc.

That said, the whole device-based authentication piece seems useful. A Windows
10 computer is now one factor in a 2FA scheme and the OS (and at least one of
its browsers) gets to be directly integrated into Microsoft's SSO scheme.

~~~
CaveTech
You don't need to only worry about your device being compromised, your
biometric credentials are being leaked by your mere _existence_.

Before long, I can imagine someone being able to build facial models capable
of fooling recognition systems using only a few source images. Your
fingerprints are _everywhere_. Iris would be a bit harder, for now, but potentially
possible with an image of high enough resolution.

~~~
thomasz
Fingerprint and iris scanners have been compromised with nothing more than a
high resolution image
[https://www.youtube.com/watch?v=vVivA0eoNGM](https://www.youtube.com/watch?v=vVivA0eoNGM)

------
therobot24
As someone who actively researches biometric authentication, when I hear/read
someone saying that biometrics are "usernames" and not "passwords", I
automatically think they fundamentally misunderstand what a biometric is.

A biometric is both a 'username' and a 'password' - for instance, when you
access your computer/device/whatnot you type in your username and your
password to identify to the system that _you_ are requesting access (on mobile
the account is implied). When using a biometric, the system will have a stored
template (similar to a password) that it associates to the system user
account, and in ideal situations you (the user) do not need to do anything
other than be present to access the system resources. It's a difference
between identification and verification. Do you go to your friends each time
they ask you something and say "are you so and so?", or have you already
identified who they are? Based on the video it seems that MS is starting to
understand this difference. Check out the video at ~2:35. He sits down at the
login screen, and it just opens the desktop. For consumer applications this is
really the goal of any biometric system.

Now spoofing and biometric template data being stolen are still real problems.
Unfortunately, spoofing is not a very hot topic in the biometric field
(usually conferences only have a relatively small percentage of papers on the
subject), but given more consumer applications I'm hoping more funding will
start to head that way. Concerning biometric template data, no you can't
change it in its most raw format, your fingerprint is static..that's what's so
great about it. However, there are methods such as key-binding where the
template is itself encrypted with a private key. This however leads to more
passwords... In any case, it's unfortunately up to companies like MS to start
paving the way to successful implementations - if the data breaches we hear
about almost monthly (Uber, Target, etc) are any indication, your password is
just as at risk as your fingerprint.

~~~
mejari
"A biometric is both a 'username' and a 'password' "

This is true, but usually people don't go around showing their passwords to
any camera they walk by or surface they touch. That is why people say that it
is more appropriate for biometrics to identify someone than it is to provide
their authentication.

"your password is just as at risk as your fingerprint."

Also true, but what do you do when these breaches happen if the data is
biometric? You can't send out an e-mail asking people to change their
fingerprints or face. With existing password infrastructures after a breach
the infrastructure can be upgraded to prevent that breach, then the users can
be told to change their passwords, then that vulnerability is closed. Once a
person's biometric data is stolen (or just taken from the hundreds of sources
of our biometric data we leave around daily in the form of pictures and
fingerprints) that's it, you can't close whatever breach they used to get in
and then move on, because the user can't change their "password" to one that
has not been compromised. That account is forever breached.

Biometrics violate several of the requirements for something that can be used
as authentication, which is why they are great as identifiers, but terrible as
authenticators.

~~~
therobot24
> usually people don't go around showing their passwords to any camera they
> walk by or surface they touch. That is why people say that it is more
> appropriate for biometrics to identify someone than it is to provide their
> authentication.

Yea i see the point, but there will always need to be an asterisk after the
statement, "a biometric is a username, not a password", because it's only
valid in the sense there are concerns about the security of the biometric
template. Down the line maybe we'll figure out this spoofing/liveness test
thing, but we won't find out while many instantly write off the merit of the
system to begin with.

> what do you do when these breaches happen if the data is biometric? You
> can't send out an e-mail asking people to change their fingerprints or face.

I did mention this somewhat in the original post. Saving a raw biometric
template (minutiae points or whatnot) is synonymous to keeping a database of
plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.)
are proof that in 2015, we still have this problem. I would never trust a
start-up or large corporation with consumer grade biometric authentication.
However, on my laptop a different story...i've been using the Thinkpad
fingerprint reader for years and love it.

~~~
fweespeech
> Yea I see the point, but there will always need to be an asterisk after the
> statement, "a biometric is a username, not a password", because it's only
> valid in the sense there are concerns about the security of the biometric
> template. Down the line maybe we'll figure out this spoofing/liveness test
> thing, but we won't find out while many instantly write off the merit of the
> system to begin with.

Any sensor accurate enough to perform biometrics is simultaneously accurate
enough to create a spoof capable of fooling the authentication sensor. The
only way to avoid this requires an active activity, in which case you've just
duplicated the password [e.g. the act of typing is identical to the act of
sufficient action to make it virtually impossible to duplicate] which has
better known security characteristics.

> I did mention this somewhat in the original post. Saving a raw biometric
> template (minutiae points or whatnot) is synonymous to keeping a database of
> plain text passwords. It's just wrong. The data breaches (Uber, Target,
> etc.) are proof that in 2015, we still have this problem. I would never
> trust a start-up or large corporation with consumer grade biometric
> authentication. However, on my laptop a different story...i've been using
> the Thinkpad fingerprint reader for years and love it.

A single breach and you cannot rely on biometric data for life is the reason
this is only safe to use as a "username" and not a password. You won't be able
to significantly change your biometrics w/o breaking other identification
issues.

Biometrics are only valid as a username or secondary authentication factor.

~~~
therobot24
> The only way to avoid this requires an active activity, in which case you've
> just duplicated the password [e.g. the act of typing is identical to the act
> of sufficient action to make it virtually impossible to duplicate] which has
> better known security characteristics.

Only way is active activity? Or just the only way you can think of?

> A single breach and you cannot rely on biometric data for life is the reason
> this is only safe to use as a "username" and not a password. You won't be able
> to significantly change your biometrics w/o breaking other identification
> issues.

You're assuming all recognition algorithms of the same biometric produce the
same raw template. That if I get one I can gain access on another.

> Biometrics are only valid as a username or secondary authentication factor

It's often frustrating to discuss things with those who clearly know little
about the topic and yet declare their opinion as fact.

~~~
mejari
> You're assuming all recognition algorithms of the same biometric produce the
> same raw template. That if I get one I can gain access on another.

Well, is that an unreasonable assumption? With passwords knowing what one
person's password used to be or even knowing one hash of their current
password tells you nothing about a different hash of their current password.
With biometric data points presumably if they get accurate and detailed enough
(which you already admit they would have to do to be a valid authentication
mechanism) you can extrapolate. Faces are known quantities. Knowing how 999
points of your face are arranged _does_ give you data about how other points
on your face are likely to be arranged. We already have modelling software
capable of this, so it doesn't seem unreasonable that such methods may be
improved if facial recognition gains traction. At the very least it brings
down the solution space to a much smaller size the more data points are used,
which is the opposite of what happens when more data points (characters) are
used in alpha-numeric passwords.

> It's often frustrating to discuss things with those who clearly know little
> about the topic and yet declare their opinion as fact.

I would agree. Especially opinions like how others "clearly know little about
the topic".

But is it as frustrating as someone explaining their reasoning for their
statement and then you ignoring that reasoning to discuss their closing
statement as the entire argument?

~~~
therobot24
> Well, is that an unreasonable assumption? With passwords knowing what one
> person's password used to be or even knowing one hash of their current
> password tells you nothing about a different hash of their current password.

Yea it is, this is very different from a password, even though it's being used
in a similar way. Let's take fingerprints as an example - algorithm A uses
minutiae points, and algorithm B does a simple normalized cross correlation
between the two images. While this is a toy example, you can see there is a
clear difference in what is being stored or even hashed.

> At the very least it brings down the solution space to a much smaller size
> the more data points are used, which is the opposite of what happens when
> more data points (characters) are used in alpha-numeric passwords.

No, it doesn't. You'd have better luck using a Facebook profile picture
printed on an old inkjet than you would trying to use a specific template as
the 'solution space' of what other templates may be.

> But is it as frustrating as someone explaining their reasoning for their
> statement and then you ignoring that reasoning to discuss their closing
> statement as the entire argument?

I admit that it wasn't the classiest way to respond, and i apologize for it
(i'm not going to delete it though, i wrote it and i won't run from it), but
the same arguments keep coming up over and over again, and it's very clear
that the users making these statements are not reading any previous replies so i
wasn't going to waste my time going over all the points again and again.

------
realo
Convenient, for sure.

However, I always have the choice of not giving up my passwords, under (even
painful) threat. Also, someone cannot get my passwords if I am dead. Ever.

Unfortunately, with biometrics, it is quite easy to force me to put my
face/finger/iris in front of the machine and unlock it. Even if I am (freshly)
dead.

Not that cool, really.

~~~
akerl_
Real talk: I feel like the demographic of people who read and comment on HN is
primarily people for whom "painful threat" is purely theoretical. Downstream
folks are talking about preventing information leak if the adversary is
literally willing to kill you via torture.

In the real world, torture is a fairly effective way to make somebody divulge
information, especially in the case where it can be readily checked (by trying
the password they divulge). It's a fairly well proven fact that living beings
will do pretty much anything to make the pain stop. For recent reference, this
HN article, where he repeatedly complied with demands, even including lying
about being tortured, in the hope that it would make the torture stop:

[https://news.ycombinator.com/item?id=9213753](https://news.ycombinator.com/item?id=9213753)

~~~
jotm
Not gonna lie, under threat of severe physical damage or death, I'd give away
everything I know. Granted, I don't have access to nuclear weapons or
anything, but I wouldn't care who gets effed up as long as I'm intact...

------
sly010
I honestly think biometric is just eye-candy. The real interesting thing here
is MS Passport.

Passwords are only broken because for most intended purposes they act as a
symmetric key that you happen to leave around everywhere and when it leaks,
you have a problem.

If we had a web standard for asymmetric key authentication, you just unlock
your device and your device authenticates you. A leaked public key (created
for a single service) is useless.

And once you only need to unlock ONE device, you might as well remember that
single password, because at that point it is way more secure than a
fingerprint.

Of course devices break and get stolen, so you need to back up your keychain,
and I bet that is exactly what MS Passport does for you, which is why it will
never be adapted by other vendors.
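
The scheme sketched in the comment above, as an added example (not part of the thread and not Microsoft's Passport code): a device holds one Ed25519 key pair per service, signs a server challenge only while unlocked, and each service stores nothing but a public key. The `Device` and `Service` classes and the `mail.example` / `bank.example` origins are hypothetical.

```javascript
// Added illustration; Device, Service and the *.example origins are hypothetical.
const nodeCrypto = require("node:crypto");

// Bytes that get signed: the origin is bound in, so a signature made for
// one service is meaningless at another.
const signedBytes = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin + "\n"), challenge]);

class Device {
  constructor() { this.keys = new Map(); this.unlocked = false; }
  unlock() { this.unlocked = true; } // stands in for the local PIN/biometric check
  register(origin) {
    // A fresh key pair per service; only the public half leaves the device.
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }
  sign(origin, challenge) {
    if (!this.unlocked) throw new Error("device is locked");
    const key = this.keys.get(origin);
    if (!key) throw new Error("no key registered for " + origin);
    return nodeCrypto.sign(null, signedBytes(origin, challenge), key);
  }
}

class Service {
  constructor(origin) { this.origin = origin; this.pubKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.pubKeys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  login(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.pubKeys.get(user);
    this.pending.delete(user); // each challenge is single-use
    if (!nonce || !pem) return false;
    return nodeCrypto.verify(null, signedBytes(this.origin, nonce), pem, signature);
  }
}

function demo() {
  const device = new Device();
  const mail = new Service("mail.example");
  const bank = new Service("bank.example");
  const mailPub = device.register("mail.example");
  const bankPub = device.register("bank.example");
  mail.enroll("alice", mailPub);
  bank.enroll("alice", bankPub);

  let lockedRefused = false; // a locked device must not sign anything
  try { device.sign("mail.example", mail.challenge("alice")); } catch { lockedRefused = true; }

  device.unlock();
  const sig = device.sign("mail.example", mail.challenge("alice"));
  const ok = mail.login("alice", sig);
  const replay = mail.login("alice", sig); // challenge already consumed

  bank.challenge("alice");
  const crossService = bank.login("alice", sig); // signature from another origin

  // Someone who knows only the stored public key has to sign with a key of their own.
  const other = new Device(); other.unlock(); other.register("bank.example");
  const nonce = bank.challenge("alice");
  const forged = bank.login("alice", other.sign("bank.example", nonce));
  return { lockedRefused, ok, replay, crossService, forged, distinctKeys: mailPub !== bankPub };
}
console.log(demo());
```

Only the first login succeeds; the replayed, cross-service and foreign-key attempts are all rejected, which is the sense in which the data a service stores is not a reusable credential.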

------
nanna
One thing I like about passwords is that they give me the choice to _not_
unlock something, should I wish that, which isn't the case with biometrics.
Say I'm a journalist who gets stopped at the border of a country and am asked
to open up my computer. If I want to, I can refuse - and face the consequences
but still, i can make that choice. With biometrics all they'd have to do is
force my finger onto the scanner, or put the computer in front of me and scan
my iris or face. That's a big downside.

Also, after everything we know about Microsoft and the security services,
there's absolutely no way I'd give them my biometric data.

~~~
LLWM
That's not a downside. Why should you be allowed to smuggle contraband into
the country?

~~~
nanna
I had the linked image in mind when I wrote that, of a journalist whose laptop
was shot by Israeli border police whilst she was being interrogated.

[http://lilyasussman.com/2009/11/30/im-sorry-but-we-blew-up-y...](http://lilyasussman.com/2009/11/30/im-sorry-but-we-blew-up-your-laptop-welcome-to-israel/)

Actually the reference doesn't totally work in hindsight because she was never
asked for her password, but it seems as though it was encrypted and hence they
just destroyed her laptop instead of asking her for the pw. If it had
biometrics they might have just forced her to open it. So actually, the
example might work after all.

~~~
LLWM
If you are unwilling to allow border guards to inspect something you are
attempting to bring into their country, then you should be prepared for them
to tell you to leave it outside at best or punish you for attempted smuggling
at worst. I am skeptical of the story you linked as it's entirely from the
perspective of the smuggler, but I don't see any reason to believe anything
wrong happened there.

------
hurin
_with technology that is much safer than traditional passwords_

From what I understand this is simply not true - could someone with a security
background weigh in if this statement has any basis (were they comparing to
<first_name>-"1234" and "user"-"password")?

------
tdicola
I'd love to understand more about how the face recognition works. Does it have
any way to combat someone just printing out a picture of your face and holding
it up? I've done some simple face recognition stuff with OpenCV and it's super
easy to fool with photos.

~~~
vmarsy
_Windows Hello uses a combination of special hardware and software to
accurately verify it is you – not a picture of you or someone trying to
impersonate you. The cameras use infrared technology to identify your face or
iris and can recognize you in a variety of lighting conditions._

and later in the webpage:

_all OEM systems incorporating the Intel® RealSense™ 3D Camera (F200) will
support the facial and iris unlock features of Windows Hello_

So by reading this we can assume it does more than 2D recognitions since this
is a "3D Camera"

~~~
higherpurpose
3D models have been created out of 2D images before. I'm not saying this will
be hackable from day one, but it will probably take a few short years for a
well sponsored and motivated attacker. Hopefully the technology will also keep
up and within a year or two we'll see updated versions that make it even
harder to replicate.

However, if I were to pick, I'd go for fingerprint recognition instead. Images
of people's faces are everywhere online. It's much less likely to have a good
photo of your fingerprints.

------
pqomdv
They claim physical access for "hacking" is required, but that is not true. As
long as you have a root access on a device you can do anything from anywhere.
I don't see how this replaces or improves passwords from this perspective. Yes
it is easier for the user, since they don't have to remember the password, but
everything else stays the same.

~~~
cwyers
> As long as you have a root access on a device you can do anything from
> anywhere.

As Raymond Chen likes to say, "it rather involved being on the other side of
this airtight hatchway." Once you have root, yes, you have compromised the
machine.

~~~
LoSboccacc
But if it is a biometric password then you compromised all machines of a user.

------
narrator
Biometrics sound like the next frontier for milking licensing revenue. Pretty
soon they will offer a discounted license for office, but only for one
biometrically identified user. Multiple users, such as library users, will
require the special license, even though they are all using the same computer.

~~~
therobot24
Never thought of this...i hope not.

------
maaaats
I hope this will make laptop vendors and others include IR capabilities in
their devices, and that those are usable outside Windows Hello. Would be cool
to see what other uses people could come up with, for this "baby-kinect".

------
jagermo
It would be interesting if Cortana would get speaker recognition on top of
speech recognition. Plus, she could ask you a question based on something
(maybe whom you met for lunch a few days ago) to counter recorded voice
attacks.

------
feld
This was demoed to my employer when Microsoft came through a month ago. I was
not impressed -- biometrics are a username, not a password.

edit: the article does not cover using your voice. I'm 99% sure they demoed to
us the ability to use a custom phrase to authenticate with your voice as well.

~~~
Someone1234
> biometrics are a username, not a password.

Can you clarify what you mean by that? People like to parrot it, but few if
any will explain why they feel that way.

If you simply mean that you don't find it secure enough, wouldn't that really
depend on the use-case? For example, what may not be secure enough to log into
a DC, may be secure enough to let the secretary log into their computer which
just has access to address books and calendars. It is all relative.

Some biometric systems are fairly secure, like fingerprints. The cost and
skill required to extract and reproduce a fingerprint so it is scannable make
it a non-trivial affair. While the security services and a dedicated adversary
could, for 80%+ of normal computer users it is a non-threat.

Android's face unlock may have been trivially beaten but it reads like
Microsoft are using multi-level photography (i.e. both IR for under-the-skin
and visible light for on-the-skin) to extract a layered model of a person's
face and head which could (maybe) prove harder to bypass with just a
photograph.

~~~
neohaven
Biometrics is identification, not authentication.

It identifies who you are talking to, which is not the same as confirming who
you are talking to (verifying authenticity of identity.)

~~~
mynameisvlad
An iris scan does not identify who you are talking to. A fingerprint scan does
not either. These are unique to an individual, if they were the person who set
them up, then it is, in 99% of cases, a unique element to a person that can be
used to authenticate them.

That's a whole lot better than a password, which _can_ be shared by
multiple people.

------
Roritharr
Great! While we're at it: Can i please use my Microsoft Account to Remote
Desktop into any currently available Device that is registered to my account,
without having to jump through the hoops of doing all the port and network
configuration beforehand?

------
sebleblanc
Great! Now the FBI does not even have to arrest me to get my fingerprints and
retina scanned!

~~~
jongalloway2
The video says it never stores image on the device:
[https://youtu.be/1AsoSnOmhvU?t=3m12s](https://youtu.be/1AsoSnOmhvU?t=3m12s)

I'd assume it's doing the equivalent of password hashing, so the
authentication mechanism just verifies a hash match.

------
lawnchair_larry
I don't think I'm comfortable with this.

------
higherpurpose
They say the passwords or biometric data will be kept in hardware - what does
that mean exactly? Is it the TPM? TPM 1.2? 2.0?

------
xena
The only insecure part about passwords is the human element.

~~~
pqomdv
What about password website leaks? Surely that is not my fault.

Technically that is also the human element but I think you are talking
specifically about users.

------
itsbits
3d camera!!..next what? Kinect inside my phone/laptop..wow..!!

