
Windows Hello face recognition is vulnerable to the Jedi mind trick - edburdo
https://blogs.msdn.microsoft.com/oldnewthing/20160719-00/?p=93905
======
justratsinacoat
The clickbait 'title' makes some claim to vulnerability, except that's the
wrong word entirely. The described "vulnerability" is logically equivalent to
briefly removing one's face from the frame, _because that's what this is_.
The article actually suggests that as the usual alternative!

There's nothing else going on here beyond "think about Windows Hello, please".
Is this really what we want HN to be about?

~~~
accatyyc
It is the title of the blog post though, which is a Microsoft blog. I don't
think clickbaiting was the intention of the poster.

~~~
WorldMaker
Given it's from Old New Thing, I'm willing to bet clickbaiting was indeed the
intention of the poster (Mr. Chen), as this title and the article itself seem
to follow his sense of humor.

------
sandworm101
Free advice: Do not use biometrics to unlock devices. Face/fingerprint
recognition is subject to different, lesser, protections than memorized
passwords.

Criminal defense 101: Don't talk to the police. Don't admit anything,
including any sort of admission of owning a phone. If they can use your
face/finger to unlock a phone, that proves it is your phone. Even if you one
day want to admit owning that phone, do not allow them to unlock it without
your permission. The unlocking of any device should only happen after
negotiations with the assistance of counsel, not at 2am in a parking lot. Use
some sort of memorized password/pattern.

------
kevinherron
I've had a SP4 since they were released. It's got some faults, but Windows
Hello has worked flawlessly for me. It sounded like such a gimmick before I
used it but it's actually pretty neat.

~~~
zyxley
The main thing that worries me about it is that "what your face looks like" is
superbly easy to copy.

I mean, fingerprints aren't that much more secure in a technical sense, but at
least a lot of people don't actively post images of their fingerprints to all
their social media accounts.

~~~
shliachtx
If I'm not mistaken Windows Hello will only do facial recognition on a depth-
sensing camera, so you would need to create a 3D model of my face to fool it.

~~~
AaronFriel
I understand it not only uses depth sensing, but also infrared, and it can
distinguish between twins.

That last item is the most interesting and perplexing to me.

~~~
qq66
Twins are easily distinguishable if you know them -- I went to high school
with three pairs and they were easy to tell apart. Almost everyone has some
pockmark etc. on their face, and identical twins often have these in mirror
image.

~~~
underwater
That doesn't explain how software can distinguish them.

~~~
qq66
No, it doesn't, I have no idea what wizardry is involved. All I'm saying is
that if you assume some magic that can distinguish Bob from Steve, then those
same techniques, whatever they are, can be used to distinguish Bob from his
twin Todd.

------
ctpide
Jedi: "These are not the faces you are looking for." Windows: "Are you sure?
[Yes] [No] [Cancel]"

~~~
balls187
Windows: "Are you sure? [Yes] [No] [Cancel] [Upgrade to Windows 10]"

~~~
deciplex
(The joke is in supposing that Windows would ask first.)

~~~
balls187
If you have VS installed:

Windows: "Are you sure? [Yes] [No] [Cancel] [Upgrade to Windows 10] [Debug]"

------
damianknz
I have Windows Hello enabled on my phone (a 950) and it scans my iris with an
infra-red camera/light. This means it still works in the dark and can't be
fooled by a photo (or a 3D model I guess!).

~~~
kylemuir
Still wouldn't stop Wesley Snipes in Demolition Man :)

------
Sylos
Who gives a fuck?

------
pookeh
Wow pretty desperate marketing for a design flaw.

~~~
algorithmsRcool
I highly doubt that Raymond Chen, a 24 year veteran of Microsoft and WinAPI /
NT kernel expert, is shilling for marketing kudos.

He probably just thought it was a neat side effect.

------
mtgx
Microsoft should fix its 4-digit PIN/no limiter app authentication first.

[https://www.cnil.fr/en/windows-10-cnil-publicly-serves-forma...](https://www.cnil.fr/en/windows-10-cnil-publicly-serves-formal-notice-microsoft-corporation-comply-french-data-protection)

~~~
fintler
_> The company allows users to choose a four characters PIN to authenticate
themselves for all its on-line services, notably to access to their Microsoft
account_

What pin is this talking about? The only pin I see related to my account is a
6-digit one that the Google authenticator app generates.

Is this some kind of enterprise feature?

~~~
AaronFriel
Windows 10 allows PIN sign in, but it's done with the TPM to ensure a limited
number of accesses.

~~~
NeutronBoy
And IIRC it's tied to a single machine, so you need physical access for it to
be any use.

~~~
mtgx
That's how PINs typically work. The main threat for a PIN password without any
attempt limiter is local bruteforce.

~~~
WorldMaker
As someone who has accidentally locked himself out of his own Windows device
before, there is definitely an attempt limiter on PINs in Windows. You have to
re-sign in with your full password and must reset the PIN.
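The last few comments describe a PIN that is only useful locally, is protected by an attempt limiter, and after too many failures can only be restored by signing in with the full password. The Python below is an added illustration of that lockout flow, written for this thread; it is not Windows or TPM code. The threshold of five attempts, the PBKDF2 storage and the class and function names are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Added example, not from the thread or from Microsoft. MAX_ATTEMPTS is an
# assumed threshold; the thread gives no number.
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def _derive(secret: str, salt: bytes) -> bytes:
    """Store a slow salted hash rather than the raw PIN or password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class PinVerifier:
    """Verifies a short numeric PIN, locks after repeated failures, and only
    unlocks when the full account password is presented (assumed flow modelled
    on the behaviour the thread describes)."""

    def __init__(self, password: str, pin: str) -> None:
        self._pw_salt = os.urandom(16)
        self._pw_hash = _derive(password, self._pw_salt)
        self.failed_attempts = 0
        self.locked = False
        self._set_pin(pin)

    def _set_pin(self, pin: str) -> None:
        if not (pin.isdigit() and len(pin) >= 4):
            raise ValueError("PIN must be at least four digits")
        self._pin_salt = os.urandom(16)
        self._pin_hash = _derive(pin, self._pin_salt)

    def verify_pin(self, pin: str) -> bool:
        # Once locked, nothing is evaluated: a guess cannot even be tested.
        if self.locked:
            return False
        ok = hmac.compare_digest(_derive(pin, self._pin_salt), self._pin_hash)
        if ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False

    def reset_pin_with_password(self, password: str, new_pin: str) -> bool:
        """The only way out of the locked state: prove the full password."""
        candidate = _derive(password, self._pw_salt)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return False
        self._set_pin(new_pin)
        self.failed_attempts = 0
        self.locked = False
        return True


def count_evaluated_guesses(verifier: PinVerifier, guesses) -> int:
    """Feed wrong guesses and report how many the verifier actually
    evaluated before the limiter shut the door."""
    evaluated = 0
    for guess in guesses:
        if verifier.locked:
            break
        verifier.verify_pin(guess)
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    # Constructed sample: a device with a four-digit PIN and a long password.
    v = PinVerifier("correct horse battery staple", "1234")
    wrong = [f"{i:04d}" for i in range(50)]  # none of these is "1234"
    print("guesses evaluated before lockout:", count_evaluated_guesses(v, wrong))
    print("correct PIN while locked:", v.verify_pin("1234"))
    print("reset with password:", v.reset_pin_with_password("correct horse battery staple", "5678"))
    print("new PIN after reset:", v.verify_pin("5678"))
```

The point of the example is the `locked` flag, not the hashing: a four-digit PIN has only ten thousand values, so its security rests entirely on how many guesses the verifier is willing to evaluate. In this toy the counter lives in process memory; AaronFriel's comment is that on Windows the equivalent counter is enforced by the TPM, which is what stops someone with a copy of the disk from simply zeroing it.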

