Ask HN: Why doesnt windows require password for biometric auth?

[preciousoo]

Apple (and I believe Samsung) devices require atleast one password auth before allowing finger/face auth. In Apple devices, if you fail bio auth a certain amount of times, they will strictly require password auth.

On windows this is not so, in my experience. I can instantly use my face or password on system boot, and failing bio auth multiple times just requires me to click a couple buttons till I can try again. Do they believe in their auth so far? Or is it just a feature of Fastboot?(as in the fact that the password was verified once upon a time is flagged in fast boot)

[necovek]

Why does Apple or Samsung require one to enter their password at least once? Do they not trust their biometric auth?

Obviously, one could argue one is safer than the other, and they both have their pros and cons.

[al_borland]

I think the occasional forced password is a way to make sure people remember their password. It would be very easy to make a password, setup biometric auth, then never use the password again for 3+ years. Then what happens when the password is needed for something?

I think being able to quickly disable biometric auth is a feature. If I hold down the volume and side buttons on the iPhone for a few seconds, or just mash the side button a lot, it brings up the shutdown/emergency option, but also disables biometric auth until the passcode is entered again. While I don’t ever plan on having run ins with the police, a hope I don’t have other cause, I like that I have a means to discreetly and quickly disable biometric auth, so someone can’t take my phone, hold it up to my face, and have access to all my stuff… other passwords, bank info, you name it.

[necovek]

Samsung or Windows could easily develop a feature to quickly disable biometric auth, if that is a usecase they cared about. But this ultimately means you don't trust your biometric auth.

Remembering a password is only a problem if you don't trust your biometric auth: otherwise, your biometric data is pretty much your password.

If you don't trust it, a solution is simple: do not use it (on either Apple or any other device).

Apple approach could be somewhat more secure if done properly, but it only covers limited usecases (eg somebody getting your device before you had a chance to disable biometric auth) with increased complexity.

[Jtsummers]

The password/PIN decrypts the data on iOS/macOS needed for touch or face ID to work. Too many failed attempts, a reboot, or too much time between attempts requires the data to be decrypted again, which requires your PIN or password.

Why Windows doesn't require this generally, I don't know. One reason might be that the underlying hardware (equivalent to Apple's Secure Enclave) isn't on every device Windows runs on. Another might be that MS is just that much less concerned with security or the appearance of being secure.