Windows 10's Biometric Security Layer Introduced
jones_supa writes: One of the major concepts of Windows 10 is new security ideas, and though Microsoft has touched on this topic before, it's only now giving us a more comprehensive look in the form of "Windows Hello." This is an authentication system that uses a variety of biometric signatures and combines hardware and software to allow for seamless and secure user recognition and sign-in. According to Microsoft, the ideal scenario here would be for you to simply look at or touch a new device running Windows 10 and to be immediately signed in. The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password. But the point of Windows Hello isn't only convenience, as the company's blog post notes, but also security. We've heard time and time again how insecure passwords are, and Microsoft is aiming to offer a widely-deployed replacement while still delivering enterprise grade security and privacy.
Considering I have heard tales of biometric scanners being bypassed by pressing a warm hot dog against them, I think I'll pass.
I'm sure they've improved, but I don't know that they've improved enough. Plus, I'm not sure I'd want to be auto-logged in by just picking up the device.
Will you have to retrain the mechanism to recognize you every time you switch from Brand A biometric sensor to Brand B? If so, it might not recognize you across devices anyway. It seems attractive in theory but I wonder how practical it will be in practice, since a typical user will have access to a variety of Windows devices at home and work.
Twinstiq, game news
We've heard time and time again how insecure users are.
FTFY. And I don't see how fancy biometric wizardry will fix the users.
Try and get me to sign in otherwise ;-)
Didn't rtfa but does it take into account user breach? As in I am tied to a chair?
Windows secure
Better than Zen
Will it scandal-free insure
Her Majesty, then?
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
this personal information is stored somewhere.
could you imagine the result of a database of thousands or millions of this information leaking by way of hack or some other spill to the public?
people jest about "oh great now I'll lose body part X because of this" but isn't it much simpler than that? imo information security of this kind should be protected under existing medical privacy law(s). and not used for everyday auth by everyday joe.
if the traditional password is done away with in future MS products, I'll finally make the leap off of using MS Windows forever.
what's next, Windows auth via implanted microchip?
I've seen cases recently where people crossing the border from one nation to another have been asked to enter their phone or laptop password for inspection. They are at this point free to refuse to divulge this information though there may be the obvious consequences. Using biometrics, would it not be possible for an attacker to simply force one to provide biometrics to unlock a device? What about other attacks such as a spouse unlocking a device using his/her partner's fingerprint while (s)he is asleep? I would think this would open up new security holes for the ones it fixes.
Can I still use passwords instead, if I want to?
I'm sure a lot of you have found the fake name generator site, how long before there's a fakebodypartprint site?
i guess John the Ripper for *nix would really be a sick name if it matured into using photo indexes of prints vs. dictionaries.
...in case you're in an accident and your hand is cut off, or your face needs to be reconstructed, or whatever else that could happen. That mechanism better be secure as well, and what will it rely on, another password?
Twinstiq, game news
You can expect the "I got locked out of my machine" help calls to go through the roof. Great.
"not only is Windows Hello more convenient than typing a password—it’s more secure!"
My gosh, wow!
" ...there will be plenty of exciting new Windows 10 devices to choose from..." ... It’s a solution that government, defense, financial, health care and other related organizations will use to enhance their overall security, with a simple experience designed to delight.
Keen! Peachy!
Well, dag my dogs! Delightful!
It's time to start donating to open source projects, especially solid Linux Distributions.
Evidently they did not consult Firefox on the name.
My laptop way back in 2007 running XP had a finger scanner for logins and the like. I guess it's nice if there's a UI/Authentication API standardized for which vendors only need to plug in a hardware implementation.
Could they have picked a worse name? "Windows Hello" reminds me of all the awkward conversations I had with nontechnical Windows users about their "My Documents" folder. "Open My Documents." "Your documents?" "No, your My Documents." "My your documents?" "NO!..."
If I can log in by singing Total Eclipse of the Heart, that'd be pretty cool. Other than that, giving people two ways to log in instead of one is ridiculous and a horrible idea. It's always biometrics + password backup.
Passwords are not a perfect solution, no one denies that. But overall, they are a good solution, especially when combined with something like an RSA key or Google authentication. Biometrics seems easier and more secure, and on the face it is. The issue with biometrics is that once there is a way around it, there is no way to change it. So your fingerprint is secure today. But tomorrow someone comes up with a way to fake your fingerprint. You are now stuck because you can't change your fingerprint. With a password, if it is hacked you can change it. With biometrics, if they are hacked you are entirely screwed because it can't be changed (which is the point of biometrics). Sorry, I'll stick with passwords for now.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
I've been reading about biometric scanners for over a decade now, starting with the fingerprint reader bar that was on old IBM Thinkpads.
Every single attempt at cheap biometric security has been demonstrated to be insecure or unreliable. When I got my Lenovo laptop, the first thing I uninstalled was their camera-using face scanner software, because I'd read about how easy it was to hack with a photo of the person to be identified.
Sure, there are real biometric devices out there such as government iris scanners and such, but those are not cheap enough for mass deployment. Until such high reliability security devices are available to the consumer at a sane price, I'm going to stick with good old fashioned passwords.
Besides, getting into the machine is only the first step. All that would gain you access to is some personal photographs and documents. Everything else would require access to the keystore and the key passwords for accessing remote servers, so I'm still relatively comfortable that someone hacking my password isn't that great a risk.
I'm also perfectly comfortable with "da goobernmint" scanning my system (with a warrant), because all my "secure" data resides elsewhere, and they won't find so much as a PDF of a bank account statement on the box itself.
I do not fail; I succeed at finding out what does not work.
Passwords are insecure if you are stupid and use crap passwords.
Neither this system nor stupidly complex passwords will stop a hacked DB from leaking.
It is trivial to create huge passwords using sentences and numeral separators instead of spaces. (said numeral wrapping if you reach the end before your sentence ends.)
Throw a non-dictionary word or few in there, the universe will die before it gets cracked.
Microsoft, going on about security of passwords, is priceless considering they fucking gimped Hotmail by limiting password length. (and ironically made it impossible for me to login even when I DO truncate my long password. Great one you IDIOTS, not that I cared, Hotmail is/was trash)
Biometrics are shit. I can't wait for this fad to die. Again. Like 3D.
The W10 preview is all one big browser which connects to MS and requires an MS id to be of any use unless you download third party software. Mail needs an MS id. Calendar needs an MS id and so on and so on. Their privacy policy basically states that you have none and they and their affiliates can do as they please. So why even bother pretending that the information is locked when it will already be stored on their servers and can be accessed without your knowledge.
On another note what good is biometrics if the device can be accessed physically? Is the data encrypted? Can I simply show a picture to the camera? Can my finger be held and swiped? I haven't seen a consumer grade biometrics solution that can't be tricked or worked around. At least with a PIN I enter it wrong three times and bye bye data.
DRM? No thanks, I'll just get it somewhere else...
that I tried, no. We will not be using this. To be fair, I think I've logged into five out of the over two hundred I've tried, but that's still a security problem.
collected by Windows and the device, will be passed on to NSA etc., so as to keep building better and more complete profiles and "timelines" of people and Internet users everywhere, this is worth pointing out.
...and for the uber-security conscious, the bio-readers will contain a small blowdart laced with Anthrax/SARS/poop/whatever. If the wrong person tries to log into your device, PFFT! Poop in the eye!
~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
Who is Microsoft trying to fool?
Also, just call it Windows 8.2.
I'd rather they not try to do that.
Imagine logging in with just a picture of the fingerprint from a cup. no access to the machine even - all you start with is that cup. or a picture of the dude.
like, if it would log in just by the way you look.. just run a video to the computer of the guy. and what if you don't want to open the computer, for whatever reason?
world was created 5 seconds before this post as it is.
How will I log into computers that customers bring to my store? How will I admin the hundreds of computers that I see at customer locations?
Take a good look at the underlying "Palladium" security software, confusingly retitled "Trusted Computing".
Microsoft owns the master keys. Microsoft owns your hardware, software, and personal keys, which they report back to the mothership and keep in "escrow". And they have no public policy for when, how or if they turn those keys over or revoke your own personal keys at the request of the US government, the Chinese government, their own business managers to screw with competitors' personal systems, or that crazy guy Fred who just got a job as a janitor and cleans the room with the computers with the screens left open with access to the keys.
Yeah, I really trust them to protect biometric identification of my every login and personal correspondence.
Comes with a rectal probe.
"delivering enterprise grade security and privacy"
:)) So, good luck with all that :))
Somewhat offtopic: I'd so wish people would stop flinging this phrase around, like it would actually exist... That enterprise grade security has failed millions of people over the years, sometimes quite spectacularly. Adding a heuristic set of mixed-up unreliable biometrics won't change that, but it will make your life hell, when it fails (as it inevitably will). All that incorporated into an OS that likes to call home more often than an average person calls their Mom.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
If you think that is bad, try using one as the user ID and the password. We did that, and due to the birthday paradox, we had quite a few employees that logged in as the wrong user. That was with a Dell Latitude D820 in 2008 so maybe the scanner is better now, but then it was terrible.
"The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password."
Fabulous. So in the Brave New World of Windows Hello, a "hacker" is a guy with an axe and a microwave.
And I'm the one they call "Lefty".
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Introducing the new Microsoft Biometric Login Dildo. It identifies you by your anal signature.....or whatever....
they installed ultrasonic harassment coming from computer every 3-4 minutes in the note of e/f
I trust you at Microsoft to create an operating system that sort of works, I do NOT trust you guys at Microsoft to guard or guarantee my privacy, nor offer proper security.
I pretty much see Microsoft and the Windows products as some kind of NSA tool at this point in time. :(
To all M$ management,
We the users of our product have no interest in your attempts to turn it into a walled garden. This means we do not want you to have access to personal information like retina scans and fingerprints.
It also means most of us have no interest in your live accounts. I got one of those accounts when hotmail stopped (I know, hotmail, but everyone needs a spam mail address right?) and ever since M$ took them in they suddenly need a different E-mail address, telephone numbers and other personal information I don't want any company to know. Especially not big companies with so many MBAs employed that all ethics went out the window ages ago.
Furthermore, as users of your product we find you should be spending much more time on making your product stable, fast and lightweight rather than trying to bury us all in useless whistles and bells. All users of your products know they crash with frightening regularity. Maybe instead of wasting all this cash on useless bells and whistles, you might invest in actually adding value to your product.
Now if M$ management MBAs can be somehow convinced to stop trying to enter irrational stupidity into the software product (lynching anyone ;) MBAs don't have souls and therefore we can't be sued right ;) ) the technically capable people in M$ may yet save at least some of win 10.
Full disclosure, yes indeed I own a torch and pitchfork shop, why do you ask ;)
It sounds like a piece of shit.
People are sometimes being compelled to give up their passwords for devices when they cross borders. This could potentially require a person to provide his fingerprint (already required to cross some borders, for some people) and his/her face/voice.
I think this could make it easier for governments to get in your knickers.
Microsoft always does this... There are always new versions coming up without actually introducing meaningful changes that really matter.
Every time you are forced to give a name to make an account use "Luther Blissett"
Windows is a dying breed. Most of its usage is just old PCs in businesses trying to do what they have been doing for years. Is anyone really going to care about innovation that is based upon the Windows platform?
Genius, let's replace a possibly insecure typed password that can be easily changed if it is compromised with a relatively easy to bypass biometric sensor with a "password" (fingerprint, image, etc) that can't be changed at all. That'll improve security for sure!
"Trying to do what they have been doing for years" also means "running some software without needing or wanting anything from the OS rather than a window manager, device drivers, a filesystem, and a networking stack". Just because the "platform" isn't "innovating" doesn't mean that people don't run nifty software on it.
Most of the frustration with Windows comes from trying to get the Microsoft marketing bullshit to fuck off so we can use computers for what computers are for: running software.
... Just because the "platform" isn't "innovating" doesn't mean that people don't run nifty software on it....
I agree. When I asked if innovation in Windows was relevant, I was referring to innovation in the Windows OS itself, not the apps that run on it.
No thanks. Not after the annoyance that is XBox One. They really push you to have an account per person, and to be recognized by Kinect (yes it falls through to password but it's a major pain on the game console). I've had to train my kids where to sit, what they are allowed to be doing or wearing, and how to reset the Kinect, in order to play their games.
Most of the "innovations" are actually detrimental to corporate users who simply are trying to keep everything running and they don't want to climb a learning curve just to get back to their former level of productivity. But that is what MS is pushing. Tinkering under the hood to improve performance is one thing. Arguably Windows 8 is a good OS under a god-awful and painful GUI. Messing with GUIs is probably Microsoft's biggest error. They should provide different GUIs for different installations, but provide a freaking XP/Win7 GUI wrapper for the folks simply trying to get work done on a desktop that have been using that sort of interface for 20+ years.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
If you have no direct physical access to the machine, all you have to authenticate by is the picture or processed picture of your fingerprint or selected other body part.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
This is just the beginning of a long push, to get us ALL hooked into the NWO technocracy. https://www.youtube.com/watch?...