Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 10's Biometric Security Layer Introduced

Posted by Soulskill on from the requires-multiple-bodily-fluids-for-authentication dept.

jones_supa writes: One of the major concepts of Windows 10 are new security ideas, and though Microsoft has touched on this topic before, it's only now giving us a more comprehensive look in the form of "Windows Hello." This is an authentication system that uses a variety of biometric signatures and combines hardware and software to allow for seamless and secure user recognition and sign-in. According to Microsoft, the ideal scenario here would be for you to simply look at or touch a new device running Windows 10 and to be immediately signed in. The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password. But the point of Windows Hello isn't only convenience, as the company's blog post notes, but also security. We've heard time and time again how insecure passwords are, and Microsoft is aiming to offer a widely-deployed replacement while still delivering enterprise grade security and privacy.

5 of 138 comments (clear)

  1. Re:Who you gonna call? by AchilleTalon · · Score: 3, Informative

    And the biometrics data hasn't have to be saved in clear anywhere, it can just be encrypted with a one-way crypto algorithm with the key to encrypt stored in the TPM. Then, the device collects the biometrics data, encrypt it with the key in the TPM and compare the resulting signature with the stored encrypted signature. If they match, you are the right guy, if not you are not authorized. Nobody can steal you biometrics data unless they temper with the hardware and introduce an hardware trojan horse. Getting the crypted data will not leak any useful information since it is equivalent to a very long password with very high entropy. A brute force method would take thousands years to crack it. And getting the key will not help since it is a one-way algorithm and the key is useless to decrypt.

    --
    Achille Talon
    Hop!
  2. Re:No thanks... by Anonymous Coward · · Score: 5, Informative

    The Microsoft account is optional. I don't use it. Please update your FUD accordingly.

  3. Re:No thanks... by vux984 · · Score: 5, Informative

    yo have to go to something that looks like a failure state before you can create a local account. fucking ridiculous.

    Not quite. It prompts you to sign in with your existing Microsoft account. At the bottom of that screen, it says "Don't have one? And a link to "create a new account".

    Contextually that, for a lot of people is interpreted to mean "Create a new Microsoft account" however, if you click it you are presented with an account creation page for a Microsoft account but at the bottom it offers another link "Sign in without a Microsoft account" and you can create a local account from there.

    The fail state you refer to is the -other- way of reaching the same page -- where you enter dummy microsoft credentials in; force it to fail to login; and that lands you on a page where you can create a local account as well.

    However, the "proper" way to reach the local account option is the first:

    Create new Account
    Sign in without a Microsoft account

    So its not as bad you suggest, I agree it's just obscure enough to be misleading.

    For what its worth a lot of OEMs are shipping with a local user account pre-configured or are otherwise customizing it to create a local account by default.

  4. Re:No thanks... by Vlado · · Score: 3, Informative

    Maybe the experience there was customized. But if you want to create your local account on Windows 8.1 you are pretty much forced to go to the selection, which you would look at if you were about to create a Microsoft account and THEN there is a way to create it locally.
    Here is instruction list from MS site on how to create a local account from within the Windows itself (not easy).

    Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you're using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)
    Tap or click Accounts, and then tap or click Other accounts.
    Tap or click Add an account, and then tap or click Sign in without a Microsoft account (not recommended).
    Tap or click Local account.
    Enter a user name for the new account.
    If you want this person to sign in with a password, enter and verify the password, add a password hint, and then tap or click Next.
    If your PC is on a domain, depending on the domain's security settings, you might be able to skip this step and tap or click Next, if you prefer.
    Tap or click Finish.

  5. Re:No thanks... by LordLimecat · · Score: 3, Informative

    He is in fact correct. They make it somewhat difficult to avoid being sucked into a Microsoft account, though there are ways to force it to desist. SkyDrive (or whatever its called now) also tries pretty hard to pull you in, though again you CAN force it to back off somewhat.