Windows 10's Biometric Security Layer Introduced
jones_supa writes: One of the major concepts of Windows 10 is new security ideas, and though Microsoft has touched on this topic before, it's only now giving us a more comprehensive look in the form of "Windows Hello." This is an authentication system that uses a variety of biometric signatures and combines hardware and software to allow for seamless and secure user recognition and sign-in. According to Microsoft, the ideal scenario here would be for you to simply look at or touch a new device running Windows 10 and to be immediately signed in. The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password. But the point of Windows Hello isn't only convenience, as the company's blog post notes, but also security. We've heard time and time again how insecure passwords are, and Microsoft is aiming to offer a widely-deployed replacement while still delivering enterprise-grade security and privacy.
Considering I have heard tales of biometric scanners being bypassed by pressing a warm hot dog against them, I think I'll pass.
I'm sure they've improved, but I don't know that they've improved enough. Plus, I'm not sure I'd want to be auto-logged in by just picking up the device.
Will you have to retrain the mechanism to recognize you every time you switch from Brand A biometric sensor to Brand B? If so, it might not recognize you across devices anyway. It seems attractive in theory but I wonder how practical it will be in practice, since a typical user will have access to a variety of Windows devices at home and work.
Twinstiq, game news
We've heard time and time again how insecure users are.
FTFY. And I don't see how fancy biometric wizardry will fix the users.
Windows secure
Better than Zen
Will it scandal-free insure
Her Majesty, then?
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I've seen cases recently where people crossing the border from one nation to another have been asked to enter their phone or laptop password for inspection. They are at this point free to refuse to divulge this information though there may be the obvious consequences. Using biometrics, would it not be possible for an attacker to simply force one to provide biometrics to unlock a device? What about other attacks such as a spouse unlocking a device using his/her partner's fingerprint while (s)he is asleep? I would think this would open up new security holes for the ones it fixes.
...in case you're in an accident and your hand is cut off, or your face needs to be reconstructed, or whatever else could happen. That mechanism had better be secure as well, and what will it rely on, another password?
Twinstiq, game news
I imagine it would not be stored centrally but in the TPM, where the TPM says yea or nay when presented with the image. In theory the TPM doesn't release the actual key even to the BIOS but rather just does the authentication. But who knows what kinds of attacks they can withstand when physically pulled off the mainboard.
You can expect the "I got locked out of my machine" help calls to go through the roof. Great.
Evidently they did not consult Firefox on the name.
My laptop way back in 2007 running XP had a finger scanner for logins and the like. I guess it's nice if there's a UI/authentication API standardized for which vendors only need to plug in a hardware implementation.
Could they have picked a worse name? "Windows Hello" reminds me of all the awkward conversations I had with nontechnical Windows users about their "My Documents" folder. "Open My Documents." "Your documents?" "No, your My Documents." "My your documents?" "NO!..."
And the biometrics data doesn't have to be saved in the clear anywhere; it can just be encrypted with a one-way crypto algorithm, with the key to encrypt stored in the TPM. Then the device collects the biometrics data, encrypts it with the key in the TPM and compares the resulting signature with the stored encrypted signature. If they match, you are the right guy; if not, you are not authorized. Nobody can steal your biometrics data unless they tamper with the hardware and introduce a hardware trojan horse. Getting the encrypted data will not leak any useful information since it is equivalent to a very long password with very high entropy. A brute force method would take thousands of years to crack it. And getting the key will not help since it is a one-way algorithm and the key is useless to decrypt.
Achille Talon
Hop!
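The scheme in the comment above (a keyed one-way transform whose key stays in the TPM, compared against a stored digest), as an added example that is not from the commenter or from Microsoft. SimulatedTpm, enroll and flip_bit are made-up names and the template bytes are constructed; the noise case shows why an exact-match digest only works on a canonicalised template, which is the part a real matcher must solve before anything is hashed, and the second device shows why enrollment is per device.

```python
import hashlib
import hmac
import secrets


class SimulatedTpm:
    """Stand-in for a TPM. The key is generated inside and never returned;
    callers only get the keyed one-way transform and a comparison."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # stays inside the "chip"

    def derive(self, template: bytes) -> bytes:
        # HMAC-SHA256 as the keyed one-way function over the template
        return hmac.new(self._key, template, hashlib.sha256).digest()

    def verify(self, template: bytes, stored: bytes) -> bool:
        # constant-time comparison so timing does not leak digest bytes
        return hmac.compare_digest(self.derive(template), stored)


def enroll(tpm: SimulatedTpm, template: bytes) -> bytes:
    """Returns only the keyed digest; that is all the OS needs to store."""
    return tpm.derive(template)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulates sensor noise: one differing bit in the captured template."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


# Constructed 32-byte stand-in for a canonicalised fingerprint template.
# Real readers return slightly different samples on every capture.
TEMPLATE = bytes(range(32))

if __name__ == "__main__":
    device_a = SimulatedTpm()
    stored = enroll(device_a, TEMPLATE)
    print("exact template matches:", device_a.verify(TEMPLATE, stored))
    print("one bit of noise matches:", device_a.verify(flip_bit(TEMPLATE, 5), stored))
    # A second device has its own key, so the same finger yields a different digest
    print("digest portable across devices:", enroll(SimulatedTpm(), TEMPLATE) == stored)
```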
If I can log in by singing Total Eclipse of the Heart, that'd be pretty cool. Other than that, giving people two ways to log in instead of one is ridiculous and a horrible idea. It's always biometrics + password backup.
Passwords are not a perfect solution, no one denies that. But overall, they are a good solution, especially when combined with something like an RSA key or Google authentication. Biometrics seems easier and more secure, and on the face of it, it is. The issue with biometrics is that once there is a way around it, there is no way to change it. So your fingerprint is secure today. But tomorrow someone comes up with a way to fake your fingerprint. You are now stuck because you can't change your fingerprint. With a password, if it is hacked you can change it. With biometrics, if they are hacked you are entirely screwed because it can't be changed (which is the point of biometrics). Sorry, I'll stick with passwords for now.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
I've been reading about biometric scanners for over a decade now, starting with the fingerprint reader bar that was on old IBM Thinkpads.
Every single attempt at cheap biometric security has been demonstrated to be insecure or unreliable. When I got my Lenovo laptop, the first thing I uninstalled was their camera-using face scanner software, because I'd read about how easy it was to hack with a photo of the person to be identified.
Sure, there are real biometric devices out there such as government iris scanners and such, but those are not cheap enough for mass deployment. Until such high reliability security devices are available to the consumer at a sane price, I'm going to stick with good old fashioned passwords.
Besides, getting into the machine is only the first step. All that would gain you access to is some personal photographs and documents. Everything else would require access to the keystore and the key passwords for accessing remote servers, so I'm still relatively comfortable that someone hacking my password isn't that great a risk.
I'm also perfectly comfortable with "da goobernmint" scanning my system (with a warrant), because all my "secure" data resides elsewhere, and they won't find so much as a PDF of a bank account statement on the box itself.
I do not fail; I succeed at finding out what does not work.
The W10 preview is all one big browser which connects to MS and requires an MS ID to be of any use unless you download third-party software. Mail needs an MS ID. Calendar needs an MS ID, and so on and so on. Their privacy policy basically states that you have none and they and their affiliates can do as they please. So why even bother pretending that the information is locked when it will already be stored on their servers and can be accessed without your knowledge?
On another note what good is biometrics if the device can be accessed physically? Is the data encrypted? Can I simply show a picture to the camera? Can my finger be held and swiped? I haven't seen a consumer grade biometrics solution that can't be tricked or worked around. At least with a PIN I enter it wrong three times and bye bye data.
DRM? No thanks, I'll just get it somewhere else...
Your long passwords and the biometrics will all succumb to the $5 wrench attack, or the five-year incarceration threat by a government goon.
...and for the uber-security conscious, the bio-readers will contain a small blowdart laced with Anthrax/SARS/poop/whatever. If the wrong person tries to log into your device, PFFT! Poop in the eye!
~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
If you're being tied to a chair and it isn't date night, I'd say the security of your laptop probably shouldn't be your top concern.
I'd rather they not try to do that.
Imagine logging in with just a picture of the fingerprint from a cup. No access to the machine even; all you start with is that cup. Or a picture of the dude.
Like, if it would log in just by the way you look... just run a video of the guy to the computer. And what if you don't want to open the computer, for whatever reason?
The world was created 5 seconds before this post as it is.
How will I log into computers that customers bring to my store? How will I admin the hundreds of computers that I see at customer locations?
But (hopefully) secure from all remote attacks. Kinda the whole idea, I thought.
Your long passwords and the biometrics will all succumb to the $5 wrench attack, or the five-year incarceration threat by a government goon.
A security feature does not have to be perfect to still provide value. If you think about it, almost all security features have some weaknesses or ways to bypass them.
"delivering enterprise grade security and privacy"
:)) So, good luck with all that :))
Somewhat off-topic: I'd so wish people would stop flinging this phrase around, as if it actually existed... That enterprise-grade security has failed millions of people over the years, sometimes quite spectacularly. Adding a heuristic set of mixed-up, unreliable biometrics won't change that, but it will make your life hell when it fails (as it inevitably will). All that incorporated into an OS that likes to call home more often than an average person calls their Mom.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
"The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password."
Fabulous. So in the Brave New World of Windows Hello, a "hacker" is a guy with an axe and a microwave.
And I'm the one they call "Lefty".
I've calculated my velocity with such exquisite precision that I have no idea where I am.
It sounds like a piece of shit.
People are sometimes being compelled to give up their passwords for devices when they cross borders. This could potentially require a person to provide his/her fingerprint (already required to cross some borders, for some people) and his/her face/voice.
I think this could make it easier for governments to get in your knickers.
Microsoft always does this... There are always new versions coming up without actually introducing meaningful changes that really matter.
Windows is a dying breed. Most of its usage is just old PCs in businesses trying to do what they have been doing for years. Is anyone really going to care about innovation that is based upon the Windows platform?
How about a setup where it will shred your data, or just present an empty system, if you log on with a different finger? I.e., right index erases the box, left index does a regular logon.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
"Trying to do what they have been doing for years" also means "running some software without needing or wanting anything from the OS other than a window manager, device drivers, a filesystem, and a networking stack". Just because the "platform" isn't "innovating" doesn't mean that people don't run nifty software on it.
Most of the frustration with Windows comes from trying to get the Microsoft marketing bullshit to fuck off so we can use computers for what computers are for: running software.
... Just because the "platform" isn't "innovating" doesn't mean that people don't run nifty software on it....
I agree. When I asked if innovation in Windows was relevant, I was referring to innovation in the Windows OS itself, not the apps that run on it.
Most of the "innovations" are actually detrimental to corporate users who are simply trying to keep everything running and don't want to climb a learning curve just to get back to their former level of productivity. But that is what MS is pushing. Tinkering under the hood to improve performance is one thing. Arguably Windows 8 is a good OS under a god-awful and painful GUI. Messing with GUIs is probably Microsoft's biggest error. They should provide different GUIs for different installations, but provide a freaking XP/Win7 GUI wrapper for the folks simply trying to get work done on a desktop who have been using that sort of interface for 20+ years.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
If you have no direct physical access to the machine, all you have to authenticate by is the picture or processed picture of your fingerprint or selected other body part.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The goon with the $5 wrench is not pleased. "Ouch time" -- Jarjar
If dealing with a fed goon, obstruction of justice can get you 20 years in federal pound-your-ass prison plus fines.
This is just the beginning of a long push, to get us ALL hooked into the NWO technocracy. https://www.youtube.com/watch?...