Hackers have recently shown that Windows Hello installations from last year could be fooled easily with only a print out of a picture of your face taken with a near-infrared camera.
Only more recent versions of Windows Hello could not be defeated, and only if more stringent settings were used in the setup, and also when it was set up from scratch.
Despite this major snafu, Microsoft is touting Windows Hello as the solution for password stress, and praised the sophistication of the technology, saying:
The infrared camera in Microsoft Surface devices isn’t just taking your photo for facial identification, says Rob Lefferts, director of program management for Windows Enterprise and Security. “It’s actually building a 3D map of your face. It has depth and characteristics, and we use multi-spectrum analysis so we’re getting multiple images of your face from different perspectives.”
Microsoft pushed biometrics as the password of the future, saying when available roughly 70 percent of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords.
The issue, of course, is that biometric passwords cannot be revoked (you can hardly change your face or fingerprints) making it imperative that Microsoft builds its technology right before exposing “roughly 70 percent of Windows 10 users” with biometric devices to hacks a teenager could easily perform.
Microsoft also touted its involvement with FIDO, who aim to replace password websites with proof of possession of devices. This cross-company initiative uses public key cryptography as the basis of the security model.”
The private key stays on your personal device; “it is never shared over the internet, it is never put in a database,” said Brett McDowell, executive director of the FIDO Alliance. “Instead of a password being stored on the server, only the public key for that account is ever shared with the online application so it can be used to verify what is called a ‘cryptographic signature’ from the user’s device during future authentication challenges.” This process confirms “proof of possession” of the private key without ever sharing the private key itself, he says, “thus ending phishing for credentials and/or reusing stolen credentials from a data breach.”
An issue Windows Phone users of old often faced, however, is finding their platform unsupported by proof of possession devices and authentication apps, making it more and more important to stick to mainstream operating systems.
“It will take time for all the parties, all the important websites and all the important line-of-business applications to adopt this technology, and it will take even more time for users, customers and organizations to make the cultural shift required so that people can really live in this new world,” said Lefferts “But we have the blueprint for accelerating the move away from passwords. The key to success is making sure that the user experience is actually easier and better than what they have with passwords today.”
Read Microsoft’s full blog post here.