That said, the whole device-based authentication piece seems useful. A Windows 10 computer is now one factor in a 2FA scheme and the OS (and at least one of its browsers) gets to be directly integrated into Microsoft's SSO scheme.
Before long, I can imagine someone being able to build facial models capable of fooling recognition systems using only a few source images. Your fingerprints are everywhere. Iris would be a bit harder, for now, but potentially possible with an image of high enough resolution.
That's why these should be used only as a replacement for usernames and not for passwords.
https://www.cylab.cmu.edu/research/projects/2012/long-range-...
In fact my research lab recently received a donation of high power telescopes after being used for testing extremely long range iris identification technology. I'm not sure if the project was scrapped or if they are planning on continuing development.
A lot harder with biometrics.
> Likewise, I'm curious if there's a fallback authentication method for people who lose a finger, get their faces deformed, etc.
Deformation is a very real challenge for biometrics, but there is also a lot of active research in the area.
http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm
Plus it's pretty difficult to reissue a biometric ID if it is compromised.
A biometric is both a 'username' and a 'password' - for instance, when you access your computer/device/whatnot you type in your username and your password to identify to the system that you are requesting access (on mobile the account is implied). When using a biometric, the system will have a stored template (similar to a password) that it associates to the system user account, and in ideal situations you (the user) do not need to do anything other than be present to access the system resources. It's a difference between identification and verification. Do you go to your friends each time they ask you something and say "are you so and so?", or have you already identified who they are? Based on the video it seems that MS is starting to understand this difference. Check out the video at ~2:35. He sits down at the login screen, and it just opens the desktop. For consumer applications this is really the goal of any biometric system.
Now spoofing and biometric template data being stolen are still real problems. Unfortunately, spoofing is not a very hot topic in the biometric field (usually conferences only have a relatively small percentage of papers on the subject), but given more consumer applications I'm hoping more funding will start to head that way. Concerning biometric template data, no, you can't change it in its most raw format; your fingerprint is static... that's what's so great about it. However, there are methods such as key-binding where the template is itself encrypted with a private key. This however leads to more passwords... In any case, it's unfortunately up to companies like MS to start paving the way to successful implementations - if the data breaches we hear about almost monthly (Uber, Target, etc.) are any indication, your password is just as at risk as your fingerprint.
This is true, but usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.
"your password is just as at risk as your fingerprint."
Also true, but what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face. With existing password infrastructures after a breach the infrastructure can be upgraded to prevent that breach, then the users can be told to change their passwords, then that vulnerability is closed. Once a person's biometric data is stolen (or just taken from the hundreds of sources of our biometric data we leave around daily in the form of pictures and fingerprints) that's it, you can't close whatever breach they used to get in and then move on, because the user can't change their "password" to one that has not been compromised. That account is forever breached.
Biometrics violate several of the requirements for something that can be used as authentication, which is why they are great as identifiers, but terrible as authenticators.
Yeah, I see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.
> what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face.
I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story... I've been using the Thinkpad fingerprint reader for years and love it.
In the future the bottom 64 bits of your IPv6 address will be a unique biometric identifier that all licensed internet devices must collect and send with each and every packet.
Two things - let's assume these companies follow best practices and both the fingerprints, biometric details and passwords are all hashed. Still:
a) Unlike a password your biometric data is publicly obtainable.
b) You cannot change your biometric data after it's been compromised.
> As someone who actively researches biometric authentication,
If you are an expert in the field - I think you are doing people an active disservice by telling them the security is just as good.
Finally I think typing passwords just isn't that hard - everyone is used to it by now. I may be odd in this - but it's hard for me to see the greater degree of convenience as a huge breakthrough (even without the security implications).
Read the post, I never discuss the security or merit of a biometric versus a standard user/pass login. I only discuss the advantages/disadvantages and goals of each system. If you inferred a recommendation for one or the other then you misunderstood.
> Finally I think typing passwords just isn't that hard - everyone is used to it by now. I may be odd in this
I completely agree. However, when you see people go to their 'secret drawer' and open up their password book to login to X, then you realize it's a fundamentally broken system (just as using a raw biometric is).
Latent fingerprints, high resolution video, Facebook profiles... all examples of how I can pick up someone's biometric. This is not an unknown problem.
> 2: once compromised, you can't reset your biometric profile.
Clearly. Just based on the definition you can draw that conclusion - a unique, unchanging trait that is used to separate the user from a group.
Common and justified criticisms that people think are just the 'silver bullet' of why a biometric should never be implemented. I've posted replies to these a few times. Feel free to check them out.
Either way, the difference between a corporate login system, and me logging into my laptop is huge. MS implementing a biometric for a consumer laptop is fitting given the current state of the field. Use it or don't, no one is forcing you.
However, I always have the choice of not giving up my passwords, under (even painful) threat. Also, someone cannot get my passwords if I am dead. Ever.
Unfortunately, with biometrics, it is quite easy to force me to put my face/finger/iris in front of the machine and unlock it. Even if I am (freshly) dead.
Not that cool, really.
In the real world, torture is a fairly effective way to make somebody divulge information, especially in the case where it can be readily checked (by trying the password they divulge). It's a fairly well proven fact that living beings will do pretty much anything to make the pain stop. For recent reference, this HN article, where he repeatedly complied with demands, even including lying about being tortured, in the hope that it would make the torture stop:
You actually really need the three of them. The last one prevents the <Torture to death> scenario.
99.9999% of the time this comes up in real life, it's an inconvenience.
Passwords are only broken because for most intended purposes they act as a symmetric key that you happen to leave around everywhere and when it leaks, you have a problem.
If we had a web standard for asymmetric key authentication, you just unlock your device and your device authenticates you. A leaked public key (created for a single service) is useless.
And once you only need to unlock ONE device, you might as well remember that single password, because at that point it is way more secure than a fingerprint.
Of course devices break and get stolen, so you need to back up your keychain, and I bet that is exactly what MS Passport does for you, which is why it will never be adapted by other vendors.
Also, after everything we know about Microsoft and the security services, there's absolutely no way I'd give them my biometric data.
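The per-service key-pair login described in the comment above, sketched as an added example that is not part of the original thread or any vendor's code. The `Device` and `Service` classes and the `a.example` / `b.example` origins are hypothetical; signing uses Ed25519 from Node's built-in `crypto` module.

```javascript
const crypto = require("crypto");

// Device side (hypothetical): one Ed25519 key pair per service; private keys stay here.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) throw new Error("no key for " + origin);
    // Bind the signature to the origin so it cannot be relayed to another service.
    const msg = Buffer.concat([Buffer.from(origin + "\n"), challenge]);
    return crypto.sign(null, msg, key);
  }
}

// Service side (hypothetical): stores only public keys, so a database leak
// yields nothing that can be used to log in here or anywhere else.
class Service {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.users.get(user);
    if (!nonce || !pem) return false;
    this.pending.delete(user); // single use: a replayed response fails
    const msg = Buffer.concat([Buffer.from(this.origin + "\n"), nonce]);
    return crypto.verify(null, msg, crypto.createPublicKey(pem), signature);
  }
}

function demo() {
  const device = new Device();
  const a = new Service("https://a.example"); // constructed sample origins
  const b = new Service("https://b.example");
  a.enroll("alice", device.register(a.origin));
  b.enroll("alice", device.register(b.origin));
  const sigA = device.sign(a.origin, a.challenge("alice"));
  const ok = a.verify("alice", sigA);        // fresh challenge, right key
  const replay = a.verify("alice", sigA);    // nonce already consumed
  b.challenge("alice");
  const crossSite = b.verify("alice", sigA); // different key and origin
  return { ok, replay, crossSite };
}
```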
http://lilyasussman.com/2009/11/30/im-sorry-but-we-blew-up-y...
Actually the reference doesn't totally work in hindsight because she was never asked for her password, but it seems as though it was encrypted and hence they just destroyed her laptop instead of asking her for the pw. If it had biometrics they might have just forced her to open it. So actually, the example might work after all.
No matter what is on the device, border security shouldn't be able to access it without probable cause for a search, and knowing what they are looking for.
From what I understand this is simply not true - could someone with a security background weigh in if this statement has any basis (were they comparing to <first_name>-"1234" and "user"-"password")?
and later in the webpage:
all OEM systems incorporating the Intel® RealSense™ 3D Camera (F200) will support the facial and iris unlock features of Windows Hello
So by reading this we can assume it does more than 2D recognition since this is a "3D Camera"
However, if I were to pick, I'd go for fingerprint recognition instead. Images of people's faces are everywhere online. It's much less likely to have a good photo of your fingerprints.
As Raymond Chen likes to say, "it rather involved being on the other side of this airtight hatchway." Once you have root, yes, you have compromised the machine.
edit: the article does not cover using your voice. I'm 99% sure they demoed to us the ability to use a custom phrase to authenticate with your voice as well.
Can you clarify what you mean by that? People like to parrot it, but few if any will explain why they feel that way.
If you simply mean that you don't find it secure enough, wouldn't that really depend on the use-case? For example, what may not be secure enough to log into a DC, may be secure enough to let the secretary log into their computer which just has access to address books and calendars. It is all relative.
Some biometric systems are fairly secure, like fingerprints. The cost and skill required to extract and reproduce a fingerprint so it is scannable make it a non-trivial affair. While the security services and a dedicated adversary could, for 80%+ of normal computer users it is a non-threat.
Android's face unlock may have been trivially beaten but it reads like Microsoft are using multi-level photography (i.e. both IR for under-the-skin and visible light for on-the-skin) to extract a layered model of a person's face and head which could (maybe) prove harder to bypass with just a photograph.
Biometric data are not secret (face, fingerprints, voice) nor can they be changed.
That means they are easy to forge and hard to revoke when compromised, and at most they can be useful as identification, like your email, and not as a password.
I wonder why no one thought of biometric identification with a hardware token which plays a one-time tone outside the audible spectrum. That would be incredibly convenient for users and still quite resilient. Just throw in side channel auth like phone message for unknown position or devices and off you go.
It identifies who you are talking to, which is not the same as confirming who you are talking to (verifying authenticity of identity.)
I'd assume it's doing the equivalent of password hashing, so the authentication mechanism just verifies a hash match.
Technically that is also the human element but I think you are talking specifically about users.