Microsoft's Windows Hello biometric secure authentication was first revealed back in March. We reported in more detail about the technology, which Microsoft claims is "much safer than traditional passwords," just over a month ago. At that time WinSuperSite published a demo showing the password-alternative system in action on a Windows 10 system equipped with an Intel RealSense camera.
Windows Hello uses asymmetric key cryptography technology combined with personal biometrics from your face, iris or fingerprints. Microsoft says this leaves hackers "nothing to steal" – so they can't copy your PIN, keylog your passwords etc. So how reliable, secure and foolproof is this kind of authentication?
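To make the "nothing to steal" claim concrete, here is an added model of the kind of flow the paragraph describes; it is illustrative code written for this page, not Microsoft's implementation. It assumes an Ed25519 key pair standing in for the device-bound key, a server that stores only the public half, and a biometric matcher simplified to an exact template comparison (constructed sample templates `TEMPLATE-A` and `TEMPLATE-B` stand in for two faces). The server never sees a password or the biometric, only a signature over a fresh challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for the user's PC. The private key is generated here and
// never leaves; it can only sign after a local biometric match.
type Device struct {
	priv         ed25519.PrivateKey
	enrolledFace string // constructed stand-in for the locally stored face template
}

// Server stands in for the site or service being logged into. It holds only
// public keys, which is why a breach of its database yields "nothing to steal".
type Server struct {
	pubKeys map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{pubKeys: make(map[string]ed25519.PublicKey)}
}

// Enroll creates the device-bound key pair and registers only the public half.
func Enroll(srv *Server, user, faceTemplate string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.pubKeys[user] = pub
	return &Device{priv: priv, enrolledFace: faceTemplate}, nil
}

// Challenge returns a fresh random nonce; a new one per attempt defeats replay.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// SignChallenge is the "Hello" gesture. The matcher is simplified (assumption)
// to an exact template comparison; a real face matcher is probabilistic, which
// is exactly what the twin experiment probes.
func (d *Device) SignChallenge(presentedFace string, nonce []byte) ([]byte, error) {
	if presentedFace != d.enrolledFace {
		return nil, errors.New("biometric mismatch: private key stays locked")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// Verify checks the signature with the stored public key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// Login runs one complete challenge-response attempt.
func Login(srv *Server, dev *Device, user, presentedFace string) (bool, error) {
	nonce, err := srv.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := dev.SignChallenge(presentedFace, nonce)
	if err != nil {
		return false, err
	}
	return srv.Verify(user, nonce, sig), nil
}

// ReplayIsRejected shows why the server issues a fresh nonce each time: a
// signature captured from one login is useless against the next challenge.
func ReplayIsRejected(srv *Server, dev *Device, user, presentedFace string) (bool, error) {
	nonce1, err := srv.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := dev.SignChallenge(presentedFace, nonce1)
	if err != nil {
		return false, err
	}
	nonce2, err := srv.Challenge()
	if err != nil {
		return false, err
	}
	return !srv.Verify(user, nonce2, sig), nil
}

func main() {
	srv := NewServer()
	dev, err := Enroll(srv, "twin-a", "TEMPLATE-A") // constructed sample template
	if err != nil {
		panic(err)
	}
	ok, _ := Login(srv, dev, "twin-a", "TEMPLATE-A")
	fmt.Println("enrolled face logs in:", ok)
	_, err = Login(srv, dev, "twin-a", "TEMPLATE-B")
	fmt.Println("different template:", err)
	rej, _ := ReplayIsRejected(srv, dev, "twin-a", "TEMPLATE-A")
	fmt.Println("replayed signature rejected:", rej)
}
```

The point the model makes is that the security of the scheme rests on two things the server cannot leak: the private key, which stays on the device, and the local matcher decision that gates its use. The twin test described below is a test of that second gate, not of the cryptography.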
Yesterday the newspaper The Australian published its findings from testing Windows Hello with an eye on trying to 'derail' the system. The question it set out to answer: once Microsoft's new secure authentication system has learned one face, could it be bypassed with the face of an identical twin?
According to the newspaper, one per cent of the population is an identical twin, so it is quite a common feature of the population. The Australian managed to get six pairs of identical twins into its offices to see if it could hoodwink Windows Hello. I know that's not a very big sample, but it's still an interesting experiment.
Again, this demo used an Intel RealSense camera setup. Intel focussed quite strongly on this camera hardware in its IDF 2015 keynote and in partner announcements earlier this week. The newspaper's reporter said that the face login "worked a treat" for him, and was keen to see whether the twins could sneak past the face-based authentication into their sibling's account.
The procedure was as follows:
"One twin would register a Windows account on the Lenovo Thinkpad and go through the face registration process. Users could enhance the camera’s accuracy by registering variations in appearance, such as wearing glasses.
The first twin would make sure the computer reliably identified them before the moment of truth arrived. Could the second twin trick the camera?"
In one instance the system refused to log in both twins after the setup procedure, a false rejection rather than a false acceptance. However, there was never a false positive: there was "no case of it wrongly granting access".
In the wake of many recent stories of mass password and consumer data leaks, maybe this kind of system is going to find favour. Perhaps more companies should make use of Microsoft Passport, the application and website authentication system built on the Windows Hello technology. Microsoft says that the biometric key is stored only on the device where facial recognition is established, and is usable only with it. It claims that its false acceptance rate is lower than one in 100,000.