How Secure Is Windows Hello?
Microsoft's Windows Hello biometric security is now built into laptops, tablets and smartphones. But how does it work, and how secure is it?
Microsoft today (Oct. 6) unveiled several new devices, including two high-end Lumia smartphones, a new Surface Pro tablet and the first Microsoft-branded laptop, the Surface Book. All four include Windows Hello, the biometric-authentication technology Microsoft introduced with Windows 10, but implement it in different ways, with varying levels of security.
Facial recognition
The new tablet, called the Surface Pro 4 (starting at $899), and the Surface Book laptop (starting at $1,499) each come with a Windows Hello-approved facial-recognition camera. The only previously-approved camera was Intel's RealSense F200, which appears on a handful of PCs and uses two separate lenses and an infrared (IR) blaster to get a 3D view of your visage. Since Microsoft didn't mention Intel's camera by name, we'll assume that its products are using a different component with similar capabilities.
MORE: Microsoft's Big Day: Surface Book, Lumia and HoloLens
Windows Hello facial recognition is pretty solid from a security standpoint. Many facial-recognition tools, such as Android's Face Unlock, can be fooled by a life-sized high-resolution photograph, but Windows Hello uses the dual cameras to create a virtual 3D model of the registered user's face. (Users may have to move around while registering themselves so the camera can capture more angles.) Thanks to the IR blaster, the Windows Hello facial recognition can (according to Microsoft) even work in the dark.
Fingerprint reader
The Surface Pro 4 can also be used with an optional keyboard ($130 extra), which has its own option to come with a fingerprint reader (presumably more than $130). Windows Hello handles fingerprint readers well, and is backwards compatible with the finger-swipe readers built into many older business laptops.
But most fingerprint readers can be fooled with a rubber fingerprint. Even Apple's much-ballyhooed Touch ID fingerprint reader can be spoofed by overlaying a fake fingerprint over a living finger, which provides the proof-of-life the Apple technology requires.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
If you're concerned about biometric security for your Surface Pro 4, stick with the built-in facial recognition and skip the fingerprint reader. The Surface Book, which according to Microsoft executive Panos Panay is "the most powerful laptop ever made," doesn't include a fingerprint reader.
Iris or retinal scans — maybe
Today's Microsoft presentation, and a related video, said the Lumia 950 ($549 unlocked) and Lumia 950 XL ($649 unlocked) smartphones include "Windows Hello Beta." Yet because the Microsoft spec sheets we got for the handsets don't mention Windows Hello, and the Microsoft Store page for the 950 XL says only that the device is "Windows Hello ready," we don't know exactly how the biometric-unlocking feature will work on either phone.
We do have a good of how it won't work. The approved Windows Hello facial-recognition camera is four inches wide, so it wouldn't fit on the top edge of a smartphone. And the phones don't appear to have fingerprint readers.
That leaves a few camera-based options: regular two-dimensional facial recognition, iris scans or a retinal scans. Regular facial recognition would be easiest to implement, and, as we've already mentioned, easiest to fool.
Iris recognition, which already exists on a few Android phones, uses a quick burst of infrared light to record the patterns of spots and bands surrounding the pupil in a person's eye. Iris patterns are as unique as fingerprints, and are easy to photograph and match with digitized images. But iris scanners can be fooled by high-resolution photographs.
MORE: High-Resolution Photos Fool Fingerprint, Iris Readers
Retinal scans, also available on a few Android phones, likewise use infrared light, but beam it deep into the pupil to illuminate the complex patterns of blood vessels on the back wall of the eye. As with fingerprints or iris patterns, each person has unique retinal patterns.
Retinal scanning is a little more intrusive than iris scanning, but is harder to fool. You'd have to create a life-sized, three-dimensional fake eyeball with perfectly duplicated retinal patterns to beat it.
Microsoft-provided photos of the Lumia 950 and 950 XL show what may be IR blasters next to the regular lens on the faces of the phones. If so, the phones may have the hardware to perform either iris scans or retinal scans. We're asking Microsoft for further details and will update this story when we learn more.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.