How Secure Is Windows Hello?

Microsoft today (Oct. 6) unveiled several new devices, including two high-end Lumia smartphones, a new Surface Pro tablet and the first Microsoft-branded laptop, the Surface Book. All four include Windows Hello, the biometric-authentication technology Microsoft introduced with Windows 10, but implement it in different ways, with varying levels of security.

Microsoft's Surface Book laptop. Credit: Microsoft


Facial recognition

The new tablet, called the Surface Pro 4 (starting at $899), and the Surface Book laptop (starting at $1,499) each come with a Windows Hello-approved facial-recognition camera. The only previously approved camera was Intel's RealSense F200, which appears on a handful of PCs and uses two separate lenses and an infrared (IR) blaster to get a 3D view of your visage. Since Microsoft didn't mention Intel's camera by name, we'll assume that its products are using a different component with similar capabilities.


Windows Hello facial recognition is pretty solid from a security standpoint. Many facial-recognition tools, such as Android's Face Unlock, can be fooled by a life-sized high-resolution photograph, but Windows Hello uses the dual cameras to create a virtual 3D model of the registered user's face. (Users may have to move around while registering themselves so the camera can capture more angles.) Thanks to the IR blaster, the Windows Hello facial recognition can (according to Microsoft) even work in the dark.

Fingerprint reader

The Surface Pro 4 can also be used with an optional keyboard ($130 extra), which has its own option to come with a fingerprint reader (presumably more than $130). Windows Hello handles fingerprint readers well, and is backwards compatible with the finger-swipe readers built into many older business laptops.

The Surface Pro 4, with the non-fingerprint-reading keyboard. Credit: Microsoft


But most fingerprint readers can be fooled with a rubber fingerprint. Even Apple's much-ballyhooed Touch ID fingerprint reader can be spoofed by overlaying a fake fingerprint over a living finger, which provides the proof-of-life the Apple technology requires.

If you're concerned about biometric security for your Surface Pro 4, stick with the built-in facial recognition and skip the fingerprint reader. The Surface Book, which according to Microsoft executive Panos Panay is "the most powerful laptop ever made," doesn't include a fingerprint reader.

Iris or retinal scans — maybe

Today's Microsoft presentation, and a related video, said the Lumia 950 ($549 unlocked) and Lumia 950 XL ($649 unlocked) smartphones include "Windows Hello Beta." Yet because the Microsoft spec sheets we got for the handsets don't mention Windows Hello, and the Microsoft Store page for the 950 XL says only that the device is "Windows Hello ready," we don't know exactly how the biometric-unlocking feature will work on either phone.

The Lumia 950, left, and the Lumia 950 XL. Credit: Microsoft


We do have a good idea of how it won't work. The approved Windows Hello facial-recognition camera is four inches wide, so it wouldn't fit on the top edge of a smartphone. And the phones don't appear to have fingerprint readers.

That leaves a few camera-based options: regular two-dimensional facial recognition, iris scans or retinal scans. Regular facial recognition would be easiest to implement, and, as we've already mentioned, easiest to fool.

Iris recognition, which already exists on a few Android phones, uses a quick burst of infrared light to record the patterns of spots and bands surrounding the pupil in a person's eye. Iris patterns are as unique as fingerprints, and are easy to photograph and match with digitized images. But iris scanners can be fooled by high-resolution photographs.


Retinal scans, also available on a few Android phones, likewise use infrared light, but beam it deep into the pupil to illuminate the complex patterns of blood vessels on the back wall of the eye. As with fingerprints or iris patterns, each person has unique retinal patterns.

Retinal scanning is a little more intrusive than iris scanning, but is harder to fool. You'd have to create a life-sized, three-dimensional fake eyeball with perfectly duplicated retinal patterns to beat it.

Microsoft-provided photos of the Lumia 950 and 950 XL show what may be IR blasters next to the regular lens on the faces of the phones. If so, the phones may have the hardware to perform either iris scans or retinal scans. We're asking Microsoft for further details and will update this story when we learn more.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.