Windows Hello Biometrics: how well do the security options work, what to look out for and when are they appropriate

For years, many security pundits have been saying that passwords must go. Biometrics are one alternative to passwords, but not all security professionals believe they are the best one.

Microsoft Windows 10 provides native support for biometric authentication, and as a result many people are taking a fresh look at the viability of biometric authentication. Windows 10 supports multiple types of biometrics, including fingerprints, facial recognition, and iris recognition. It supports existing fingerprint readers, but facial or iris recognition requires an Intel RealSense 3D infrared camera.

Many existing fingerprint readers are not very good from a security perspective. If you own a PC with a fingerprint reader, be sure to read the fine print. Many come with a warning that the reader is for convenience only and does not provide high security.

I know of at least one person who had a popular business computer with fingerprint authentication enabled. The person was on a conference call and saw that his young nephew was trying to log into the computer using the fingerprint reader. He turned his back and continued with his conference call, assuming the nephew would be occupied swiping his finger but never getting into the computer. A few minutes later he heard various computer noises, turned around and saw that his four-year-old nephew was logged in and opening and closing various programs. The child had gained access simply by persistently swiping his finger across the reader at different speeds and angles.

For facial or iris recognition an infrared camera is required in order to eliminate some of the day-to-day variation in a person’s appearance. For example, a person may or may not have facial hair at different times, or a person may not wear makeup all the time. The infrared technology is also intended to allow facial recognition to work in all kinds of lighting conditions. While Microsoft has experience using this technology with Kinect on Xbox, it remains to be seen how consistent it will be when used by the larger population under the wider variety of conditions that laptop and mobile users impose.

One problem with biometrics is that people change slightly from day to day and under different conditions, so for authentication to work at all, the sample only has to approximately match the original record. This means there is always some threshold of mismatch that will be accepted as a match, and the authentication will succeed. For example, if a person cuts their face while shaving in the morning, the infrared camera is likely to pick that up if used a short time afterwards, but will that discrepancy cause the authentication to fail? Or can someone impersonate another user by using makeup that masks infrared?

There are other concerns with the technology. When using biometrics you can’t replace your face, iris or fingers if the underlying data gets compromised. Windows 10 doesn’t store the raw image of the face, iris, or fingerprint for comparison. Instead it extracts some key metrics from the device and stores those. In some ways this is like storing the hash of a password instead of the clear text of the password. Unfortunately, only time will tell if this “hash” is secure, or if an attacker can predict it and then inject it into the data stream during authentication.
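The threshold trade-off and the limits of the “hash” analogy can be seen in a small model. The Python below is an added illustration, not code from the article and not Windows Hello’s actual template format or matching algorithm: it uses a constructed 256-bit feature template, assumes a genuine user’s features read 10% differently from day to day, and measures how the acceptance threshold moves false rejects against false accepts. It also shows that an exact cryptographic hash of the stored metrics would reject the genuine user, which is why a stored template cannot be protected the way a password hash is.

```python
import hashlib
import random

TEMPLATE_BITS = 256      # size of the constructed toy template (assumption, not a real format)
DAILY_VARIATION = 0.10   # assumed chance that any given feature bit reads differently today

def enroll(rng):
    """Constructed enrollment: a random feature template standing in for stored metrics."""
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]

def hamming_fraction(template, sample):
    """Fraction of feature bits that differ between the stored template and a fresh sample."""
    return sum(a != b for a, b in zip(template, sample)) / len(template)

def verify(template, sample, threshold):
    """Approximate match: accept when the mismatch fraction is within the threshold."""
    return hamming_fraction(template, sample) <= threshold

def genuine_sample(template, rng):
    """Same person on another day: each bit flips with probability DAILY_VARIATION."""
    return [b ^ (rng.random() < DAILY_VARIATION) for b in template]

def impostor_sample(rng):
    """Unrelated person: an independent random template."""
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]

def error_rates(threshold, trials=200, seed=7):
    """Return (false_reject_rate, false_accept_rate) for one acceptance threshold."""
    rng = random.Random(seed)
    template = enroll(rng)
    rejects = sum(not verify(template, genuine_sample(template, rng), threshold) for _ in range(trials))
    accepts = sum(verify(template, impostor_sample(rng), threshold) for _ in range(trials))
    return rejects / trials, accepts / trials

def exact_hash_match(template, sample):
    """Password-style comparison: SHA-256 of the stored metrics must match exactly."""
    digest = lambda bits: hashlib.sha256(bytes(bits)).hexdigest()
    return digest(template) == digest(sample)

def genuine_passes_exact_hash(seed=7):
    """Does a genuine next-day sample survive an exact-hash comparison?"""
    rng = random.Random(seed)
    template = enroll(rng)
    return exact_hash_match(template, genuine_sample(template, rng))

if __name__ == "__main__":
    for t in (0.02, 0.25, 0.49):
        frr, far = error_rates(t)
        print(f"threshold {t:.2f}: false reject {frr:.2f}, false accept {far:.2f}")
    print("exact hash accepts a genuine next-day sample:", genuine_passes_exact_hash())
```

A tight threshold locks out the legitimate user, a loose one lets strangers in, and the exact hash rejects the real user every time; a deployment has to pick a point in between and accept the residual false-accept rate that comes with it.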

Many security professionals are also concerned about the privacy implications of biometrics. There are already articles instructing users who are concerned about privacy to disable biometric authentication, and third-party software is available to disable it automatically. Again, Windows does not store the raw images of a user’s face, iris, or fingerprint. But if the “hash” algorithm becomes known, and someone can harvest large amounts of the stored “hashes” along with information about who each “hash” identifies, then someone holding a raw image could use that data to perform a match. One can imagine an authoritarian government using such data to help identify people who are not in its existing databases of fingerprints and faces.

Organizations that already use multifactor authentication with devices such as SecurID tokens or smart cards should stick with them rather than migrating to the biometric support in Windows 10. On the other hand, the feature might be attractive to some small businesses that cannot afford smart cards or secure tokens.