Microsoft is planning to make Windows 10 PCs work without passwords. While the company has been working on removing passwords from Windows 10 and its Microsoft Accounts for a number of months now, the next major update to Windows 10 next year will go one step further. You’ll soon be able to enable a passwordless sign-in for Microsoft accounts on a Windows 10 device. This means PCs will use Windows Hello face authentication, fingerprints, or a PIN code. The password option will simply disappear from the login screen, if you decide to opt in to this new “make your device passwordless” feature.
I’m totally on board with this – I love the depth sensor-based Windows Hello on my Dell XPS 13 – but a big problem is that it’s so difficult to get Windows Hello facial recognition on a regular desktop. Only very few cameras actually have the required sensors – not even Microsoft’s own webcams support Windows Hello – making it hard to opt into this passwordless future.
Any company that can make an affordable Windows Hello sensor that’s small and easy to attach to a display gets my money.
Interesting! I’m in favor of a combination of face recognition and a short PIN code, maybe with a complex password or private key as backup.
A quick search reveals that there is an initiative for Linux too:
https://github.com/boltgolt/howdy
That’s fine as long as one always has the option to use a password.
Why is it hard to type a password? I have a complex password and my fingers type it without thinking. What’s the difference between a few seconds of typing and other options? Usually I’m even thinking about other things while typing my password. In fact, if I had to rely on some kind of sensor, then my face has to be somewhere – and the light has to be right, etc, etc. My room has highly variable lighting because I like a lot of colors so they always cycle (think stage lighting). In a webcam, half the time the exposure is attempting to catch up if I put it on auto.
On a PC with a keyboard, it’s totally easy to type a password. I don’t want a camera sensor on, at all, without my say so. I cover all cameras on my laptops, including mics, until I’m going to use them. Why? I don’t want corporate listening devices in my environment where their motivation is to get as much money out of me as possible. I understand they need to run businesses, but you want me to put facial recognition in my home? I don’t think so. That’s not flying here. And yes, I have a real Faraday bag for electronics (that works). *I* manage the security I can manage. I don’t want to farm out my computer’s security to Microsoft, or facial recognition, or fingerprint sensors. In order to break or get passwords, something bad has to happen. Either someone somewhere has to do something very untoward, or companies have to break the law. We know with “home security cameras” what happens. One popular company had a huge directory with people’s movies in it, and some of the people in the company were viewing the videos for fun. Let’s remember, these are – humans – we are talking about.
The passwordless future seems to intimate that I am ok with depending on someone else’s recognizance when it comes to my security. If I have control of the EM bands, and the TCP/IP communications of all hardware, maybe I might go for it. If I have to trust a profit-centered company for my security, no go.
The whole pin system and otherwise seems to be a workaround for the problems posed by using an online account password as a local login. For my laptop I went back to a local password after a few struggles due to not being connected to the internet when logging in. It’s a solution to a problem they invented.
For a single computer, PIN and password don’t *look* different (other than the UI encouraging short/simple PINs). My understanding is that the difference is that a PIN is a password that is checked by the TPM as opposed to a hash in a password file. The TPM is theoretically designed to prevent direct access to the hash and to prevent brute force attacks on the password. I assume they’re using the term “PIN” instead of “password” because this is similar to how an unlock PIN on a phone is handled. (A quick search found this documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password )
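The difference the comment above describes, as an added illustration that is not part of the thread: a simplified model (constructed values, not Windows’ actual TPM policy) contrasting a salted hash that can be copied off disk and tested offline with a hardware-style gate that never exports the secret and locks after repeated failures.

```python
import hashlib
import hmac
import itertools
import time

SALT = b"constructed-demo-salt"    # constructed demo value

def all_pins():
    # Every 4-digit PIN in order: only 10,000 candidates.
    return ("".join(d) for d in itertools.product("0123456789", repeat=4))

def hash_pin(pin: str, salt: bytes = SALT) -> bytes:
    # Password-file style: a salted hash that can be copied off the disk.
    return hashlib.sha256(salt + pin.encode()).digest()

def offline_guesses_needed(stored_hash: bytes, salt: bytes = SALT) -> int:
    # Risk estimate: whoever holds the hash can test every candidate offline;
    # only CPU time limits the attempt count. Returns the number of tries.
    for n, candidate in enumerate(all_pins(), 1):
        if hmac.compare_digest(hash_pin(candidate, salt), stored_hash):
            return n
    return 0

class TpmLikeGate:
    # Simplified model of a hardware-gated check: the secret stays inside the
    # device, try_pin() is the only interface, and repeated failures trigger
    # an anti-hammering lockout (5 tries / 60 s are constructed values).
    def __init__(self, pin: str, max_failures: int = 5, lockout_seconds: float = 60.0):
        self._pin = pin            # never exported: no hash to attack offline
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def try_pin(self, guess: str, now=None) -> str:
        now = time.monotonic() if now is None else now
        if now < self.locked_until:
            return "locked"        # refused without evaluating the guess
        if hmac.compare_digest(guess, self._pin):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "wrong"

def guesses_evaluated(gate: TpmLikeGate, attempts: int, now: float = 0.0) -> int:
    # How many of `attempts` sequential guesses the gate evaluates in one window.
    return sum(gate.try_pin(c, now=now) != "locked"
               for c in itertools.islice(all_pins(), attempts))
```

With the hash, the whole 4-digit space is checked in milliseconds; the gate evaluates only five guesses before refusing the rest until the lockout expires.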
Typing passwords is easy. Remembering tons of passwords and making these good enough is damn hard for non-tech people. I do totally agree that a password option is mandatory, because I want my freedom of not unlocking my computer, which has encrypted partitions, and I do not want to self-incriminate to police or state force. But I would rather have the average Joe unlock his computer with his smartphone, face analysis, fingerprints or whatever, than use “password” or his wedding date as an easy-to-remember password.
I like the multi-factor authentication, and I’ve often wondered why it can’t be a combination of biometric (voice, face, fingerprint) and PIN with a password backup.
Soon a chip will be all you need? In your forehead or on your right hand..? :-O And it will be hooked up to that beautiful 5G network.
This is going to utterly destroy enterprises that use password policies, rotation, etc. and rely on Active Directory rather than online Microsoft accounts if it gets rolled out to Pro and Enterprise SKUs. I can’t imagine they’re that stupid, but maybe I’m wrong.
Well, password policies don’t actually help. All you get from a password policy is people writing down passwords.
The only way to make a password more secure is to make it longer. A more complex password is not more secure, it is just less easy to memorize.
TL;DR:
https://xkcd.com/936/
Combine a really long passphrase that you remember really well with 2FA and you’re way better off than with a “strong” password.
Spoiler alert: They aren’t that stupid. They are still releasing patches for Windows XP, for heaven’s sake. They won’t kill the golden goose of Windows adoption by screwing over their most valuable customers.
Obvious question – how secure is Windows facial recognition?
For all I know, every facial recognition system in the “mass market” has been fooled by cleverly made things based on photographs so far…
“Any company that can make an affordable Windows Hello sensor that’s small and easy to attach to a display gets my money.” – the problem being that since it’s an external device, it poses a *huge* security risk: it would be easy to spoof with a microcontroller that acts like a USB device and has someone’s 3D profile stored on it. That’s why it must be built-in, tamper-proof.
PIN means you will have to use a Microsoft account… which I don’t want to use at all. If they go that way, I will use an anonymized smartcard or USB key; I refuse to use any online account. The trend to integrate OS authentication with online services is disgraceful and violates privacy.
I don’t really know what Windows Hello is, but by the talk I read here, I don’t want to use it. I’m against all that crap that depends on online external services. A good password is more secure than that.
In my opinion, desktop OSes have reached a peak of technical features and performance, now it’s just services that are being bundled on top and discussed as being “part” of the OS, which of course is complete bullcrap.
I’m just worried about the data leaking out. What happens if the face image depth data (or, in the case of fingerprint sensors, the fingerprint data) gets leaked?
And it will leak! They always do :\
I can easily change my password, but depth and fingerprint data is associated with me forever.
From a security standpoint, this is pretty freaking dangerous and reckless, if you ask me.
(and don’t get me started on privacy issues)
Repeat after me: biometric data is the USERNAME, NEVER the PASSWORD. Using biometric data as a password is beyond retarded as the moment it leaks, you’re screwed. What are you going to do, get plastic surgery every time you need to “change your password”?
biometric data is the USERNAME, NEVER the PASSWORD.
I’ve really grown in favor of things like security keys. I have the YubiKey set up as 2-factor auth and it’s great. I got the USB-C version, so I just keep it on my keychain with a backup key stored elsewhere. I wish more websites supported it as well as Google does.
Some have OTP codes or whatever, but I just find the whole process confusing. It probably isn’t, but I can’t be bothered. I like Google. Just plug in the key, it sets it up, and that’s it from then on.
A security key and a code/pw of some sort is pretty good in my view.