Windows Hello can't be fooled by your identical twin

by Mark Tyson on 21 August 2015, 10:10

Tags: Microsoft (NASDAQ:MSFT), Windows 10


Microsoft's Windows Hello biometric secure authentication was first revealed back in March. We reported in more detail on the technology, which Microsoft claims is "much safer than traditional passwords," just over a month ago. At that time WinSuperSite published a demo showing the password-alternative system in action on a Windows 10 system equipped with an Intel RealSense camera.

Windows Hello uses asymmetric key cryptography technology combined with personal biometrics from your face, iris or fingerprints. Microsoft says this leaves hackers "nothing to steal" – so they can't copy your PIN, keylog your passwords etc. So how reliable, secure and foolproof is this kind of authentication?
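To make the "nothing to steal" claim concrete, here is an added example (not Microsoft's code and not from the article) of the asymmetric-key model that Windows Hello, and Microsoft Passport later in this piece, are built on. It is written in Go using only the standard library's ed25519. The `Device` and `RelyingParty` types, the string stand-in for a biometric template and the sample user names are all constructed for illustration; a real matcher scores features against a threshold rather than testing equality, and the real private key lives in hardware-protected storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device holds the private key, which never leaves the device. The enrolled
// template is a constructed string stand-in; a real matcher compares
// biometric features against a threshold rather than testing equality.
type Device struct {
	priv         ed25519.PrivateKey
	enrolledFace string
}

// RelyingParty (the app or website) keeps only public keys, so a breach of
// its user database yields nothing that can be used to sign a login.
type RelyingParty struct {
	pubKeys map[string]ed25519.PublicKey
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: make(map[string]ed25519.PublicKey)}
}

var ErrBiometricMismatch = errors.New("biometric did not match the enrolled template")

// Enroll generates a fresh key pair on the device and registers the public
// half with the relying party; the biometric template stays on the device.
func Enroll(rp *RelyingParty, user, faceTemplate string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Device{priv: priv, enrolledFace: faceTemplate}, nil
}

// Challenge issues a random nonce for one login attempt, so a signature
// captured from an earlier login cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Sign releases the private key for one signature only if the presented
// biometric matches; nothing biometric is ever sent to the relying party.
func (d *Device) Sign(presentedFace string, nonce []byte) ([]byte, error) {
	if presentedFace != d.enrolledFace {
		return nil, ErrBiometricMismatch
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// Verify checks the signed nonce against the stored public key.
func (rp *RelyingParty) Verify(user string, nonce, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	rp := NewRelyingParty()
	dev, err := Enroll(rp, "twin-a", "template:twin-a") // constructed sample values
	if err != nil {
		panic(err)
	}

	nonce, _ := rp.Challenge()
	sig, err := dev.Sign("template:twin-a", nonce)
	fmt.Println("enrolled twin logs in:", err == nil && rp.Verify("twin-a", nonce, sig))

	_, err = dev.Sign("template:twin-b", nonce)
	fmt.Println("other twin rejected at the device:", errors.Is(err, ErrBiometricMismatch))

	later, _ := rp.Challenge()
	fmt.Println("old signature replayed against a new nonce:", rp.Verify("twin-a", later, sig))
}
```

The point of the design is where each secret sits: the biometric and the private key stay on the device, the site holds a public key that is useless to an attacker, and every login signs a fresh nonce, so neither a leaked site database nor a captured login exchange can be turned into a password-style credential.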

Yesterday the newspaper The Australian published its findings from testing Windows Hello with an eye on trying to 'derail' the system. It thought it might be able to bypass Microsoft's new secure authentication system, once it had learned one face, using the face of an identical twin.

According to the newspaper, one per cent of the population is one of a pair of identical twins, so it's quite a common feature of the population. The Australian managed to get six pairs of identical twins into its offices to see if it could hoodwink Windows Hello. I know that's not a very big sample, but it's still an interesting experiment.

Again this demo used an Intel RealSense camera setup. Intel focussed quite strongly on this camera hardware in its IDF 2015 keynote and in partner announcements earlier this week. The newspaper's reporter said that the face login "worked a treat" for him, and was keen to see whether the twins could sneak past the face-based authentication into their sibling's account.

The procedure was as follows:

"One twin would register a Windows account on the Lenovo Thinkpad and go through the face registration process. Users could enhance the camera’s accuracy by registering variations in appearance, such as wearing glasses.
The first twin would make sure the computer reliably identified them before the moment of truth arrived. Could the second twin trick the camera?"

In one instance the system wouldn't log in both twins after the setup procedure. However, there was never a false positive: there was "no case of it wrongly granting access".

In the wake of many recent stories of mass password and consumer data leaks, maybe this kind of system is going to find favour. Perhaps more companies should make use of Microsoft Passport, which is an application and website authentication system reliant on the Windows Hello tech. Microsoft says that the biometric key is stored only on the device where facial recognition is established, and usable only with it. It claims that its false acceptance rate is lower than one in 100,000.
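The caveat about sample size can be put in numbers. The following is an added example, not from the article or from The Australian, written in Go. It assumes (and this is a labelled assumption, since the article does not say) that each of the twelve twins tried to log in to their sibling's account once, giving twelve impostor attempts, and it takes Microsoft's stated figure of one in 100,000 as the claimed false acceptance rate.

```go
package main

import (
	"fmt"
	"math"
)

// ProbNoFalseAccepts returns the chance that n independent impostor attempts
// all fail when each one is accepted with probability far.
func ProbNoFalseAccepts(far float64, n int) float64 {
	return math.Pow(1-far, float64(n))
}

// RuleOfThreeUpperBound gives the approximate 95% upper confidence bound on
// the true acceptance rate when n attempts produced zero acceptances.
func RuleOfThreeUpperBound(n int) float64 {
	return 3.0 / float64(n)
}

// AttemptsToObserveOne returns how many impostor attempts are needed to have
// probability 'confidence' of seeing at least one false accept at rate far.
func AttemptsToObserveOne(far, confidence float64) int {
	return int(math.Ceil(math.Log(1-confidence) / math.Log(1-far)))
}

func main() {
	const claimedFAR = 1.0 / 100000 // Microsoft's stated figure, quoted in the article
	attempts := 12                  // assumption: each twin tried the sibling's account once

	// If the claim is true, zero false accepts in twelve tries is almost certain.
	fmt.Printf("P(no false accept in %d tries at claimed FAR) = %.5f\n",
		attempts, ProbNoFalseAccepts(claimedFAR, attempts))

	// But zero-out-of-twelve is also consistent with a far worse system:
	// the 95% upper bound on the true rate is still about 25%.
	fmt.Printf("95%% upper bound on FAR after %d clean tries = %.2f\n",
		attempts, RuleOfThreeUpperBound(attempts))

	// To have a 95% chance of catching even one false accept at the claimed
	// rate, a test would need on the order of 300,000 impostor attempts.
	fmt.Printf("attempts needed to likely observe one false accept = %d\n",
		AttemptsToObserveOne(claimedFAR, 0.95))
}
```

The takeaway for anyone evaluating a biometric system: a small trial with no false accepts is good news, but it neither confirms nor meaningfully tests a vendor's false acceptance rate claim; checking a figure like one in 100,000 needs hundreds of thousands of impostor presentations.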



HEXUS Forums :: 19 Comments

Microsoft can never be smarter than upcoming hackers. I personally can access any Windows version if I have forgotten passwords etc.; you simply log into YouTube and follow the steps……..easy like that!!
Lumireleon, it depends if the device is fully encrypted from a TPM onwards.

If that's the case, then no, you cannot access the Windows version at all, assuming there are no exploits for BitLocker or the TPM keystore.

MS have been making some strides in encouraging consumer devices, such as the Surface line, to be enabled by default.
Now all we need are similar security safeguards for when data comes in and leaves our devices.
TheAnimus:
"…. MS have been making some strides in encouraging consumer devices, such as the Surface line, to be enabled by default."

Great. MS helps protect us from others. Now, we just need someone to protect us from MS. ;) :D
What about if you have an “Evil Twin” :)