Windows 10 Hello Authentication

Discussion in 'privacy technology' started by deBoetie, Jun 1, 2015.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    As the reserve-your-copy of Windows 10 notifications start to emerge, I was hoping to get more information about the Windows Hello Passport biometric authentication.

    The information I have is that Hello allows you to (optionally) log in to Windows 10 and also participating websites based on (existing) fingerprint scanners, iris or (new) 3D face biometrics. The facial recognition appears to be based on 3D IR cameras.

    The backend seems to be based on FIDO consortium U2F (universal two-factor) biometric standards (which is potentially good for privacy to the extent that the certificates for the U2F are locally generated and unique per site).

    Aside from my normal antipathy to biometrics, I wondered if anyone had seen more analysis of the privacy implications of this authentication, and whether the authentication could be backed by a PIN. Can it be repudiated, and how? Is it local to the machine, or can it be put on a dongle? Are there ways to remotely determine those biometrics, and can you tell that the same person is accessing a site from different devices? Does the website access need the pin as well, or what? Any information gratefully received.
     
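    The per-site credential point raised above can be made concrete with a small simulation. This is an added example, not code from Microsoft, FIDO or the poster: a U2F-style authenticator that derives a separate key pair for every site (the `app_id`) from a device-local master secret, hands the site an opaque key handle plus a public key, and refuses a key handle presented by a different site. Real U2F uses ECDSA P-256 signatures; to stay standard-library only, this model uses hash-based Lamport one-time signatures, so each derived key pair is assumed to sign a single login (a real authenticator has no such limit). The property it demonstrates is the one the question is about: two sites see unrelated public keys and cannot link them to the same user or device.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of U2F-style per-site key derivation (not Microsoft's or
# FIDO's code). Lamport one-time signatures stand in for the ECDSA P-256 signatures
# real U2F uses; the privacy argument (unlinkable per-site keys) is unchanged.

MSG_BITS = 256  # we sign SHA-256 digests, one Lamport pair per digest bit


def prf(key, *parts):
    """Keyed PRF over length-prefixed parts, used to derive per-site key material."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keypair(master, app_id, nonce):
    """Deterministically derive a Lamport key pair bound to (master, app_id, nonce)."""
    priv, pub = [], []
    for i in range(MSG_BITS):
        idx = i.to_bytes(2, "big")
        s0 = prf(master, b"key", app_id, nonce, idx, b"0")
        s1 = prf(master, b"key", app_id, nonce, idx, b"1")
        priv.append((s0, s1))
        pub.append((hashlib.sha256(s0).digest(), hashlib.sha256(s1).digest()))
    return priv, pub


def _bits(message):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(MSG_BITS)]


def sign(priv, message):
    """Reveal one preimage per digest bit (a one-time signature)."""
    return b"".join(priv[i][bit] for i, bit in enumerate(_bits(message)))


def verify(pub, message, sig):
    """Check every revealed preimage hashes to the matching public-key entry."""
    if len(sig) != MSG_BITS * 32:
        return False
    for i, bit in enumerate(_bits(message)):
        if hashlib.sha256(sig[32 * i:32 * i + 32]).digest() != pub[i][bit]:
            return False
    return True


class Authenticator:
    """Device side: holds the master secret; key handles let it recompute keys."""

    def __init__(self):
        self.master = secrets.token_bytes(32)  # never leaves the device

    def register(self, app_id):
        nonce = secrets.token_bytes(16)
        tag = prf(self.master, b"handle", app_id, nonce)[:16]  # binds handle to site
        _, pub = derive_keypair(self.master, app_id, nonce)
        return nonce + tag, pub  # key handle (opaque to the site) and public key

    def authenticate(self, app_id, key_handle, challenge):
        nonce, tag = key_handle[:16], key_handle[16:]
        expected = prf(self.master, b"handle", app_id, nonce)[:16]
        # Origin check: a handle issued for one site is rejected by any other.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("key handle does not belong to this app_id")
        priv, _ = derive_keypair(self.master, app_id, nonce)
        return sign(priv, app_id + b"|" + challenge)


class RelyingParty:
    """Site side: stores only the key handle and public key per account."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.accounts = {}

    def enroll(self, user, authenticator):
        self.accounts[user] = authenticator.register(self.app_id)

    def login(self, user, authenticator):
        handle, pub = self.accounts[user]
        challenge = secrets.token_bytes(32)
        sig = authenticator.authenticate(self.app_id, handle, challenge)
        return verify(pub, self.app_id + b"|" + challenge, sig)


def demo():
    """Enrol one device at two constructed sites and report what each can learn."""
    dev = Authenticator()
    bank = RelyingParty(b"https://bank.example")  # constructed site names
    shop = RelyingParty(b"https://shop.example")
    bank.enroll("alice", dev)
    shop.enroll("alice", dev)
    linkable = bank.accounts["alice"][1] == shop.accounts["alice"][1]
    try:  # shop tries to use the handle the bank was issued
        dev.authenticate(shop.app_id, bank.accounts["alice"][0], b"challenge")
        cross_site_accepted = True
    except ValueError:
        cross_site_accepted = False
    return {"bank_login": bank.login("alice", dev),
            "shop_login": shop.login("alice", dev),
            "keys_linkable": linkable,
            "cross_site_handle_accepted": cross_site_accepted}


if __name__ == "__main__":
    print(demo())
```

    The key handle carries no secret, only a nonce and an HMAC tag, so a site that stored it (or an attacker who copied the database) cannot derive the private key; everything the site can verify with is its own public key, which shares no material with the key the same device gave any other site.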
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I see it as a step towards complete user transparency where your biometrics are linked to your name, credit card, address and phone number.
    Windows 10 will claim to preserve your privacy etc but once biometric authentication becomes the norm, the rest will slowly creep in.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Maybe all of that can be emulated locally in software. Biometric pseudonyms?
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Yes, I fear it's the creeping end of a device you actually own, as opposed to being a glorified dumb terminal to their distributed mainframe. And it's worse than handing over your mobile number to provide biometrics (though nominally U2F handles the biometrics locally).

    @mirimir - U2F already does allow dongle-based website access without biometrics. The biometrics part is very suspicious because it's much worse than a dongle IMO, the readers are bigger and more expensive for example.

    I think it's much more about the agenda to get the "real" you, and probably, in the case of people like Paypal etc (or any financial institution), for them to be able to claim that it really was you in cases of fraud (even if false positives/negatives make it not very reliable).
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Yes, that is exactly how I see it, and the pro-biometrics people don't talk about what you do when someone steals your biometric data. If someone steals your password you can change it; when someone steals your face scan data, then what? Plastic surgery?
    You can be sure that when biometrics becomes the norm, biometric-stealing devices will be out there. Covert cameras that replicate the face scanner and store the data are all it would take. The adversary would then remove the face scanner from the computer and replace it with the device. The device sends its stored data to the computer to authenticate instead of performing the scan. You just got biohacked.
    IMO they are deceiving the public by selling it as a password-free world. It doesn't do away with passwords: your face scan data becomes the password, but unlike typed passwords your face is not a secret. I predict that shortly after Windows 10 machines are on sale, someone will take the face scanner out of a computer and rig up a portable face-scan-stealing device like the one I mentioned above.
    I don't think a whole lot has been said about all that, but really the community should be concerned about the prospect of global corporations and governments imposing this on us without discussing the security implications.
     
    Last edited: Jun 2, 2015