The clickbait 'title' makes some claim to vulnerability, except that's the wrong word entirely. The described "vulnerability" is logically equivalent to briefly removing one's face from the frame, because that's what this is. The article actually suggests that as the usual alternative!
There's nothing else going on here beyond "think about Windows Hello, please". Is this really what we want HN to be about?
Given it's from Old New Thing, I'm willing to bet clickbaiting was indeed the intention of the poster (Mr. Chen), as this title and the article itself seem to follow his sense of humor.
Free advice: Do not use biometrics to unlock devices. Face/fingerprint recognition is subject to different, lesser, protections than memorized passwords.
Criminal defense 101: Don't talk to the police. Don't admit anything, including any sort of admission of owning a phone. If they can use your face/finger to unlock a phone, that proves it is your phone. Even if you one day want to admit owning that phone, do not allow them to unlock it without your permission. The unlocking of any device should only happen after negotiations with the assistance of counsel, not at 2am in a parking lot. Use some sort of memorized password/pattern.
I've had a SP4 since they were released. It's got some faults, but Windows Hello has worked flawlessly for me. It sounded like such a gimmick before I used it but it's actually pretty neat.
SP4 user here too, Windows Hello failed exactly once for me: when I was setting it up. Ever since then it's worked flawlessly. It's so insanely good it's almost hard to believe Microsoft built it.
When Android first came up with face recognition it was a gimmick; half of the time it didn't work, it took too long, you needed the right amount of light, etc etc. But I can confidently say that Microsoft's implementation is nothing like it, they've actually made it work.
The main thing that worries me about it is that "what your face looks like" is superbly easy to copy.
I mean, fingerprints aren't that much more secure in a technical sense, but at least a lot of people don't actively post images of their fingerprints to all their social media accounts.
If I'm not mistaken Windows Hello will only do facial recognition on a depth-sensing camera, so you would need to create a 3D model of my face to fool it.
Twins are easily distinguishable if you know them -- I went to high school with three pairs and they were easy to tell apart. Almost everyone has some pockmark etc. on their face, and identical twins often have these in mirror image.
No, it doesn't, I have no idea what wizardry is involved. All I'm saying is that if you assume some magic that can distinguish Bob from Steve, then those same techniques, whatever they are, can be used to distinguish Bob from his twin Todd.
Sure it does, they have unique distinguishing features; they only look identical if you don't look too hard. Computers are good at seeing all the details.
The infrared might help: the capillaries transporting (hot) blood under the skin probably grow somewhat randomly per individual, giving everyone a slightly different pattern of heat running through their face.
Windows Hello only works with newer cameras that support depth/3d sensing. Only a handful of laptops and a couple external cameras have this functionality. Windows Hello doesn't work with standard cameras as it would be easier to bypass.
I have Windows Hello enabled on my phone (a 950) and it scans my iris with an infra-red camera/light. This means it still works in the dark and can't be fooled by a photo (or a 3D model I guess!)
> The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account
What pin is this talking about? The only pin I see related to my account is a 6-digit one that the Google authenticator app generates.
As someone who has accidentally locked himself out of his own Windows device before, there is definitely an attempt limiter on PINs in Windows. You have to re-sign in with your full password and must reset the PIN.