Hacker News

The main thing that worries me about it is that "what your face looks like" is superbly easy to copy.

I mean, fingerprints aren't that much more secure in a technical sense, but at least a lot of people don't actively post images of their fingerprints to all their social media accounts.



If I'm not mistaken Windows Hello will only do facial recognition on a depth-sensing camera, so you would need to create a 3D model of my face to fool it.


I understand it not only uses depth sensing, but also infrared, and it can distinguish between twins.

That last item is the most interesting and perplexing to me.


Twins are easily distinguishable if you know them -- I went to high school with three pairs and they were easy to tell apart. Almost everyone has some pockmark etc. on their face, and identical twins often have these in mirror image.


That doesn't explain how software can distinguish them.


No, it doesn't, I have no idea what wizardry is involved. All I'm saying is that if you assume some magic that can distinguish Bob from Steve, then those same techniques, whatever they are, can be used to distinguish Bob from his twin Todd.


Sure it does, they have unique distinguishing features; they only look identical if you don't look too hard. Computers are good at seeing all the details.


Computers aren't good at seeing subtle details in photos. At least not yet.


The infrared might help: the capillaries transporting (hot) blood under the skin probably grow somewhat randomly per individual, giving everyone a slightly different pattern of heat running through their face.


Windows Hello only works with newer cameras that support depth/3D sensing. Only a handful of laptops and a couple external cameras have this functionality. Windows Hello doesn't work with standard cameras as it would be easier to bypass.


I don't think the threat model for this cares about that.

This is designed for home users who don't have security requirements that make them carry around OTP devices just to see their desktop.

I mean, you can argue that passwords are pretty easy to copy as well -- you just need a video camera facing at the keyboard for a day or three.



