Saltar al contenido

What is Windows Hello? Microsoft’s biometric security system explained

What is Windows Hello?  Microsoft's biometric security system explained

Windows Hello gives Windows users an alternative way to connect to their devices and applications using a fingerprint, iris scan, or facial recognition. This is what technology does, who uses it and the hardware needed.

Windows Hello is a biometrics-based technology that allows Windows 10 users (and those upgrading to Windows 11) to authenticate secure access to their devices, applications, online services, and networks with just a fingerprint, iris scan, or facial recognition. The connection mechanism is essentially an alternative to passwords and is considered an easier to use, more secure and more reliable way to access critical devices, services and data than traditional authentications using passwords.

«Windows Hello solves some issues: security and inconvenience,» said Patrick Moorhead, president and chief analyst at Moor Insights & Strategy. «Traditional passwords aren’t strong because they’re hard to remember, so people choose passwords that are easy to guess or write them down.»

«Because we depend even more on being online for anything in our lives, we’re more than ready to remove passwords,» said Katharine Holdsworth, senior group program manager, Windows Security.

«Passwords are complicated to use and present security risks for users and organizations of all sizes …. With multi-factor authentication, an account is 99.9% less likely to be compromised. «

How Windows Hello works

Windows Hello limits the surface of Windows attack by eliminating the need for passwords and other methods by which identities are more likely to be stolen.

«Windows Hello uses structured 3D light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people who create a fake head or mask to fake the system,» Moorhead said.

Windows users can configure Windows Hello in the login options in the account settings. Users need to set up a face scan, iris scan or fingerprint to get started, but they can improve these scans at any time and add or remove additional fingerprints. Once set up, a look at your device or a finger scan will unlock access to Microsoft accounts, core applications, and third-party applications that use the API.

Adopting the FIDO specification means that Microsoft partners can provide security keys for an extra layer of protection when you sign in with Windows Hello.

The FIDO specification was developed in 2014 by the FIDO Alliance, which now includes over 250 companies, but was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. FIDO authentication technology is available today on hundreds of devices, according to the group.

Microsoft has also accepted the latest version of the security protocol, FIDO2 . This allows users to access standard-based devices, such as USB dongles, which provide an extra layer of protection when connecting to Microsoft accounts.

Who uses Windows Hello?

Windows Hello is designed for both companies and consumers and has gained traction on both fronts. During the Microsoft Ignite 2017 conference , the company announced that over 37 million people were already using Windows Hello and more than 200 companies had implemented Windows Hello for business. (At the time, the company’s largest deployment outside of Microsoft’s IT team had more than 25,000 users, according to the company.)

These the numbers have only increased . In December last year, Microsoft called 2020 a «revolutionary year» for Windows Hello , with more than 150 million monthly users in May 2020 and almost double that number by the end of the year.


IDG / Mark Hachman

Why would you want Windows Hello?

Passwords, in short, are an obstacle. In this age of password (and human oblivion), security-conscious users find that a fingerprint, facial recognition, or iris scan to access important devices, accounts, and data is probably a more secure option. However, the password «is still the most used connection mechanism, but also a source of frustration for end users,» he said.

Raúl Castañón, senior analyst at 451 Research, or division of S&P Global Market Intelligence.

Microsoft is working with a growing number of service providers to provide their users with an easier way to authenticate multiple important Windows Hello accounts. All Microsoft Office applications are compatible with Windows Hello, along with third-party tools such as Dropbox.

Windows Hello has also been integrated into Google Chrome, allowing payments to be authenticated when using the browser on Windows.

What are the hardware requirements?

Windows Hello has a relatively low barrier to entry, but comes with specific hardware requirements. Microsoft Surface Pro, Surface Book, and most Windows 10 computers equipped with fingerprint scanners or cameras that can capture 2D infrared spectroscopy are compatible with Windows Hello.

Microsoft also works with device manufacturers to maintain consistent performance and security for all Windows Hello users and to set high-level benchmarks and benchmarks to set basic requirements. The acceptable performance range for fingerprint sensors is a false acceptance rate of less than 0.002 percent, and the acceptable range for facial recognition sensors is a false acceptance rate of less than 0.001 percent, according to Microsoft. This translates to 1 in 100,000 for fingerprints and half of this rate for facial recognition. (For comparison, Apple says the chances of cheating your Face ID are 1 in 1 million, while the chances of cheating your Touch ID are 1 in 50,000.)

In addition, false rejection rates for fingerprint and facial recognition scanners without anti-spoofing or life detection should fall below 5%. False rejection rates for fingerprint and facial recognition scanners with anti-spoof technology should drop below 10%, according to Microsoft guidelines.

For those unfamiliar with technology, life detection does more or less what it sounds like: it determines that a user is a living being before unlocking a device or application. All sensors must include anti-spoofing measures, such as activity detection, but setting these anti-spoofing features is optional and varies by system.

How does Windows Hello compare to Face ID?

Windows Hello has no direct competitors due to its exclusivity for Windows 10 devices, but it faces indirect competition from companies such as Apple, Samsung, Google and others that offer similar technology for their devices and related ecosystems. Face ID Apple is now used on most iPhones and iPads. (On tablets, it works even in landscape mode.)

dropbox face IDDropbox

Third-party apps like Dropbox have updated their apps with Face ID support.

«Windows Hello is very similar to Apple Face ID and Google Android biometrics,» Castañón said. “All three offer biometric authentication on the device; This means that the fingerprint or facial data is encrypted and stored on the device and not on a server, which is hackable and therefore inherently insecure.

The popularity of Apple’s biometric authentication has probably helped stimulate adoption, drawing attention to the benefits of the technology.

«Given the ease of use and the fact that Apple Face ID, probably the most popular facial authentication, has made this mechanism widely known to consumers in general, we can expect facial authentication and fingerprints on the device to continue. Gaining ground.» Said Chestnut.

According to Moorhead, Apple and Face ID fingerprint scanners are the most obvious competitors for Windows Hello, although, in his experience, Windows works best in low light environments. «Face ID works with glasses, Windows Hello doesn’t.» Windows Hello works well in the dark. He does ID, not so much, «he said. «Neither Windows Hello nor Face ID work well in bright light, but fingerprint scanners work in bright light and in the dark.»

What’s next for Windows Hello in Business?

While companies will benefit from an enhanced user experience and enhancement, it should be noted that Windows is just a device-level layer of protection.

«[E] This means that it should be seen as a complement and not as a replacement for other security mechanisms that companies implement (for example, at the application level), such as behavioral biometrics based on artificial intelligence, ”said Castañón.

Microsoft has indicated that Windows Hello will continue to provide users with password-free access to Windows 11, where it will take advantage of the Trusted Platform Module (TPM), a cryptoprocessor chip required on Windows 11 devices. TPM chips will be integrated into motherboards or added to processors and will provide additional security for Windows Hello data at the hardware level.

«With Windows 11, we will continue to focus on security, while helping customers stay safe,» Holdsworth said. «This will include investment in Windows 11 security features and a new hardware baseline needed to ensure we provide security and protection to keep our customers safe from the ever-increasing number of sophisticated attacks.»