Windows Hello Gets Less Convenient

Microsoft will no longer let users "sign in" with their face in a darkened room. It's a deliberate choice of security over convenience.

The change affects the Windows Hello feature that lets users sign into their Windows device using something other than a password. This includes a PIN (which can only work on a specific device) or biometric logins such as a fingerprint or facial recognition.

One lesser-known limitation is that an ordinary webcam won't work for the feature. Instead, it must have an infrared capability that means it has depth perception. This effectively means it can scan a user's face with more three-dimensional information rather than a simple image comparison.

Potential Threat

Researchers at Nanywang Technological University in Singapore recently spotted a security vulnerability with Windows Hello using facial recognition. The vulnerability hasn't been publicly disclosed and there's no evidence of it being exploited by real attackers. (Source: theverge.com)

Unlike with most webcams, the infrared cameras are able to view faces even in low-lighting conditions. However, it appears the vulnerability has something to do with this capability.

For now at least, Windows Hello won't work in darker settings, even if the camera can still see the user. In most cases, the user must either switch on a light or significantly increase the screen brightness to log-in.

Workaround is Limited

There is a workaround with a big limitation: disabling the webcam in Windows Device Manager will make Windows revert to scanning the face using only the infrared sensors, which will still work in the dark. However, this will mean the webcam itself is no longer usable for video calls or recording. It appears user can't reactivate the webcam until logging into Windows again in brighter lighting.

As usual with any change, there's some dispute about not only whether the change is sensible, but how much difference it actually makes. Some users have reported being unable to log in without being in a fully lit room, while others say they could log in in near pitch darkness. (Source: pcworld.com)

Either way, nobody is being locked out of their device as a result of the change. If the facial recognition doesn't work, users can fall back on typing their device-specific PIN.

What's Your Opinion?

Do you use Windows Hello? Have you spotted any difference with the facial recognition? Do you find biometric logins easier or more reassuring than passwords or PINs.