
I don't see how this is much different from key generation software running on a phone or any other device. Useful as a 2nd factor for authentication and a little less friction (more convenient, less secure). I've yet to see any technology that can replace an old fashioned master password as the 1st factor. All the hype around biometrics a few years ago seemed especially silly given that it's pretty easy to steal fingerprints and once stolen, of course, they are pretty hard to change. Maybe I'm an outlier here but I think in 20 years we'll still be using password managers with master password type in authentication into a dashboard with varying degrees of additional authentication required to access sites/services within, based on relative sensitivity.


> I've yet to see any technology that can replace an old fashioned master password as the 1st factor.

For a few weeks I've been using the Windows Hello system on my new Surface Pro 4. It's using facial recognition, and it's pretty awesome: turn on the PC, sit still for a second, it greets you, logs in and you can work. For two-factor logins I use the Microsoft Account app on Android, which also works very well (no typing a code, just approve the request on the phone).

Now only if Microsoft would fix the power/sleep issues with Surface 4, it would be perfect.


Have you or anybody else tried to crack it? Ease of use isn't the only part of good security. Would a picture work? A recorded video on an iPad? etc.


Windows Hello uses an IR emitter and camera to get a 3D map to verify in addition to the ordinary webcam, and I've confirmed that mine doesn't fall prey to the most obvious of exploits.

Of course, it makes the assumption that "<user>'s face in front of the computer means <user> wants to log in", which may not always be the case.

That being said, I'm eagerly looking forward to reading about its pitfalls once people crack it.


I wonder if your face would look different enough in the 3D map while under duress to stop it from authenticating. Or what about if you're unconscious? It sounds like it would be real easy to break this security with a $5 wrench.


That's the case for a lot of security, though?


> Have you or anybody else tried to crack it?

I've read it is very accurate: even twins who look very much alike won't fool it.

But it still has some funny characteristics: if you train it for two people/faces (you can scan multiple times), it will happily let both people log into the account.

Another gotcha: if I go for a coffee I usually lock my PC (Windows-L). If I then go too slowly, it will recognize me again and log me back in, leaving the PC unlocked.


My wife has a Surface Pro 3, and slams it from standing on its leg down on the keyboard cover. I wince every time she does this, because I expect the glass to shatter. But she never has issues with it sleeping.

It's like the technological version of "Go the fuck to sleep" I suppose.


> Now only if Microsoft would fix the power/sleep issues with Surface 4, it would be perfect.

Load the newly updated Intel display driver.


And if you want a pretty secure second factor, the YubiKey is available; the Neo supports NFC, so it works with some Android phones.


Touch ID or any other fingerprint readers are static, but what about behavioral biometrics, which are very difficult to reproduce if done right, like voice verification or dynamic signature verification?

Don't forget that today's iris scans, using Daugman's algorithm, are the gold standard in biometric technology.



