Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Windows Hello

From: "Jones, Justin" <jucjones () IU EDU>
Date: Thu, 23 Jul 2020 17:44:20 +0000
Hi Rob-

 

I cannot speak for all of Indiana University, but I can speak about testing
it in the department I work for.  I was tasked with investigating Windows
Hello and what it would take to enable it through a GPO.

 

In order to utilize facial recognition through Windows Hello, you will want
to make sure your laptops and/or external camera supports IR.  See this
website for the requirements:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-
for-business/hello-overview  After you have determined your hardware meets
the requirements there are a few settings you will want to enable through a
GPO.  The settings I enabled in my research are as follows:

 

1.      Computer Configuration -> Policies -> Administrative Templates ->
System/Login -> Turn on convenience PIN sign-in (enabled)
2.      Computer Configuration -> Policies -> Administrative Templates ->
Windows Components/Biometrics -> Allow domain users to log on using
biometrics (enabled)
3.      Computer Configuration -> Policies -> Administrative Templates ->
Windows Components/Biometrics/Facial Features -> Configure enhanced
anti-spoofing (enabled)
4.      Computer Configuration -> Policies -> Administrative Templates ->
Windows Components/Windows Hello for Business -> Use a hardware security
device (enabled) & Do no use the following security devices:  TPM 1.2
(disabled)
5.      Computer Configuration -> Policies -> Administrative Templates ->
Windows Components/Windows Hell for Business -> Use biometrics (enabled)

 

After I enabled these settings, I was able to use the Windows Hello
features.  Microsoft's implementation of facial recognition is not as
sophisticated as Apple's implementation.  If you are wearing glasses with
Windows Hello, you will always want to wear glasses or you will not be
logged in.  Now I have noticed Microsoft has been making improvements, so
this is slowly changing, but I have found that if I am not wearing my
glasses when I use facial recognition 8/10 times it will not log me in.

 

Also it is worth noting, you will want to set a PIN just in case facial
recognition fails as a back-up plan to quickly logging in to your computer.
You will also be able to use the traditional username/password as well.

 

I created this quick how-to guide for the people that I had test out Windows
Hello so they could set it up on their computers as well:

 

Windows Hello

 

1.      Open Windows Settings by going to the Start menu and clicking on the
gear icon
2.      Go to Accounts
3.      Go to Sign-in options on the left side of the Accounts window
4.      On the Sign-in options page you can set up Windows Hello Face,
Windows Hello Finger, and Windows Hello PIN

a.      Note:  You will notice at the top of the screen it will say:  *Some
of these settings are hidden or managed by your organization* this is for
the section called Require sign-in, this is controlled by a GPO.

5.      Click on Windows Hello Face and proceed to set up Windows to log you
in with facial recognition.  It may ask you to create a PIN but will ask you
to verify your login passphrase.  Once verified please create a PIN.

a.      Note:  Windows Hello Face does a decent job of recognizing you, but
it can be easily confused.

                                                         i.      If you wear
glasses, please wear them all the time.  Windows Hello Face will not be able
to recognize you without your glasses.  

                                                       ii.      If you have
a facial hair when you set up Windows Hello Face, and you shave your facial
hair off; Windows Hello Face may not recognize you and log you in.

6.      Click on Windows Hello Fingerprint and proceed to set up Windows to
log you in with your fingerprint.  It will ask you to input the PIN you
created above.

a.      Note:  Windows Hello Fingerprint does a good job of logging you in,
but it can be tricky to set up if you have dry skin, callouses or any cuts
or anything on your fingertips.

                                                         i.      Windows
Hello Fingerprint will ask you to get different angles of your finger to
provide a better mapping of your fingerprint.

 

For the most part from my findings, Windows Hello works rather well, there
are a few gotchas, but I believe Microsoft is working through those with
each iteration of Windows 10.  Also the camera technology is improving and
overall process of logging in is speeding up with each new version of
Windows 10 and new versions of hardware.  I would recommend considering
implementing it as an alternative to the traditional username/password.

 

I hope this makes sense, and if you have any questions, please feel free to
reach out to me.

Thanks-

Justin

 

Justin Jones

IT Support Analyst/IT Investigative Supervisor

Client Support - Vice President for Research IT (VPRIT)

Hardware | Security | Network Admin

jucjones () iu edu

 

 

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman
Sent: Thursday, July 23, 2020 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Windows Hello

 

This message was sent from a non-IU address. Please exercise caution when
clicking links or opening attachments from external sources.

 

Has anyone enable Windows facial recognition at their schools? Would you
care to share your experience if you have? The good, bad and ugly.

 

Thanks,

 

Rob

 




Rob Milman

Associate Director, Information Security

Information Technology Services

 

Southern Alberta Institute of Technology

EH Crandell Building, GA 214

1301 - 16 Avenue NW, Calgary AB, T2M 0L4

 

(Office) 403.774.5401  (Cell) 403.606.3173

rob.milman () sait ca <mailto:rob.milman () sait ca> 

 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community 


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Attachment: smime.p7s
Description:

Previous By Date Next
Previous By Thread Next

Current thread: