Educause Security Discussion mailing list archives
Re: Windows Hello
From: "Jones, Justin" <jucjones () IU EDU>
Date: Thu, 23 Jul 2020 17:44:20 +0000
Hi Rob- I cannot speak for all of Indiana University, but I can speak about testing it in the department I work for. I was tasked with investigating Windows Hello and what it would take to enable it through a GPO. In order to utilize facial recognition through Windows Hello, you will want to make sure your laptops and/or external camera supports IR. See this website for the requirements: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello- for-business/hello-overview After you have determined your hardware meets the requirements there are a few settings you will want to enable through a GPO. The settings I enabled in my research are as follows: 1. Computer Configuration -> Policies -> Administrative Templates -> System/Login -> Turn on convenience PIN sign-in (enabled) 2. Computer Configuration -> Policies -> Administrative Templates -> Windows Components/Biometrics -> Allow domain users to log on using biometrics (enabled) 3. Computer Configuration -> Policies -> Administrative Templates -> Windows Components/Biometrics/Facial Features -> Configure enhanced anti-spoofing (enabled) 4. Computer Configuration -> Policies -> Administrative Templates -> Windows Components/Windows Hello for Business -> Use a hardware security device (enabled) & Do no use the following security devices: TPM 1.2 (disabled) 5. Computer Configuration -> Policies -> Administrative Templates -> Windows Components/Windows Hell for Business -> Use biometrics (enabled) After I enabled these settings, I was able to use the Windows Hello features. Microsoft's implementation of facial recognition is not as sophisticated as Apple's implementation. If you are wearing glasses with Windows Hello, you will always want to wear glasses or you will not be logged in. Now I have noticed Microsoft has been making improvements, so this is slowly changing, but I have found that if I am not wearing my glasses when I use facial recognition 8/10 times it will not log me in. Also it is worth noting, you will want to set a PIN just in case facial recognition fails as a back-up plan to quickly logging in to your computer. You will also be able to use the traditional username/password as well. I created this quick how-to guide for the people that I had test out Windows Hello so they could set it up on their computers as well: Windows Hello 1. Open Windows Settings by going to the Start menu and clicking on the gear icon 2. Go to Accounts 3. Go to Sign-in options on the left side of the Accounts window 4. On the Sign-in options page you can set up Windows Hello Face, Windows Hello Finger, and Windows Hello PIN a. Note: You will notice at the top of the screen it will say: *Some of these settings are hidden or managed by your organization* this is for the section called Require sign-in, this is controlled by a GPO. 5. Click on Windows Hello Face and proceed to set up Windows to log you in with facial recognition. It may ask you to create a PIN but will ask you to verify your login passphrase. Once verified please create a PIN. a. Note: Windows Hello Face does a decent job of recognizing you, but it can be easily confused. i. If you wear glasses, please wear them all the time. Windows Hello Face will not be able to recognize you without your glasses. ii. If you have a facial hair when you set up Windows Hello Face, and you shave your facial hair off; Windows Hello Face may not recognize you and log you in. 6. Click on Windows Hello Fingerprint and proceed to set up Windows to log you in with your fingerprint. It will ask you to input the PIN you created above. a. Note: Windows Hello Fingerprint does a good job of logging you in, but it can be tricky to set up if you have dry skin, callouses or any cuts or anything on your fingertips. i. Windows Hello Fingerprint will ask you to get different angles of your finger to provide a better mapping of your fingerprint. For the most part from my findings, Windows Hello works rather well, there are a few gotchas, but I believe Microsoft is working through those with each iteration of Windows 10. Also the camera technology is improving and overall process of logging in is speeding up with each new version of Windows 10 and new versions of hardware. I would recommend considering implementing it as an alternative to the traditional username/password. I hope this makes sense, and if you have any questions, please feel free to reach out to me. Thanks- Justin Justin Jones IT Support Analyst/IT Investigative Supervisor Client Support - Vice President for Research IT (VPRIT) Hardware | Security | Network Admin jucjones () iu edu From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman Sent: Thursday, July 23, 2020 12:37 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [External] [SECURITY] Windows Hello This message was sent from a non-IU address. Please exercise caution when clicking links or opening attachments from external sources. Has anyone enable Windows facial recognition at their schools? Would you care to share your experience if you have? The good, bad and ugly. Thanks, Rob Rob Milman Associate Director, Information Security Information Technology Services Southern Alberta Institute of Technology EH Crandell Building, GA 214 1301 - 16 Avenue NW, Calgary AB, T2M 0L4 (Office) 403.774.5401 (Cell) 403.606.3173 rob.milman () sait ca <mailto:rob.milman () sait ca> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Attachment:
smime.p7s
Description:
Current thread:
- Windows Hello Rob Milman (Jul 23)
- Re: Windows Hello Jones, Justin (Jul 23)