It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft’s way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. like they did with 98 after the browser anti-competitiveness lawsuit.
hastily integrating the browser into everything, regardless of it making sense
So software development in general in the last couple of years?
Yes. JavaScript is famously the best programming language ever, so why not? /s
Wtf. It shouldn’t even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.
It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it’s by design on Microsoft’s end. You can then use the Windows Hello credential as a passkey but if you don’t want that, you’d need another solution for biometric auth.
Still, that does not explain the Edge dependency. Lots of programs can communicate with their respective servers without browser technology.
This is why I use Linux, the fingerprint device wouldn’t be supported so this wouldn’t be an issue /s
The one on my Thinkpad works just fine :)
I got a T80s and the sensor doesn’t work. It’s an 8th gen Intel machine, that’s like four or five generations behind.
I’ve got a T440p and I just set it up through the menu in the KDE settings, it worked right out of the box.
Stop using biometrics for authentication!!!
Edit: lots of opinions below. Biometrics are a username, a thing you are. Finger printed can be taken from your laptop with a little powder and masking tape.
Use an authentacator app or security key kids!!
Biometrics are perfectly fine! We probably don’t even live in the same country, I’m not going to get a hold of your fingerprints.
There seems to be a fundamental misunderstanding of what the biometrics actually do. The biometrics only unlock the device and give access to the security key. Once unlocked it’s exactly the same as using a yubikey, and far better than an authenticator app, as they use a crypto key, not a 6 digit number.
Well
The biometrics only unlock the device
Yes
and give access to the security key
This is the goal, sure, but what does this actually mean on device that’s mostly governed by software?
There’s a chip (like a yubikey) in the device that can hold cryptographic keys.
That’s good because the key cannot (easily) be extracted from the device.
That’s good as long as no one has physical access to your device.
With physical access, you hope that the device’s unlock mechanism is reasonably secure. That’s biometrics OR password/pin.
The ‘or’ is the problem. For practical reasons you don’t want exactly one method hard-wired. You have a fingerprint scanner (good enough), the secure element (good enough) and lots of hard- and software in between (tricky).
I’m not against biometrics (to unlock a device) because it’s convinient and much better than not locking the device at all. I’m also not against device trust (which you need if you want to store crypto keys sonewhere without separate hardware), but the convience of a single-device solution (laptop or phone) comes with a risk.
If an attacker can bypass the unlock method or trick you into unlocking or compromise the device, your secrets are at risk. Having the key stored in the secure enclave (and not in a regular file on the hard disk) prevents copying the key material, but it does not prevent using the key when the attacker has some control over the (unlocked) device.
A yubikey is more secure because it’s tiny and you can carry it on your keychain. The same chip inside your laptop is more likely to fall into the hands of an attacker.
Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.
Biometrics are two factor, because you need the fingerprint and the device they unlock.
You can’t use the device without the fingerprint and you can’t take someone’s fingerprint then use them from a different device.
You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.
Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.
If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.
When we talk online accounts, I’d count device+fingerprint as one factor. Sure, the maid from the example above can’t login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that’s like a password. One factor.
Technically, it’s slightly better than a password, because this token can be short-lived (although often it’s not), could be cryptographic signature to be used exactly once (although…), you cannot brute-force guess the token… But IF the token leaks, the attacker has full access (or enough to cause damage).
That’s why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.
