Security and convenience with biometrics and Windows Hello

Regular readers will know that I'm a big fan of security, but I also believe that security shouldn't inconvenience people. Security that gets in the way will be bypassed or ignored by users and overall is a detriment to the cause of increasing security. I have a strong password on my PC and laptops and honestly it can be a pain, so I decided to solve the problem!



Protecting my devices

I have a strong password on basically everything that requires a password. Thanks to my extensive use of 1Password across all my devices, and my family devices too, I can have strong, unique passwords for almost everything. I say 'almost' because there was one thing that was holding me back, logging into my PC. My PC uses my Microsoft account as I'm running Windows 10 and I used my Microsoft account password to login. It's actually more of a passphrase and honestly, it's pretty long... I've gotten really, really good at typing it, but it still sucks having to type it in each time. After many years contracting in the government and finance sector I've also gotten used to incredibly aggressive lock times on inactive devices and my home PC and laptops both have the same. Also, if I get up to leave my desk, ⊞+L immediately locks the device. These are all great things to do and have, but still, it did suck having to type my password in each time I returned, so I fixed the problem and a fix was long overdue.



Windows Hello

I've known of Windows Hello for a while and in short, it provides an easier way to login to Windows 10 devices. You can use compatible cameras or fingerprint readers to use a look or touch to sign-in to your device instead. Without a compatible device to do biometrics you can also set a PIN for the device. This is a unique PIN for this device only that will allow you to login. I could setup a PIN for my desktop PC and it would allow me to login much more conveniently and the PIN would only work for this device. I just really didn't feel comfortable having what is essentially a weak password on this particular device, so I needed another solution. Fortunately for me it's gotten pretty cheap to buy Windows Hello compatible fingerprint readers!


Going biometric

I read reviews of Windows Hello compatible fingerprint readers and was pleasantly surprised to find that they weren't as expensive as I thought they were going to be! This meant I could buy one of these devices and turn my normal desktop PC into a biometric capable device. We've been using fingerprint unlock on our phones for some years now and it fundamentally changed the secure unlock experience. A simple touch of a fingertip is inconsequential given that you have to touch the device to wake it up anyway and compared to typing in even a mediocre password or passphrase it's lightyears ahead in terms of user experience. I wanted to bring the same experience of easy login and great security to my PC, so I picked up fingerprint reader.



At only £43.49 ($57 USD) this is a pretty cheap device to upgrade my PC with and is also fairly unobtrusive. Let's take a look at it.


Kensington VeriMark

I settled on this particular fingerprint reader but there are many others out there in different form factors too. The reviews online were good, and I hit the order button. Here it is with a YubiKey for size comparison.






It's a great size and the reason I went for a small USB port sized one like this is that when I'm travelling I can take it out of my PC and pop it into my laptop for easy login while I'm on the road too! It would be a bit awkward if I had to reach under my desk to tap the fingerprint reader each time I wanted to login though, after all the whole point of this is convenience, so I bought a small stand to place it on my desk right next to my keyboard and mouse.



This means it's now super accessible and ready to be setup with Windows Hello. Plugging the device in, Windows automatically recognises it and install drivers and we're ready to go.


Setting up Windows Hello

At the lock screen of my PC I already get a prompt to setup Windows Hello when I login as it's detected a compatible device. Simply click the fingerprint icon and it launches the setup for Windows Hello.



You can also set up Windows Hello by heading to Settings -> Accounts -> Sign-in options. You'll see that if you have a compatible fingerprint reader installed there will be a setup prompt.





Using either process you can get started on adding your fingerprints which if you'd ever done this on a phone before, it's basically the same process.








Add this point you can add more fingers, I did a couple from each hand for convenience, and the final step is to set a Windows Hello PIN as a backup. I wasn't keen on this idea for the previously mentioned reasons, so I created another long passphrase and used that instead. Once the process is complete you're all set and ready to unlock your PC with your finger and holy crap is that so much easier and faster!



Bonus Round!

Yep, it gets better. Remember earlier I said I used 1Password? Well, the master password for that is an absolute monster. Typing that in each time I unlock my PC to unlock 1Password again was even more of a pain, but we can now use Windows Hello to unlock that too! After the first unlock using the master password in the morning, each time you go back to the 1Password app you now have a new icon under the password input field to unlock with Windows Hello.




With that single tap 1Password is unlocked and I can carry on with minimal disruption to what it was that I was doing! Another cool feature on the fingerprint reader is that when something is waiting for a fingerprint the device has a little blue status LED that lights up to say it's ready and waiting.



All in all, this has been a phenomenal change for the usability of my PC and laptop and security that is highly usable and convenient is the best kind of security. While using my laptop on trains and planes, or anywhere in public, I don't have to worry about typing in a password, PIN or passphrase that can be shoulder surfed. Instead, I can flip the device open and with a single tap be securely logged in. I have no idea why I haven't done this sooner and honestly, I really wish I had...