You can try out Windows Hello biometric logins for the web, right now
Windows Hello is one of the standout features of Windows 10, allowing your PC to “recognize” you and free you from typing in a password each time you unlock your PC. Microsoft originally predicted that web sites would build in that same biometric technology, but that promise hasn’t materialized, yet. It will, though, as part of the the Windows 10 Anniversary Update, due to roll out this summer.
Why this matters: Anyone who’s used Hello knows it’s a convenience that’s become largely indispensable, like a television’s remote control. With the dozens of passwords that we’re forced to remember, most of us would welcome a simpler approach to the web. Consider, too, that this is specific to Microsoft Edge. Forget Edge extensions—Hello could be the “killer app” that sells Microsoft’s browser.
To show off what it can do, Microsoft has published a ”test drive” demo to the web, where you can try biometric logins for yourself. Naturally, you’ll need a Windows 10 machine with Windows Hello-capable hardware, such as a Microsoft Surface Pro 4 two-in-one. (Microsoft says the demo was designed to work with Insider builds, but the Windows 10 10586.218 that Surface Book upgraded to on Wednesday seems to run the demo just fine.) You can also use the Tobii eyeX peripheral that we recently reviewed. Make sure you have set up Windows Hello using Settings > Accounts > Sign-in options > Windows Hello.
Even if you’ve never used Windows Hello before, setting it up should take just a few seconds—literally, all you have to do is look at the screen. And the demo itself should take just the same amount of time. Again, look at the screen when prompted, and voila!—you’re logged in. (The premise is that Windows Hello confirms your identity locally, then sends a token to the web site that authenticates you. You can also use the site’s password, as you always have.)
Note that the demo is an example of what Microsoft has previously called an “early implementation” of the Web Authentication (formerly FIDO 2.0) specification. Microsoft says it is working closely with industry leaders in both the FIDO Alliance and W3C Web Authentication working group to standardize these APIs.
There’s one thing I noticed, though, that you might think about. Windows Hello does a fine job, in my experience, of logging me in and blocking others from using my PC. But Windows 10 also allows you to use a four-digit PIN to unlock your PC, and allows that same PIN to authenticate you to the web.
The vast majority of us use two-factor authentication to log in to, say, an ATM—by combining a banking card with a four-digit PIN. Our privacy and security are much more at risk when a simple PIN, which Microsoft has implied is more of a convenience than anything else for accessing our PCs, becomes a means of also accessing your bank’s site. If and when Windows Hello logins become mainstream, consider removing that PIN and using either a password or biometric login as your primary methods of authentication.