Once you start using a Microsoft account to sign into Windows, you have to use a password every time. If you have a work account, you'll need a password for that, and you probably have to change it regularly.
And even if you just have a local Windows account, it's a good idea to have a password to keep your account safe. That doesn't mean you have to remember a complicated password, though – the new Windows Hello interface makes it easy to log in securely with biometrics.
In this slideshow, we'll take you through everything you need to know about Windows Hello, including what you need to use it, how secure the system is, and of course how to set it all up on Windows 10.
What you need to use Windows Hello
You don't need a new PC or notebook to use Windows Hello – almost all the existing fingerprint readers that are built into notebooks, keyboards and mice (as well as external USB-connected fingerprint readers) will work. For example, a Windows Vista-era Lenovo ThinkPad with a fingerprint sensor works perfectly. Newer fingerprint readers are easier to use though, because they use capacitive sensors that you press your finger onto, rather than the old optical sensors that you have to swipe your finger over – often a couple of times.
If you were running Windows 7, you would have been using OEM software to make the fingerprint sensor work; you won't need that any longer, because support is built right into Windows 10. If you were using Windows 8 or 8.1, you're used to the fingerprint reader just working to log in, but the process and interface are different in Windows 10.
If you want to log in with your face, you need to either get a new notebook or all-in-one PC that has the Intel RealSense camera built in, or get the external RealSense F200 camera that Intel sells to developers who want to create applications using the camera – this works if you have a fourth-generation (Haswell) or later CPU.
To make the camera work, you need to download and install the Intel RealSense Depth Camera Manager (DCM) software yourself; you don't need the SDK. You might also need to use Device Manager to stop your USB ports powering down so you can wake your PC with Hello. The RealSense camera is large, so it's only really suitable for desktop and all-in-one PCs or for notebooks that you don't take out with you.
You can't yet use a Kinect with Windows Hello even though it's a 3D infrared camera. We understand from Microsoft that this is a driver issue and that there's a plan to make Kinect 2 work with Windows Hello, but it hasn't been officially announced and we don't know when support will come. Iris sensors are also coming later on – they're rumoured to be in the next generation of Lumia phones, for example.
Can your fingerprint be copied?
Most security technology can be fooled, one way or another, but it's quite hard to fool Hello. The RealSense camera is a 3D camera that uses infrared, so it's looking at the shape of your face and your temperature – so a photograph or a model of your head or even a mask over someone's face isn't going to look the same.
Modern fingerprint scanners check for the 3D structure of your fingerprint and for the temperature and even pulse of your finger, so a rubber finger won't pass the test. One German hacker with a lot of experience in faking fingerprints showed a technique for fooling the fingerprint sensor on an iPhone, but there have been no reports of anyone else being able to use their method to gain access to an iPhone.
Although researchers have recently found that fingerprints can be stolen from Android phones, that's going to be harder with Windows Hello. It doesn't store your photo or a picture of your fingerprint – the template it creates for your face or finger (based on up to 60 'landmarks' on your face and 40 points of data for your finger) is "more like a graph," Microsoft says, and it's encrypted and never sent off your PC.
Plus, it can't be used to recreate your face or fingerprint, so even if an attacker can get the template and decrypt it, they still have to find a way to make a PC accept that template when it's looking for a real face or finger.
For faces, Windows Hello can tell which way your head is facing, but it doesn't store that in the template – and it shouldn't matter if the lighting changes, because what it's looking at is the shape of your face rather than the way it looks.
Setting up Windows Hello
Open the Settings app and choose Accounts, Sign-in options. You have to create a PIN first to unlock the Hello options. You need that in case your face or fingerprint isn't recognised: if you cut your finger or have a bandage on it, for example, or it's just too cold for your finger to be read properly, you can still get to your account. You can always choose to use the PIN, and if Windows Hello fails to recognise your face or fingerprint five times, you have to use the PIN. It's a PIN rather than a password, because a PIN is only ever saved on your PC – your password might get hacked in a variety of ways.
Click the Add button under PIN and enter a PIN (which means entering your password as well, to stop someone else locking you out of your PC), then you'll see the Windows Hello options for whichever biometrics you have. If you have the right camera you'll see the controls to set up your face recognition – if you have a fingerprint reader, you'll see the buttons to enrol one or more fingerprints.
Click Set-up to read an explanation of Windows Hello, then get in the right position for your camera and click Get Started; you need to enter your PIN to prove it's your face you're enrolling. The recognition takes only a few seconds – and you can see your face on-screen to check. Once it's done, you can click Improve Recognition if you want to take another snapshot, perhaps without your glasses; that takes much longer, because it scans more landmarks on your face – up to two minutes in some cases.
If the way you look changes – you grow a beard or switch from glasses to contact lenses, say – you can go back to the Sign-in options to re-enrol. You need the PIN to do that as well. Under Sign-in options, choose Improve Recognition again.
Hello keeps the previous representations it has of you, so if you shave off the beard or go back to your old glasses, it should recognise you without you needing to re-enrol.
The default is to unlock your PC automatically when your face is recognised; leave that on. If you want to be safer, select the option to turn your head from side to side to unlock the screen – that will use the 3D shape of more of your head to distinguish you from other people.
If you don't want to use your face or fingerprint to sign in any more, click the Remove button to delete your face or fingerprint templates.
What you can use Windows Hello for
Right now, you can use Windows Hello to log in to your PC (and wake it up from sleep by walking up to it). It works for your Microsoft account or your work account (unless your company has turned it off). You can also use your face or finger to pay for apps in the Windows Store instead of having to type your password every time.
But it will get a lot more useful when you can use Hello to unlock Windows Passport, the next-generation credentials that Microsoft hopes will replace passwords for online services, websites and other systems (including ones that support the other FIDO Alliance credentials like Google's key).
That's going to work by checking your face or your finger when you want to use Passport to log in, so you don't have to worry about signing in and then stepping away from your computer. And it will work in all the major browsers on Windows 10, not just Edge – but we're not going to see Passport until Windows Server 2016 ships.