Why no picture lock screen for W10M?

[Panathas]

Any ideas why MS does not implement this for their mobile OS but only for their desktop OS? Would make much more sense on the phone.

 

[a5cent]

This is why:

Deriving the correct graphical password based on screen smudges is a rather trivial affair. Some studies have had over a 90% success rate. It's much simpler than deriving the correct PIN from the smudges on a 3x3 number pad.

As it does exist on W10, it could be argued it should eventually pop up in W10M too, but due to the Windows Hello features being included in W10M (iris scanning, facial recognition and fingerprint sensing), I suspect there simply is no need for this inferior approach... thankfully.

This might help.

 

[Panathas]

As you said, why then bringing it to the desktop version? Not all w10 phones will have an iris scanner, in fact, most will not probably.

 

[a5cent]

Not all w10 phones will have an iris scanner, in fact, most will not probably.

Where did I say every device would have an iris scanner? That's not the point. This is the point: given an old but secure authentication method, and a newer but less secure method, which is better?

As you said, why then bringing it to the desktop version?

For desktops, for reasons explained in the document I linked to, this is not an issue.

For tablets and other touch devices running W10 it admittedly is. I don't know what MS' thinking is here. The security of such a picture password is highly dependent on the chosen picture. Maybe MS thinks that on a tablet, a picture can be big enough to provide enough points of interest so as to make it a viable authentication method, whereas on a small smartphone screen it's hard to provide an image with more than three or four points of interest, which would be terribly insecure.

That's my best guess. I'm not aware of MS ever explaining their reasoning.

Either way, be thankful that Windows Hello provides much better options, and that MS isn't resorting to such insecure picture passwords on phones.

 

[Ma Rio]

a5cent is right, it's probably not so secure, but I'd like it eather way. Who cares, and where does it say that everything needs to be 100% secure. If that's the case, why can we use our phones without a lock.
All in all, I like it, and would want it, even though I wouldn't use it - I don't use any locks. The whole lock thing is mostly pointless to me. The best method of securing your phone is not giving it to someone you dont't want to see your stuff.

 

[a5cent]

a5cent is right, it's probably not so secure, but I'd like it eather way. Who cares, and where does it say that everything needs to be 100% secure.

I strongly disagree with this position, although I do understand it. I'm sure it's a popular view. This is the problem:

A) You don't lock the phone
It's obvious that anyone who can pick up the phone can access whatever is on it.

B) You lock the phone with a PIN
The user expects this to be secure, which it largely is.

C) You lock the phone with a picture password
The user expects this to be secure, which it largely is NOT. Adding security features that aren't secure is worse than no security at all, since it implies your phone is secure when that is just not true.

This necessitates that people who require this security feature make very informed decisions, but most people are completely oblivious to this stuff. It's not realistic to expect users to be that competent. As always, users are any technical system's biggest security risk, and in that sense it's an OS' job to help protect users from their own incompetence. This counts double or tripple for OS' that are designed for use in corporate environments...

If an OS provides security features that just aren't that secure, it deserves to eventually be viewed as an insecure OS. I'm sure none of us want that for WM ��