Serious security bug on Surface Pro 4?

[Blake Seaman]

My fiance just got the Surface Pro 4 (i5, 128GB, 4GB) and I set it up for her. Got the updates downloaded, but Windows Hello wasn't showing up in the settings. A quick restart triggered the appropriate update and everything was where it should have been.

We set up windows hello with facial recognition, and it worked flawlessly. When she sat down it recognized her and she could open the machine.

The problem is that when I sat down, and it said it didn't recognize me, I was still able to unlock the machine.

Is this a bug or known issue? The Windows Hello prompt at the top of the lock screen behaves as it should, but even when it says it doesn't recognize you, you can still unlock it.

 

[kg4icg]

If you knew the password to the machine, then there is no bug. If you didn't unlock it with hello, it was waiting for the password.

 

[Jezza]

There's actually a timer option to allow for how long the device is off for before having to re-enter a password that is set to 15 minutes by default if I remember correctly. If you go into settings you should be able to reduce the password delay option.

 

[Blake Seaman]

There's actually a timer option to allow for how long the device is off for before having to re-enter a password that is set to 15 minutes by default if I remember correctly. If you go into settings you should be able to reduce the password delay option.

.

I figured that out and was coming on to reply the same to kg4icg! I guess I just so automatically change that setting to "every time" for myself, I forgot to do the same for hers. Thanks guys. Will say though, while I expected the facial recognition to be a gimmick, it has proven anything but. It is reliable, crazy fast, and accurate.

 

[Jezza]

.

I figured that out and was coming on to reply the same to kg4icg! I guess I just so automatically change that setting to "every time" for myself, I forgot to do the same for hers. Thanks guys. Will say though, while I expected the facial recognition to be a gimmick, it has proven anything but. It is reliable, crazy fast, and accurate.

Agreed, I've been highly impressed by the facial recognition and how quick the login is.

 

[hprvez]

Not a security bug, not even serious

 

[Blake Seaman]

Not a security bug, not even serious

If it had been a bug, it would have been enormously serious, but as we discovered it wasn't a bug. Hindsight is 20-20 after all.

Though I'm a pretty heavy user though and for that setting to have skipped my eyes after a few glances, it makes me wonder whether it should be made more obvious for less serious users who may also miss that. Of course someone would have to steal your machine and open it within 15 minutes (or wait for you to leave the room), but still a vulnerability if you didn't know that was the case.