Here's a summary of the themes discussed in the Hacker News thread:
Security and Accuracy Compared to Windows Hello
A significant portion of the discussion revolves around howdy's security and accuracy, often drawing comparisons to Windows Hello. Many users expressed skepticism about howdy's ability to prevent spoofing due to its reliance on 2D images and the lack of depth reconstruction, which is a key feature of Windows Hello.
- "This isn't 'Windows Hello style.'" charcircuit stated, elaborating that "This program extracts features from a 2d image instead of doing depth reconstruction first. This makes it easy to fool with a piece of paper."
- Another user, jeroenhd, agreed, noting that "without the depth reconstruction, I do agree that this is nowhere close to Windows Hello's features." They also pointed out that "many fingerprint readers on Linux share similar risks and are often regarded as secure enough."
- The official security note within howdy itself was quoted by the user thekevan: "This package is in no way as secure as a password and will never be. Although it's harder to fool than normal face recognition, a person who looks similar to you, or a well-printed photo of you could be enough to do it. Howdy is a more quick and convenient way of logging in, not a more secure one."
- The importance of depth sensing for security was highlighted repeatedly. lozenge mentioned, "Windows also uses infrared LEDs to light your face and prevent a flat photo from being recognised as a face." On a more tangential packaging point, Arnavion noted that "the explanation is in this commit message: [URL]. The dep on Python 2 is from Fedora's PAM module package, not from howdy itself." (This last quote shows how far the comparison went into technical details.)
User Experience and Feature Requests
Users also discussed desired improvements to howdy's user experience, including better feedback and additional functionalities.
- aitchnyu voiced a desire for more explicit user feedback: "Last time I tried it, I wished the DM indicated it's processing my face and also if it failed, and a button to retry."
- The main developer, Boltgolt, responded to these points by mentioning upcoming features: "If you're on the 3.0 version you'll be able to install howdy-gtk, which will show a popup at the top of your screen when authenticating." They also mentioned "rubberstamps" as a way to increase security and user interaction: "You can also enable 'rubberstamps' which require an action from you like nodding yes to confirm authentication and making it harder to fool."
Corporate Security Policies and Biometric Adoption
The discussion touched upon the use of biometrics in corporate environments, with differing opinions on how widely they are adopted and mandated.
- senectus1 expressed a longing for seamless biometric login in the enterprise: "I'm doing an ubuntu MOE for a corp atm and man, I really miss the windows hello logins."
- _joel questioned this, asking, "Is 'Hello' and those kind of biometrics generally enabled at $CORP? The ones I've gigged at have been the polar opposite of using it, due to regulatory requirements. Even disabling macos fingerprint reader company-wide, which is pretty darn good imho."
- senectus1 clarified their understanding of Hello's scope: "yeah hello encompasses facial recognition (must be dual IR cams), Fingerprint sensor and PIN. None are perfect but they allow users to easily access their devices without having to remember and type in huge passwords."
- In contrast, lozenge shared a different corporate experience: "I've had the opposite experience, my CORP now pushes most auth through my phone's biometric authentication, I don't even use a password."
Technical Challenges with Linux Hardware and IR Cameras
Several comments delved into the technical hurdles of implementing features like Windows Hello's depth sensing on Linux, particularly concerning IR cameras and synchronization issues.
- Boltgolt, the main dev, explained the difficulty: "Depth reconstruction with IR cameras in laptops today is incredibly hard. While the camera itself is exposed in Linux as a USB camera, the sync with the IR emitters is completely lost. Because of this we cannot extract a 'left' and 'right' lit image reliably as Windows hello does."
- This lack of reliable depth sensing was a recurring point. charcircuit also noted that "This program also saves the landmarks of your face into a file in plain text when it gets added."
- Westurner and MengerSponge engaged in a more theoretical discussion about inferring 3D information from 2D sensors using concepts like the Huygens-Steiner theorem and light field cameras, suggesting potential future avenues, though practical implementation for secure biometric systems remains challenging.
Open Source vs. Commercial Biometrics and Limitations
The development approach for open-source projects like howdy versus commercial offerings like Windows Hello and Apple Face ID was also a theme, highlighting differences in resources and testing.
- bsimpson wondered about the comparison: "I know there was extensive testing when face recognition authentication came to smartphones. I wonder how an open source project like this one compares. I suspect there are substantially more false positives/negatives than on a commercially developed version that needs to support everyone to be successful."
- e-topy chimed in on accuracy: "Apple's Face ID uses what is essentially a 3D camera, a simple 2D color camera cannot compare to that in terms of accuracy."
- The user aniviacat brought up Pixel phones as an example of successful 2D facial recognition: "AFAIK Pixel phones, including the Pixel 9, only use 2D images for face unlock. So it's definitely possible to reach mainstream quality with conventional cameras."
- Finally, joelthelion expressed a preference for alternative biometrics: "I wish we had good support for fingerprint readers instead."