In depth with Windows 11 Recall—and what Microsoft has (and hasn’t) fixed


We’d also like apps to be able to tell Recall to exclude them by default, which would matter for password managers, encrypted messaging apps, and any other software whose whole point is privacy. Users can exclude these apps from Recall’s snapshots themselves today, but as with Recall as a whole, collecting that data only when the user opts in would be preferable to requiring them to opt out.

You need a fingerprint reader or face-scanning camera to get Recall set up, but once it is set up, anyone with your PIN and access to your PC can get in and see all your stuff. Credit: Andrew Cunningham

Another issue is that, while Recall requires a fingerprint reader or face-scanning camera when you set it up the very first time, it can be unlocked with a Windows Hello PIN once it is already running.

Microsoft has said this is meant as a fallback in case you need to access your Recall database while your fingerprint sensor has some kind of hardware problem. In practice, it is too easy a workaround for a domestic abuser or anyone else with access to your PC and a way to learn your PIN (and note that the PIN also gets them into the PC in the first place, so disk encryption is no defense here). It is too broad a solution for a relatively rare problem.
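Because the PIN fallback undercuts the biometric gate, the mitigation an administrator actually has is to stop snapshots from being saved at all. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes that the "Turn off saving snapshots for use with Recall" Group Policy maps to the registry value DisableAIDataAnalysis under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI (my understanding of Microsoft's ADMX/CSP documentation), and the function names are my own. Check the value name against current Microsoft documentation before deploying it.

```powershell
# Added example (not from the article or Microsoft): audit and optionally
# enforce the Group Policy that stops Recall from saving snapshots.
# Assumption: the policy is backed by the registry value below, per
# Microsoft's ADMX/CSP documentation as I know it; verify before use.
param([switch]$Enforce)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
$ValueName  = 'DisableAIDataAnalysis'   # DWORD 1 = snapshots are not saved

function Get-RecallSnapshotPolicy {
    # Returns 'Disabled' when the policy forbids snapshots, otherwise 'NotConfigured'.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'NotConfigured'
}

function Set-RecallSnapshotPolicy {
    # Writes the machine-wide policy value; needs an elevated prompt.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-RecallSnapshotPolicy
Write-Host "Recall snapshot policy: $state"

if ($Enforce -and $state -ne 'Disabled') {
    Set-RecallSnapshotPolicy
    Write-Host "Policy applied; state is now $(Get-RecallSnapshotPolicy)"
}
```

Run it without arguments to report the current state, or from an elevated prompt with -Enforce to apply the policy. Assume the policy only stops new snapshots from being saved: on a machine where Recall was already enabled, the existing database should still be cleared through Settings, since a PIN (not a fingerprint or face) is all it takes to open it.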

Security researcher Kevin Beaumont, whose testing helped call attention to the problems with the original version of Recall last year, identified this as one of Recall’s biggest outstanding technical problems.

“In my opinion, requiring devices to have enhanced biometrics with Windows Hello but then not requiring said biometrics to actually access Recall snapshots is a big problem,” Beaumont wrote. “It will create a false sense of security in customers and false downstream advertising about the security of Recall.”

Beaumont also noted that, while the encryption on the Recall snapshots and database made it a “much, much better design,” “all hell would break loose” if attackers ever worked out a way to bypass this encryption.
