It seems like it wouldn't be a stretch to make a USB webcam that presented an "animated" infrared image -- would that defeat this fix?

What I'd really like is the system to consider every new USB device untrusted, and require specific approval before it's added as a device. This should apply to its capabilities too (eg: if a "keyboard" suddenly is presenting itself as storage, that causes a prompt). Think along the lines of "Acme WebCam XYZ wants to add a Camera and Microphone. Allow?"

And while the computer is locked this should absolutely be impossible.

I went looking for some commercial stuff, and there seems to be products aimed at businesses -- but seems these are centrally-managed, work by whitelisting specific devices ahead of time, and are more focused on data exfiltration than preventing a rogue keyboard, badusb or rubber ducky. Is there something that does this?

If you're using that as your sole authentication mechanism, then you're not encrypting your data with a password. It's already game over.

These kinds of things of 'security'* features can't be considered protection for the valuable data on your computer, or the e-commerce account you're currently signed in on.

This stuff is for preventing Steven from making a funny Facebook post in your name (he'll find a way anyways).

*roughly the same level of 'security' a "beware fluffy the furry menace" sign on your garden fence provides.

All I know is my 6 year old daughter was able to login to my admin account because of Windows Hello on multiple occasions.

There is certainly some resemblance, particularly what I looked like when I was 6, but not a huge one.

Catchy umbrella names for a set of security-related products/services cause more harm than good, see Google Titan. When just one facet of that gets compromised it sows doubt about the whole thing due to clickbaity titles.

Out of curiosity, why would showing a printed image of the user's face not have worked as well? Or, say, playing a video of the user's face from another device in front of the webcam? Does the biometric software look for glint or other characteristics of a replicating medium?

Interesting. I thought Windows Hello was implemented with dot matrix hardware like on iPhone, but clearly it isn't. It's illuminated infrared camera tech.

The problem is really how can we be sure that a device claimed to be a camera is really a camera and can be trusted? But yeah, as the device is already physically compromised, there is not much can be done in OS' perspective.

cool