The facial recognition-based authentication system in Windows Hello has been bypassed by researchers using a printed photo, but the method does not work in the latest versions of Windows 10.
Windows Hello, a feature available in Windows 10, allows users to quickly and easily log into their devices using their face or fingerprints. The face authentication system uses near-infrared (IR) imaging and it’s advertised by Microsoft as “an enterprise-grade identity verification mechanism.”
Researchers have demonstrated on several occasions that face authentication can be bypassed, but some systems, such as Apple’s Face ID, are more difficult to bypass than others. In the case of Windows Hello, experts managed to bypass facial authentication using only a photograph of the legitimate user printed in a certain way.
Matthias Deeg and Philipp Buchegger of Germany-based penetration testing firm SySS managed to conduct successful attacks using low-resolution near-IR photos even with the “enhanced anti-spoofing” feature enabled, which should make it more difficult to trick the system.
“By using a modified printed photo of an authorized user, an unauthorized attacker is able to log in to or unlock a locked Windows 10 system as this spoofed authorized user,” the researchers said in an advisory. “Thus, by having access to a suitable photo of an authorized person (frontal face photo), Windows Hello face authentication can easily be bypassed with little effort, enabling unauthorized access to the Windows system.”
Deeg and Buchegger have made available several videos demonstrating the spoofing method:
The attack was successfully replicated on Windows 10 versions 1511 and 1607 even with the “enhanced anti-spoofing” feature enabled. In newer versions of the operating system, such as 1703 and 1709, the method no longer works if the anti-spoofing mechanism is turned on.
However, the researchers highlighted that updating to newer versions of Windows 10 and enabling the anti-spoofing feature is not enough to block attacks. Users must also reconfigure Hello Face Authentication.
Related: Visa Makes Biometrics Easier for Financial Institutions
Related: U.S. Army to Protect Warfighters With Continuous Biometric Authentication
Related: Mastercard Launches Fingerprint-Based Biometric Card
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
- Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
