Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Windows Hello Face Recognition Tricked by Photo

The facial recognition-based authentication system in Windows Hello has been bypassed by researchers using a printed photo, but the method does not work in the latest versions of Windows 10.

The facial recognition-based authentication system in Windows Hello has been bypassed by researchers using a printed photo, but the method does not work in the latest versions of Windows 10.

Windows Hello, a feature available in Windows 10, allows users to quickly and easily log into their devices using their face or fingerprints. The face authentication system uses near-infrared (IR) imaging and it’s advertised by Microsoft as “an enterprise-grade identity verification mechanism.”

Researchers have demonstrated on several occasions that face authentication can be bypassed, but some systems, such as Apple’s Face ID, are more difficult to bypass than others. In the case of Windows Hello, experts managed to bypass facial authentication using only a photograph of the legitimate user printed in a certain way.

Matthias Deeg and Philipp Buchegger of Germany-based penetration testing firm SySS managed to conduct successful attacks using low-resolution near-IR photos even with the “enhanced anti-spoofing” feature enabled, which should make it more difficult to trick the system.

“By using a modified printed photo of an authorized user, an unauthorized attacker is able to log in to or unlock a locked Windows 10 system as this spoofed authorized user,” the researchers said in an advisory. “Thus, by having access to a suitable photo of an authorized person (frontal face photo), Windows Hello face authentication can easily be bypassed with little effort, enabling unauthorized access to the Windows system.”

Deeg and Buchegger have made available several videos demonstrating the spoofing method:

The attack was successfully replicated on Windows 10 versions 1511 and 1607 even with the “enhanced anti-spoofing” feature enabled. In newer versions of the operating system, such as 1703 and 1709, the method no longer works if the anti-spoofing mechanism is turned on.

However, the researchers highlighted that updating to newer versions of Windows 10 and enabling the anti-spoofing feature is not enough to block attacks. Users must also reconfigure Hello Face Authentication.

Related: Visa Makes Biometrics Easier for Financial Institutions

Related: U.S. Army to Protect Warfighters With Continuous Biometric Authentication

Related: Mastercard Launches Fingerprint-Based Biometric Card

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.