Windows Hello Facial Recognition Bypassed with a Photo


Facial recognition is all the rage these days as a way to log into your devices. Apple went so far as ditching the fingerprint sensor on the iPhone X in favor of Face ID, but Microsoft came out big for facial recognition a few years ago with the launch of Windows 10. This feature requires special hardware in computers with the aim of making it more secure, but security firm SySS GmbH has shown it’s still possible to bypass Hello with a photo.

Windows Hello is the name for all of Windows 10’s biometric security features. That can include fingerprint scanners (still rare on computers) and facial recognition. While integrated webcams are universal, Windows Hello does not rely on a simple RGB sensor. Laptops with Windows Hello need to have a near-infrared camera. Near-infrared images are more consistent across varying lighting conditions, and they’re harder to spoof with a photo, as photos don’t emit the same wavelengths. It might be harder, but not impossible.

SySS GmbH has shown in its video that it’s possible to print a picture that will fool Windows Hello in at least some instances. The photo has several special properties that make this attack a bit harder to pull off, though. They took the photo with an infrared camera, which you can purchase for as little as $50. The contrast and brightness were bumped up, but the image is otherwise unaltered. As you can see in the video, Windows Hello sees the infrared image it’s expecting, and the computer unlocks. Apple’s Face ID system is a bit different, because it uses a depth-sensing camera to make sure it’s looking at a real face and not a piece of paper.

In recent builds of Windows 10, Microsoft added an anti-spoofing feature that prevents this photo workaround. However, this won’t protect everyone. As SySS GmbH points out, not all users have upgraded the Windows 10 builds consistently, especially in business environments where IT can disable automatic updates. In addition, not all devices support the anti-spoofing feature. Even if you have it turned on, you need to delete and reconfigure your facial recognition models to be protected.

SySS GmbH recommends users make sure their computers are fully updated. The latest Windows 10 builds (1709 and 1703) were able to block the exploit when set up correctly with anti-spoofing. You also need to make sure that’s enabled, and that you’ve re-run the facial recognition setup after turning it on.
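The two conditions above that can be checked by script, the Windows 10 build and the anti-spoofing setting, can be audited across a fleet. The PowerShell below is an added example, not code from SySS GmbH, Microsoft or the original article. It assumes build 15063 corresponds to version 1703 and that the setting is the Group Policy value "Configure enhanced anti-spoofing"; neither detail comes from the article.

```powershell
# Added example: report whether a host meets the scriptable conditions
# the article lists for blocking the printed-photo bypass.
function Test-HelloAntiSpoofing {
    [CmdletBinding()]
    param(
        # Assumption: 15063 is the build number of Windows 10 version 1703,
        # the older of the two versions the article names.
        [int]$MinimumBuild = 15063
    )

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Assumption: registry location written by the Group Policy setting
    # "Configure enhanced anti-spoofing" (Biometrics > Facial Features).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $policy = Get-ItemProperty -Path $policyPath -Name 'EnhancedAntiSpoofing' `
                               -ErrorAction SilentlyContinue

    # A missing value means the policy was never set, which is different
    # from an administrator explicitly turning it off.
    $state = 'NotConfigured'
    if ($null -ne $policy) {
        $state = if ($policy.EnhancedAntiSpoofing -eq 1) { 'Enabled' } else { 'Disabled' }
    }

    $buildOk = $build -ge $MinimumBuild

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $build
        BuildOk      = $buildOk
        AntiSpoofing = $state
        NeedsAction  = (-not $buildOk) -or ($state -ne 'Enabled')
        # Re-enrollment cannot be confirmed from these values; face models
        # set up before anti-spoofing was enabled must be deleted and redone.
        Note         = 'Re-run Windows Hello face setup after enabling anti-spoofing'
    }
}

Test-HelloAntiSpoofing | Format-List
```

A host that reports `NeedsAction = False` still depends on camera hardware that supports anti-spoofing and on users having re-enrolled their faces after the setting was turned on.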

ExtremeTech
