Windows Hello face authentication can be bypassed with modified IR headshot


Published on December 21, 2017


Windows Hello, like many other facial authentication technologies on the market today, isn’t 100% secure, ZDNet reported yesterday (via The Verge). Indeed, researchers from German company SySS have managed to spoof the system with a modified IR headshot, though the attempt to unlock a Windows 10 PC didn’t succeed with all versions of the OS.

The researchers tried to bypass Windows Hello facial authentication on two PCs running different versions of Windows 10: a Dell Latitude with a LilBit USB camera (a Windows Hello compatible webcam that doesn’t support the “enhanced anti-spoofing” feature of Windows 10) and a Surface Pro 4 with enhanced anti-spoofing enabled.

As it turned out, the spoofing attack was successful with all versions of Windows 10 on the Dell Latitude PC. On the Surface Pro 4, the default Windows Hello configuration could be bypassed on Windows 10 versions 1607 (Anniversary Update), 1703 (Creators Update) and 1709 (Fall Creators Update), and the spoofing attack also worked on Windows 10 version 1607 with enhanced anti-spoofing enabled. You can see a proof-of-concept video below:

It’s worth repeating that it’s apparently not possible to bypass Windows Hello Face authentication by using a non-modified picture taken by a near-infrared camera. “Depending on the targeted Windows 10 version and the target device hardware configuration, slightly different modifications of the spoofing attack had to be used, for example photos with higher resolution (480×480 pixels instead of 340×340 pixels) or specially colored images,” explained the researchers.

While this spoofing attack may not be easy for attackers to reproduce, the security company is urging users of the Windows 10 Anniversary Update to update to the latest version of the OS, enable the “enhanced anti-spoofing” feature (if available) and reconfigure Windows Hello Face Authentication from scratch afterwards. “If only the Windows 10 operating system is updated from a vulnerable version like 1607 to the latest revision of 1709 without newly setting up Windows Hello Face Authentication, the simple spoofing attack still works,” explained the researchers.
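To check a machine against that advice, the following added example (not code from SySS, Microsoft or this article) reads the Windows 10 version and the enhanced anti-spoofing policy and lists what still needs attention. The function name is hypothetical, and the script assumes the setting is managed through the "Configure enhanced anti-spoofing" Group Policy value and that the version is exposed as `ReleaseId`.

```powershell
# Added example, not SySS or Microsoft code. Checks the local machine against the
# conditions reported in the article: OS version and enhanced anti-spoofing policy.
function Get-HelloFaceExposure {
    param(
        # Windows 10 version string such as 1607, 1703 or 1709
        [string]$ReleaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId,
        # Policy value behind "Configure enhanced anti-spoofing"; $null = not configured
        $AntiSpoofPolicy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' -ErrorAction SilentlyContinue).EnhancedAntiSpoofing
    )

    $tested   = '1607', '1703', '1709'      # versions named in the article
    $enforced = ($AntiSpoofPolicy -eq 1)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($ReleaseId -eq '1607') {
        $findings.Add('Version 1607: spoofable even with enhanced anti-spoofing enabled. Update the OS.')
    }
    if (-not $enforced -and $ReleaseId -in $tested) {
        $findings.Add("Version ${ReleaseId}: default configuration was bypassed. Enable enhanced anti-spoofing.")
    }
    if ($ReleaseId -notin $tested) {
        $findings.Add("Version '$ReleaseId' is outside the versions covered by the reported tests.")
    }
    # Neither item below can be read from the registry values above, so always remind.
    $findings.Add('Camera must support enhanced anti-spoofing; hardware without it was spoofable on every tested version.')
    $findings.Add('Re-enroll Windows Hello face after updating; an enrollment made on a vulnerable version stays spoofable.')

    [pscustomobject]@{
        ReleaseId               = $ReleaseId
        EnhancedAntiSpoofingSet = $enforced
        Findings                = $findings.ToArray()
    }
}

# Local machine:
Get-HelloFaceExposure | Format-List
# Constructed input, the upgraded-but-unconfigured case from the article:
(Get-HelloFaceExposure -ReleaseId '1709' -AntiSpoofPolicy $null).Findings
```

The script cannot tell when the face enrollment was created, so the re-enrollment reminder is always reported.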

The security company first reported the vulnerability to Microsoft back in October, and it plans to publish further test results in Spring 2018. We’ve reached out to Microsoft for comment and we’ll update this post if we hear anything back.

Radu Tyrsina
