Windows 10 Hello Face Authentication Defeated With A Simple Photo Printout

surface pro 3
If you're running an older version of Windows 10, and make heavy use of Windows Hello to login to your PC, you might want to consider moving to the latest build. Researchers from German security firm SYSS have discovered that the Windows Hello biometric authentication system can be defeated using a printed-out picture.

We should mention that while the is a serious security breach, it requires a bit of work to successfully accomplish. A close-up, high-resolution image of the target's face must first be captured with a near-infrared camera (that's the first hurdle). The captured image then forms the basis for tricking the near-infrared cameras that are embedded in modern notebooks to support Windows Hello. You will then need direct physical access to the computer in question (which represents the second hurdle).

The SYSS researchers found that with a Microsoft Surface Pro 4 convertible running the Windows 10 Anniversary Update (which was released during the summer of 2016), they were able to unlock it with the printed-out picture. To help protect against such attacks, Microsoft has an anti-spoofing option that can be enabled for additional protection. However, anti-spoofing proved ineffective with the Anniversary Update in SYSS' testing.

Microsoft beefed up its anti-spoofing technology with the follow-up Windows 10 Creators Update and Fall Creators Update releases in 2017. With the feature enabled, the researchers were unable to break through. However, with the feature disabled, they were able to once again fool Windows Hello.

While it's definitely good news to hear that the Creators Update and Fall Creators Update have hardened defenses against spoofing, we must point out that the majority of the notebooks that are shipping these days with Windows Hello cameras don't actually support anti-spoofing.

It should be noted that even if you have a system with a Windows Hello camera, have anti-spoofing enabled, and have upgraded to the Fall Creators Update, you still aren't guaranteed to be fully protected from the spoofing attack. After upgrading to the Fall Creators Update, users will need to go back and re-setup Windows Hello face authentication and re-enable anti-spoofing. 

While SYSS's spoof might be a bit challenging to successfully pull off, it's child's play compared to the efforts that must be undertaken to spoof the iPhone X's Face ID system.