Windows 10 Hello Face Authentication Defeated With A Simple Photo Printout

If you're running an older version of Windows 10 and make heavy use of Windows Hello to log in to your PC, you might want to consider moving to the latest build. Researchers from German security firm SYSS have discovered that the Windows Hello biometric authentication system can be defeated using a printed-out picture.

We should mention that while this is a serious security breach, it requires a bit of work to successfully accomplish. A close-up, high-resolution image of the target's face must first be captured with a near-infrared camera (that's the first hurdle). The captured image then forms the basis for tricking the near-infrared cameras that are embedded in modern notebooks to support Windows Hello. You will then need direct physical access to the computer in question (which represents the second hurdle).

The SYSS researchers found that with a Microsoft Surface Pro 4 convertible running the Windows 10 Anniversary Update (which was released during the summer of 2016), they were able to unlock it with the printed-out picture. To help protect against such attacks, Microsoft has an anti-spoofing option that can be enabled for additional protection. However, anti-spoofing proved ineffective with the Anniversary Update in SYSS' testing.

Microsoft beefed up its anti-spoofing technology with the follow-up Windows 10 Creators Update and Fall Creators Update releases in 2017. With the feature enabled, the researchers were unable to break through. However, with the feature disabled, they were able to once again fool Windows Hello.

While it's definitely good news to hear that the Creators Update and Fall Creators Update have hardened defenses against spoofing, we must point out that the majority of the notebooks that are shipping these days with Windows Hello cameras don't actually support anti-spoofing.

It should be noted that even if you have a system with a Windows Hello camera, have anti-spoofing enabled, and have upgraded to the Fall Creators Update, you still aren't guaranteed to be fully protected from the spoofing attack. After upgrading to the Fall Creators Update, users will need to go back, set up Windows Hello face authentication again, and re-enable anti-spoofing.
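For administrators who want to check where a machine stands against the conditions described above, here is an added PowerShell audit sketch; it is not code from the article or from the researchers. The build number threshold (15063 for the Creators Update) and the `EnhancedAntiSpoofing` Group Policy registry value are assumptions drawn from general Windows 10 knowledge, not from this page.

```powershell
# Added audit sketch; not code from the article or from the researchers.
# Assumptions (not on the page): build 15063 = Creators Update, and the
# Group Policy registry value EnhancedAntiSpoofing under FacialFeatures.
function Test-HelloFaceSpoofPosture {
    [CmdletBinding()]
    param(
        [string]$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
        [string]$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    )

    # CurrentBuildNumber is stored as a string, e.g. "14393" for the Anniversary Update.
    $build = [int](Get-ItemProperty -Path $VersionKey).CurrentBuildNumber

    # A missing key or value means the policy is "not configured".
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'EnhancedAntiSpoofing' `
                               -ErrorAction SilentlyContinue
    $enforced = ($null -ne $policy) -and ($policy.EnhancedAntiSpoofing -eq 1)

    $findings = @()
    if ($build -lt 15063) {
        $findings += "Build $build predates the Creators Update; anti-spoofing proved ineffective on the Anniversary Update."
    }
    if (-not $enforced) {
        $findings += 'Enhanced anti-spoofing is not enforced by policy; the printout worked with the feature disabled.'
    }
    # Enrollment age cannot be read from these keys, so it is always flagged.
    $findings += 'Confirm Hello face enrollment was redone after the last feature update.'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Build                = $build
        AntiSpoofingEnforced = $enforced
        Findings             = $findings
    }
}

Test-HelloFaceSpoofPosture | Format-List
```

The policy value only shows whether anti-spoofing is enforced through Group Policy; per Microsoft's description of that policy, enforcing it turns off Hello face sign-in on cameras that lack enhanced anti-spoofing support.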

While SYSS's spoof might be a bit challenging to successfully pull off, it's child's play compared to the efforts that must be undertaken to spoof the iPhone X's Face ID system.

Brandon Hill


Opinions and content posted by HotHardware contributors are their own.