This may be a rude awakening for Windows Hello users: Microsoft's much-vaunted biometric-authentication feature can be fooled by a low-resolution grayscale photo.
Researchers at German penetration-testing firm SySS defeated Windows Hello on various flavors of Windows 10. The guilty image was a 340 x 340 (or sometimes 480 x 480) laser printout of a photo taken at the near-infrared wavelengths (i.e., not quite visible to humans) that Windows Hello and night-vision cameras use.
This method worked against all available builds of Windows 10 on a Dell Latitude E7470 laptop equipped with a LilBit USB camera. But it didn't always work on a Microsoft Surface Pro 4 tablet, which has the advantage of an "enhanced anti-spoofing" Windows Hello option not available on the Dell.
The upshot: If you have a Surface Pro 4 or another Windows device with the appropriate built-in hardware, you should upgrade to Windows 10 versions 1703 or 1709, enable enhanced anti-spoofing, and finally re-enroll all users set up to use facial recognition. (SySS found that simply upgrading a Surface Pro 4 from Windows 10 version 1607 did not fix the problem.)
If you have a Windows Hello-compatible device that can't do enhanced anti-spoofing, like the Dell the researchers used, you're out of luck for the time being.
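One way to audit the mitigation steps above on a fleet, as an added PowerShell example that is not from the article or from SySS: it checks the Windows 10 build against version 1703 (build 15063) and reads the enhanced anti-spoofing Group Policy, and assumes that policy is stored as the DWORD `EnhancedAntiSpoofing` under `HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures`. Re-enrolling users is still a manual step.

```powershell
# Added example (not from the article). Reports whether this machine meets the
# two checkable conditions the article gives: Windows 10 1703+ and the
# "Configure enhanced anti-spoofing" policy set. -Enable writes the policy
# (requires an elevated session). Registry location is an assumption.
function Test-HelloAntiSpoofingPosture {
    [CmdletBinding()]
    param([switch]$Enable)

    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $minBuild = 15063   # Windows 10 version 1703; 1709 is build 16299
    $build = [int](Get-ItemPropertyValue -Path $cv -Name CurrentBuild)
    $releaseId = (Get-ItemProperty -Path $cv -ErrorAction SilentlyContinue).ReleaseId

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    if ($Enable) {
        # Create the key if needed and set the policy to 1 (enabled).
        New-Item -Path $policyPath -Force | Out-Null
        New-ItemProperty -Path $policyPath -Name EnhancedAntiSpoofing `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    $policyValue = $null
    if (Test-Path $policyPath) {
        $policyValue = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).EnhancedAntiSpoofing
    }

    $buildOk  = $build -ge $minBuild
    $policyOk = ($policyValue -eq 1)

    $advice = if (-not $buildOk) {
        'Upgrade to Windows 10 1703 or 1709, enable enhanced anti-spoofing, then re-enroll all face users.'
    } elseif (-not $policyOk) {
        'Enable enhanced anti-spoofing (policy value 1), then re-enroll all face users.'
    } else {
        'Policy set; confirm every face user re-enrolled after the policy was applied.'
    }

    [pscustomobject]@{
        Build                = $build
        ReleaseId            = $releaseId
        BuildAtLeast1703     = $buildOk
        EnhancedAntiSpoofing = $policyValue
        PolicyEnforced       = $policyOk
        Recommendation       = $advice
    }
}

Test-HelloAntiSpoofingPosture | Format-List
```

Run without `-Enable` first to see the current posture; the `Recommendation` field mirrors the article's upgrade, enable, re-enroll order.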
The SySS team posted three videos showing the attack against a Surface Pro 4 tablet. In almost all instances, a freshly printed image of an already enrolled user was enough to unlock the tablet.
The SySS team admitted that the image was "special" in the following ways, none of which are particularly exotic:
- "The image shows a frontal view of the person's face
- The image was taken with a near-infrared camera
- Brightness and contrast of the image were modified via simple image processing methods
- The paper printout was created with a laser printer"
Along with Apple's Face ID, Windows Hello's facial-recognition feature is regarded as one of the best in the business. (Unlike Face ID, Hello also handles iris and fingerprint recognition.) It's a bit disheartening to see it so easily fooled.
Other German researchers, especially Jan "Starbug" Krissler, have fooled several forms of biometric authentication using high-resolution photographs, but it's surprising to see Windows Hello spoofed by such a low-resolution image.
We've reached out to Microsoft seeking comment and will update this story when we receive it.
Image credit: Artem Oleshko/Shutterstock