Windows Hello, Goodbye: Low-Res Photo Fools Microsoft Facial Recognition
This may be a rude awakening for Windows Hello users: Microsoft's much-vaunted biometric-authentication feature can be fooled by a low-resolution grayscale photo.
Researchers at German penetration-testing firm SySS defeated Windows Hello on various flavors of Windows 10. The guilty image was a 340 x 340 (or sometimes 480 x 480) laser printout of a photo taken at the near-infrared wavelengths (i.e., not quite visible to humans) that Windows Hello and night-vision cameras use.
This method worked against all available builds of Windows 10 on a Dell Latitude E7470 laptop equipped with a LilBit USB camera. But it didn't always work on a Microsoft Surface Pro 4 tablet, which has the advantage of an "enhanced anti-spoofing" Windows Hello option not available on the Dell.
The upshot: If you have a Surface Pro 4 or another Windows device with the appropriate built-in hardware, you should upgrade to Windows 10 versions 1703 or 1709, enable enhanced anti-spoofing, and finally re-enroll all users set up to use facial recognition. (SySS found that simply upgrading a Surface Pro 4 from Windows 10 version 1607 did not fix the problem.)
If you have a Windows Hello-compatible device that can't do enhanced anti-spoofing, like the Dell the researchers used, you're out of luck for the time being.
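The version and anti-spoofing steps above can be checked from PowerShell; the following is an added example, not code from SySS, Microsoft or the original article. It assumes that build 15063 corresponds to version 1703 and that enhanced anti-spoofing is configured through the `EnhancedAntiSpoofing` policy value under the Biometrics\FacialFeatures policy key (neither detail is stated in the article), and the function name is hypothetical.

```powershell
# Added example: audit a Windows 10 machine against the mitigation steps
# in the article (upgrade, enable enhanced anti-spoofing, re-enroll).
# Assumptions not taken from the article: the build-number mapping and the
# policy registry location used below.

function Test-HelloFaceMitigation {
    param(
        [int]$Build,                  # Windows 10 build number
        [Nullable[int]]$PolicyValue   # EnhancedAntiSpoofing DWORD, $null if unset
    )
    $findings = @()

    # 14393 = version 1607, 15063 = version 1703, 16299 = version 1709
    if ($Build -lt 15063) {
        $findings += "Build $Build predates version 1703: upgrade to 1703 or 1709."
    }

    # The policy counts as enabled only when the value is exactly 1
    if ($PolicyValue -ne 1) {
        $findings += "Enhanced anti-spoofing policy is not enabled."
    }

    # Re-enrollment cannot be confirmed from configuration, and SySS found that
    # upgrading alone did not fix the problem, so it is always reported.
    $findings += "Manual step: re-enroll every face after upgrading and enabling the policy."

    return $findings
}

# Read the local machine's build number and policy value
$build = [System.Environment]::OSVersion.Version.Build
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$policy = (Get-ItemProperty -Path $key -Name EnhancedAntiSpoofing `
            -ErrorAction SilentlyContinue).EnhancedAntiSpoofing

Test-HelloFaceMitigation -Build $build -PolicyValue $policy

# Constructed input: a version 1607 machine with no policy set yields all three findings
Test-HelloFaceMitigation -Build 14393 -PolicyValue $null
```

The script cannot tell whether the camera hardware supports enhanced anti-spoofing, so a clean result on a device like the Dell used by the researchers does not mean the device is protected.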
The SySS team posted three videos showing the attack against a Surface Pro 4 tablet. In almost all instances, a freshly printed image of an already enrolled user was enough to unlock the tablet.
The SySS team admitted that the image was "special" in the following ways, none of which are particularly exotic:
- "The image shows a frontal view of the person's face
- The image was taken with a near-infrared camera
- Brightness and contrast of the image were modified via simple image processing methods
- The paper printout was created with a laser printer"
Along with Apple's Face ID, Windows Hello's facial-recognition feature is regarded as one of the best in the business. (Unlike Face ID, Hello also handles iris and fingerprint recognition.) It's a bit disheartening to see it so easily fooled.
Other German researchers, especially Jan "Starbug" Krissler, have fooled several forms of biometric authentication using high-resolution photographs, but it's surprising to see Windows Hello spoofed by such a low-resolution image.
We've reached out to Microsoft seeking comment and will update this story when we receive it.
Image credit: Artem Oleshko/Shutterstock