Cybersecurity experts at the German IT company SySS GmbH successfully bypassed the Windows 10 OS facial recognition system simply by using a printed photo of the user’s face.
The researchers fooled the Windows Hello password-free sign-in feature on both a Microsoft laptop and a Dell laptop running different versions of the Windows 10 operating system.
Deceiving the Windows 10 facial recognition software didn't take much effort. Cybercriminals just need access to a suitable photo of the victim's face in order to bypass the security system and get access to the PC.
Windows Hello uses an infrared camera to recognize the unique shape and contours of the user's face before granting or denying access to a Windows account. However, the detected security flaw stems from an insecure implementation of biometric face recognition in some Windows 10 versions.
But not all Windows versions are vulnerable. In 2016, Microsoft created a new feature called Enhanced Anti-Spoofing to limit this type of picture trickery. Even with this feature activated in the Windows settings, the experts found a way to bypass the facial recognition system on older Windows versions. The newer Windows versions (1703 and 1709), however, are not vulnerable to the simplest spoofing attacks (using a printed photograph) if Enhanced Anti-Spoofing is enabled.
Security experts recommend updating Windows 10 to version 1709, enabling the anti-spoofing feature, and then having Windows Hello reanalyze your face.
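The following PowerShell check is an added example, not code from the article or from SySS; it audits a machine against the recommendations above. The function name `Get-HelloFaceFindings` is hypothetical, and the script assumes the "Configure enhanced anti-spoofing" Group Policy is stored as the DWORD `EnhancedAntiSpoofing` under the policy key shown, so a setting applied by other means is not detected.

```powershell
# Added example: audit a host against the recommendations in the article.
# Build numbers: Windows 10 1703 = 15063, 1709 = 16299.
# Assumption: the "Configure enhanced anti-spoofing" Group Policy is stored as
# DWORD EnhancedAntiSpoofing under the key below (1 = enabled).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-HelloFaceFindings {
    param(
        [Parameter(Mandatory)] [int] $Build,
        $AntiSpoofValue   # $null when the policy value is absent
    )
    $findings = @()

    # OS version: the article names 1703 and 1709 as the hardened releases
    # and recommends 1709.
    if ($Build -lt 15063) {
        $findings += "Build $Build predates 1703: update to 1709 (build 16299)."
    } elseif ($Build -lt 16299) {
        $findings += "Build $Build is 1703: the article recommends updating to 1709."
    }

    # Policy state: absent and disabled are reported separately.
    if ($null -eq $AntiSpoofValue) {
        $findings += 'EnhancedAntiSpoofing policy value is not set.'
    } elseif ($AntiSpoofValue -ne 1) {
        $findings += "EnhancedAntiSpoofing is $AntiSpoofValue, expected 1."
    }

    # Re-enrollment cannot be verified from the registry, so always remind.
    $findings += 'Re-enroll the face in Windows Hello after changing either setting.'
    $findings
}

# Read the live values from this machine; a missing key or value yields $null.
$build  = [int](Get-ItemProperty -Path $VersionKey).CurrentBuildNumber
$policy = Get-ItemProperty -Path $PolicyKey -Name EnhancedAntiSpoofing `
              -ErrorAction SilentlyContinue
$value  = if ($policy) { $policy.EnhancedAntiSpoofing } else { $null }

Get-HelloFaceFindings -Build $build -AntiSpoofValue $value
```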
Infrared facial recognition in consumer applications is still relatively new, so security flaws should be expected.