Windows 10's face authentication defeated with a picture


Users will have to meet a minimum requirement of 7th Gen Intel Core processor or higher, Intel HD graphics with up-to-date drivers or Nvidia GeForce GTX 1050 and higher, and Windows must be updated with the Fall Creators update.

Hackers can get past the Windows Hello face recognition on old Windows 10 by using a printed photograph, a German security outfit has discovered.

So, in order to address the issues in security updates, Microsoft and Adobe has issued quick fixes for a number of Windows applications. The researchers tested the trick against several products, including a Dell Latitude laptop with a USB webcam and Microsoft's own Surface Pro 4.

"Microsoft added the necessary OS and browser changes in their Windows 10 Fall Creators Update and our engineers integrated against those APIs to complete the video player work".

More news: YouTube seals deal with top music label amid streaming moves
More news: US Blames North Korea for WannaCry Ransomware Attack
More news: Xiaomi might skip the Redmi Note 5

Even those running the latest Fall Creators Update could potentially be victims here. It is unclear why Microsoft is using an older version when the latest version, 7.57.0 has been out for nearly three weeks, and preceding version, 7.56.1, has been out for nearly two months. Windows Hello must also be entirely reconfigured to prevent a successful attack, so facial recognition should be manually disabled and then turned back on.

According to a few proof of concept videos released by the security researchers (see the first clip below), Windows Hello can be spoofed with a relatively low resolution laser-printed photo of the user taken with a near IR (infrared) camera, although the image must be slightly modified. However, anti-spoofing proved ineffective with the Anniversary Update in SYSS' testing.

The good news is that the latest versions of Windows 10 have fixed the flaw. However, the discovery's still a significant weakness for Windows Hello, described by Microsoft as the "most secure way" to unlock Windows 10. If a user were to update from an older version like 1607 without reconfiguring Hello, then they will still be vulnerable to the attack. Here's what the company will highlight at RSA next week.