“You are the password,” is the catchy marketing slogan Microsoft used to launch its Windows 10 Hello face authentication system in 2015.
Except, according to researchers at German company SySS, a more accurate description might be: “you are the password – and so is a photograph of you.”
As incredible as it sounds, the team found it could bypass Hello on multiple versions of Windows 10 simply by presenting a printed infrared (IR) photo of the system’s owner.
In the proof-of-concept demo, this was printed at 340 x 340 on a colour laser printer after adjusting the brightness and contrast, and simply held up to a Dell Latitude with a LilBit USB near-IR camera connected to it.
That’s the simple part of this vulnerability, because the degree to which a specific Windows PC is susceptible will depend on an interaction of three variables:
- The version of Windows 10 being used
- If Hello’s enhanced anti-spoofing is turned on
- Whether the IR camera supports enhanced anti-spoofing
The researchers also had to tweak the image, using colour or a higher resolution depending on the configuration they tried it against.
The attack reportedly works against all versions of Windows that don’t have Hello’s enhanced anti-spoofing technology turned on (turning this on, which must be done manually, only works if the IR camera supports it).
In other words, spoof-proofing your PC against photographs means using the most recent version of Windows 10 (1709 or at least 1703 from April), having a PC or camera whose hardware supports enhanced anti-spoofing, and making sure this is enabled and has been reset after its most recent upgrade.
One system that meets those requirements is Microsoft’s own Surface Pro 4 laptop… as long as it’s running the Windows 10 Fall Creators Update (1709) and the user has re-enrolled on Windows Hello.
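For administrators who want to check the three conditions above on a fleet of Windows 10 PCs, here is an added PowerShell audit script. It is not from the article, SySS or Microsoft. It assumes (not stated in the article) that build 15063 corresponds to 1703 and 16299 to 1709, and that the “Configure enhanced anti-spoofing” Group Policy is recorded under HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures as the DWORD EnhancedAntiSpoofing; whether the attached IR camera actually supports enhanced anti-spoofing cannot be read reliably from software, so the script only lists the cameras for a manual check against vendor documentation, and the face re-enrolment step still has to be confirmed with the user.

```powershell
# Added example (not from the article, SySS or Microsoft): audit the
# conditions the article lists for resisting the printed-IR-photo spoof.
# Assumptions: build 15063 = Windows 10 1703, build 16299 = 1709, and the
# "Configure enhanced anti-spoofing" policy is stored at the registry path
# below. Verify both against your own ADMX templates before relying on them.

function Get-HelloSpoofPosture {
    [CmdletBinding()]
    param()

    # 1. Windows 10 version: the article recommends 1709, with 1703 as the floor.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $buildIs1709OrLater = $build -ge 16299
    $buildIs1703OrLater = $build -ge 15063

    # 2. Enhanced anti-spoofing policy (assumed registry location, see above).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $policy = Get-ItemProperty -Path $policyPath -Name 'EnhancedAntiSpoofing' -ErrorAction SilentlyContinue
    $antiSpoofOn = ($null -ne $policy) -and ($policy.EnhancedAntiSpoofing -eq 1)

    # 3. Cameras present: listed so the administrator can confirm enhanced
    #    anti-spoofing support with the vendor; it cannot be inferred here.
    $cameras = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Class -in 'Camera', 'Image' } |
        Select-Object -ExpandProperty FriendlyName

    if ($buildIs1709OrLater -and $antiSpoofOn) {
        $verdict = 'Policy OK: confirm camera supports enhanced anti-spoofing and that the user re-enrolled after upgrading'
    }
    elseif ($buildIs1703OrLater -and $antiSpoofOn) {
        $verdict = 'Minimum build: upgrade to 1709 and re-enrol the face'
    }
    else {
        $verdict = 'Exposed: enhanced anti-spoofing not enforced, printed-photo spoof per SySS applies'
    }

    [pscustomobject]@{
        Build                = $build
        BuildIs1709OrLater   = $buildIs1709OrLater
        BuildIs1703OrLater   = $buildIs1703OrLater
        EnhancedAntiSpoofing = $antiSpoofOn
        Cameras              = $cameras
        Verdict              = $verdict
    }
}

Get-HelloSpoofPosture | Format-List
```

Run it in an elevated prompt on each machine (or via your endpoint management tool); the Verdict line is the only field that needs reading, and a result of “Exposed” on a machine that uses Hello face sign-in is the case the article describes.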
A bit more detail can be found in the advisory, although how the end user works out whether their camera is compatible with enhanced anti-spoofing isn’t clear, because SySS didn’t test them all.
In truth, the vulnerability here is probably small under real-world conditions because it still requires a frontal shot of the computer user’s face. What it serves as is a useful reminder not to take a biometric security system’s claims as read.
At least Microsoft isn’t the only big name struggling with the whys and wherefores of facial authentication, as Apple found out in November when another pen-testing company managed to fool the iPhone X’s Face ID with a painted mask.
I expect that facial biometrics will one day be a very secure and reliable way to authenticate yourself. Right now it seems that mainstream deployments like Hello and Face ID are driving increased scrutiny and software companies are still ironing out the kinks and discovering edge cases.
If your face really is your password then, like any password, it’s better as one part of a two-factor authentication.
Kenneth T.
I’ll take my chances (at least for the time being) with my password/phrase.
Windows 10 is still a big “turn-off” for me.
Anonymous
Even if the camera does support enhanced anti-spoofing, could you just plug a cheaper camera that doesn’t into a USB port and use that?
Anonymous
no – you need to set up what source is trusted on the machine, so if you can add another camera, you already have access to the machine.
Laurence Marks
After all the other facial recognition photo-bypasses that have been reported, it is astounding that Microsoft didn’t do this simple testing prior to release.
Velan
I still will not use my face as a password; better to use something else as two-factor authentication. Technology is still not strong enough to detect spoofing.
Greybeard
“As incredible as it sounds”? Hardly. What security maven didn’t predict this the instant the feature was announced? Sheesh.
James
If the authentication system gets compromised, how do I revoke my face?
Paul Ducklin
There was a Cage/Travolta movie from the late 1990s that presented one possible solution.
Andrew
Your face is not your password. It’s your user ID.
Brenda-Lee
What if I die? My computer is worthless ??? 🤔