Windows Hello face authentication can be bypassed with modified IR headshot

Laurent Giret

Windows Hello, like many other facial authentication technologies on the market today, isn’t 100% secure, ZDNet reported yesterday (via The Verge). Indeed, researchers from German company SYSS have managed to spoof the system with a modified IR headshot, though the attempt to unlock a Windows 10 PC didn’t succeed with all versions of the OS.

The researchers tried to bypass Windows Hello facial authentication on two PCs running different versions of Windows 10: a Dell Latitude with a LilBit USB camera (a Windows Hello compatible webcam that doesn’t support the “enhanced anti-spoofing” feature of Windows 10) and a Surface Pro 4 with enhanced anti-spoofing enabled.

As it turned out, the spoofing attack was successful with all versions of Windows 10 on the Dell Latitude PC. On the Surface Pro 4, the default Windows Hello configuration could successfully be bypassed on Windows 10 versions 1607 (Anniversary Update), 1703 (Creators Update) and 1709 (Fall Creators Update), and the spoofing attack also worked on Windows 10 version 1607 with enhanced anti-spoofing enabled. You can see a proof-of-concept video below:

It’s worth repeating that it’s apparently not possible to bypass Windows Hello Face authentication by using a non-modified picture taken by a near-infrared camera. “Depending on the targeted Windows 10 version and the target device hardware configuration, slightly different modifications of the spoofing attack had to be used, for example photos with higher resolution (480×480 pixels instead of 340×340 pixels) or specially colored images,” explained the researchers.

While this spoofing may not be easy for attackers to reproduce, the security company is urging users of the Windows 10 Anniversary Update to update to the latest version of the OS, enable the “enhanced anti-spoofing” feature (if available) and reconfigure Windows Hello Face Authentication from scratch after doing so. “If only the Windows 10 operating system is updated from a vulnerable version like 1607 to the latest revision of 1709 without newly setting up Windows Hello Face Authentication, the simple spoofing attack still works,” explained the researchers.
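The three-step advice above (check the release, enable enhanced anti-spoofing, re-enroll) can be partly scripted for an administrator. The PowerShell below is an added example and is not code from the article, from SySS or from Microsoft. It assumes that the "enhanced anti-spoofing" setting is the Biometrics group policy stored under `HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures` as the DWORD value `EnhancedAntiSpoofing` (1 = enabled), and that `ReleaseId` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` carries the Windows 10 release number (1607, 1703, 1709). Re-enrolling the face itself is a user action in Settings and is not automated here.

```powershell
# Added example: audit and enable the Windows Hello "enhanced anti-spoofing" policy.
# Assumptions (not stated in the article): policy path and value name below,
# ReleaseId format, and that the script runs in an elevated PowerShell session.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$valueName  = 'EnhancedAntiSpoofing'
# Releases the article names in the SySS test.
$testedReleases = @('1607', '1703', '1709')

function Get-Win10ReleaseId {
    # ReleaseId is a string such as '1607', '1703' or '1709' on Windows 10.
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
}

function Get-EnhancedAntiSpoofingState {
    # Returns 1 (enabled), 0 (disabled) or $null (policy not configured).
    if (Test-Path -Path $policyPath) {
        $v = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).$valueName
        if ($null -ne $v) { return [int]$v }
    }
    return $null
}

function Enable-EnhancedAntiSpoofing {
    # Creates the policy key if needed and sets the DWORD to 1.
    if (-not (Test-Path -Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$release = Get-Win10ReleaseId
$state   = Get-EnhancedAntiSpoofingState

Write-Host "Windows 10 release: $release"
switch ($state) {
    1       { Write-Host 'Enhanced anti-spoofing: enabled by policy' }
    0       { Write-Host 'Enhanced anti-spoofing: disabled by policy' }
    default { Write-Host 'Enhanced anti-spoofing: not configured (device default applies)' }
}

if ($release -in $testedReleases) {
    Write-Warning "Release $release is one of the versions covered by the SySS test; install the latest Windows 10 update."
}

if ($state -ne 1) {
    Enable-EnhancedAntiSpoofing
    Write-Host 'Policy set to 1. It only takes effect on cameras that support enhanced anti-spoofing.'
}

# The article's final step cannot be scripted: the user must remove and
# re-enroll Windows Hello face (Settings > Accounts > Sign-in options)
# after updating, otherwise the old enrollment remains spoofable.
Write-Host 'Reminder: remove and re-enroll Windows Hello face after updating.'
```

The policy is only honoured by cameras that implement enhanced anti-spoofing (the article notes the LilBit USB camera does not), so the script reports the policy state rather than claiming the device is protected; the re-enrollment step remains manual.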

The security company first reported the vulnerability to Microsoft back in October, and it plans to publish further test results in Spring 2018. We’ve reached out to Microsoft for comment and we’ll update this post if we hear anything back.