Fooling Windows 10 facial authentication with a photo

Graham CLULEY

December 21, 2017

Maybe you’re one of those people who care enough about the security and privacy of your computer that you enable the facial recognition feature built into versions of Windows 10, but find it too much of a pain to set up a password.

If so, you’re potentially at risk of having your computer unlocked by an attacker holding a modified low resolution laser-printed photograph of you in front of your webcam.

As described on the Full Disclosure mailing list, a team of German penetration testers discovered it was all too easy to trick a locked Windows 10 system into letting them log in using a “modified printed photo of an authorised user.”

Windows Hello is a feature currently only shipping in Windows 10, allowing PCs with the necessary hardware to use special imaging techniques to let you sign in with just a look.

The researchers tested the spoofing attack against a Dell Latitude E7470 laptop running Windows 10 Pro (Version 1703) with a Windows Hello compatible webcam, and against a Microsoft Surface Pro 4 device running Windows 10 Pro (Version 1607) with a built-in camera.

The results were disappointing for those who care about security:

The default Windows Hello configuration could successfully be bypassed on both test devices with all tested Windows 10 versions. The more secure configuration with enabled “enhanced anti-spoofing” feature could only successfully be bypassed on the Windows 10 branches 1511 and 1607.

You can see the attack in action in the following YouTube video:

In October, Microsoft rolled out Windows Creator updates to address the vulnerabilities discovered by the researchers, but users are recommended to enable the “enhanced anti-spoofing” feature of Windows Hello, and to set up Windows Hello Face Authentication from scratch again to ensure that it can repel any unauthorised users.
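
To check a machine against the findings and the mitigation described above, the following PowerShell audit is an added example, not code from the article or the researchers. The function name `Get-HelloFacePosture` is hypothetical. The script assumes that enhanced anti-spoofing is managed through the “Configure enhanced anti-spoofing” Group Policy setting (registry value `EnhancedAntiSpoofing`), and that builds 10586, 14393 and 15063 correspond to versions 1511, 1607 and 1703.

```powershell
# Added example (not from the article). Build numbers for the Windows 10
# versions the article names: 1511, 1607 and 1703.
$BuildToVersion = @{ 10586 = '1511'; 14393 = '1607'; 15063 = '1703' }
# Branches where the researchers bypassed even "enhanced anti-spoofing".
$EnhancedBypassed = @(10586, 14393)

function Get-HelloFacePosture {
    param(
        [Parameter(Mandatory)][int]$Build,
        [object]$PolicyValue      # $null when the policy is not configured
    )
    $enhanced = ($null -ne $PolicyValue) -and ([int]$PolicyValue -eq 1)
    $version  = if ($BuildToVersion.ContainsKey($Build)) { $BuildToVersion[$Build] } else { 'not named in the article' }

    if (-not $enhanced) {
        $finding = 'Enhanced anti-spoofing is off: default configuration, bypassed on every tested version.'
    } elseif ($EnhancedBypassed -contains $Build) {
        $finding = 'Enhanced anti-spoofing is on, but this branch was still bypassed: update Windows.'
    } else {
        $finding = 'Enhanced anti-spoofing is on and this branch is not one reported as bypassed.'
    }
    [pscustomobject]@{
        Build = $Build; Version = $version; EnhancedAntiSpoofing = $enhanced
        Finding = $finding
        Reminder = 'Set up Windows Hello face authentication from scratch after any change.'
    }
}

# Read the local state. Assumption: the setting is managed by the
# "Configure enhanced anti-spoofing" policy, stored under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$policy = (Get-ItemProperty -Path $policyKey -Name EnhancedAntiSpoofing -ErrorAction SilentlyContinue).EnhancedAntiSpoofing
$build  = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

Get-HelloFacePosture -Build $build -PolicyValue $policy | Format-List
```

The script cannot tell whether face enrolment was redone after the setting changed, so that step still has to be confirmed on the device itself.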

Facial authentication has once again proven itself not as reliable as we might hope, and my advice for enterprises in particular is not to rely upon it for security.

What’s so wrong with a strong, unique, hard-to-crack password? Unlocking your computer with a smile might save you four seconds, but you might be in danger of losing a lot more by relying solely on your face for security.
