We’ve seen a few examples of Apple’s Face ID system being tricked, either using a 3D-printed mask or by relatives such as identical siblings and children. But now it’s the turn of Windows Hello, Microsoft’s facial recognition security feature, to be spoofed, albeit using an older version of the operating system.
German security firm SySS found that they could use nothing but a printed headshot to get past Windows Hello authentication. They say any Windows 10 systems that haven’t yet received the recent Fall Creators Update are vulnerable to the attack, and it works against multiple versions of Windows and different types of hardware.
In the videos, we see a researcher setting up Windows Hello Face Authentication on a Surface Pro 4 using Windows 10 version 1607—the Anniversary Update from last year—with the anti-spoofing feature enabled. He then prints out a modified, low-res, laser-printed photograph of himself taken with a near-infrared camera and uses it to unlock the device.
SySS warns that even applying the Fall Creators Update might not be enough to prevent the exploit, as anyone who set up Windows Hello on an older version of the OS will still be vulnerable to the attack. Researchers recommend that anyone using the feature go back and set it up again after updating, while also making sure anti-spoofing is enabled.
Two of the videos show the proof-of-concept attacks, while the third shows how the attack still works after the system is upgraded to version 1709—assuming Windows Hello was in place in a previous version and hasn't yet been reconfigured after the update.
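The researchers' three recommendations (update, enable anti-spoofing, set Windows Hello up again) can be checked on a host with a short script. This is an added example, not code from SySS or Microsoft. It assumes the article's "anti-spoofing" corresponds to the Group Policy setting "Configure enhanced anti-spoofing", and `Test-HelloFacePosture` is a hypothetical helper name.

```powershell
# Added example: audit one host against the recommendations in the article.
# Assumption: "anti-spoofing" maps to the EnhancedAntiSpoofing policy value read below.
function Test-HelloFacePosture {
    param(
        [int]$BuildNumber,                    # 14393 = version 1607, 16299 = version 1709
        [Nullable[int]]$EnhancedAntiSpoofing  # policy DWORD; $null when not configured
    )
    $findings = @()
    if ($BuildNumber -lt 16299) {
        $findings += "Build $BuildNumber predates version 1709 (build 16299): install the Fall Creators Update."
    }
    if ($EnhancedAntiSpoofing -ne 1) {
        $findings += 'Enhanced anti-spoofing is not enforced by policy: enable it.'
    }
    # This script cannot tell when the face was enrolled, so re-enrollment
    # is always reported as a manual step, even on an updated build.
    $findings += 'Confirm Windows Hello face was set up again after the update; remove and re-enroll if unsure.'
    $findings
}

# Read the live values from the local registry.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$policy = Get-ItemProperty -Path $policyPath -Name EnhancedAntiSpoofing -ErrorAction SilentlyContinue
$value = if ($policy) { [int]$policy.EnhancedAntiSpoofing } else { $null }

Test-HelloFacePosture -BuildNumber ([int]$cv.CurrentBuildNumber) -EnhancedAntiSpoofing $value |
    ForEach-Object { Write-Output "[!] $_" }
```

On an updated host with the policy enforced, only the re-enrollment reminder is printed, which matches the warning that updating alone does not protect an enrollment made on an older version.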