Windows Hello spoofing with near-IR photo
German security company SySS was able to bypass Microsoft’s “Windows Hello” face authentication system with a modified near-infrared photo of an authorized user.
Windows Hello Face Authentication
Windows Hello is a biometric authentication mechanism that supports face, iris, and fingerprint authentication. Microsoft describes it as an “enterprise-grade” authentication method:
Microsoft face authentication in Windows 10 is an enterprise-grade identity verification mechanism that's integrated into the Windows Biometric Framework (WBF) as a core Microsoft Windows component called Windows Hello. Windows Hello face authentication utilizes a camera specially configured for near infrared (IR) imaging to authenticate and unlock Windows devices as well as unlock your Microsoft Passport.
Microsoft has been emphasizing the face authentication feature more than the rest lately, including on its Surface Pro 4 machine, presumably because it’s slightly more convenient to users than using fingerprint authentication.
However, as the track record so far shows, virtually every face authentication system is eventually spoofed by researchers or malicious hackers, either with a plain photo or with one modified to fool the more advanced sensors. Even Apple’s new Face ID, which for now likely remains the most advanced face authentication system, can be spoofed with 3D masks or bypassed by people who look similar to the enrolled user.
How Windows Hello Spoofing Works
Windows Hello authenticates from a near-infrared image, so the attacker needs a near-IR photo of the targeted user, taken with an IR-sensitive camera. The researchers modified such a photo, printed it, and held it in front of the device’s camera to log in to or unlock a locked Windows 10 device. Note that an ordinary visible-light photo, such as one downloaded from the target’s Facebook page, is not by itself a near-IR image; the attacker needs an IR capture of the face. In the future, Hello will also support a web authentication mechanism in which the local biometric check unlocks a device-bound private key (public-key cryptography), and the website verifies a signature from that key rather than the biometric itself. An attacker who can spoof the local sensor could therefore unlock that key and sign in to the user’s online accounts, too.
Since the researchers reported the vulnerability to Microsoft in October this year, Microsoft has hardened Hello’s face authentication with an “enhanced anti-spoofing” feature, available in Windows 10 versions 1703 and 1709.
However, users upgrading from earlier Windows 10 versions must enable the feature and then delete and re-enroll their face data; a face enrollment created before the feature was active remains vulnerable to this type of attack. Enhanced anti-spoofing also requires a compatible IR camera that supports it, so on hardware without such a camera the setting provides no protection.
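The following PowerShell script is an added example for administrators, not code from the article or from SySS or Microsoft. It audits and, with the -Enable switch, turns on the “Configure enhanced anti-spoofing” Group Policy, which is stored as the DWORD value EnhancedAntiSpoofing under HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures (the policy’s registry location from Microsoft’s Group Policy definitions; the article itself does not name it). The function name, the -Enable switch and the build-number cutoff are this example’s own choices; the re-enrollment step is the one the article describes and still has to be done by the user in Settings.

```powershell
# Added example: audit and enable Windows Hello "enhanced anti-spoofing".
# Policy path: Computer Configuration > Administrative Templates >
#   Windows Components > Biometrics > Facial Features >
#   "Configure enhanced anti-spoofing"
# Registry backing for that policy (not mentioned in the article):
#   HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing = 1
#Requires -RunAsAdministrator

function Test-HelloAntiSpoofing {
    [CmdletBinding()]
    param(
        # Set the policy if it is missing or disabled (example's own switch).
        [switch]$Enable
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $valueName = 'EnhancedAntiSpoofing'

    # Enhanced anti-spoofing shipped with Windows 10 1703 (build 15063);
    # 1709 is build 16299. Older builds cannot be protected by this setting.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -lt 15063) {
        Write-Warning "Build $build predates Windows 10 1703; enhanced anti-spoofing is not available. Upgrade first."
        return $false
    }

    $current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 1) {
        Write-Host "Enhanced anti-spoofing policy is already enabled (build $build)."
        return $true
    }

    Write-Warning "Enhanced anti-spoofing policy is NOT enabled; a near-IR photo of an enrolled user may unlock this device."
    if (-not $Enable) { return $false }

    # Create the policy key if no biometric policy has ever been applied.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value 1 -Type DWord

    # The stricter model only applies to a fresh enrollment on a camera that
    # supports it, so existing face data must be removed and re-enrolled:
    # Settings > Accounts > Sign-in options > Windows Hello Face > Remove, then Set up.
    Write-Host "Policy set. Remove the existing face enrollment and re-enroll on a supported IR camera for the protection to take effect."
    return $true
}

# Usage: run as administrator. Without -Enable the function only reports.
Test-HelloAntiSpoofing -Enable
```

Run it without -Enable first to see whether a fleet of machines is still exposed; the function returns $true only when the policy is already in place or has just been written, which makes it easy to roll into an inventory script. The script cannot tell whether the installed camera supports the feature, so the output should be paired with a hardware check against the vendor’s documentation.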