Windows Hello just got fooled by a face photo

By Eric Abent/Dec. 21, 2017 10:58 am EST

As time goes on, biometric authentication is becoming more and more important. We've seen that in the rise of fingerprint scanners and facial recognition software, such as Windows Hello and Face ID on the iPhone X. Just how foolproof are these biometric authentication methods, though? In the case of Windows Hello, it may not be as secure as you thought.

In a post to its Pentest Blog today, SySS GmbH describes a series of tests it recently ran on Windows Hello. The goal of the test was to see just how easy it is to fool Windows Hello through something as innocuous as a photo of the person in question. On certain versions of Windows, the two security researchers from SySS GmbH – Matthias Deeg and Philipp Buchegger – found out that a photo was all that was needed to beat Windows Hello.

The photo doesn't need to be anything special, either. Deeg and Buchegger explain that there are only four features that make the photo they used special. The first is that it shows a frontal view of the person's face, while the second is that it's taken with a near-infrared camera. After the photo was snapped, the two researchers made simple edits to contrast and brightness, and then finally, it was printed out with a laser printer.

The results are fairly concerning. On their first test device, which was a Dell Latitude E7470 with a LilBit USB camera, they were able to beat Windows Hello with a photo printout on all Windows 10 Pro builds they tested. There's more encouraging news, however, in that tests on a Surface Pro 4 weren't always successful.

The major difference here is that the Surface Pro 4 allows users to turn on an enhanced anti-spoofing feature. When that was turned on, tests on the two most recent Windows 10 Pro versions, 1709 and 1703, were unsuccessful, meaning Microsoft has improved security with these updates. In short, if you're using Windows 10 Pro versions 1709 or 1703 and you have the option to turn on enhanced anti-spoofing, you should absolutely do it (though that requires going through the Windows Hello set up process again).

That's part of the issue, though, as only certain hardware configurations support enhanced anti-spoofing. Maybe that will change in the future, but these tests make it clear that enhanced anti-spoofing is the difference maker when it comes to whether or not Windows Hello can be fooled with something as simple as a photo. SySS GmbH says it will have more research to share in the spring, but for now, be sure to give this initial report a read.