Security researchers at a German security firm, SySS, have shown that the Windows Hello facial recognition can be tricked by using specially prepared printouts of photographs. Microsoft added an “enhanced anti-spoofing” mode in the Windows 10 Creators Update earlier this year that properly defeats the attack, but it’s neither enabled by default nor compatible with all Windows Hello hardware.
The obvious question with any facial-recognition-based biometric authentication system is how easily it can be tricked with a photograph. Since it’s easy to take a picture of someone’s face, often without them even knowing, a facial recognition system that can be fooled by a photo isn’t much use. The Windows Hello system has two main parts: the physical hardware, which for Hello is a webcam with infrared illumination and detection, and the software algorithms, which are part of Microsoft’s Biometric Framework. With this design, Microsoft can refine and improve the algorithms, and the improvements should work for any compatible hardware.
Windows Hello’s infrared requirement should protect it from being spoofed by regular photos. So what the researchers from SySS did was use a photo taken with an infrared camera. This photo was then adjusted to change its contrast and brightness and printed at a low resolution on a laser printer. The resulting picture was successful at authenticating a user with Hello on two separate devices: a Surface Pro 4, using its integrated camera, and a laptop, using a discrete LilBit USB camera.
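The mitigation the article points to is the “enhanced anti-spoofing” policy, which is off by default. The following PowerShell script is an added example, not code from the article, SySS, or Microsoft: it reports whether that policy is enabled on a device and, with `-Enforce`, turns it on. It assumes the policy is backed by the registry value `HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing` (DWORD, 1 = enabled), which matches the Group Policy setting “Configure enhanced anti-spoofing”; verify that path against your own policy reference before deploying it. The script cannot tell whether the camera supports the mode, so a device that reports the policy as enabled may still be using hardware the article notes is not compatible.

```powershell
# Added example (not from the article, SySS or Microsoft): audit, and optionally
# enforce, the "Configure enhanced anti-spoofing" policy that hardens Windows Hello
# face sign-in against printed-photo spoofing.
#
# Assumptions (verify against your Group Policy reference):
#   - The policy is backed by the registry value
#     HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing
#     (DWORD, 1 = enabled, 0 = disabled, value absent = not configured).
#   - Camera support for the mode cannot be read from the registry; this script only
#     reports and sets policy state.
#
# Run from an elevated PowerShell session. Without -Enforce the script only reports.

[CmdletBinding()]
param(
    [switch]$Enforce
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$valueName  = 'EnhancedAntiSpoofing'

function Get-EnhancedAntiSpoofingState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'. 'NotConfigured' is the
    # Windows default, which (as the article notes) leaves the protection off.
    if (-not (Test-Path -Path $policyPath)) {
        return 'NotConfigured'
    }
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NotConfigured'
    }
    if ($item.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-EnhancedAntiSpoofing {
    # Creates the policy key if it does not exist and sets the value to 1 (enabled).
    if (-not (Test-Path -Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-EnhancedAntiSpoofingState
Write-Output "Enhanced anti-spoofing policy: $before"

if ($Enforce) {
    if ($before -ne 'Enabled') {
        Set-EnhancedAntiSpoofing
        Write-Output "Policy set. New state: $(Get-EnhancedAntiSpoofingState)"
    } else {
        Write-Output 'Already enabled; nothing to do.'
    }
} elseif ($before -ne 'Enabled') {
    Write-Warning 'Windows Hello face sign-in is not protected by enhanced anti-spoofing on this device. Re-run with -Enforce to set the policy (the camera must support the mode for it to take effect).'
}
```

In a managed fleet the same value is normally delivered through Group Policy or an MDM profile rather than a script; the audit half is still useful as a compliance check, because a device whose policy reads `NotConfigured` is in exactly the state the researchers tested against.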