Windows 10 facial unlocking can be tricked with a photograph, according to security experts
Windows Hello, the system that allows you to log in to Windows 10 by means of a fingerprint or facial recognition, can be deceived with a printed photograph, as demonstrated by Matthias Deeg and Philipp Buchegger, computer security experts from the German company SySS GmbH. The researchers have published three videos in which they test several computers running different versions of the latest Microsoft operating system.
According to their research, Windows 10 Anniversary Update is vulnerable to a spoofing attack using a printed photo, with certain very specific characteristics, of an authorized person. Systems with the Creators Update, launched in the first half of this year, and the Fall Creators Update, released about two months ago, are however immune to these methods if the computer supports the anti-spoofing feature and it is enabled.
“You only need a special printout”
“An attacker,” they say, “just needs a special printout.” A photograph capable of circumventing Windows Hello must show a frontal view of the face of an authorized person, be taken with a near-infrared camera, have specially adjusted brightness and contrast, and be printed on a laser printer.
It is not easy, although not impossible either: preparing such an attack would require considerable logistics and several attempts before a printout capable of tricking Microsoft's authentication is found. For these reasons an average user need not worry, although the researchers do point out that practically no method is absolutely infallible, even one as innovative and apparently robust as this.
It should be noted, finally, that users of an updated Windows 10 who configured Windows Hello in an earlier version of the system would, as the German company indicates, remain vulnerable. For this reason the researchers recommend setting up facial recognition again from scratch, making sure to enable anti-spoofing if the computer supports it.