Windows 10 face recognition login can be bypassed using a photo

Windows 10 face recognition login can be bypassed using a photo

IT

The exploit circumvents Windows Hello security meaning if you log into your PC using facial recognition on Windows 10, then you should be aware that not only older versions of Microsoft's OS can be easily fooled.

For Windows users, the fix starts by upgrading to the latest version of Windows 10.

SYSS warns that even applying the Fall Creators Update might not be enough to prevent the exploit, as anyone who set up Windows Hello on an older version of the OS will still be vulnerable to the attack.

Hackers can get past the Windows Hello face recognition on old Windows 10 by using a printed photograph, a German security outfit has discovered. It is unclear why Microsoft is using an older version when the latest version, 7.57.0 has been out for nearly three weeks, and preceding version, 7.56.1, has been out for nearly two months.

The Register spotted SYSS's advisory on Full Disclosure. Windows Hello uses near-IR imaging to unlock Windows devices. To help protect against such attacks, Microsoft has an anti-spoofing option that can be enabled for additional protection. Holding the printout up to a locked device's camera successfully unlocked it.

The security company first reported the vulnerability to Microsoft back in October, and it plans to publish further test results in Spring 2018.

Netflix's blog post notes its thrill "to announce the addition of High Dynamic Range (HDR) support on Windows 10 for both the Edge browser and the Netflix app", and says that "with this update, Netflix members who have a supported device and a premium plan can enjoy wonderful Netflix movies and shows in HDR".

Microsoft had not responded to a request for comment at the time of publication.

The pre-Christmas boost will be welcomed by Windows 10 users with compatible displays supporting 4K HDR. And it's unsurprisingly consolidating its mobile-keyboard strategy around SwiftKey.

Windows Insiders running Build 170653 or later can now try out this feature. In the case of Windows Hello, it may not be as secure as you thought.

  • Terrell Bush