
Fooling Windows Hello Authentication is Shockingly Easy for Researchers

Posted: January 10, 2018

If social media and discussion boards are anything to go by, a lot of people have been losing sleep over Apple's newest authentication mechanism – FaceID. It was introduced with the iPhone X, and people who can't really say how much they know about the technology were quick to predict that it will be hacked in no time. Indeed, hackers have been trying, and after spending a few hundred dollars on special masks, some even claim to have succeeded. As Australian researcher and security specialist Troy Hunt said, however, the attacks are unlikely to affect the average iPhone X user. That said, he does have other problems with FaceID.

What about Windows users? Are they in any danger of having their devices unlocked by an unauthorized party?

You may or may not know that Microsoft has its own piece of facial recognition tech. It was introduced way back in March 2015 as part of the Windows Hello authentication system. On the face of it, it works like Apple's FaceID – you look at the device, the camera "sees" your face, recognizes it, and logs you in. Sadly, it turns out that on some older versions of Windows 10, the device can be unlocked with a picture of your face.

Experts from a German penetration testing firm called Syss conducted the experiment by showing a Dell Latitude laptop and a Microsoft Surface Pro a modified photo of an authorized user. Windows Hello's face recognition works with near-infrared images, so fooling it is not quite as easy as taking a few phone snaps and using the nearest printer, but Syss still classify the attack as "simple," and they've got the videos to prove it.

The researchers tested the two devices running various Windows 10 versions, and they published three proof-of-concept videos showing the results.

As you can see, they took near-infrared pictures of the authorized individual in different resolutions and held them in front of the camera. Different modifications had to be made depending on the Windows version, but the most complex one involved drawing over the printed photo with a red crayon. The third video shows that putting opaque sticky tape over the RGB camera does nothing more than slow the attack down a bit.

Windows Hello comes with a feature called "enhanced anti-spoofing," which, it turned out, isn't quite so enhanced. The Windows Hello compatible web camera connected to the Dell laptop didn't support the feature, and even though they enabled it on the Surface tablet, they were still able to log in with ease.

Syss shared their research (details about which you can find here) with Microsoft back in October, and Redmond's security team acknowledged the issue. Released shortly after the disclosure, Windows 10 version 1709 came with a patch, but Syss said that if you want to protect yourself completely, you need to set up Windows Hello once again and make sure that "enhanced anti-spoofing" is turned on. The latter can only be done if your web camera supports the feature.
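As an added example (not from the article, from Syss, or from Microsoft), the following PowerShell audit checks the two conditions the paragraph names on a Windows 10 machine: whether the build is at or above version 1709 (build 16299) and whether enhanced anti-spoofing is enforced by policy. It assumes the registry location written by the "Configure enhanced anti-spoofing" Group Policy setting, HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures, value EnhancedAntiSpoofing; it cannot tell whether the camera supports the feature or whether Windows Hello was re-enrolled afterwards, which the article says are also required.

```powershell
# Audit (and optionally enforce) the Windows Hello face mitigations described above.
# Assumption: the policy registry location below is the one the Group Policy setting
# "Configure enhanced anti-spoofing" writes (DWORD 1 = enabled, 0 = disabled, absent = not configured).
param([switch]$Enforce)   # -Enforce writes the policy value; run elevated for that

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$ValueName    = 'EnhancedAntiSpoofing'
$PatchedBuild = 16299     # Windows 10 version 1709, the first release carrying the fix

function Get-HelloFaceStatus {
    # Build number from CIM rather than [Environment]::OSVersion, which can be masked by compatibility shims.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    $state = if ($null -eq $value) { 'NotConfigured' }
             elseif ($value -eq 1)  { 'Enabled' }
             else                   { 'Disabled' }

    [pscustomobject]@{
        OsBuild              = $build
        HasVersion1709Fix    = ($build -ge $PatchedBuild)
        EnhancedAntiSpoofing = $state
        # Both conditions must hold; camera support and re-enrollment still need a manual check.
        PolicyCompliant      = ($build -ge $PatchedBuild) -and ($state -eq 'Enabled')
    }
}

function Set-HelloEnhancedAntiSpoofing {
    # Create the policy key if needed and set the DWORD to 1 (enabled).
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
}

$status = Get-HelloFaceStatus
$status | Format-List

if ($Enforce -and $status.EnhancedAntiSpoofing -ne 'Enabled') {
    Set-HelloEnhancedAntiSpoofing
    Write-Host 'Enhanced anti-spoofing policy set. Re-enroll Windows Hello face sign-in and confirm the camera supports the feature.'
}
elseif (-not $status.HasVersion1709Fix) {
    Write-Warning "Build $($status.OsBuild) predates version 1709; update Windows before relying on face sign-in."
}
```

Run it without arguments to report, or with -Enforce from an elevated prompt to set the policy value.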

This brings us to the wider problem of facial recognition. The industry is in a constant struggle to provide products that are both user-friendly and secure. Biometric authentication, and with it the elimination of the need to remember and type passwords, certainly looks like a massive leap in the right direction. Fingerprint readers have now become quite popular even on lower-end devices, and for the most part, they work well on both the security and usability fronts. Facial recognition, however, still seems like uncharted territory. Syss' experiments and various reviews describing the iPhone X's FaceID as "unreliable" show that vendors still have some way to go. In the interest of fairness, we should point out that there are no reported incidents of bad guys hacking their way into users' devices through facial recognition, but there's no doubt that the technology needs to evolve. And if it is to be actively implemented in commercially available phones, tablets, and laptops, it needs to evolve quickly.
