Their spoofing attempts were declared on the cybersecurity site Seclists on Dec. 18. The cybersecurity experts bypassed Windows Hello which is Microsoft’s password-free security Lock on both a Dell and Microsoft laptop operating different versions of Windows 10, which is the reason for concern for anyone utilizing this feature to log into their account.
Deceiving Windows 10 didn’t take too serious effort. It just needed “having access to a suitable photo of an approved person” to “easily” avoid the system, wrote the experts. The photo required is the full image of someone’s face so if someone actually wants to attempt to fool the facial recognition system, the walls aren’t too great.
Similar to the iPhone X’s Face ID camera, Hello Windows uses an infrared camera either built-in the or supplemented separately to recognize the individual shape and contours of a face before granting or refusing access to a Windows account. But a defect was found, specifically “an insecure implementation of the biometric face identification in some Windows 10 versions.”
Many but not all Windows versions are exposed. In 2016, Microsoft incorporated a new feature called Enhanced Anti-Spoofing to limit this sort of image trickery. But even if this feature is enabled in your Windows settings, the researchers found a way to avoid the facial recognition method that ran older Windows versions, such as a Microsoft Surface Pro 4 device working 2016’s Windows 10 Anniversary update, for instance.
However, the SySS researchers discovered that two new Windows versions, 1703 and 1709, are not exposed to their most simple spoofing attacks using a printed photograph if Enhanced Anti-Spoofing is equipped.
Their ultimate direction: Updating to Windows 10 version 1709, enabling anti-spoofing, and then having Windows Hello reanalyze your face again.
If this sounds unappealing or risky, you can forever go back to using a not dumb password. Infrared facial recognition in customer applications is still relatively new, so flaws should be suspected.
Similar to Apple’s Face ID, it strength helps to view Windows Hello as a utility feature, not a security feature.
To read the original article: