Windows Hello defeated with a picture

December 22, 2017.

Windows 10’s face authentication defeated with a picture. © SySS GmbH.

German security firm SySS has just released a report showing a vulnerability in Windows Hello: a printed photo of the device's owner can be used to unlock devices on which Windows Hello had previously been activated. Windows Hello has an infrared requirement, which in theory should prevent it from being tricked by regular photos, so the researchers at SySS used a photo taken with an infrared camera. The image was edited to change the contrast and brightness, and then printed on a laser printer at a low resolution. It was able to fool the integrated camera on a Surface Pro 4 and a LilBit USB camera on a laptop.

Ars Technica, “Specially prepared photos shown bypassing Windows Hello facial recognition.”