Security researchers at SySS, a German security firm, have shown that Windows Hello facial recognition can be tricked with specially prepared printouts of infrared photographs. Microsoft added an "enhanced anti-spoofing" mode in the Windows 10 Creators Update earlier this year that defeats the attack, but it is neither enabled by default nor compatible with all Windows Hello hardware.

The obvious question with any kind of facial recognition-based biometric authentication system is, how easily can it be tricked with a photograph? Since it's easy to take a picture of someone's face, often without them even knowing, a facial recognition system that can be fooled by a photo isn't much use. The Windows Hello system has two main parts: there's the physical hardware, which for Hello is a webcam with infrared illumination and detection, and the software algorithms, which are part of Microsoft's Biometric Framework. With this design, Microsoft can refine and improve the algorithms, and the improvements should work for any compatible hardware.

Windows Hello's infrared requirement should protect it from being spoofed by regular photos. So the SySS researchers instead used a photo taken with an infrared camera. This photo was then adjusted to change its contrast and brightness and printed at a low resolution on a laser printer. The resulting picture successfully authenticated a user with Hello on two separate devices: a Surface Pro 4, using its integrated camera, and a laptop, using a discrete LilBit USB camera.

While the picture produced this way would not fool an RGB camera, it looks sufficiently close to what the infrared camera expects to see to allow the attacker to log on.

The Windows 10 Creators Update, version 1703, included a little-documented feature called "enhanced anti-spoofing." It is enabled by changing a registry key or a Group Policy setting, and its exact purpose or effect isn't entirely clear. It appears to combine infrared and RGB data, so that an infrared-only photo becomes distinguishable from a real human face. With this setting enabled, the picture was no longer effective.

However, this setting isn't a panacea. As well as the awkwardness of enabling it (there's no user interface for it in Settings, so the registry or Group Policy is the only way to go), it's not available for all Hello hardware, and there's no obvious way of knowing whether it will work or not. The cameras integrated into Microsoft's Surface devices support enhanced anti-spoofing, but the LilBit that was tested doesn't. We also haven't seen compatibility with this feature disclosed on spec sheets, either for laptops or for standalone cameras. Additionally, even if your hardware is compatible, the setting isn't enabled by default, at least on systems that were upgraded to Windows 10 1703.
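For administrators who want to turn the setting on anyway, here is an added example (not from the article or from SySS) that reads and sets the policy from PowerShell. The registry path `HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures` and the DWORD value `EnhancedAntiSpoofing` are taken from Microsoft's documentation of the "Configure enhanced anti-spoofing" Group Policy, not from the article; treat them as an assumption to verify against the policy template on your own build. The biometric device listing at the end only helps you eyeball which camera is present; nothing in the registry tells you whether that camera honors the setting.

```powershell
#Requires -RunAsAdministrator
# Added example: inspect and enable Windows Hello "enhanced anti-spoofing".
# Registry location and value name are from Microsoft's Group Policy docs
# (Computer Configuration > Administrative Templates > Windows Components >
# Biometrics > Facial Features > "Configure enhanced anti-spoofing").
# They are an assumption of this example, not something the article states.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$ValueName  = 'EnhancedAntiSpoofing'

function Get-HelloAntiSpoofingState {
    # Returns 'Enabled' (value 1), 'Disabled' (value explicitly 0 or other),
    # or 'NotConfigured' (key or value absent, which is the upgrade default
    # the article describes).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-HelloAntiSpoofing {
    # Create the policy key if Group Policy has never written it, then set
    # the DWORD. -Force overwrites an existing value of any type.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-HelloAntiSpoofingState)
}

function Get-BiometricDevices {
    # Lists devices in the "Biometric" setup class so you can see which
    # camera/sensor is actually enrolled. This cannot tell you whether the
    # device supports enhanced anti-spoofing; only a real logon test can.
    Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue |
        Select-Object Status, FriendlyName, InstanceId
}

# --- usage -------------------------------------------------------------
Write-Host "Before: $(Get-HelloAntiSpoofingState)"
$after = Enable-HelloAntiSpoofing
Write-Host "After:  $after"
Write-Host "Biometric devices present:"
Get-BiometricDevices | Format-Table -AutoSize
```

After flipping the value, sign out and test a real face logon: on hardware that does not support the mode (the article names the LilBit USB camera as one such device) the setting may simply have no effect, and the registry will still report `Enabled`. One practical caveat that is not in the article: the researchers' own advisory recommends removing and re-enrolling the face in Settings after enabling the policy, so assume the existing enrollment is not covered until you have done that.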

Taken together, all this means that a security option that every Windows Hello user should want to enable probably isn't turned on and may not even work.

Listing image by SySS