We guess most people would say Windows Hello has been a success for Microsoft. The biometric authentication tool is now on well over 100 unique devices, including a recent adoption on the Samsung Galaxy S8. However, a security company says during testing it was able to easily bypass the authentication.
SySS says two of its IT security experts, Matthias Deeg and Philipp Buchegger were conduction a research project. During the research, they were able to bypass Windows Hello, specifically the face authentication aspect.
The two SySS employees managed to get past the authentication on various versions of Windows 10. This was achieved using a spoofing attack, which means a mimic of the authorized persons face.
Simply using a special paper printout of the authorized person's face, hackers could bypass Hello. SySS describes exactly what the special paper would need to show:
- The image shows a frontal view of the person's face
- The image was taken with a near-infrared camera
- Brightness and contrast of the image were modified via simple image processing methods
- The paper printout was created with a laser printer
While face recognition is not the only authentication method for unlocking a device using Windows Hello. However, it is arguably the most important considering mobile technology is increasing turning to face recognition. With Apple's iPhone X showing the future of device authentication, Microsoft needs its own service to keep pace.
The company does not have the luxury of a successful mobile hardware range. It needs third parties to adopt Windows Hello, like Samsung has. If there are easy loopholes in the tech, OEMs will be reluctant.
It is worth noting that the vulnerability found by SySS only seems to be on Windows 10 machines. However, it hardly breeds confidence in the service. To highlight the problem, SySS published a proof-of-concept video. The clip shows a successful attack on Windows 10 1607 (Anniversary Update) on a Surface Pro 4.
Interestingly, newer versions 1703 (Creators Update) and 1709 (Fall Creators Update) are not affected. Does that mean Microsoft shored up the problem in those newer builds? SySS says it will publish further results in spring 2018, following further tests.