Researchers fool Windows Hello face recognition on older versions of Windows 10

The flaw, discovered by researchers at Syss (via The Register) allows Windows Hello to be spoofed on Windows 10 releases older than the Creators Update (build 1703). However, even if your PC is currently running the Creators Update or Falls Creators Update, facial recognition needs to be set up again to circumvent the flaw.

Matthias Deeg and Philipp Buchegger, the researchers who discovered the attack, say that Windows Hello can be fooled by using printed photos of an authorized user that has been modified. Using a frontal photo taken with a near-infrared camera, facial recognition on the affected Windows 10 versions could be fooled. Deeg and Buchegger tested the spoofing attack with Windows Hello's standard setup, as well as with "enhanced anti-spoofing" enabled, and were able to bypass both. From the report:

Both, the default Windows Hello configuration and Windows Hello with the enabled "enhanced anti-spoofing" feature on different Windows 10 versions are vulnerable to the described spoofing attack and can be bypassed. If "enhanced anti-spoofing" is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible. In general, the simple spoofing attack is less reliable when the "enhanced anti-spoofing" feature is enabled.

While worrying, the attack requires a pretty specific set of steps to work. The best way to stay protected is to make sure you're PC is current with either the Creators Update or Fall Creators Update. Once updated, you'll want to set up Windows Hello's face recognition from scratch to guard against spoofing.

You can view demonstrations of the exploit in action in the videos below.

Thanks, Daniel, for the tip!

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • Well, unlike the other companies solutions, this one requires some good level of effort to trick it. I am sure Microosft will be working, if they are not already, on improving Windows Hello to make it even harder to trick.
  • No idea why this is even being covered since it has already been fixed in newer versions of Windows 10.  Hey guys guess what?!?  There used to be a bug in Windows XP!  News at 11!
  • Another reason explaining why Microsoft does not let users disable updates on Windows 10.
  • Because it requires you to configure it again once the update for CU have been applied for it to be effective against the exploit.
  • read the freaking article again!
  • I wonder if this can be used to fool Apple's FaceID as well.
  • Apparently you can just be a totally different person and unlock the iphone in some cases.  There are reports of kids passing FaceID of their parents' phones just by trying a few times over and over.
  • No. The RealSense-based Windows Hello and FaceID are completely different technologies. RealSense uses infrared camera to scan sub-skin features while FaceID uses projected dot grid to scan surface features. So the way you will fool Hello is by using an IR scan (as the researchers did) and you will fool FaceID by using an object that has the same features as the one scanned (and also moves similarly as it seems to be affecting it as well). That's why identical twins will alway fool FaceID while they won't fool Hello.
  • FaceID senses depth using a projected dot grid as others have said so technically a photo won't work.
  • I guess good luck with getting IR photo of person you're trying to hack. It's interesting study but doesn't make Hello insecure.
  • Vindictive soon to be ex girlfriends are the real threat here. Motive means and opportunity. Well dunno about an ir photo can that be done on any printer?
  • So let me see if I have this right. A person has to follow me around and take a frontal face picture of me with a near IR camera. Then follow me to my house. Then case the house for days to see when I might not be home. Then break into my home. Then put the picture up in front of my windows hello camera and hope I'm not updated. Or try to steal my computer, but wait mine it locked with airplane cable connected to a large coffee table (and not around the legs, I have holes drilled right into the table top). All while my alarm system is going off and my security cameras are recording them. Then they hope they can get anything off my computer and get out before the cops get there. Seriously? No one is going to put that much effort into it. Thieves will usually go for the easiest target.
  • Wow. Alarms, cable locks, tables... And here I am, only using Windows Hello to log in faster, and I don't even lock the door when I go out.
  • I live in a very rural area where there is virtually no crime and seeing another car is rare let alone another person, but that said.... when you have an expensive house, a 60K Lexus, lots of toys and electronics, and firearms to protect, it's the old adage, better safe than sorry. Plus all the IOT things I have including the alarm and cameras is all part of my smart home solution. I can monitor and control just about everything in my home from anywhere. Knowing my family and "things" are safe and being able to verify that by opening an app is piece of mind. Plus the smart home stuff is just plain old fun. I undestand many people, including people I know, don't lock their doors when they are not home, but honestly, you protect your computer, why not protect your home, family, and toys too. Make no sense to me, not too. Leaving your doors unlocked leaves you vulnerable to anyone with bad intensions and that sets you up for.... it's not IF something bad will happen, it's WHEN. But to each his own I guess.
  • Why use face recognition when fingerprint works just fine? Also, fingerprint recognition can’t be fooled, and logs you in much faster than face recognition. I’ll make sure my next laptop has a built in fingerprint reader.
  • Have you.. Used a Surface? Windows Hello on the Surface is the fastest login I've ever used. Faster than my iPhone 7's TouchID and faster than my iPhone X's FaceID.
  • I unlock my phone with fingerprint before it's even out of my pocket.
  • Iris Recognition is fast as well... if you don't wear glasses. I've also had fingerprint recognition fail on me as well.
  • Um, you should try a Surface with Windows Hello, it's really good.  Usually it's unlocked before I could even move my hands to the keyboard to type a PIN / password.  As for fingerprint, hmm well then you have to touch the device in the right spot, with no gloves on, I'd turn your question around and ask "Why use fingerprint when face recognition works so well".  Also not sure why you think fingerprint recognition cannot be fooled?  Each to their own of course :-)
  • Good to know Dan, I was worried about this especially when there are tonnes of low end laptops that don't have sufficient space to 'upgrade' since OEMs keep insisting of selling them with 32gigs of storage. Nothing is completely secure.
  • All this face/fingerprint recognition is still beta testing (at least as far as MS is concerned) I used to use fingerprint recognition on my laptop, until one day I had the bizarre idea to improve the fingerprint print recognition, so I removed the actual fingerprints and now Windows 10 (with all available updates installed) won’t let me setup my fingerprints again and guess what, I’m quite happy with the Pin/Password solution...
  • Microsoft removed the Beta status for Windows Hello in Windows 10 some time ago. It is now fully supported.  Perhaps this conincided with the update that removed the (slight and impractcal) vulnerability discussed in the article?
  • 1.  Most people have nothing worth stealing on their computers. 2.  Windows hello is primarily for convenience and cool factor, not security. 3.  What the heck is a "near IR" photo?
  • ***** WARNING ****** DO NOT REMOVE YOUR WINDOWS HELLO FACE RECOGNITION OR FINGERPRINT setup in windows 10 1709 build 16299.125. After reading this article I had a few concerned friends ask me about this (I'm a desktop engineer). I told them not to worry about it, but if they wanted go ahead and remove their face recognition and then set it up again. After removing, when trying to set up face recognition everyone that tried gets "Sorry something went wrong. Close windows hello, then try going thru the settings again." Of course trying again fails again. I then decided to try it on my brand new 1 month old computer that has the Intel real sense camera built into the monitor. And of course I get the same $%^&#$ error. Now myself and everyone else I know that tried this CANNOT setup windows hello anymore after removing the current face recognition, that WAS working perfectly fine. I did some digging, updated every Intel driver I could find from Dell, tweaked biometrics setings in gpedit, rebooted dozens of times, turned everything off that was running, ran the troubleshooter........ nothing helps. Searching the internet you can find 100's, if not 1000's of posts all saying the same thing. Windows Hello setup is completely broken on fall creators update. TIP for window central bloggers......... before writing an article that tells you to remove a setting and then put it back, you should probably try it yourself first. It is irresponsible to not test first. So thanks MS and WC, mine and tons of others users windows hello is now broken.
  • It does not happen on a Surface Pro 4. Granted I do not know if it uses Intel RealSense or something similar, but your wording makes it sound like it is an issue with all Windows Hello facial recognition hardware, which was not the case for me, as I recently(22nd of Dec.) re-satup Windows Hello (PIN + Facial Recognition) from scratch using build 16299.125, and I encountered no error or anything out of the ordinary :) This was after a TMP firmware-fix was rolled out to Surface Pro 4 devices, which required re-enrollment of all effected devices. To summarise: I am not saying you are wrong, only that there are exceptions 😌