The flaw, discovered by researchers at Syss (via The Register) allows Windows Hello to be spoofed on Windows 10 releases older than the Creators Update (build 1703). However, even if your PC is currently running the Creators Update or Falls Creators Update, facial recognition needs to be set up again to circumvent the flaw.
Matthias Deeg and Philipp Buchegger, the researchers who discovered the attack, say that Windows Hello can be fooled by using printed photos of an authorized user that has been modified. Using a frontal photo taken with a near-infrared camera, facial recognition on the affected Windows 10 versions could be fooled. Deeg and Buchegger tested the spoofing attack with Windows Hello's standard setup, as well as with "enhanced anti-spoofing" enabled, and were able to bypass both. From the report:
While worrying, the attack requires a pretty specific set of steps to work. The best way to stay protected is to make sure you're PC is current with either the Creators Update or Fall Creators Update. Once updated, you'll want to set up Windows Hello's face recognition from scratch to guard against spoofing.
You can view demonstrations of the exploit in action in the videos below.
Thanks, Daniel, for the tip!
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.