Security researchers fool Microsoft’s Windows Hello authentication system

Microsoft designed Windows Hello to be compatible with webcams across multiple brands, but that feature designed for ease of adoption could also make the technology vulnerable to bad actors. As reported by Wired, researchers from the security firm CyberArk managed to fool the Hello facial recognition system using images of the computer owner’s face. 

Windows Hello requires the use of cameras with both RGB and infrared sensors, but upon investigating the authentication system, the researchers found that it only processes infrared frames. To verify their finding, the researchers created a custom USB device, which they loaded with infrared photos of the user and RGB images of Spongebob. Hello recognized the device as a USB camera, and it was successfully unlocked with just the IR photos of the user. Moreover, the researchers found that they didn’t even need multiple IR images — a single IR frame with one black frame can unlock a Hello-protected PC. 

Breaking into someone’s computer using the technique would be terribly hard to pull off in reality, seeing as the attacker still needs an IR photo of the user. That said, it’s still a weakness that could be exploited by those especially motivated to infiltrate someone’s computer. Tech companies need to ensure their authentication technologies are secure if they want to rely more and more on biometrics and to move away from passwords as a means of authentication. The CyberArk team chose to put Windows Hello under scrutiny, because it’s one of the most widely used passwordless authentication systems.

Microsoft has already released patches for what it’s calling the “Hello Security Feature Bypass Vulnerability.” The tech giant also suggests switching on “Windows Hello enhanced sign-in security,” which will encrypt the user’s face data and store it in a protected area.