Windows 10 users who rely on face scanning for authentication might be vulnerable to malicious attacks. Researchers from a German firm recently discovered that Windows Hello, Microsoft's face-authentication system, may be fooled with a photograph. Those who have not yet updated to the latest version of Windows 10 or the Fall Creators Update are especially vulnerable.
Multiple versions of Windows 10 are subject to the security flaw. The German research firm SYSS first tested a Surface Pro 4 that was running an Anniversary Edition of Windows 10. They also tested an older Dell Latitude with a Lilbit Universal Serial Bus (USB) camera.
The test involves tricking the system into thinking that an authorized user is trying to access the device by showing the scanner a printed photograph of said user.
They found out that both operating systems (OS) from these devices were vulnerable. The security flaw goes back as far as the earliest builds of Windows 10, version 1511.
They also discovered that even the anti-spoofing measures of the older versions of the OS were not enough to protect the devices from unauthorized access.
Furthermore, they found out that even the latest devices running Windows 10 that have the Fall Creators Update are not so secure. This latest version of Windows 10 can still be fooled by a photograph when the anti-spoofing feature is disabled in Windows Hello.
Therefore, SYSS advised those who run older versions of the OS to update to the latest release. Meanwhile, those who do have the latest Fall Creators Update should make sure they have anti-spoofing enabled to ensure full security.
However, it should be noted that Windows Hello cannot be fooled by just any photograph. It takes a photograph taken by an infrared (IR) camera to fool Microsoft's face authentication system.
This is similar to a vulnerability in Samsung Galaxy S8, wherein photographs can be used to fool the device's face scanner.
