Windows Hello facial login gets tricked by printed photo on older Windows 10 versions

If you log into your PC using facial recognition on Windows 10 (otherwise known as Windows Hello), then be aware that older versions of Microsoft’s OS can be easily fooled with a simple printed photo of the user. Even those running the latest Fall Creators Update could potentially be victims here.

German security firm Syss discovered this exploit, which circumvents Windows Hello security on Windows 10 PCs running versions which are older than the Fall Creators Update.

But, crucially, it can affect even fully up-to-date Windows 10 machines running builds of the Fall Creators Update known as 1703 or 1709, if facial recognition was set up in a previous version. In other words, to avoid the exploit, you’ll need to set up Windows Hello again even on PCs using the latest version of Microsoft’s desktop OS.

According to a few proof-of-concept videos released by the security researchers (see the first clip below), Windows Hello can be spoofed with a relatively low-resolution laser-printed photo of the user taken with a near-IR (infrared) camera, although the image must be slightly modified.

The spoof is out there

As The Register reports, Syss claims that even if Windows Hello has its enhanced anti-spoofing mode enabled, a somewhat differently modified photo can still be used to successfully log onto the target machine. Even in this case, the researchers say that the “additional effort for an attacker is negligible.”

All this sounds like a very worrying hole in Microsoft’s facial recognition login procedure, for sure, assuming the security firm is on the money here.

We’ve contacted Microsoft for comment on the matter, and we’ll be sure to update this story if we receive a response.

It would seem, though, that if you use facial recognition for logging in to your Windows 10 PC, then it might be a prudent idea to set it up once again. Or, if you’re running an older version of Windows 10, you’ll first want to update to the new Fall Creators Update, and then set up Windows Hello again.
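The two-step advice above (update, then re-enroll) is easy to forget on a fleet of machines. The following PowerShell snippet is an added example, not from the article or from SySS or Microsoft, that a Windows administrator could run locally to report the installed Windows 10 release and whether the "enhanced anti-spoofing" policy is configured. It reads the documented `ReleaseId` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` and the `EnhancedAntiSpoofing` policy value under `HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures`; the release-ID threshold of `1709` is taken from the article, and the script cannot tell when Windows Hello was enrolled, so it only reminds the reader to re-enroll.

```powershell
# Added example (not from the article): report whether this Windows 10 machine
# is on the Fall Creators Update and whether enhanced anti-spoofing is configured.

function Get-WindowsHelloPosture {
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = (Get-ItemProperty -Path $cv -ErrorAction SilentlyContinue).ReleaseId
    $build     = (Get-ItemProperty -Path $cv -ErrorAction SilentlyContinue).CurrentBuild

    # Policy value set by "Configure enhanced anti-spoofing" (1 = enabled).
    # Absent key means the policy is not configured (default behaviour applies).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $antiSpoof  = $null
    if (Test-Path $policyPath) {
        $antiSpoof = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).EnhancedAntiSpoofing
    }

    # 1709 is the Fall Creators Update release ID named in the article.
    $onFallCreators = $false
    if ($releaseId -and [int]$releaseId -ge 1709) { $onFallCreators = $true }

    [pscustomobject]@{
        ReleaseId             = $releaseId
        CurrentBuild          = $build
        OnFallCreatorsUpdate  = $onFallCreators
        EnhancedAntiSpoofing  = $(if ($null -eq $antiSpoof) { 'not configured' } elseif ($antiSpoof -eq 1) { 'enabled' } else { 'disabled' })
    }
}

$posture = Get-WindowsHelloPosture
$posture | Format-List

if (-not $posture.OnFallCreatorsUpdate) {
    Write-Warning "Windows 10 release $($posture.ReleaseId) predates the Fall Creators Update: update first, then re-enroll Windows Hello."
} else {
    Write-Host "On Fall Creators Update or later. If facial recognition was set up on an earlier release, remove it and enroll again (Settings > Accounts > Sign-in options)."
}
```

The script is deliberately read-only: it changes no settings, and re-enrollment itself still has to be done through Settings by the user, since there is no registry flag that records which Windows release the face data was captured on.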