Security researchers fool Microsoft’s Windows Hello authentication system

Microsoft designed Windows Hello to be compatible with webcams across multiple brands, but that feature designed for ease of adoption could also make the technology vulnerable to bad actors. As reported by Wired, researchers from the security firm CyberArk managed to fool the Hello facial recognition system using images of the computer owner’s face. 

Windows Hello requires the use of cameras with both RGB and infrared sensors, but upon investigating the authentication system, the researchers found that it only processes infrared frames. To verify their finding, the researchers created a custom USB device, which they loaded with infrared photos of the user and RGB images of Spongebob. Hello recognized the device as a USB camera, and the PC was successfully unlocked with just the IR photos of the user. Moreover, the researchers found that they didn’t even need multiple IR images — a single IR frame with one black frame can unlock a Hello-protected PC.

Breaking into someone’s computer using the technique would be terribly hard to pull off in reality, seeing as the attacker still needs an IR photo of the user. That said, it’s still a weakness that could be exploited by those especially motivated to infiltrate someone’s computer. Tech companies need to ensure their authentication technologies are secure if they want to rely more and more on biometrics and to move away from passwords as a means of authentication. The CyberArk team chose to put Windows Hello under scrutiny because it’s one of the most widely used passwordless authentication systems.

Microsoft has already released patches for what it’s calling the “Hello Security Feature Bypass Vulnerability.” The tech giant also suggests switching on “Windows Hello enhanced sign-in security,” which will encrypt the user’s face data and store it in a protected area.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
