Windows Hello: Several publications report that the Windows 10 face recognition feature is one of the safest available.
But it turns out that Windows Hello can be misled with a simple photo just like Apple's Face ID.
The vulnerability was announced by the German security company Syss at Full Disclosure.
According to the researchers, even if you have installed all the latest updates for builds 1703 or 1709, face recognition should be set from the start to be resistant to the attack.
The "simple spoofing attacks" described in the researchers' announcement are all variations on the use of a "modified photo of an authorized user." So with a simple photo an attacker can enter a locked Windows 10 system.
The default configuration of Windows Hello has "enhanced anti-spoofing" enabled, says Syss.
If enhanced anti-spoofing is enabled, depending on the version of Windows 10, a slightly different modified photo should be used, but for an attacker the effort is negligible.
Researchers tested the attack on a Dell Latitude running Windows 10 Pro (build 1703), but also on a Microsoft Surface Pro 4 running on Windows at build 1607.
Researchers have tried to change the Surface Pro setting to "enhanced anti-spoofing", but claim that the "LilBit USB IR camera only supports the default setting and can not be used with more secure face recognition settings".
The researchers released the following three videos as PoC: