Security researchers trick Microsoft’s Windows Hello authentication system




Microsoft designed Windows Hello to be compatible with webcams from multiple brands, but this feature, intended to ease adoption, could also make the technology vulnerable to bad actors. As reported by Wired, researchers at security firm CyberArk successfully tricked the Hello facial recognition system using images of the computer owner’s face.

Windows Hello requires the use of cameras with RGB and infrared sensors, but when investigating the authentication system, the researchers found that it only processed infrared images. To verify their discovery, the researchers created a custom USB device, which they loaded with infrared photos of the user and RGB images of SpongeBob SquarePants. Hello recognized the device as a USB camera, and the researchers successfully unlocked the PC using only the user’s infrared photos. Additionally, the researchers found that they didn’t even need multiple IR images: a single IR frame with a black frame can unlock a Hello-protected PC.

Breaking into someone’s computer with this technique would be extremely difficult in practice, as the attacker still needs an infrared photo of the user. That said, it is still a weakness that could be exploited by those with a particular motivation to infiltrate someone’s computer. Tech companies need to ensure their authentication technologies are secure if they are to increasingly rely on biometrics and move away from passwords as a means of authentication. The CyberArk team chose to scrutinize Windows Hello because it is one of the most widely used passwordless authentication systems.

Microsoft has already released fixes for what it calls the “Hello security feature bypass vulnerability.” The tech giant also suggests enabling “Windows Hello’s enhanced sign-in security,” which will encrypt the user’s facial data and store it in a protected area.
