Slashdot Mirror


Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo (bleepingcomputer.com)

Windows Hello, the face-scanning security feature in Windows 10, has been defeated with the use of a printed-out picture. From a report: In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software -- the doomsday scenario of using a printed photo of the device's owner. Researchers say that by using a laser color printout of a low-resolution (340x340 pixels) photo of the device owner's face, modified to the near-IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated. The attack worked even if the "enhanced anti-spoofing" feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480x480 pixels (which in reality is still a low-resolution photo). [...] Microsoft released updates earlier this month to patch the vulnerability.
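For an administrator who wants to know where a fleet stands after reading this, the following is an added audit script; it is not from the Slashdot post, the BleepingComputer article or SySS. It reads the Group Policy registry locations that govern Windows Hello biometrics (the policy paths and value names `Enabled` and `EnhancedAntiSpoofing` are assumed from Windows policy documentation, not from this page) and lists the most recently installed updates, since the summary says the fix shipped as an update but does not name it.

```powershell
# Added example: audit Windows Hello biometric policy state on the local machine.
# Assumed policy locations (not taken from the page):
#   HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Enabled                      ("Allow the use of biometrics")
#   HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing
$bioPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$facePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent: policy not configured, so the Windows default applies
    }
}

$biometricsEnabled = Get-PolicyDword -Path $bioPolicy  -Name 'Enabled'
$antiSpoof         = Get-PolicyDword -Path $facePolicy -Name 'EnhancedAntiSpoofing'

$report = [PSCustomObject]@{
    ComputerName         = $env:COMPUTERNAME
    BiometricsPolicy     = if ($null -eq $biometricsEnabled) { 'Not configured (allowed by default)' }
                           elseif ($biometricsEnabled -eq 0)  { 'Disabled' }
                           else                               { 'Enabled' }
    EnhancedAntiSpoofing = if ($null -eq $antiSpoof) { 'Not configured' }
                           elseif ($antiSpoof -eq 1) { 'Enforced' }
                           else                      { 'Off' }
}
$report | Format-List

# The report above says the printed-photo attack still succeeded with enhanced
# anti-spoofing enabled, so the policy state alone does not settle exposure;
# the installed updates are what matter. The page does not give the KB number,
# so this only lists what was installed most recently for the admin to compare.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Run it in an elevated PowerShell session on the machine being checked; a `Not configured` result for either policy means the Windows default is in effect rather than an explicitly chosen setting.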

3 of 95 comments

  1. Missing step by Anonymous Coward · Score: 4, Interesting

    What does "modified to the near infrared spectrum" mean?

    My printer can't print "near infrared" or radio waves. It can't even print gamma rays.

  2. Re:Such a dumb idea! by Anubis+IV · Score: 5, Insightful

    How about everyone? After all, when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal? These companies are attempting to mimic the way things work in reality, which, generally speaking, is a good thing...when it’s done right.

  3. Re:Is this really a surprise? by phayes · Score: 4, Interesting

    Simple means have been shown to be useful for simple biometrics. Simple means are of much less use when some thought is put into the sensors and how to use them.

    The claim that FaceID is easily/cheaply bypassed can be laid to rest after a month where no-one other than the people from Bkav were able to duplicate it without resorting to using the passcode to train FaceID to recognize the 3D model.

    As for fingerprints, I've talked with some police forces' lab techs who look for and scan crime scene fingerprints. The vast majority of liftable prints are from the balls of your fingers, so don't use them for TouchID.

    As anyone who has had their fingerprints taken for whatever reason knows, they only ask for the balls of your fingers, though they often roll your fingers to get the sides too. What they rarely take is the ends of your fingers -- because, with the exception of your dominant-hand index finger, it is much less common that people leave them as usable prints.

    By using just the tip of a non-index finger for TouchID, one makes it much harder to gain that liftable print, but it still works fine with TouchID.

    Even with people generally using the balls of their fingers with TouchID, there have been zero reports of a lifted and duplicated print being used to bypass device security. If it were such a danger, one would expect there to have been at least one story, but no.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue