Date: 2021-07-19

Yes, you can also fool Windows Hello with a face that is not yours.

Nothing is foolproof, not even the latest authentication technology, and now security researchers have managed to fool Microsoft’s Windows Hello authentication system.

Windows Hello is a new, secure way to log in with our face: a classic facial recognition system, but integrated into Windows 10, in which the webcam verifies that we really are the user and lets us into the system without entering a password.

All you need to use Windows Hello recognition is an infrared-compatible webcam on your computer. While it can also be used with a fingerprint, the main focus is on face unlock, which seems to be easily manipulated.

Now researchers from the security firm CyberArk have managed to fool this Windows Hello facial recognition system using images of the computer owner’s face, without the owner being present.

It appears that the researchers discovered that the system only processes infrared frames, so they created a custom USB device that they loaded with infrared photos of the user and RGB images. Interestingly, Windows Hello recognized the device as a USB camera, and the computer was successfully unlocked with the user’s infrared photos only.

It should be clarified that, despite this small vulnerability, it seems quite unlikely that someone could get into another person’s computer with this technique, since they would need not only physical access to the computer for a while but also an IR photo of its owner.

It is not the first time this has happened, and Microsoft has previously released patches for Windows Hello to avoid this type of issue. The company recommends activating the “enhanced Windows Hello login security”, which encrypts the user’s facial data and stores it in a protected area.