Microsoft’s ‘Enterprise-Grade’ Face Authentication Fooled By Photo

[Lucian Armasu]

Microsoft's Windows Hello biometric authentication system was spoofed by a modified photo of an authorized user.

Microsoft’s ‘Enterprise-Grade’ Face Authentication Fooled By Photo : Read more

 

[cryoburner]

By using a modified near-IR high-resolution photo of the targeted user (such as by downloading the target’s photo from their Facebook page), an attacker could log in to or unlock a locked Windows 10 device.

Who posts a near-Infrared photo of themself on their Facebook page? <_<

That said, getting a near-IR photo of someone wouldn't be much more difficult than snapping a regular photo of them while they are looking at you. You would need to use an IR camera though, or modify a regular camera to take IR photos. I didn't see anything in the videos mentioning that a standard photo could be modified to look like one, so it probably wouldn't be as easy as just using an existing, readily available photo.

 

[Lasselundberg]

takes about 10 minutes to modify ei remove the little piece of IR filter in a regular pocket camera

 

[cryoburner]

takes about 10 minutes to modify ei remove the little piece of IR filter in a regular pocket camera

There should be a little bit more involved than just that. The IR blocking filter is generally under the lens, so just removing it will tend to throw off the focus of the camera, resulting in out-of-focus images. To obtain sharp images, you'll likely need to replace it with a piece of glass or plastic with a similar material and thickness. Plus, you'll need to block visible light and only allow near-IR through by adding an IR pass filter, or else the visible light will be combined with the infrared, which might make the image unsuitable for this purpose. And you might also need an IR light source on the camera as well, since the camera on the laptop uses IR LEDs to evenly illuminate one's face.

Though yes, if someone were dedicated to bypassing face authentication on one of these systems, they likely could without too much trouble. Of course, that's assuming face authentication wasn't re-trained on the system after the exploit was patched.