Using your face as a password seems like an ideal
situation. You can’t forget it, and others can’t easily steal it.
But it turns out, Microsoft’s face-authentication
software for some older versions of Windows 10 can be fooled
rather easily with a modified photo.
The good news is that the latest versions of Windows 10
have fixed the flaw.
The researchers tested the attack with a Dell Latitude and a Microsoft
Surface Pro, and found that over a half dozen versions of Windows
10 could be tricked. They posted their findings to Full
Disclosure, a site where researchers publish the holes they
find, where it was first spotted by
The Register’s Richard Chirgwin.
As is typical with these types of things, there are caveats. The
biggest is that if you are using the latest version of Windows,
the “Fall Creators Update” (aka versions 1703
or 1709), you may be safe. Those versions fixed the
flaw, but you have to set up Windows Hello from
scratch. Windows Hello has a feature called “anti-spoofing,”
and that feature must be turned on as well.
Another caveat is that the photo had to be modified to look
like it was a scan by a near-infrared camera. Windows Hello uses
near-infrared cameras to unlock devices because they work well in
low light and most photographs are not taken with such cameras.
In one test, they printed the photo using a printer and then
colored it with a red crayon.
The lesson here is that face identification, although promising,
is still far from totally foolproof, and your best bet is to make
sure you always keep all your devices updated.
Microsoft could not be immediately reached for comment.