Microsoft designed the Windows Hello authentication system to work with webcams from many brands. But that flexibility, intended to ease adoption, also widens the attack surface.
Biometric authentication is an essential part of the tech industry's plans to make the world passwordless. Services like Apple's Face ID have made facial recognition more popular in recent years, and Windows Hello adoption is growing with it.
Apple only lets you use Face ID with the built-in cameras on recent iPhones and iPads, and it is still not supported on Macs.
Given the variety of Windows devices, however, Windows Hello works with a range of third-party webcams.
What makes adoption easy also caught the eye of researchers at security firm CyberArk, who saw a potential vulnerability.
Windows Hello face authentication requires cameras with both RGB and infrared sensors. But when the researchers examined the verification path, they found that it only processes the infrared frames; the RGB frames are never checked.
To confirm this, the researchers built a custom USB device that presents itself as a camera and loaded it with infrared images of the user and RGB images of SpongeBob.
Windows Hello recognised the device as a USB camera and unlocked using only the infrared images of the user.
What's more, the researchers found they don't even need multiple infrared images: a single infrared frame together with a single black frame is enough to unlock a Windows Hello-protected computer.
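To make the failure mode concrete, here is a small constructed simulation written for this article; it is not Windows Hello code and not CyberArk's tooling. Frames are tiny 8x8 grayscale arrays, the "enrolled template" is a synthetic pattern, and every threshold (match tolerance, minimum frame count, blank-frame variance, cross-sensor correlation) is an assumed value for the toy. The flawed verifier examines only the IR channel, as described above, so an IR image of the user paired with a black frame unlocks. The hardened verifier is my own illustration of a countermeasure, not Microsoft's actual fix.

```python
"""Constructed simulation of the IR-only verification flaw (not Windows Hello code).

Frames are tiny 8x8 grayscale images (lists of lists of ints, 0-255).
A session is the sequence of (rgb_frame, ir_frame) pairs a device delivers.
All thresholds below are assumptions chosen for this toy, not Microsoft's values.
"""
from statistics import mean, pstdev
from typing import List, Tuple

Frame = List[List[int]]
Session = List[Tuple[Frame, Frame]]

SIZE = 8
MATCH_THRESHOLD = 12.0   # assumed: max mean abs pixel difference vs. the enrolled IR template
MIN_FRAMES = 3           # assumed: insist on several frames, not a single replayed one
MIN_RGB_STDDEV = 8.0     # assumed: an RGB frame with almost no variance is blank
MIN_CROSS_CORR = 0.5     # assumed: RGB luma and IR must depict the same scene


def synthetic_face_ir(seed: int) -> Frame:
    """Deterministic stand-in for an infrared capture of one person's face."""
    return [[(x * 37 + y * 91 + seed * 13) % 256 for x in range(SIZE)]
            for y in range(SIZE)]


def black_frame() -> Frame:
    return [[0] * SIZE for _ in range(SIZE)]


def flatten(frame: Frame) -> List[int]:
    return [v for row in frame for v in row]


def mean_abs_diff(a: Frame, b: Frame) -> float:
    return mean(abs(p - q) for p, q in zip(flatten(a), flatten(b)))


def correlation(a: Frame, b: Frame) -> float:
    """Pearson correlation of two frames; 0.0 when either frame is flat."""
    xa, xb = flatten(a), flatten(b)
    sa, sb = pstdev(xa), pstdev(xb)
    if sa == 0 or sb == 0:
        return 0.0
    ma, mb = mean(xa), mean(xb)
    cov = mean((p - ma) * (q - mb) for p, q in zip(xa, xb))
    return cov / (sa * sb)


def ir_matches_template(ir: Frame, template: Frame) -> bool:
    return mean_abs_diff(ir, template) <= MATCH_THRESHOLD


def capture_session(template_ir: Frame, n_frames: int) -> Session:
    """Constructed stand-in for what a genuine RGB+IR camera aimed at the enrolled
    user delivers: IR frames are the template plus a little sensor noise, and each
    RGB frame is a brighter, lower-contrast view of the same scene."""
    session: Session = []
    for i in range(n_frames):
        ir = [[min(255, template_ir[y][x] + (x * y + i) % 5) for x in range(SIZE)]
              for y in range(SIZE)]
        rgb = [[min(255, int(ir[y][x] * 0.8) + 30 + (x + y + i) % 3) for x in range(SIZE)]
               for y in range(SIZE)]
        session.append((rgb, ir))
    return session


def spoofed_session(stolen_ir: Frame) -> Session:
    """The CyberArk-style payload: one IR image of the user plus one black frame."""
    return [(black_frame(), stolen_ir)]


def flawed_verify(session: Session, template: Frame) -> bool:
    """Models the behaviour described in the article: only the IR frames are
    examined, so the RGB channel can carry anything, including nothing at all."""
    return any(ir_matches_template(ir, template) for _rgb, ir in session)


def hardened_verify(session: Session, template: Frame) -> bool:
    """Illustrative countermeasure (mine, not Microsoft's fix): require several
    frames, reject blank RGB frames, and require the RGB and IR channels to
    agree on what they are looking at."""
    if len(session) < MIN_FRAMES:
        return False
    for rgb, ir in session:
        if not ir_matches_template(ir, template):
            return False
        if pstdev(flatten(rgb)) < MIN_RGB_STDDEV:
            return False
        if correlation(rgb, ir) < MIN_CROSS_CORR:
            return False
    return True


if __name__ == "__main__":
    enrolled = synthetic_face_ir(seed=7)
    spoof = spoofed_session(enrolled)          # attacker replays the user's IR image
    genuine = capture_session(enrolled, 3)
    print("spoof,   flawed verifier  :", flawed_verify(spoof, enrolled))      # True
    print("spoof,   hardened verifier:", hardened_verify(spoof, enrolled))    # False
    print("genuine, hardened verifier:", hardened_verify(genuine, enrolled))  # True
```

The point the toy makes is that the flaw is not weak face matching but a channel that is required by policy and then never validated. Note the limit of the software-only countermeasure: a malicious device controls both channels, so it can simply copy the stolen IR image into the RGB slot and satisfy the consistency check. Checking pixels harder does not close the hole; binding the frames to trusted, isolated camera hardware does, which is the direction Microsoft's Enhanced Sign-in Security takes.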
Microsoft’s cheatable authentication system
Exploiting this in practice is not easy: the attacker needs an infrared image of the victim's face and enough physical access to plug a custom USB device into the target machine.
It is nevertheless a real authentication bypass, and a targeted attacker with the motive and the access could use it to get into someone's computer.
Tech companies need to make sure their authentication technologies are secure if they want to rely more and more on biometrics and move away from passwords.
CyberArk's testing put Windows Hello under scrutiny precisely because it is one of the most widely used passwordless authentication systems.
Microsoft has issued a patch for what it calls the Windows Hello Security Feature Bypass Vulnerability. It also recommends turning on Enhanced Sign-in Security in Windows Hello, which encrypts a user's facial data, stores it in a protected area and is only available on hardware that supports it.