Windows Hello can be tricked with a printed photo

Windows 10 users have been urged to up their security protection after researchers discovered a major flaw in one of Microsoft's software tools.

Experts from German security firm SYSS have claimed that the Windows Hello system, which allows logging in to devices using facial recognition, can be tricked into granting access.

According to the company, printed versions of a user's face can be enough to trick the tool on some systems.

The researchers claim that any Windows 10 device which has not yet installed Microsoft's recent Fall Creators Update could be at risk from what they call a "simple spoofing attack".

The flaw affects multiple different makes of hardware, with the team testing their claim on one of Microsoft's own Surface Pro 4 devices as well as others made by different manufacturers.

Microsoft has not yet responded to the claims, but SYSS says it plans to reveal more work on the attack next spring.

"According to our test results, the newer Windows 10 branches 1703 and 1709 are not vulnerable to the described spoofing attack by using a paper printout if the "enhanced anti-spoofing" feature is used with respective compatible hardware," SYSS wrote in a blog post picked up by The Register.

"Thus, concerning the use of Windows Hello face authentication, SYSS recommend updating the Windows 10 operating system to the latest revision of branch 1709, enabling the "enhanced anti-spoofing" feature, and reconfiguring Windows Hello face authentication afterwards."
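One way to check a machine against the SYSS recommendation quoted above, as an added example that is not from SYSS or Microsoft. The build number for branch 1709 (16299) and the Group Policy registry location of the "enhanced anti-spoofing" setting are assumptions not stated in the article, and the function name is hypothetical.

```powershell
# Added example (not from the article). Assumptions:
#   - branch 1709 (Fall Creators Update) corresponds to OS build 16299
#   - the "enhanced anti-spoofing" Group Policy is stored as the DWORD
#     EnhancedAntiSpoofing under
#     HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures
# Test-HelloFaceHardening is a hypothetical helper name.

function Test-HelloFaceHardening {
    param(
        [Parameter(Mandatory)] [int] $Build,
        [AllowNull()] $PolicyValue      # $null when the policy is not configured
    )
    $findings = @()
    if ($Build -lt 16299) {
        $findings += "Build $Build is older than 1709: update Windows 10 first."
    }
    if ($PolicyValue -ne 1) {
        $findings += 'Enhanced anti-spoofing is not enforced by policy: enable it.'
    }
    [pscustomobject]@{
        Build     = $Build
        Policy    = $PolicyValue
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Read the live values from this machine.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber

$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$policy = (Get-ItemProperty -Path $key -Name EnhancedAntiSpoofing `
           -ErrorAction SilentlyContinue).EnhancedAntiSpoofing

$result = Test-HelloFaceHardening -Build $build -PolicyValue $policy
$result | Format-List

if ($result.Compliant) {
    # Last step of the quoted recommendation; cannot be verified from the registry.
    'Settings match. Reconfigure (re-enroll) Windows Hello face authentication afterwards.'
}
```

The script cannot tell whether the camera is compatible with enhanced anti-spoofing, which the SYSS statement also requires, so a compliant result still needs a hardware check.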