Microsoft's fraudulent authentication system |
The Windows Hello authentication system developed by Microsoft is compatible with many webcam brands. But this feature, designed to facilitate adoption, could also make the technology vulnerable to attack.
Biometric authentication is an important part of the tech industry to achieve a global passwordless plan. In recent years, as the rate of Windows Hello adoption continues to rise, services like Apple's FaceID have made face authentication more popular.
Apple only allows you to use FaceID with a built-in camera on newer iPhones and iPads, and Macs still don't support it.
However, due to the variety of Windows devices, Windows Hello can be used with a number of third-party webcams.
While some people think it's easy to implement, researchers at security company CyberArk have discovered a potential vulnerability.
As reported, the researchers were able to trick the Windows Hello facial recognition system by using photos of the computer owner's face.
Microsoft Windows Hello authentication requires a camera with RGB and infrared sensors. However, when examining the authentication system, the researchers found that it only processes infrared frames.
To verify the results, the researchers created a custom USB device and uploaded the user's infrared image and the RGB image of SpongeBob.
Windows Hello recognizes the device as a USB camera and only uses the user's infrared image to unlock it.
More importantly, the researchers didn't even need multiple infrared images, as the infrared frame and the black frame could unlock a Windows Hello-protected computer.
Microsoft's fraudulent authentication system
It would be very difficult to hack someone's computer using this technology. This assumes that the attacker needs an infrared image of the user.
However, this is still a flaw that can be exploited by individuals with special motives to infiltrate someone's computer.
If tech companies are increasingly turning to biometrics and password scraping as a means of authentication, they need to make sure their authentication technology is secure.
The cyber team's tests also examined Microsoft's Windows Hello. In fact, it is one of the most widely used passwordless authentication systems.
Microsoft has released a patch for its Hello security bypass vulnerability. The tech giant also offered to enable enhanced login security in Windows Hello, which encrypts a user's facial data and stores it in a protected area.