A potential vulnerability in Microsoft’s Windows Hello facial recognition system was recently discovered by security firm CyberArk.<\/p>\n\n\n\n
Unlike Apple’s FaceID, which lets users use the feature only with cameras embedded in their latest iPhones and iPads, Hello facial recognition works with a number of third-party webcams.<\/p>\n\n\n\n
By manipulating a USB webcam to deliver an image selected by attackers, researchers discovered that Windows Hello could be tricked into thinking the device owner’s face was present.<\/p>\n\n\n\n
Microsoft called the vulnerability “Windows Hello security feature bypass vulnerability.” The company released patches on Tuesday which helped fix the issue.<\/p>\n\n\n\n
The company also suggests that users use “Windows Hello enhanced sign-in security.”<\/p>\n\n\n\n
A researcher from the security firm CyberArk, Omer Tsarfati, took a closer look at the vulnerability discovered and explained: “We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option. We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.”<\/p>\n\n\n