A team of cybersecurity researchers has revealed how Windows 10 computers can be unlocked with nothing more than a printed photograph of the owner.
The attack targets Windows Hello, a facial recognition system used by some Windows 10 machines, such as the Microsoft Surface Pro 4 and Surface Book 2. Windows Hello learns the face of the owner, then unlocks the machine and logs them in when it sees them.
Microsoft describes Windows Hello as offering "enterprise-grade security without having to type in a password." As well as a facial scan, other input methods supported by Windows Hello include fingerprint and iris.
The findings, detailed on the Full Disclosure mailing list and spotted by security expert Graham Cluley, show that the German researchers could easily get into a Windows 10 machine using a "modified printed photo of an authorized user." Machines not yet updated to the recent Fall Creators Update remain vulnerable to the attack.
The hack was tested on a Dell Latitude laptop running Windows 10 Pro with a Windows Hello-compatible webcam, and on a Microsoft Surface Pro 4 tablet, also running Windows 10 Pro and using its own built-in camera.
An infrared image of the device owner was printed at a low resolution of just 340x340 pixels, then held up in front of the Windows Hello camera; the computer unlocked right away.
The researchers, from German security testing company SYSS, state: "The default Windows Hello configuration could successfully be bypassed on both test devices with all tested Windows 10 versions [1703 and 1607]."
Microsoft's Fall Creators Update for Windows 10 (version 1709), released in October 2017, addresses the issue, and all Windows Hello users are urged to install it right away. Installing the update alone is not enough: users should then enable Windows Hello's "enhanced anti-spoofing" setting and re-enrol their face, because face data captured before the update was enrolled without the stricter check and the system needs to re-learn what they look like.
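As an added example, not taken from the article or from SYSS, the following PowerShell script is what a Windows administrator could run to verify and enforce the mitigation described above. It checks that the machine is on build 16299 or later (Windows 10 version 1709), then reads and, if necessary, sets the registry value behind the "Configure enhanced anti-spoofing" Group Policy setting (Computer Configuration > Administrative Templates > Windows Components > Biometrics > Facial Features). Run it from an elevated prompt; the build threshold and registry path are the only assumptions, and re-enrolment of the face is still a manual step for the user.

```powershell
# Added example (not from the article or SYSS): audit and enforce the
# Windows Hello "enhanced anti-spoofing" policy on a Windows 10 machine.
# Run from an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$ValueName = 'EnhancedAntiSpoofing'
$MinBuild  = 16299   # Windows 10 version 1709 (Fall Creators Update)

# 1. Is the OS at least 1709? The article reports pre-1709 builds (1607, 1703)
#    as bypassable in their default configuration, so the update comes first.
$osKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int](Get-ItemProperty -Path $osKey).CurrentBuildNumber
if ($build -lt $MinBuild) {
    Write-Warning "Build $build is older than 1709 ($MinBuild); install the Fall Creators Update first."
    return
}

# 2. Read the current policy state. A missing key or value means "not configured",
#    i.e. the default that was spoofed in the tests.
$current = $null
if (Test-Path $PolicyKey) {
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

if ($current -eq 1) {
    Write-Host "Enhanced anti-spoofing is already enforced by policy."
} else {
    Write-Host "Enhanced anti-spoofing is not enforced (current value: '$current'); enabling it."
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Face templates enrolled before the policy took effect were captured without the
#    stricter check, so the user must remove the enrolment and set up Windows Hello again
#    (Settings > Accounts > Sign-in options > Windows Hello Face).
Write-Host "Remove the existing Windows Hello face enrolment and set it up again so the new check applies."
```

The script deliberately treats an absent key as the vulnerable state rather than assuming a safe default: on the test machines in the article it was exactly that unconfigured default that let the printed photograph through.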