Biometric spoof of Windows Hello not really resolved — researchers

It is still possible to spoof the facial-recognition check in Windows Hello, the biometric sign-in feature built into Microsoft's Windows 10.

The so-called pass-the-PRT (Primary Refresh Token) attack that CyberArk Labs described last month gives an attacker who has passed the spoofed Windows Hello check access to Microsoft Azure resources, including Microsoft 365 assets, without ever needing to look like the target.

It also opens up on-premises assets, because Windows Hello accepted biometric frames from an external device without verifying their source, according to CyberArk researcher Omer Tsarfati.

In a post, Tsarfati writes that, as of August 4, Microsoft had taken steps that make the exploit harder to pull off. He agrees the window has narrowed, but says exploitation is still possible.

Exploitation is a cumbersome, multi-step process that likely requires the attacker, or an attacker-controlled device, to be physically close to the target. That only means attackers have to be more selective about whom they go after.

Tsarfati has pointed out the counterintuitive way the exploit works. Windows Hello is designed to recognize a registered user, but until this problem came to light, Windows did not verify that the infrared frames it was matching came from a trusted camera: any USB device presenting itself as a camera would do.

The researchers built a USB device that impersonated a camera and loaded it with just two frames: a single infrared frame of the target and a black frame. (Microsoft now requires that Windows Hello use cameras from a list of trusted vendors.)

While not trivial, obtaining an IR image of a person is possible.

Tsarfati also says it might be possible to synthesize IR data from an ordinary color image using filters or a machine-learning model.

The only complete guard against this spoof is to use only cameras on the list Microsoft has approved as trusted for Windows devices.
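One check an administrator can run today follows. It is an added example, not code from the article or from CyberArk's research: it inventories the camera devices Windows currently sees and flags any USB camera that is not on a local allowlist of expected hardware, which is exactly the shape of device the spoof relies on. The allowlist patterns are placeholders (an assumption to be replaced with the hardware IDs of the IR cameras actually fitted to your fleet), and the script is an inventory aid for the operator, not the trusted-camera enforcement Microsoft applies inside Windows Hello.

```powershell
# Added example (not from the article or from CyberArk): list the camera
# devices Windows currently sees and flag any that are not on a local
# allowlist. A USB device impersonating an IR camera, as in the CyberArk
# spoof, shows up here like any other camera, so an unexpected entry is
# worth investigating. This does not tell you whether Windows Hello's own
# trusted-camera enforcement is active; it only inventories what is attached.

# ASSUMPTION: these wildcard patterns are placeholders. Replace them with the
# hardware IDs of your own IR cameras (a USB 'VID_xxxx&PID_xxxx' pair, or an
# ACPI ID for an integrated MIPI camera).
$AllowedHardwareIdPatterns = @(
    'USB\VID_0000&PID_0000*',
    'ACPI\VEN_XXXX&DEV_0000*'
)

function Get-CameraInventory {
    # 'Camera' is the device setup class for cameras on current Windows 10
    # builds; older releases put some imaging devices under 'Image'.
    # -PresentOnly restricts the list to devices connected right now.
    Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue |
        ForEach-Object {
            $device = $_
            $hardwareIds = @((Get-PnpDeviceProperty -InstanceId $device.InstanceId `
                                -KeyName 'DEVPKEY_Device_HardwareIds').Data)

            # A device is allowed if any of its hardware IDs matches any
            # allowlist pattern.
            $allowed = $false
            foreach ($id in $hardwareIds) {
                foreach ($pattern in $AllowedHardwareIdPatterns) {
                    if ($id -like $pattern) { $allowed = $true }
                }
            }

            [pscustomobject]@{
                Name        = $device.FriendlyName
                InstanceId  = $device.InstanceId
                Bus         = ($device.InstanceId -split '\\')[0]   # USB, ACPI, PCI, ...
                HardwareIds = ($hardwareIds -join '; ')
                Allowed     = $allowed
            }
        }
}

$inventory = Get-CameraInventory
$inventory | Format-Table Name, Bus, Allowed, InstanceId -AutoSize

# Externally attached USB cameras that are not allowlisted match the attack's
# preconditions most closely, so call those out explicitly.
$suspect = @($inventory | Where-Object { -not $_.Allowed -and $_.Bus -eq 'USB' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} USB camera(s) present that are not on the allowlist; " +
                   "check whether Windows Hello is enrolled against one of them." -f $suspect.Count)
}
```

Run it in an elevated PowerShell session on the endpoint; Get-PnpDevice and Get-PnpDeviceProperty are part of the PnpDevice module shipped with Windows 10. Matching on hardware IDs rather than friendly names matters because a spoofing device can report any name it likes, while the VID/PID or ACPI ID is what the allowlist should pin.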

His post, with video, goes into detail about the problem and the stakes.
