Researchers have shown that it is possible to spoof and get through the Windows Hello facial recognition system used for passwordless logins on personal computers.
Windows Hello uses infrared and red-green-blue (RGB) cameras to scan users' faces and match the data obtained against a password hash for authentication.
By using a single captured infrared frame and a cloned USB device, researchers at security vendor CyberArk were able to spoof a user's visage and gain access to a PC running Windows Hello for Business for logins.
CyberArk believes it is possible to create the infrared frames through regular colour images as well, through automated filters and machine learning algorithms.
"Our research yielded an interesting attack vector: capture a victim’s image, save the captured frames, impersonate a USB camera device, and eventually send those frames to the system for verification," the researchers said.
"At the heart of this vulnerability lies the fact that Windows Hello allows external data sources, which can be manipulated, as a root of trust," the researchers said in their analysis of the flaw.
Microsoft issued a patch for the flaw today, applicable to supported versions of Windows 10 32-bit and 64-bit, and for ARM64-based systems.
To mitigate attacks that could bypass biometric user authentication, Microsoft suggests using Enhanced Sign-In Security.
CyberArk researchers say Enhanced Sign-In Security does mitigate against attacks, but it requires specialised cameras, firmware and hardware drivers to work.