Skip to main content

Researchers disclose vulnerability in Windows Hello facial recognition

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn’t exactly something that is easily accomplished (and Microsoft says it has mitigated the vulnerability), there’s a very specific set of conditions that can lead to the bypassing. In all cases, hackers would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and also use a custom USB device that can impersonate a camera. CyberArk Labs describe the six-part process on its website, with a video showing the proof-of-concept.

A six step diagram showing the vulnerability in Windows Hello.
Image used with permission by copyright holder

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.

Recommended Videos

There currently is no evidence that this vulnerability has been actively used, but CyberArk Labs warns that someone with the right skills can use this to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business and not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk labs submitted this vulnerability to Microsoft back on March 23, 2021. Microsoft acknowledged this issue a day later. Microsoft has since assigned a CVE for the issue, sharing mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…
Windows 11 users outsmart Microsoft once again with new local account trick
A screenshot of the Windows 11 Microsoft Account setup page

A newly discovered trick allows Windows 11 users to bypass Microsoft’s online account requirement during setup, raising questions around user control and privacy. The workaround, shared by X user @witherornot1337, lets users set up Windows 11 with a local account instead of being forced to log in with a Microsoft account.

This follows previous similar methods, highlighting an ongoing cat-and-mouse game between Microsoft and privacy-conscious users. Microsoft has been increasingly pushing online accounts as a mandatory requirement for Windows 11, particularly in Home and Pro editions. This change has frustrated many users who prefer local accounts for greater privacy and independence from Microsoft’s ecosystem.

Read more
I hope Microsoft adds these 6 things to the next major Windows Update
Windows 11 logo on a laptop.

Windows 11 updates have a bit of a reputation, from slowing Intel's newest desktop processors to breaking games. Despite the occasional hiccup, we still look forward with cautious optimism.

Despite the occasional rough patch, Microsoft continues to evolve the OS, and each update feels like a chance for a new beginning. While Microsoft hasn't confirmed anything yet, the rumor mill is buzzing with what comes next, and I'm starting to feel excited. The talk of new features suggests fixes for long-standing annoyances, productivity boosts, and quality-of-life improvements worth waiting for.
What's coming to Windows in 2025?

Read more
Microsoft could make account-free Windows 11 installs a thing of the past
Windows 11 logo on a laptop.

The offline Windows 11 install looks like it could officially be a thing of the past. 

Microsoft is officially shutting the door on local accounts during Windows 11 setup, confirming that all new installations, Home and Pro alike, will now require a Microsoft account. 

Read more