Windows Hello critical vulnerability, defeated by pictures of people's faces.

[suicidalfranco]

what did you expect, when has MS ever made something that just works?

[8uhbbhu8]

Lets just face it. This tech will not be perfect for a while and we need more time I think before implementing this kinda stuff to find issues like this.

[Guest]

As long as they don’t force it to be enabled then I’m happy. 

 

For backstory, Windows 10 devices enrolled into AzureAD businesses / enterprise) auto login to Office 365/Azure portal. Essentially if you can fool Hello with an IR picture of the IT dude, you can have unrestricted access to the companies IT system even if you have passwords and MFA in place. 

[captain_to_fire]

3 hours ago, suicidalfranco said:

what did you expect, when has MS ever made something that just works?

Uhm the Xbox 360 “just works”. ?

[ItsMitch]

52 minutes ago, Windspeed36 said:

For backstory, Windows 10 devices enrolled into AzureAD businesses / enterprise) auto login to Office 365/Azure portal. Essentially if you can fool Hello with an IR picture of the IT dude, you can have unrestricted access to the companies IT system even if you have passwords and MFA in place

Sounds 100% secure and nothing could possibly go wrong at all. 

[captain_to_fire]

13 hours ago, DrMacintosh said:

Looks back at all the shade people tried to throw on Apple

In short, seeing Face ID fooled by identical twins and kids that look like their parents is the lesser of two evils in comparison to Windows Hello being fooled by a low resolution photo which is an embarrassment. 

 

And it only proves that passwords/PIN is still the most secure way of authentication and biometrics is more about better accessibility with the expense of less security. 

[jagdtigger]

58 minutes ago, Windspeed36 said:

As long as they don’t force it to be enabled then I’m happy. 

 

For backstory, Windows 10 devices enrolled into AzureAD businesses / enterprise) auto login to Office 365/Azure portal. Essentially if you can fool Hello with an IR picture of the IT dude, you can have unrestricted access to the companies IT system even if you have passwords and MFA in place. 

Lets hope that the IT guys that high up have more brain than r=1 users and avoid using this swiss cheese... (But i have my doubts since they using 10.)

[Kinda Bottlenecked]

LOL what a turn of events 

[RedRound2]

Man, if it ever was Apple, this topic would be trending with die hard haters.

Coming back on topic, is this really a surprise? Microsoft has an amazing track record of screwing up things in a colossal way and this seems to be no different.

[suicidalfranco]

1 hour ago, hey_yo_ said:

Uhm the Xbox 360 “just works”. ?

until it starts cooking itself 

[HarryNyquist]

10 hours ago, ravenshrike said:

Eh, if it's topographically mapped as well it's pretty unique. Course, that requires a hell of a lot more sophistication than Windows Hello.

9 hours ago, Commodus said:

Face security is fine when it's done well.  This is why Apple bent over backwards with its depth sensing approach to Face ID -- so you couldn't fool it with a photo. The problem is that Hello just isn't as sophisticated.

https://wccftech.com/apple-iphone-x-friend-unlock-not-once-twice/

Skepticism aside, this isn't the only time this was reported with Face ID.

It just still begs the question for me. Fingerprints are highly probable to be unique. Passwords/phrases as well. I get that it's convenient to look-unlock the phone, and I get for perhaps a home computer as well, but at what cost for a public computer or a phone you carry daily? At what point does it become a nuisance that this supposedly "secure" feature is being thwarted seemingly so easily?

 

[captain_to_fire]

2 minutes ago, HarryNyquist said:

Fingerprints are highly probable to be unique.

True. As a matter of fact, even identical twins don't have the same fingerprints.

[jagdtigger]

14 minutes ago, suicidalfranco said:

until it starts cooking itself 

At least that one can be fixed at home...

[Sauron]

*cough* use a password *cough*

[vanished]

On 12/21/2017 at 10:28 PM, DrMacintosh said:

Looks back at all the shade people tried to throw on Apple

which was fully deserved lol

as is any and all complaints about this failure

[Thony]

On 21/12/2017 at 4:44 PM, goodtofufriday said:

I dont understand? Where is the vulnerability here? its just bad software.

Im with u. 

[KhandakeF]

On 12/21/2017 at 12:17 PM, tjcater said:

Jokes on them, my laptop doesn't even support it But seriously, that has to be one poorly thought out algorithm if its defeated by low res pictures. (Wasn't Windows Hello supposed to have depth detection too?)

Edit: Another thought, they might need to disable supporting facial logins when lighting is poor

I have actually been able to login via hello in a completely dark room except for the light from my screen

[BlueChinchillaEatingDorito]

On ‎2017‎-‎12‎-‎21 at 2:28 PM, DrMacintosh said:

Looks back at all the shade people tried to throw on Apple

It goes both ways. 

[mr moose]

On 12/23/2017 at 12:00 AM, RedRound2 said:

Man, if it ever was Apple, this topic would be trending with die hard haters.

Coming back on topic, is this really a surprise? Microsoft has an amazing track record of screwing up things in a colossal way and this seems to be no different.

 

I fully expect those who where defending apple to defend MS now,  seeing as it's the same people shitting on MS for this as it was for apple.

[suicidalfranco]

1 minute ago, mr moose said:

 

I fully expect those who where defending apple to defend MS now,  seeing as it's the same people shitting on MS for this as it was for apple.

ahahahah

Not happening.

[Trik'Stari]

On 12/21/2017 at 11:44 AM, goodtofufriday said:

I dont understand? Where is the vulnerability here? its just bad software.

"Windows 10" would be the vulnerability.

 

I'm no longer on Windows 7, but I do like some of the things about Windows 10. I just wish it would do what I tell it and only what I tell it. Every time there's an update I have to redo my settings.