Windows Hello face recognition is vulnerable to the Jedi mind trick (opens in new tab)

(blogs.msdn.microsoft.com)

103 pointsedburdo9y ago36 comments

36 comments

25 comments · 8 top-level

kevinherron9y ago· 5 in thread

I've had a SP4 since they were released. It's got some faults, but Windows Hello has worked flawlessly for me. It sounded like such a gimmick before I used it but it's actually pretty neat.

Mahn9y ago

SP4 user here too, Windows Hello failed exactly once for me: when I was setting it up. Ever since then it's worked flawlessly. It's so insanely good it's almost hard to believe Microsoft built it.

When Android first came up with face recognition it was a gimmick; half of the time it didn't work, it took too long, you needed the right amount of light, etc etc. But I can confidently say that Microsoft's implementation is nothing like it, they've actually made it work.

1 more reply

zyxley9y ago

The main thing that worries me about it is that "what your face looks like" is superbly easy to copy.

I mean, fingerprints aren't that much more secure in a technical sense, but at least a lot of people don't actively post images of their fingerprints to all their social media accounts.

shliachtx9y ago

If I'm not mistaken Windows Hello will only do facial recognition on a depth-sensing camera, so you would need to create a 3D model of my face to fool it.

2 more replies

JohnTHaller9y ago

Windows Hello only works with newer cameras that support depth/3d sensing. Only a handful of laptops and a couple external cameras have this functionality. Windows Hello doesn't work with standard cameras as it would be easier to bypass.

fintler9y ago

I don't think the threat model for this cares about that.

This is designed for home users who don't have security requirements that make them carry around OTP devices just to see their desktop.

I mean, you can argue that passwords are pretty easy to copy as well -- you just need a video camera facing at the keyboard for a day or three.

justratsinacoat9y ago· 4 in thread

The clickbait 'title' makes some claim to vulnerability, except that's the wrong word entirely. The described "vulnerability" is logically equivalent to briefly removing one's face from the frame, because that's what this is. The article actually suggests that as the usual alternative!

There's nothing else going on here beyond "think about Windows Hello, please". Is this really what we want HN to be about?

accatyyc9y ago

It is the title of the blog post though, which is a Microsoft blog. I don't think clickbaiting was the intention of the poster.

WorldMaker9y ago

Given it's from Old New Thing, I'm willing to bet clickbaiting was indeed the intention of the poster (Mr. Chen), as this title and the article itself seem to follow his sense of humor.

blowski9y ago

It's tech-related fun, and yes, it made me chuckle so I'm fine with it being on HN. I might even say it's a 'hack'.

justratsinacoat9y ago

>I might even say it's a 'hack'

I guess it is an appropriate submission for Hac-- er I mean "Left-Facebook-Logged-In"-er News

ctpide9y ago· 3 in thread

Jedi: "These are not the faces you are looking for." Windows: "Are you sure? [Yes] [No] [Cancel]"

balls1879y ago

Windows: "Are you sure? [Yes] [No] [Cancel] [Upgrade to Windows 10]"

deciplex9y ago

(The joke is in supposing that Windows would ask first.)

1 more reply

kenjackson9y ago

Actually should prompt:

Retry, abort, or fail

pookeh9y ago· 2 in thread

Wow pretty desperate marketing for a design flaw.

algorithmsRcool9y ago

I highly doubt that Raymond Chen, a 24 year veteran of Microsoft and WinAPI / NT kernel expert, is shilling for marketing kudos.

He probably just thought it was a neat side effect.

Piskvorrr9y ago

It's not a bug - it's a feature! https://geekwhisperin.files.wordpress.com/2009/09/bug-vs-fea...

mtgx9y ago· 2 in thread

Microsoft should fix its 4-digit PIN/no limiter app authentication first.

https://www.cnil.fr/en/windows-10-cnil-publicly-serves-forma...

fintler9y ago

> The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account

What pin is this talking about? The only pin I see related to my account is a 6-digit one that the Google authenticator app generates.

Is this some kind of enterprise feature?

AaronFriel9y ago

Windows 10 allows PIN sign in, but it's done with the TPM to ensure a limited number of accesses.

1 more reply

damianknz9y ago· 1 in thread

I have Windows Hello enabled on my phone (a 950) and it scans my iris with an infra-red camera/light. This means it still works in the dark and cant be fooled by a photo (or a 3d model I guess!)

kylemuir9y ago

Still wouldn't stop Wesley Snipes in Demolition Man :)

sandworm1019y ago

Free advice: Do not use biometrics to unlock devices. Face/fingerprint recognition is subject to different, lesser, protections than memorized passwords.

Criminal defense 101: Don't talk to the police. Don't admit anything, including any sort admission of owning a phone. If they can use your face/finger to unlock a phone, that proves it is your phone. Even if you one day want to admit owning that phone, do not allow them to unlock it without your permission. The unlocking of any device should only happen after negotiations with the assistance of counsel, not at 2am in a parking lot. Use some sort of memorized password/pattern.

Sylos9y ago

Who gives a fuck?

j / k navigate · click thread line to collapse

36 comments

25 comments · 8 top-level

kevinherron9y ago· 5 in thread

I've had a SP4 since they were released. It's got some faults, but Windows Hello has worked flawlessly for me. It sounded like such a gimmick before I used it but it's actually pretty neat.

Mahn9y ago

SP4 user here too, Windows Hello failed exactly once for me: when I was setting it up. Ever since then it's worked flawlessly. It's so insanely good it's almost hard to believe Microsoft built it.

1 more reply

zyxley9y ago

The main thing that worries me about it is that "what your face looks like" is superbly easy to copy.

I mean, fingerprints aren't that much more secure in a technical sense, but at least a lot of people don't actively post images of their fingerprints to all their social media accounts.

shliachtx9y ago

If I'm not mistaken Windows Hello will only do facial recognition on a depth-sensing camera, so you would need to create a 3D model of my face to fool it.

2 more replies

JohnTHaller9y ago

fintler9y ago

I don't think the threat model for this cares about that.

This is designed for home users who don't have security requirements that make them carry around OTP devices just to see their desktop.

I mean, you can argue that passwords are pretty easy to copy as well -- you just need a video camera facing at the keyboard for a day or three.

justratsinacoat9y ago· 4 in thread

There's nothing else going on here beyond "think about Windows Hello, please". Is this really what we want HN to be about?

accatyyc9y ago

It is the title of the blog post though, which is a Microsoft blog. I don't think clickbaiting was the intention of the poster.

WorldMaker9y ago

Given it's from Old New Thing, I'm willing to bet clickbaiting was indeed the intention of the poster (Mr. Chen), as this title and the article itself seem to follow his sense of humor.

blowski9y ago

It's tech-related fun, and yes, it made me chuckle so I'm fine with it being on HN. I might even say it's a 'hack'.

justratsinacoat9y ago

>I might even say it's a 'hack'

I guess it is an appropriate submission for Hac-- er I mean "Left-Facebook-Logged-In"-er News

ctpide9y ago· 3 in thread

Jedi: "These are not the faces you are looking for." Windows: "Are you sure? [Yes] [No] [Cancel]"

balls1879y ago

Windows: "Are you sure? [Yes] [No] [Cancel] [Upgrade to Windows 10]"

deciplex9y ago

(The joke is in supposing that Windows would ask first.)

1 more reply

kenjackson9y ago

Actually should prompt:

Retry, abort, or fail

pookeh9y ago· 2 in thread

Wow pretty desperate marketing for a design flaw.

algorithmsRcool9y ago

I highly doubt that Raymond Chen, a 24 year veteran of Microsoft and WinAPI / NT kernel expert, is shilling for marketing kudos.

He probably just thought it was a neat side effect.

Piskvorrr9y ago

It's not a bug - it's a feature! https://geekwhisperin.files.wordpress.com/2009/09/bug-vs-fea...

mtgx9y ago· 2 in thread

Microsoft should fix its 4-digit PIN/no limiter app authentication first.

https://www.cnil.fr/en/windows-10-cnil-publicly-serves-forma...

fintler9y ago

> The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account

What pin is this talking about? The only pin I see related to my account is a 6-digit one that the Google authenticator app generates.

Is this some kind of enterprise feature?

AaronFriel9y ago

Windows 10 allows PIN sign in, but it's done with the TPM to ensure a limited number of accesses.

1 more reply

damianknz9y ago· 1 in thread

I have Windows Hello enabled on my phone (a 950) and it scans my iris with an infra-red camera/light. This means it still works in the dark and cant be fooled by a photo (or a 3d model I guess!)

kylemuir9y ago

Still wouldn't stop Wesley Snipes in Demolition Man :)

sandworm1019y ago

Free advice: Do not use biometrics to unlock devices. Face/fingerprint recognition is subject to different, lesser, protections than memorized passwords.

Sylos9y ago

Who gives a fuck?

j / k navigate · click thread line to collapse