Comparing Windows Hello and Face ID

Researchers at the German security firm SySS have just made a rather surprising discovery: the Windows Hello facial recognition technology in Windows 10 is much harder to attack than expected, provided you diligently update the operating system to the latest version.


The SySS team tested the security of Windows Hello on both older and newer versions of Windows 10. They tested Windows Hello against a biometric bypass method: taking a close-up photograph of the head with an infrared camera, then editing the image and printing it on a laser printer.

In the SySS tests, the team used two devices: a Dell Latitude E7470 fitted with a LilBit USB webcam (capable of facial recognition) and a Surface Pro 4.

The team found that older Windows 10 versions (1511 and 1607) showed a clear weakness and were bypassed by the method above. The reason is that these versions do not support the Enhanced Anti-Spoofing security feature. This feature requires the user's real face for authentication before the machine is unlocked.

Normally, Enhanced Anti-Spoofing is enabled by default. On Windows 10 Pro or Enterprise, you can open the Local Group Policy Editor and enable the feature under the following path: Administrative Templates > Windows Components > Biometrics > Facial Features.

On Windows 10 Home, you can adjust the setting in the machine's registry. Of course, whichever version you run, the most important thing is that your computer or phone has compatible hardware.
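The article names the Group Policy path but not the registry value behind it. The PowerShell audit below is an added example, not code from the article or from SySS; it assumes that the "Configure enhanced anti-spoofing" policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures as the DWORD EnhancedAntiSpoofing, and that ReleaseId under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion carries the release number (1607, 1703, 1709 and so on).

```powershell
# Added example (not from the article or SySS): audit a Windows 10/11 machine for
# the two conditions the article ties to Windows Hello face-spoofing risk:
#   1. an OS release at or above 1703 (the article's recommended minimum), and
#   2. the "Configure enhanced anti-spoofing" policy, which the Group Policy path
#      Administrative Templates > Windows Components > Biometrics > Facial Features
#      writes to the registry value below (assumed; Home editions can set it directly).
function Get-WindowsHelloAntiSpoofingStatus {
    [CmdletBinding()]
    param()

    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $policyValue = 'EnhancedAntiSpoofing'
    $versionKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId holds values such as 1607, 1703, 1709; recent releases report 2009,
    # which still compares as newer than the 1703 minimum.
    $releaseId = (Get-ItemProperty -Path $versionKey -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId
    $releaseNumber = 0
    [void][int]::TryParse($releaseId, [ref]$releaseNumber)

    # A missing value means "Not Configured": the OS default applies (normally enabled on
    # supported hardware, per the article) but nothing enforces it. 0 means explicitly off.
    $policy = Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
    $antiSpoofing = if ($null -eq $policy) { 'NotConfigured' }
                    elseif ($policy.$policyValue -eq 1) { 'Enforced' }
                    else { 'Disabled' }

    [pscustomobject]@{
        ReleaseId            = $releaseId
        MeetsMinimumRelease  = ($releaseNumber -ge 1703)
        EnhancedAntiSpoofing = $antiSpoofing
        AtRisk               = ($releaseNumber -lt 1703) -or ($antiSpoofing -eq 'Disabled')
    }
}

# Enforce the policy on a machine without Group Policy tooling (e.g. Home edition).
# Requires an elevated session because it writes under HKLM.
function Enable-WindowsHelloAntiSpoofing {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'EnhancedAntiSpoofing' -Value 1 -Type DWord
}

Get-WindowsHelloAntiSpoofingStatus | Format-List
```

Whether the hardware actually honours the policy still depends on the camera, as the article notes, so treat an "Enforced" result as necessary rather than sufficient.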


Results on the Surface Pro 4 show that older Windows 10 builds are easily bypassed with or without Enhanced Anti-Spoofing

In the test on the Surface Pro 4, however, the Enhanced Anti-Spoofing feature worked reliably and securely on Windows 10 builds 1709 and 1703. Only Windows 10 build 1607 was bypassed quite easily.

This means that Windows 10 devices without Enhanced Anti-Spoofing support can be attacked easily, especially on older builds such as 1511 or 1607. If users meet the hardware requirements and use Windows Hello, the best course is to update promptly to at least build 1703 or 1709 to stay secure.

The research team expects to publish detailed test results in early 2018.

Microsoft was one of the companies that started the biometrics trend when it launched the Lumia 950XL, a smartphone equipped with Windows Hello facial recognition, in 2015. Today Windows Hello is also available on Windows laptops and tablets, but it is rarely used because the required hardware is still not widespread.

If Windows Hello soon becomes widespread on mobile devices or laptops the way Face ID has, users will probably place great trust in this Microsoft technology.

Windows Hello gives Windows users an alternate way to log into their devices and applications using a fingerprint, iris scan or facial recognition. Here’s what the technology does, who uses it and the hardware required.


Windows Hello is a biometrics-based technology that enables Windows 10 users (and those who update to Windows 11) to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition. The sign-in mechanism is essentially an alternative to passwords and is widely considered to be a more user-friendly, secure and reliable method of accessing critical devices, services and data than traditional password logins.

“Windows Hello solves a few problems: security and inconvenience,” said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy. “Traditional passwords are unsafe as they are hard to remember, and therefore people either choose easy-to-guess passwords or write down their passwords.”

It is not uncommon for people to use the same password (or variations) across multiple sites and applications. Windows Hello and other biometric authentication features like Apple’s Face ID or Touch ID are designed to offer an alternative to passwords that is unique and more secure because it relies on technology that’s harder to break.

“Since we depend even more on getting online for everything in our lives, we’re more than ready to be done with passwords,” said Katharine Holdsworth, principal group program manager, Windows Security.

“Passwords are a hassle to use, and they present security risks for users and organizations of all sizes…. With multifactor authentication, an account is 99.9 percent less likely to be compromised.”

How Windows Hello works

Windows Hello limits the attack surface for Windows by eliminating the need for passwords and other methods under which identities are more likely to be stolen.

“Windows Hello uses 3D structured light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people creating a fake head or mask to spoof the system,” Moorhead said.

Windows users can set up Windows Hello in the sign-in options under account settings. Users need to establish a facial scan, iris scan or fingerprint to get started, but they can always improve those scans, and add or remove additional fingerprints. Once set up, a glance at their device or scan of a finger will unlock access to Microsoft accounts, core applications and third-party applications that use the API.

The adoption of the FIDO specification means that Microsoft’s partners can provide security keys for an additional layer of protection when signing in via Windows Hello.

The FIDO specification was developed in 2014 by the FIDO Alliance, which now includes more than 250 companies, but was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. FIDO authentication technology is available in hundreds of devices today, according to the group.

Microsoft has also given support to the latest version of the security protocol, FIDO2. This lets users access standards-based devices such as USB security keys that offer an extra layer of protection when signing in to Microsoft accounts.

Who uses Windows Hello?

Windows Hello is designed for both enterprises and consumers, and has gained traction on both fronts. During Microsoft’s Ignite 2017 conference, the company announced more than 37 million people were already using Windows Hello and more than 200 companies had deployed Windows Hello for Business. (At the time, the largest enterprise deployment outside of Microsoft’s IT team comprised more than 25,000 users, according to the company.)

Those numbers have only grown. Last December, Microsoft called 2020 a “breakthrough year” for Windows Hello, with more than 150 million monthly users as of May 2020 — and almost double that number by year’s end.


Why would you want Windows Hello?

Passwords, in short, are a drag. In this age of password abundance (and human forgetfulness), security-minded users realize that a fingerprint, facial recognition or an iris scan to gain access to devices, important accounts and data is likely to be a safer option. Even so, the password “remains the most frequently used sign-in mechanism, but also a source of frustration for end users,” said Raúl Castañón, senior analyst at 451 Research, a division of S&P Global Market Intelligence.

Microsoft is working with a growing number of service providers to give its users a more seamless method of authenticating multiple important accounts with Windows Hello. All Microsoft Office apps support Windows Hello, alongside third-party tools such as Dropbox.

Windows Hello has also been integrated into Google Chrome, enabling authentication of payments when using the browser in Windows.

What are the hardware requirements?

Windows Hello has a relatively low barrier to entry, but it does come with specific hardware requirements. Microsoft’s Surface Pro, Surface Book and most Windows 10 PCs equipped with fingerprint scanners or cameras that can capture two-dimensional infrared spectroscopy are compatible with Windows Hello.

Microsoft is also working with device manufacturers to maintain consistent performance and security for all Windows Hello users, and set high-level benchmarks and reference designs to establish baseline requirements. The acceptable performance range for fingerprint sensors is a false accept rate of less than 0.002 percent, and the acceptable range for facial recognition sensors is a false accept rate of less than 0.001 percent, according to Microsoft. That translates into 1 in 100,000 for fingerprints and half that rate for facial recognition. (For comparison purposes, Apple says the chances of fooling its Face ID is 1 in 1 million, while the chances of fooling its Touch ID are 1 in 50,000.)

Moreover, false reject rates for fingerprint and facial recognition scanners without anti-spoofing or liveness detection must fall under 5%. False reject rates for fingerprint and facial recognition scanners with anti-spoofing technology must fall under 10%, according to Microsoft’s guidelines.

For those not familiar with the technology, liveness detection does pretty much what it sounds like: it determines that a user is a living being before unlocking a device or app. All sensors must include anti-spoofing measures like liveness detection, but the configuration of these anti-spoofing features is optional and varies with different systems.

How does Windows Hello compare to Face ID?

Windows Hello doesn’t have direct competitors because of its exclusivity to Windows 10 devices, but it does face indirect competition from the likes of Apple, Samsung, Google and others who provide similar technology for their devices and related ecosystems. Apple’s Face ID is now in use on most iPhones and iPads. (On the tablets, it even works in landscape mode.)


Third-party apps such as Dropbox have been updated with Face ID support.

“Windows Hello is very similar to Apple Face ID and to Google Android biometrics,” said Castañón. “All three provide on-device biometric authentication; this means that the facial or fingerprint data is encrypted and stored on the device and not on a server – which is hackable and therefore inherently insecure.”

The popularity of Apple’s biometric authentication likely helped encourage adoption by drawing attention to the advantages of the technology.

“Given the ease of use and the fact that Apple Face ID – probably the best-known facial authentication – has made this mechanism widely known to consumers in general, we can expect that on-device facial and fingerprint authentication will continue to gain traction,” said Castañón.

According to Moorhead, Apple’s Face ID and fingerprint scanners are the most obvious competitors to Windows Hello, though in his experience Windows works better in low-light environments. “Face ID works with glasses, Windows Hello doesn’t…. Windows Hello works well in the dark. Face ID, not so much,” he said. “Neither Windows Hello nor Face ID works well in very bright light, but fingerprint scanners work in the bright light and the dark.”

What’s next for Windows Hello in the enterprise?

While businesses will benefit from the improved user experience, it should be noted that Windows Hello is just one layer of protection at the device level.

“[T]his means it should be seen as complementary – and not as a replacement – for other security mechanisms that businesses are deploying (for example, at the application level) such as AI-based behavioral biometrics,” Castañón said.

Microsoft has indicated that Windows Hello will continue to offer users passwordless access in Windows 11, where it will benefit from the Trusted Platform Module (TPM), a cryptoprocessor chip required in Windows 11 devices. TPM chips will be integrated into motherboards or added to CPUs and will provide additional security for Windows Hello data at the hardware level.

“With Windows 11 we will continue our focus on security as we help customers stay safe,” said Holdsworth. “This will include investments across the security features in Windows 11 and a new required hardware baseline to ensure we deliver safety and security to assist in keeping our customers safe from the ongoing and increasing number of sophisticated attacks.”