A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”
Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.
Well, until they come to the third paragraph of the article.
The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.
Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.
However, this already difficult attack would be much harder to execute if the authentication system required multiple biometrics, rather than just one.
And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five-digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.
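As an added example (not code from the ZDNet article or from any product discussed here), this sketch draws an unpredictable subset of the factors listed above and computes how often an attacker who can spoof only some of them gets a challenge they can answer. The 3-of-5 policy, the function names and the model of one fresh draw per attempt are assumptions.

```python
import secrets
from math import comb

# Factor names come from the post; the 3-of-5 policy is an assumption.
ENROLLED = ("fingerprint", "face", "drivers_license", "pin", "geolocation")


def draw_challenge(enrolled=ENROLLED, required=3, rng=None):
    """Pick which factors this login must present, using a CSPRNG."""
    if not 1 <= required <= len(enrolled):
        raise ValueError("required must be between 1 and the enrolled count")
    rng = rng or secrets.SystemRandom()
    return frozenset(rng.sample(list(enrolled), required))


def verify(challenge, results):
    """Fail closed: every requested factor must be explicitly True.

    `results` maps factor name -> bool as reported by each factor's own
    verifier (hypothetical; the verifiers are not modelled here).
    """
    return all(results.get(factor) is True for factor in challenge)


def spoof_pass_probability(enrolled_count, required, spoofable):
    """Chance that one random draw asks only for factors the attacker can spoof."""
    if spoofable < required:
        return 0.0
    return comb(spoofable, required) / comb(enrolled_count, required)


def pass_within_attempts(p_single, attempts):
    """Chance of at least one favourable draw when every attempt is re-drawn."""
    return 1 - (1 - p_single) ** attempts


if __name__ == "__main__":
    challenge = draw_challenge()
    print("requested:", sorted(challenge))
    # Constructed case: the attacker holds a spoofed face and nothing else.
    print("face-only spoof accepted:", verify(challenge, {"face": True}))
    print("one draw, 3 of 5 spoofable:", spoof_pass_probability(5, 3, 3))
    print("three draws:", pass_within_attempts(0.1, 3))
```

Because each re-drawn challenge is another chance at a favourable subset, the unpredictability only holds up if failed attempts are capped or the challenge is pinned to the login session.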