Executive Summary

This security update resolves a Windows Hello facial recognition bypass vulnerability in Windows 10 that allows an attacker to replay an image of the user to gain access to a system. The bypass requires physical access with complete possession of the user's device, custom hardware, and a specialized infrared (IR) image of the user.

Vulnerability Information

The 2021-07 cumulative security update addresses CVE-2021-34466 and was released on July 13, 2021.

A successful exploit requires the following prerequisites:

  1. The user must already be enrolled in Windows Hello face authentication.

  2. The attacker has physical access to the victim’s device.

  3. The attacker has softcopies of the victim’s infrared images.

  4. The attacker crafts a custom USB camera device that mimics a legitimate Windows Hello Face camera, plugs it into the victim's device, and streams the image frames mentioned in item 3.

Fixes & Mitigations

On July 13, 2021, Microsoft released the following fixes for patching this vulnerability:

  • KB5004237 for Windows 10, version 2004, all editions, Windows 10, version 20H2, all editions, and Windows 10, version 21H1, all editions

  • KB5004245 for Windows 10 Enterprise, version 1909, Windows 10 Enterprise and Education, version 1909, and Windows 10 IoT Enterprise, version 1909

  • KB5004244 for Windows 10 Enterprise 2019 LTSC and Windows 10 IoT Enterprise 2019 LTSC

  • KB5004281 for Windows 10 version 1803 (Available on request)

Resolution details

These security updates implement restrictions so that only trusted cameras are allowed to be used with Windows Hello face authentication.

  • Existing Windows Hello face authentication users – These are users who enrolled in Windows Hello face authentication before applying this update. Windows will prompt them to re-authenticate with their PIN only once after installing this update.

  • New Windows Hello face authentication users – These are users who apply this update before enrolling in Windows Hello face authentication. Windows will automatically trust the camera used for Windows Hello face authentication enrollment.

Optional configuration

Highly security-conscious users can also set the following registry value to disable all external cameras for use with Windows Hello Face.

  • Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon

  • Value name: ShouldForbidExternalCameras

  • Type: DWORD

  • Value: 1

Experienced users or IT professionals can also add the above registry value by running the following command from an administrator command prompt.

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon" /v ShouldForbidExternalCameras /t REG_DWORD /d 1 /f

Please note that configuring this registry value will prevent all external USB cameras from being used with Windows Hello Face. However, users can continue using the external camera with other applications such as Microsoft Teams.
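The following PowerShell script is an added example and is not part of Microsoft's article. It audits the registry value documented above (reporting whether external Windows Hello Face cameras are blocked), can enforce it on devices that use an external camera, and checks whether Get-HotFix lists one of the KB numbers from the Fixes & Mitigations section. Only the registry path, value name and KB numbers come from the article; the function names and the audit logic are assumptions of this example. Note that Get-HotFix only reports packages it knows about and that later cumulative updates supersede the listed KBs, so their absence is a prompt to verify the installed update level, not proof that the device is unpatched.

```powershell
# Added example (not from the Microsoft article). Run from an elevated PowerShell session.
# Audits/enforces ShouldForbidExternalCameras and reports whether a listed fix KB is present.

$FaceLogonPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon'
$ValueName     = 'ShouldForbidExternalCameras'

# KB numbers as listed in the article. Later cumulative updates supersede them, so an
# empty result from Get-InstalledFixKB does not by itself mean the device is unpatched.
$FixKBs = @('KB5004237', 'KB5004245', 'KB5004244', 'KB5004281')

function Get-ExternalCameraPolicy {
    # Returns 1 (external cameras blocked for Windows Hello Face), 0 (explicitly allowed),
    # or $null when the value has never been set (which also means allowed).
    $item = Get-ItemProperty -Path $FaceLogonPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ExternalCameraPolicy {
    # Writes the DWORD value the article documents; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    if (-not (Test-Path -Path $FaceLogonPath)) {
        New-Item -Path $FaceLogonPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$FaceLogonPath\$ValueName", "Set to $Value")) {
        New-ItemProperty -Path $FaceLogonPath -Name $ValueName -PropertyType DWord `
                         -Value $Value -Force | Out-Null
    }
}

function Get-InstalledFixKB {
    # Returns the HotFixIDs from the article's list that Get-HotFix reports as installed.
    Get-HotFix |
        Where-Object { $FixKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

# --- Report -----------------------------------------------------------------
$policy = Get-ExternalCameraPolicy
$state  = if ($policy -eq 1)     { 'external cameras blocked' }
          elseif ($policy -eq 0) { 'external cameras allowed (value set to 0)' }
          else                   { 'value not set (external cameras allowed)' }
Write-Host "ShouldForbidExternalCameras: $state"

$kbs = @(Get-InstalledFixKB)
if ($kbs.Count -gt 0) {
    Write-Host "Listed fix present: $($kbs -join ', ')"
} else {
    Write-Host 'None of the listed KBs reported by Get-HotFix; confirm the device has a cumulative update from July 2021 or later.'
}

# --- Enforce on devices that use an external Windows Hello Face camera ---------
# Set-ExternalCameraPolicy -Value 1 -WhatIf   # preview the change
# Set-ExternalCameraPolicy -Value 1           # apply it
```

Run the script as-is to audit a device; uncomment the last line to apply the value, which has the same effect as the reg add command above. The -WhatIf variant is useful when rolling the change out across a fleet, since, as the article notes, it blocks every external USB camera from Windows Hello Face (other applications keep working).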

Enhanced Sign-in Security

Customers with Windows Hello Enhanced Sign-in Security are protected against this vulnerability. Enhanced Sign-in Security is a new security feature in Windows that requires specialized hardware, drivers, and firmware that are pre-installed on the system by device manufacturers. Please contact your device manufacturer to learn about support for Enhanced Sign-in Security on your device.

Affected Software

The following Windows 10 based systems are affected by this vulnerability:

  • Windows 10 Version 21H1 for x64-based Systems

  • Windows 10 Version 21H1 for 32-bit Systems

  • Windows 10 Version 21H1 for ARM64-based Systems

  • Windows 10 Version 21H1 for ARM-based Systems

  • Windows 10 Version 20H2 for x64-based Systems

  • Windows 10 Version 20H2 for 32-bit Systems

  • Windows 10 Version 20H2 for ARM64-based Systems

  • Windows 10 Version 20H2 for ARM-based Systems

  • Windows 10 Version 2004 for x64-based Systems

  • Windows 10 Version 2004 for 32-bit Systems

  • Windows 10 Version 2004 for ARM64-based Systems

  • Windows 10 Version 2004 for ARM-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows 10 Version 1909 for 32-bit Systems

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for ARM-based Systems

  • Windows 10 Version 1809 for x64-based Systems

  • Windows 10 Version 1809 for 32-bit Systems

  • Windows 10 Version 1809 for ARM64-based Systems

  • Windows 10 Version 1809 for ARM-based Systems

  • Windows 10 Version 1803 for x64-based Systems

  • Windows 10 Version 1803 for 32-bit Systems

  • Windows 10 Version 1803 for ARM64-based Systems

  • Windows 10 Version 1803 for ARM-based Systems

Frequently Asked Questions

Q. I don’t have a device that is compatible with Windows Hello face authentication or I have not enabled facial recognition with Windows Hello. Do I have to worry about this vulnerability?

A. No. This vulnerability is only applicable to those users who have a device that is compatible with Windows Hello Face and have enrolled in facial recognition authentication.

Q. What should I do to protect my users from this vulnerability?

A. Download and install the above updates.

Q. Do I need to configure the optional registry setting to secure my devices from this vulnerability?

A. If you only use an internal or built-in Windows Hello Face camera, you don't need to add the optional registry value. However, if you are a mobile user, your device might be at risk of being lost or stolen, so if you use an external camera you can add the optional registry value to prevent the use of external Windows Hello Face cameras. Please note that after you add the registry value, all external USB cameras will be blocked from being used with Windows Hello Face. Users can continue using an external camera with other applications such as Microsoft Teams.

Q. Can this vulnerability be exploited remotely?

A. No. To exploit this vulnerability, the attacker must have full physical access to the victim’s device.

Q. Do I still need to install this update if my device supports Enhanced Sign-in Security?

A. Enhanced Sign-in Security mitigates this vulnerability, but only if the feature is enabled. Even if a device has the necessary hardware and software components, you still need the update mentioned above if the feature is not turned on. Regardless, you should still install this update to get other security fixes.

Q. Can I continue to use Windows Hello facial recognition without updating my system?

A. Windows Hello facial recognition will continue to work even if you do not update your system. We highly advise you to update your system, particularly if you are a mobile user.

Q. Can I disable Windows Hello facial recognition and continue to use Windows Hello Fingerprint?

A. Yes. You can remove Windows Hello face authentication in Sign-in options > Windows Hello Face to turn off Windows Hello Face and continue to use Windows Hello Fingerprint.
