Windows Hello, the biometric user authentication system in Microsoft Windows 10, can be bypassed using a single infrared image of a user’s face planted on a tampered clone of an external USB-based webcam.

The vulnerability, tracked as CVE-2021-34466 (CVSS score: 5.7), was patched by Microsoft in July. However, according to research disclosed here at Black Hat USA 2021, the flaw still allows attackers – in some scenarios – to bypass Windows Hello and Windows Hello for Business, which are used for single-sign-on access to a user’s computer and a host of Windows services and associated data.