Enhanced Anti-Spoofing for Windows 10

Martin Brinkmann
Jun 20, 2016
Updated • May 22, 2018
Tutorials, Windows 10
|
9

Microsoft's Windows 10 operating system supports a whole array of biometric login and authentication options.

Instead of having to log in typing a username and password, Windows 10 users can use their fingerprint, face, or other biometric information to sign in.

Microsoft calls these biometric sign in options Windows Hello, and they are only available if the device's hardware supports them.

For instance, to sign in using facial recognition your device would need access to a (IR) camera, while a fingerprint reader would be needed to sign in using your fingerprint.

Configuring Windows Hello

You need to do the following to configure Windows Hello functionality on a device:

  1. Tap on the Windows-key, and select the Settings application link from the options displayed to you. Alternatively, use the shortcut Windows-I to open the Settings app directly.
  2. Navigate to Accounts > Sign-in Options.
  3. First thing you need to do is set a new PIN as it is used as a fallback option in case the biometric sign-in fails.
  4. Locate Windows Hello on the same page afterwards, and click on set up next to one of the available biometric authentication options.
  5. Follow the instructions on screen to complete the setup. For facial recognition, simply look at the camera when instructed to do so to complete the process.

Depending on your device's hardware capabilities, you may see none, one or multiple options to use biometric identification to authenticate on the device.

Please note that you can only enable Windows Hello if the device supports at least one option, and if the feature has not been disabled by a system administrator.

As far as what is happening in the background during the set up process: Windows creates a representation of the captured data, encrypts it, and stores it on the device. This data is not the photo of a user, the iris or the fingerprint, but data that is used to recognize it.

You can read more about Windows Hello and privacy on Microsoft's website.

Enhanced Anti-Spoofing for Windows 10

Enhanced Anti-Spoofing is an optional security feature that is not enabled by default. Facial recognition on Windows 10 uses algorithms to determine if what's in front of the camera is a photograph or a real human being.

You may improve the detection by enabling enhanced anti-spoofing options provided that the device supports those.

You have two options to improve the security of the biometric sign-in process: using the Group Policy or the Windows Registry.

Enable Enhanced Anti-Spoofing: Group Policy

You may enable the security feature using the Group Policy Editor.Please note that the Group Policy Editor is only available on professional or Enterprise versions of Windows 10. If you get an error message launching it, skip to the Registry method below.

The following steps are required:

  1. Tap on the Windows-key, type gpedit.msc and hit enter.
  2. Use the hierarchy on the left to navigate to the following folder: Computer Configuration > Administrative Templates > Windows Components > Biometrics > Facial Features
  3. Double-click on the policy "Use enhanced anti-spoofing when available".
  4. On the window that opens, switch the policy to enabled, and click on the ok button afterwards.

use enhanced-anti-spoofing when available

This enables the feature, and Windows will make use of it from that moment on provided that the device supports it. There is unfortunately no indication whether that is the case or not.

If you enable this policy setting, Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it.

If you disable this policy setting, enhanced anti-spoofing is turned off for all users on the device and they will be unable to turn it on.

To turn the feature off again, repeat the steps outlined above but switch the status of the policy to disabled, or not configured.

Enable Enhanced Anti-Spoofing: Windows Registry

anti-spoofing registry

The feature can be enabled using the Windows Registry as well.

  1. Tap on the Windows-key, type regedit.exe and hit the Enter-key.
  2. Confirm the UAC prompt that is displayed.
  3. Use the key structure on the left to navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures
  4. If Biometrics does not exist, right-click on Microsoft and select New > Key from the menu. Name the key Biometrics and hit enter.
  5. If FacialFeatures does not exist, right-click on Biometrics and select New > Key from the menu. Name the key FacialFeatures and hit enter.
  6. Right-click on FacialFeatures afterwards and select New > Dword (32-bit) Value.
  7. Name it EnhancedAntiSpoofing.
  8. Double-click the new preference afterwards, and set its value to 1.

This enables enhanced anti-spoofing using the Windows Registry. To undo the change, delete the key again or set its value to 0 instead of 1. (via Make Tech Easier)

Summary
Enhanced Anti-Spoofing for Windows 10
Article Name
Enhanced Anti-Spoofing for Windows 10
Description
Find out how to improve the security of signing in to Windows 10 devices using facial recognition by enabling enhanced anti-spoofing protection.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. No-Loverock Davidson said on June 21, 2016 at 10:49 am
    Reply

    How ’bout an “Enhanced Anti-Microsoft-Spying” for Windows 10…?!

  2. asd said on June 20, 2016 at 10:49 pm
    Reply

    Welcome to Big Brotha-ish Brave New World….

  3. Tronald Dump said on June 20, 2016 at 6:48 pm
    Reply

    I don’t think faces are secure enough. If I were sitting on my scanner in the most natural way, could I use that instead of my face?

  4. Croatoan said on June 20, 2016 at 1:24 pm
    Reply

    I already have fingerprint check on boot. In my country everyone (18+) already has gave fingerprint to police.

  5. Bush said on June 20, 2016 at 10:32 am
    Reply

    …ha…ha…ha…

  6. Just another MS Sockpuppet. said on June 20, 2016 at 9:18 am
    Reply

    So basically you exchange your personal bio-metric information with a Corporation who’s in bed with US gov/CIA/NSA for a bit more vague sense of security?

    No thanks!

    1. Jonathan said on June 21, 2016 at 4:08 am
      Reply

      Well, feel free to stop using anything by Google, or the Internet in general then. Don’t forget your Tinfoil hat and reality check on the way out.

    2. James Bond said on June 20, 2016 at 1:07 pm
      Reply

      Chyeah seriously. I’ve always looked at Windows Hello and Cortana as a way they encourage you to use your camera and microphone so they can spy on you in your own home. Creepy McCreeperville!

    3. Martin Brinkmann said on June 20, 2016 at 9:20 am
      Reply

      According to Microsoft, the data is only stored on the local device.
      “Your identification data—the representation of your face, iris, or fingerprint that’s created when you enroll—never leaves your device. “

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.