Enhanced Anti-Spoofing for Windows 10

Microsoft's Windows 10 operating system supports a whole array of biometric login and authentication options.

Instead of having to log in typing a username and password, Windows 10 users can use their fingerprint, face, or other biometric information to sign in.

Microsoft calls these biometric sign in options Windows Hello, and they are only available if the device's hardware supports them.

For instance, to sign in using facial recognition your device would need access to a (IR) camera, while a fingerprint reader would be needed to sign in using your fingerprint.

Configuring Windows Hello

You need to do the following to configure Windows Hello functionality on a device:

1. Tap on the Windows-key, and select the Settings application link from the options displayed to you. Alternatively, use the shortcut Windows-I to open the Settings app directly.
2. Navigate to Accounts > Sign-in Options.
3. First thing you need to do is set a new PIN as it is used as a fallback option in case the biometric sign-in fails.
4. Locate Windows Hello on the same page afterwards, and click on set up next to one of the available biometric authentication options.
5. Follow the instructions on screen to complete the setup. For facial recognition, simply look at the camera when instructed to do so to complete the process.

Depending on your device's hardware capabilities, you may see none, one or multiple options to use biometric identification to authenticate on the device.

Please note that you can only enable Windows Hello if the device supports at least one option, and if the feature has not been disabled by a system administrator.

As far as what is happening in the background during the set up process: Windows creates a representation of the captured data, encrypts it, and stores it on the device. This data is not the photo of a user, the iris or the fingerprint, but data that is used to recognize it.

You can read more about Windows Hello and privacy on Microsoft's website.

Enhanced Anti-Spoofing for Windows 10

Enhanced Anti-Spoofing is an optional security feature that is not enabled by default. Facial recognition on Windows 10 uses algorithms to determine if what's in front of the camera is a photograph or a real human being.

You may improve the detection by enabling enhanced anti-spoofing options provided that the device supports those.

You have two options to improve the security of the biometric sign-in process: using the Group Policy or the Windows Registry.

Enable Enhanced Anti-Spoofing: Group Policy

You may enable the security feature using the Group Policy Editor.Please note that the Group Policy Editor is only available on professional or Enterprise versions of Windows 10. If you get an error message launching it, skip to the Registry method below.

The following steps are required:

1. Tap on the Windows-key, type gpedit.msc and hit enter.
2. Use the hierarchy on the left to navigate to the following folder: Computer Configuration > Administrative Templates > Windows Components > Biometrics > Facial Features
3. Double-click on the policy "Use enhanced anti-spoofing when available".
4. On the window that opens, switch the policy to enabled, and click on the ok button afterwards.

This enables the feature, and Windows will make use of it from that moment on provided that the device supports it. There is unfortunately no indication whether that is the case or not.

If you enable this policy setting, Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it.

If you disable this policy setting, enhanced anti-spoofing is turned off for all users on the device and they will be unable to turn it on.

To turn the feature off again, repeat the steps outlined above but switch the status of the policy to disabled, or not configured.

Enable Enhanced Anti-Spoofing: Windows Registry

The feature can be enabled using the Windows Registry as well.

1. Tap on the Windows-key, type regedit.exe and hit the Enter-key.
2. Confirm the UAC prompt that is displayed.
3. Use the key structure on the left to navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures
4. If Biometrics does not exist, right-click on Microsoft and select New > Key from the menu. Name the key Biometrics and hit enter.
5. If FacialFeatures does not exist, right-click on Biometrics and select New > Key from the menu. Name the key FacialFeatures and hit enter.
6. Right-click on FacialFeatures afterwards and select New > Dword (32-bit) Value.
7. Name it EnhancedAntiSpoofing.
8. Double-click the new preference afterwards, and set its value to 1.

This enables enhanced anti-spoofing using the Windows Registry. To undo the change, delete the key again or set its value to 0 instead of 1.