Researchers tricked Windows Hello, the passwordless authentication system built into Windows 10 and Windows 11, using a single infrared image accompanied by an all-black frame.

Windows Hello encompasses three authentication methods: a user-generated PIN, a fingerprint scanner, and a facial recognition tool.

The facial recognition feature requires a camera with both RGB and infrared sensors. Researchers discovered, however, that only the frames captured by the infrared sensor are used during the authentication process, which is where their exploit comes in.

This flaw “allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host.”

The exploit only requires two frames to function: One valid infrared frame of the target and at least one RGB frame containing seemingly anything else. The researchers said that during one test “the RGB frames we sent were images of SpongeBob, and to our surprise, it worked!”

Microsoft didn’t reveal what percentage of Windows Hello users rely on facial recognition compared with the number using a fingerprint scanner or only a PIN, but with 1.3 billion Windows 10 users, even a relatively small share could affect millions of devices. Microsoft released a patch related to this vulnerability on July 13.