
Sadly, looks like no: https://github.com/boltgolt/howdy/issues/521

"Windows Hello uses the two IR emitters to generate a 3D image of your face, and is much more secure. To do this Hello lights up your face with the left emitter on even frames, and uses the right emitter on odd frames. This lights up your face in slightly different angles, which is not possible to be faked by simply printing a 2D photo.

Unfortunately Howdy does not have control over these IR emitters and can't use this process"



> Unfortunately Howdy does not have control over these IR emitters

Wasn't sure if "does not" means can't, so I did a search and discovered this interesting development: https://github.com/boltgolt/howdy/pull/611


Ah yeah, that's interesting. I was looking at the actual recognition code in howdy (basically leans on dlib's face detection), which doesn't seem to have any "3D" checker built in, but if it is just based on differential illumination, maybe it won't be so hard to simply make sure there are sufficient differences in the odd/even frames to distinguish a face as 3D.

I suppose it could be weak to a "mask" attack, but you could add something like drishti to make sure you can detect real eyes in addition to a face.

Note, even 3D sensors like Apple's FaceID can be broken with sufficient effort: https://www.wired.com/story/hackers-say-broke-face-id-securi...

Multi-spectral processing might help in that case, but honestly, if this sort of attack is a real security threat, then you probably shouldn't be running biometric logins in the first place (and you should probably actually be using MFA).


Of course, this is all about authentication convenience and keeping the attacker bar high. The mask attack is a lot more expensive/difficult than printing out a photo (too easy).
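The odd/even-frame check suggested in the thread, as an added sketch on synthetic frames (not code from Howdy, Windows Hello, or any commenter). It assumes Lambertian shading and two distant emitters; the function names, geometry, texture and threshold are all constructed for illustration.

```python
import math

def unit(v):
    n = math.sqrt(sum(c * c for c in v))
    return tuple(c / n for c in v)

# Assumed geometry: two distant IR emitters, slightly left and right of the camera axis.
LEFT, RIGHT = unit((-0.3, 0.0, 1.0)), unit((0.3, 0.0, 1.0))
N = 32  # constructed frame size in pixels

def render(normal_at, light):
    """Lambertian frame: albedo * max(0, n . l) for every pixel."""
    frame = []
    for y in range(N):
        row = []
        for x in range(N):
            albedo = 0.3 + 0.07 * ((7 * x + 3 * y) % 10)  # constructed surface texture
            n = normal_at(x, y)
            row.append(albedo * max(0.0, sum(a * b for a, b in zip(n, light))))
        frame.append(row)
    return frame

def flat(x, y):      # sheet facing the camera
    return (0.0, 0.0, 1.0)

def tilted(x, y):    # sheet at an angle: still one normal everywhere
    return unit((0.2, 0.0, 1.0))

def dome(x, y):      # hemisphere standing in for a surface with real relief
    u, v = (x - 15.5) / 14.0, (y - 15.5) / 14.0
    d = u * u + v * v
    return (u, v, math.sqrt(1.0 - d)) if d < 1.0 else (0.0, 0.0, 1.0)

def relief_score(even, odd, eps=1e-6):
    """Std-dev of (even - odd) / (even + odd); albedo cancels in this ratio."""
    r = [(e - o) / (e + o) for erow, orow in zip(even, odd)
         for e, o in zip(erow, orow) if e + o > eps]
    if not r:
        return 0.0
    mean = sum(r) / len(r)
    return math.sqrt(sum((x - mean) ** 2 for x in r) / len(r))

def looks_3d(surface, threshold=0.05):  # threshold is a constructed value
    return relief_score(render(surface, LEFT), render(surface, RIGHT)) > threshold

if __name__ == "__main__":
    for name, s in (("flat", flat), ("tilted", tilted), ("dome", dome)):
        print(name, looks_3d(s))
```

Because the ratio divides out albedo, the texture on a planar surface contributes nothing to the score; only variation in surface normals does. Real frames would additionally need face-region cropping and sensor-noise handling before a threshold means anything.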



