Microsoft Windows Hello can be bypassed, using a single infrared image of a user s face planted on a tampered clone of an external USB-based webcam. The vulnerability, tracked as (CVE-2021-34466, CVSS score: 5.7), was patched by Microsoft in July. Attacker Omer Tsarfati, with CyberArk Labs, outlined his research (dubbed Pass-the-PRT attack) that leveraged a custom-made USB device containing a spoofed image.
Source: https://threatpost.com/microsofts-patch-windows-hello-faulty/168392/