
In May, Microsoft initiated a significant shift towards a passwordless future by defaulting new account setups to utilize alternatives such as passkeys and Windows Hello. This move is part of a broader trend aiming to enhance security while simplifying user access.
However, recent findings from German researchers Tillmann Osswald and Dr. Baptiste David, presented at the Black Hat conference in Las Vegas, have unveiled vulnerabilities in the business version of Windows Hello. Their demonstration illustrated a method to compromise the system’s biometric security.
During the event, Dr. David logged into his device using facial recognition, after which Osswald, acting as an attacker with local administrator privileges, ran a series of commands. He injected a facial scan captured on a different computer into the target system’s biometric database. Astonishingly, the device unlocked without hesitation when the attacker leaned in, recognizing him as Dr. David.
Understanding the Vulnerability
The core of the issue lies in the internal workings of Windows Hello’s business framework. When the system is initially set up, it generates a public/private key pair, with the public key registered through an organization’s ID provider such as Entra ID. While biometric data is stored within an encrypted database governed by the Windows Biometric Service (WBS), the current encryption methods sometimes fail to thwart an attacker with local admin rights, enabling them to decrypt this critical data.
Enhanced Sign-in Security as a Solution
To address these vulnerabilities, Microsoft has introduced the Enhanced Sign-in Security (ESS). This feature effectively isolates the biometric authentication process within a secure environment managed by the system’s hypervisor. However, the implementation of ESS requires specific hardware: a modern 64-bit CPU that supports hardware virtualization, a TPM 2.0 chip, Secure Boot in the firmware, and properly certified biometric sensors.
ESS is very effective at blocking this attack, but not everyone can use it. For example, we bought ThinkPads around one and a half years ago, but sadly they do not have a secure sensor for the camera because they use AMD chips and not Intel’s.
The Challenge Ahead
Despite the effectiveness of ESS, a comprehensive patch for the existing vulnerabilities in non-ESS systems poses a significant challenge. According to Osswald and David, correcting the underlying architectural issues without a complete redesign is not feasible. Thus, businesses using Windows Hello without ESS need to consider disabling biometric authentication altogether, opting instead for alternatives such as a PIN.
How to Verify ESS Compatibility
To determine if your system supports ESS, navigate to your settings and check the “Sign-in options” under your account. Look for a toggle labeled “Sign in with an external camera or fingerprint reader.” If this switch is off, ESS is active, meaning your USB fingerprint reader will be inoperable for logins. Turning it on disables the ESS feature, allowing external devices to function, albeit at the risk of reduced security.
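The Settings toggle above is the authoritative indicator of whether ESS is active on a given machine, but an administrator auditing a fleet also wants to know which hosts meet the hardware prerequisites listed earlier (64-bit CPU with hardware virtualization, TPM 2.0, Secure Boot, virtualization-based security) and, for hosts that cannot run ESS, to apply the interim mitigation the researchers suggest: turn biometric sign-in off so Windows Hello falls back to the PIN. The following PowerShell script is an added example written for this page, not code from the article, from Microsoft, or from the researchers. It reads only standard WMI/CIM classes and cmdlets; sensor certification cannot be read from WMI, so that prerequisite still has to be checked against the vendor's documentation. The biometrics policy it writes is the "Allow the use of biometrics" setting (HKLM\SOFTWARE\Policies\Microsoft\Biometrics, DWORD `Enabled`); confirm the value against your Group Policy editor before deploying, and prefer GPO or Intune for domain-joined fleets. The function names are the author's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit ESS hardware prerequisites and optionally apply the
# PIN-only mitigation on hosts that cannot isolate biometric matching.

function Get-EssPrerequisiteReport {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'absent' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)

    # VirtualizationFirmwareEnabled reports False once a hypervisor is already
    # running, so a running VBS hypervisor is accepted as equivalent evidence.
    $virtOk = [bool]$cpu.VirtualizationFirmwareEnabled -or $vbsRunning

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Is64Bit            = $os.OSArchitecture -like '64*'
        VirtualizationOk   = $virtOk
        TpmSpecVersion     = $tpmSpec
        TpmIs20            = ($tpmSpec -eq '2.0')
        SecureBootEnabled  = $secureBoot
        VbsRunning         = $vbsRunning
    }
}

# Interim mitigation for non-ESS hosts: disable biometric sign-in via policy.
$script:BiometricPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

function Set-BiometricSignIn {
    param([Parameter(Mandatory)][bool]$Allowed)
    if (-not (Test-Path $script:BiometricPolicyKey)) {
        New-Item -Path $script:BiometricPolicyKey -Force | Out-Null
    }
    # Enabled = 0 turns the Windows Biometric Service off for every user on the host;
    # Windows Hello then offers the PIN that was enrolled before biometrics.
    New-ItemProperty -Path $script:BiometricPolicyKey -Name 'Enabled' `
                     -Value ([int]$Allowed) -PropertyType DWord -Force | Out-Null
}

function Get-BiometricSignInState {
    $v = Get-ItemProperty -Path $script:BiometricPolicyKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $v)      { return 'not configured (biometrics allowed by default)' }
    if ($v.Enabled -eq 0)  { return 'disabled by policy' }
    return 'allowed by policy'
}

# --- usage -----------------------------------------------------------------
$report = Get-EssPrerequisiteReport
$report | Format-List

$meetsPrereqs = $report.Is64Bit -and $report.VirtualizationOk -and
                $report.TpmIs20 -and $report.SecureBootEnabled

if ($meetsPrereqs) {
    'Hardware prerequisites look satisfied; verify the sensor is certified and the Settings toggle is off.'
} else {
    'ESS prerequisites not met: biometric matching on this host is not isolated.'
    # Uncomment to enforce the PIN-only mitigation on such hosts:
    # Set-BiometricSignIn -Allowed $false
    "Biometric sign-in policy: $(Get-BiometricSignInState)"
}
```

The report deliberately reports each prerequisite separately rather than a single pass/fail, because the fix differs per item (a firmware setting for virtualization or Secure Boot, a hardware limitation for the TPM or sensor). The policy change takes effect after a Group Policy refresh or reboot; because Windows Hello requires a PIN before biometrics can be enrolled, users keep a working sign-in method after biometrics are disabled.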

According to Microsoft, some peripherals compatible with Windows Hello may enable ESS. While this does not inherently present a security issue, it complicates device usage. Microsoft recommends keeping any compatible peripheral connected at all times, and it does not expect full support for external devices under ESS until late 2025.