This is how attackers fool Windows Hello to get into your PC

Since last May, newly created Microsoft accounts no longer use passwords by default. Instead, the company sets them up with options such as passkeys and Windows Hello. Although these decisions aim at greater security, Windows's biometric sign-in can be hacked, as the German researchers Tillmann Osswald and Dr. Baptiste David demonstrated at the Black Hat conference in Las Vegas using the business edition of Windows Hello (Windows Hello for Business).

Osswald and David gave a live demonstration. After David signed in on his machine with his own face, Osswald, acting as an attacker with local administrator privileges, ran a few lines of code. He then injected his own facial scan, captured on a different computer, into the biometric database of the target machine. When he stepped in front of the camera, the machine unlocked instantly, accepting his face as if it were David's, The Register reports.

To understand why, look at how it works internally. In enterprise environments, when Windows Hello is set up for the first time, a key pair is generated: one public key and one private key. The public key is registered with the organization's identity provider, such as Microsoft Entra ID, and the private key is only released for signing once the user's biometric gesture has been verified locally.

The biometric data themselves, however, are stored in a database managed by the Windows Biometric Service (WBS), which is encrypted. At sign-in, the system compares the live scan against the stored template, and a match is what unlocks the key.

The problem is that, in some implementations, the encryption protecting that database does not stop an attacker who already has local administrator privileges from reading and modifying the biometric data. Whoever controls the template therefore controls the match, and with it access to the key.

This is where Enhanced Sign-in Security (ESS) comes in, Microsoft's solution that isolates the whole biometric authentication pipeline inside a secure environment managed by the system hypervisor, so that even a local administrator cannot reach the templates. ESS is very effective at blocking this attack, but not everyone can use it.

For ESS to work, the machine needs very specific hardware: a 64-bit CPU with hardware virtualization support (ESS is built on virtualization-based security), a TPM 2.0 chip, Secure Boot enabled in the firmware, and certified biometric sensors. Microsoft requires this level of protection in its new Copilot+ PC line but, as Osswald points out, many of today's computers do not meet these requirements.

The problem is serious. According to Osswald and David, a definitive patch is very hard or even impossible without a deep redesign, because the flaw lies in the fundamental architecture of how systems without ESS store biometric data.

For now, if you use a work machine with Windows Hello but without ESS, they recommend disabling biometric authentication entirely and using a PIN or another sign-in method.

The easiest way to check whether your machine supports ESS is to go into the system settings. Under your account's Sign-in options, in the Additional settings section, look for a setting called 'Sign in with an external camera or fingerprint reader'.

If the toggle shows it is off, ESS is active, which also means that an external USB fingerprint reader you buy will not work for signing in to Windows. If you turn it on, ESS is disabled and you can use external peripherals, but with less security.
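The hardware checklist above and the Settings check can be combined into one report. The following PowerShell script is an added example, not code from the article or from the researchers; it reads the prerequisites the text lists (64-bit CPU, virtualization, VBS, TPM 2.0, Secure Boot, a present biometric sensor) from the standard Windows management interfaces. It assumes an elevated session on the machine being checked, and it does not claim to read the ESS toggle itself: that state still has to be confirmed in Settings as described, and whether the sensor is certified for ESS is not visible through these interfaces.

```powershell
# Added example (not from the article or the researchers): collect the ESS
# hardware prerequisites on the local machine. Run from an elevated PowerShell.

function Get-EssPrerequisites {
    [CmdletBinding()]
    param()

    # 64-bit CPU with hardware virtualization enabled in firmware.
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cpu64 = ($cpu.AddressWidth -eq 64)
    # Caveat: once a hypervisor is already running, some firmware reports
    # VirtualizationFirmwareEnabled as False, so also accept HypervisorPresent.
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $virt  = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

    # Virtualization-based security status (ESS runs inside the hypervisor):
    # 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # TPM 2.0 present (SpecVersion reads like "2.0, 0, 1.38"). Needs elevation.
    $tpm   = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                             -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    # Secure Boot enabled in UEFI. The cmdlet throws on legacy BIOS; treat as False.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # Any biometric device present at all (camera or fingerprint reader).
    $bio = Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue
    $hasSensor = ($null -ne $bio) -and (@($bio).Count -gt 0)

    $report = [PSCustomObject]@{
        Cpu64Bit               = $cpu64
        VirtualizationEnabled  = $virt
        VbsRunning             = $vbsRunning
        Tpm20                  = $tpm20
        SecureBoot             = $secureBoot
        BiometricSensorPresent = $hasSensor
        BiometricDevices       = @($bio | ForEach-Object { $_.FriendlyName })
    }

    # All hardware prerequisites met does not mean ESS is on; it means it can be.
    $report | Add-Member -NotePropertyName EssPossible -NotePropertyValue (
        $cpu64 -and $virt -and $vbsRunning -and $tpm20 -and $secureBoot -and $hasSensor
    )
    return $report
}

$r = Get-EssPrerequisites
$r | Format-List
if (-not $r.EssPossible) {
    Write-Warning 'One or more ESS prerequisites are missing. Until they are met,'
    Write-Warning 'biometric sign-in is not protected by ESS: consider disabling it and using a PIN.'
} else {
    Write-Host 'Hardware prerequisites met. Confirm in Settings > Accounts > Sign-in options >'
    Write-Host 'Additional settings that "Sign in with an external camera or fingerprint reader" is OFF.'
}
```

The script deliberately stops at the prerequisites: a True on every line tells you the platform can run the hypervisor-isolated pipeline, not that Windows has enabled it. The toggle described in the previous paragraphs remains the authoritative indicator, and any sensor listed under BiometricDevices still has to be one Microsoft has certified for ESS.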

Microsoft states that some peripherals marked 'Compatible with Windows Hello' can enable ESS on your device. Although this is not a security risk, it creates limitations: the company advises connecting them before the first startup and never disconnecting them. Full support for external devices with ESS is not expected before the end of 2025.