It may not be a data breach, but Windows users have nevertheless been warned of a major new security vulnerability affecting Windows Hello fingerprint authentication.
Security researchers from Blackwing Intelligence have revealed how they were able to bypass Windows Hello fingerprint authentication on three laptops: a Dell Inspiron 15, Lenovo ThinkPad T14, and one of Microsoft’s own Surface Pro X devices.
Microsoft states that Windows Hello is now used by 85% of all Windows 10 users to log-in to their PCs. It makes the vulnerability a serious concern, both for the company and anyone who uses fingerprint authentication instead of relying on more traditional password security measures.
Windows Hello Fingerprint Authentication Bypass Explained
In the least complicated terms possible, Blackwing Intelligence was able to hack Windows Hello fingerprint authentication by reverse engineering its software and hardware components to reveal critical flaws in its implementation. This was then able to be exploited to bypass the sensor entirely.
The researchers did this at Microsoft’s request and published their findings in a blog post, as well as demonstrating the exploit at Microsoft’s BlueHat Conference back in October.
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.
Microsoft hasn’t confirmed if it has patched the vulnerability, but given the time lapse between BlueHat and the findings being shared this week, it seems likely that it has.
Windows Hello’s Rap Sheet Gets Longer
It’s not the first time that Microsoft’s supposedly more advanced Windows Hello security measures have been hacked, either.
Back in 2021, Windows Hello’s facial recognition tech was discovered to have a serious flaw in its biometric security architecture that allowed users to bypass the feature.
At the time, Microsoft pushed out an urgent update to the feature after researchers demonstrated people with face masks and plastic surgery effectively duping Windows Hello into letting them access systems they shouldn’t.
Could Apple MacBooks Also be Flawed?
Much of the responsibility for addressing the latest Windows Hello authentication flaw lies with Microsoft’s hardware partners, as enabling the full suite of security features offered by the tech giant was found to effectively address the vulnerability in most cases.
Blackwing revealed that two out of the three devices it was able to bypass did not have Microsoft’s Secure Device Connection Protocol (SDCP) enabled, which is an additional security measure that ensures a secure connection between host and biometric hardware.
The firm recommends that manufacturers ensure SDCP is not only enabled on devices going forward, but that its biometric security hardware is independently audited on a case-by-case basis.
Blackwing is also understood to be exploring similar fingerprint authentication exploits on Apple MacBook laptops, so watch this space as Windows Hello could be only the tip of the iceberg.
