Critical Vulnerability in Windows Hello for Business Could Allow Unauthorized Device Access

For years, Microsoft has promoted passwordless authentication, urging Windows users to embrace secure options like Windows Hello. But new research suggests that the business version of Windows Hello may have a vulnerability, which leaves it open to sophisticated spoofing attacks.

At the Black Hat conference in Las Vegas (via The Register), German researchers Tillmann Osswald and Dr. Baptiste David demonstrated how Windows Hello for Business can be bypassed if an attacker has local admin access. The attack method involves exploiting the way Windows Hello stores and verifies biometric data.

How attackers can bypass Windows Hello for Business

Researchers demonstrated that if an attacker gains administrative access to a Windows device, they can add their own facial or fingerprint data to the system’s biometric database. Since Windows Hello matches logins against stored biometric templates, the system can be tricked into recognizing the attacker as the legitimate user. This allows unauthorized access without needing the actual user’s face or fingerprint.

Windows Hello for Business is an enterprise-grade authentication system that replaces passwords with multifactor credentials tied to a device. It uses a combination of biometric data (like facial recognition or fingerprints) and cryptographic keys stored securely on the device. Once Windows Hello for Business is configured, the system generates a public-private key pair. The private key is stored in the device’s Trusted Platform Module (TPM) or a secure enclave, and the public key is registered with the organization’s identity provider.

The Windows API CryptProtectData is designed to encrypt sensitive information, including the biometric templates used by Windows Hello for Business. However, researchers discovered that an attacker with local administrator access could decrypt this protected biometric database by analyzing the software and extracting the necessary key material or configuration data.

Recommendations for organizations

To address this issue, Microsoft has made the Enhanced Sign-in Security (ESS) feature a default setting in Windows 11. ESS adds extra verification steps to strengthen user authentication during sign-in. However, not all Windows PCs support it, as it requires specific hardware and software capabilities, including Secure Boot, TPM 2.0, and compatible biometric devices.

Researchers warn that fixing the Windows Hello for Business vulnerability will be complex, which will likely require a major code overhaul or moving biometric data storage directly into the TPM module. Until then, it’s recommended to disable biometrics and use PINs if ESS isn’t supported. ESS support for external devices is currently limited, with full compatibility expected by late 2025.