[German] Microsoft offers biometric authentication via Windows Hello on Windows 10 and Windows 11. Logging in securely with facial recognition or a fingerprint instead of a password? Not necessarily, according to German security researchers, who warn against using Windows Hello biometrics in corporate environments on hardware that lacks Enhanced Sign-in Security.
Microsoft is urging Windows users to authenticate with its biometric Windows Hello feature instead of passwords.
What is Windows Hello?
Windows Hello is a Windows feature that allows users to log in to their device using biometric data (face, fingerprint, or iris) or a PIN instead of a traditional password. According to Microsoft, it offers a more personal and more secure way to log in to Windows, apps, and online services.
Windows Hello for Business extends this to corporate PCs: the device authenticates the user to Entra ID or Active Directory, which in turn grants access to servers and services. The face or fingerprint gesture is matched against biometric templates that the Windows Biometric Service keeps in a local database, and a successful match releases the cryptographic key used for the actual sign-in.
Windows Hello is a crazy idea!
However, using Windows Hello biometrics in a business environment is a bad idea on many devices, as German security researchers Dr. Baptiste David and Tillmann Osswald from ERNW Research have shown. They uncovered a serious weakness in how the biometric template database is protected.
Security researchers at Black Hat 2025 in Las Vegas
The Register reports in the article German security researchers say 'Windows Hell No' to Microsoft biometrics for biz on their appearance at the Black Hat conference in Las Vegas. There they demonstrated how the Hello biometric database can be tampered with: a local administrator, or malware running with that level of privilege, can inject biometric templates into a computer so that it accepts an attacker's face or fingerprint as a legitimate user.
Dr. Baptiste David logged in with a facial scan. Tillmann Osswald then used a few lines of code to add a Hello face template, which he had enrolled on another computer, to the database, and was able to unlock David's computer. The hack was demonstrated live on stage at the Black Hat conference.
The crux of data protection
The database containing the biometric templates for Hello sign-in is protected with the Windows API function CryptProtectData (DPAPI). However, the researchers found that DPAPI offers no protection against someone who already holds local administrator rights: such a user can obtain the same protection context the biometric service uses, decrypt the database, and write a foreign template into it.
Microsoft also has Enhanced Sign-in Security (ESS), which runs the biometric matching inside the virtualization-based security environment (VTL1), isolated from the normal operating system and therefore also from local administrators. ESS blocks the attack and is enabled by default wherever the hardware supports it. Unfortunately, according to the researchers, not all PCs support it.
The Register quotes Osswald: "ESS is very effective in defending against this attack, but not everyone can use it. For example, we bought ThinkPads about a year and a half ago. Unfortunately, they don't have a secure sensor for the camera because they use AMD chips instead of Intel chips."
Slides from presentations by the two security researchers and some information about them can be found on the web page Authenticating through Windows Hello for Business, a reverse engineering story.
Tillmann Oßwald already disclosed the details of this attack on Windows Hello for Business (WHfB) facial recognition in his blog post Windows Hello for Business – The Face Swap.
Microsoft will not fix it
Microsoft has been informed about this vulnerability. However, because the attack already requires local administrator rights, the researchers do not expect Microsoft to treat it as a problem to be fixed. They also told The Register that a fix would be difficult: it would require extensive reworking of the code, or an attempt to store the biometric data in the TPM, which may not be feasible.
The researchers' recommendation is therefore to disable the biometric sign-in options on devices that cannot run ESS, keep using Hello for Business on them, and let users continue to log in with a PIN, which is protected by the TPM rather than by the DPAPI-protected template database.
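As an added example that is not part of the original article or the ERNW research, the following PowerShell snippet shows how an administrator could apply that recommendation on a Windows 10/11 client: it first records whether virtualization-based security (VBS), which ESS depends on, is actually running, and then enforces the fallback on machines where it is not, disabling biometric sign-in through the documented Group Policy registry keys while leaving the PIN available. The `-Force` switch and the decision logic are this example's own; whether an ESS-capable sensor is present is not read programmatically here, since the article names no such check.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or ERNW): apply the "no ESS, no
# biometrics" fallback. Run elevated. -Force is this example's own switch.
param([switch]$Force)

# Win32_DeviceGuard reports the VBS state: 0 = disabled, 1 = enabled but
# not running, 2 = running. ESS isolates biometric matching in the secure
# kernel (VTL1), so a box where VBS is not running cannot have ESS active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
Write-Host "VBS running: $vbsRunning"

# VBS running is necessary but not sufficient for ESS (the sensor must be
# ESS-capable too). On Windows 11 the Settings app (Accounts > Sign-in
# options) shows "Sign in with an external camera or fingerprint reader"
# only when ESS is active, so treat "VBS running" as "verify in Settings"
# unless the caller insists with -Force.
if ($vbsRunning -and -not $Force) {
    Write-Host "VBS is running; verify ESS in Settings before disabling biometrics (use -Force to override)."
    return
}

# Windows Hello for Business policy "Use biometrics": 0 disables face and
# fingerprint gestures for WHfB but keeps the TPM-backed PIN usable.
$whfb = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics'
New-Item -Path $whfb -Force | Out-Null
Set-ItemProperty -Path $whfb -Name 'UseBiometrics' -Value 0 -Type DWord

# Belt and braces: the general Biometrics policy "Allow the use of
# biometrics" set to 0 makes the Windows Biometric Service unavailable for
# any biometric feature, so a template injected into its database is moot.
$bio = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
New-Item -Path $bio -Force | Out-Null
Set-ItemProperty -Path $bio -Name 'Enabled' -Value 0 -Type DWord

gpupdate /target:computer /force | Out-Null
Write-Host "Biometric sign-in disabled by policy; PIN sign-in remains available."
```

In a managed fleet the same two registry values are normally pushed via Group Policy or an MDM configuration profile rather than set locally; the script is useful for checking a single suspect device, or for seeing which policy keys the central setting writes.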