Published Date : 8/8/2025
Organizations are increasingly turning to biometrics to secure their corporate networks and assets, but German cybersecurity researchers have found what they say is a flaw in the implementation of Windows Hello for Business that could make it vulnerable to bypass attacks.
Dr. Baptiste David and Tillmann Osswald of ERNW Research presented their findings at the Black Hat conference in Las Vegas. They demonstrated that a code injection attack can enable a biometric injection attack from another PC, potentially compromising biometric authentication so that any face or fingerprint submitted is accepted.
Business users typically authenticate with Windows Hello to access company servers through digital identity and access management (IAM) platforms such as Entra ID or Active Directory. The attack works by identifying information within CryptProtectData, the software that secures the database containing the cryptographic key linked to the Windows Biometric Service, and using it to break the encryption.
Microsoft provides Enhanced Sign-in Security (ESS) software, which blocks the attack from its hypervisor virtual trust level (VTL1) by default. However, not all PCs support ESS. Tillmann Osswald noted that PCs that do not use Intel chips may not have a secure camera sensor, making them unable to use ESS.
Osswald provides a detailed explanation of the attack process in a recent blog post. A June post details how Hello authentication works, along with previously discovered attacks on Windows Hello for Business. Potential fixes could involve storing biometric data in the Trusted Platform Module (TPM) or a major code rewrite.
The findings come from a two-year research program called Windows Dissect, which is intended to uncover security flaws in the world’s most popular desktop OS. This program is supported by Germany’s Federal Office for Information Security (BSI).
Biometric authentication is becoming increasingly prevalent in corporate environments due to its perceived security and convenience. However, this research highlights the importance of continuous security assessments and updates to protect against emerging threats.
Q: What is Windows Hello for Business?
A: Windows Hello for Business is a biometric authentication feature in Windows that allows users to log in using facial recognition, fingerprint, or iris scan, instead of a password.
Q: What is the vulnerability discovered by the researchers?
A: The vulnerability allows an attacker to perform a code injection attack, which can bypass biometric authentication and grant access to any face or fingerprint submitted.
Q: How does the attack work?
A: The attack works by identifying and exploiting information within CryptProtectData, the software that secures the database containing the cryptographic key linked to the Windows Biometric Service.
Q: What is Enhanced Sign-in Security (ESS) and how does it help?
A: Enhanced Sign-in Security (ESS) is a feature provided by Microsoft that blocks the attack from its hypervisor virtual trust level (VTL1) by default. However, not all PCs support ESS.
Q: What are some potential fixes for this vulnerability?
A: Potential fixes include storing biometric data in the Trusted Platform Module (TPM) or performing a major code rewrite to address the security flaw.