Windows Hello, hacked using vulnerabilities in fingerprint sensors

November 22, 2023


Windows Hello is the authentication system Microsoft introduced with Windows 10 and extended in Windows 11. It lets users sign in to the operating system with biometrics, either face recognition through an infrared camera or a fingerprint sensor, instead of typing a password. The credential that actually unlocks the account is an asymmetric key pair generated on the device; the private key is stored locally and never leaves the machine, and a successful biometric match only releases it for use.

Besides signing in to the operating system, Windows Hello supports features such as Dynamic Lock, which locks the computer when a paired device moves out of range so that third parties cannot use it, and it can act as an authenticator for other applications, for example the support Google added to Chrome for confirming online purchases with Windows Hello.

Windows Hello, hacked with permission from Microsoft

The Microsoft Offensive Research and Security Engineering (MORSE) team asked the security firm Blackwing Intelligence to evaluate the security of fingerprint sensors used with Windows Hello. The team tested the three most widely deployed fingerprint sensors on the laptop market, from Goodix, Synaptics and ELAN, and bypassed all three.

The researchers worked on three popular laptops, a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro, and defeated Windows Hello fingerprint sign-in on every one of them. It must be said that the weakness is not in Windows Hello itself but in how the laptop manufacturers integrated the sensors.

The investigation is detailed on their blog, but in essence it consists of convincing the host that a fingerprint other than the one enrolled by the Windows Hello user had been legitimately matched. To do this, the researchers disconnected the fingerprint sensor from the laptop and used a Raspberry Pi 4 single-board computer running Linux to sit between host and sensor, a man-in-the-middle attack in the classical sense: a device that intercepts and alters the traffic between two endpoints, here the host and the sensor rather than two network devices.

This is not the first time Windows Hello has been bypassed: in 2021 Microsoft patched an authentication bypass after a proof of concept used a crafted infrared image of the victim's face to pass face recognition and unlock the computer.

It is unclear, however, whether Microsoft will be able to fix the weaknesses uncovered by this research, since they sit in the OEM integrations rather than in Windows. “Microsoft has done a good job of designing the Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately, device manufacturers seem to not understand some of the goals,” the researchers wrote. They add that “SDCP only covers a very limited range of typical device operations, while most of them represent a highly exposed attack surface that SDCP doesn't cover at all.”
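To make concrete why a secure channel between host and sensor matters against the man-in-the-middle setup described above, here is an added example that is not part of the original article, Blackwing's tooling or Microsoft's SDCP specification. It models a sensor that reports which enrolled template matched, an attacker device on the bus that rewrites that answer, and a host that either trusts the answer as-is or demands an HMAC bound to a fresh nonce. The shared key, the template IDs and the message layout are constructed for the demonstration; real SDCP derives its channel key through a key agreement with a sensor that presents an attested device certificate, which the attacker's Raspberry Pi does not possess.

```python
"""Illustrative model of an unauthenticated vs. authenticated host<->sensor channel.

Constructed example for this article; not SDCP's real wire format or key setup.
"""
import hashlib
import hmac
import secrets

# Simplification (assumption): a key the host and the genuine sensor already share.
# In SDCP this is established via key agreement with an attested sensor; the
# attacker's MitM device never learns it.
SENSOR_KEY = b"demo-shared-secret-not-for-production"

ENROLLED_TEMPLATE = 7     # template ID the legitimate user enrolled (constructed)
ATTACKER_TEMPLATE = 42    # template ID the attacker enrolled on the hijacked sensor


def _mac(key, nonce, template_id):
    """HMAC-SHA256 over the host's nonce and the claimed template ID."""
    return hmac.new(key, nonce + template_id.to_bytes(4, "big"), hashlib.sha256).digest()


def sensor_match_insecure(template_id):
    """Sensor reports a match result with no integrity protection at all."""
    return {"template_id": template_id}


def host_accept_insecure(result, enrolled):
    """Host trusts whatever ID arrives on the bus, whoever put it there."""
    return result["template_id"] == enrolled


def sensor_match_authenticated(template_id, nonce, key=SENSOR_KEY):
    """Sensor binds its result to the host's fresh nonce with an HMAC."""
    return {"template_id": template_id, "mac": _mac(key, nonce, template_id)}


def host_accept_authenticated(result, nonce, enrolled, key=SENSOR_KEY):
    """Host recomputes the MAC over its own nonce before trusting the ID."""
    expected = _mac(key, nonce, result["template_id"])
    if not hmac.compare_digest(expected, result["mac"]):
        return False  # forged or replayed message
    return result["template_id"] == enrolled


def mitm_rewrite(result, spoofed_id):
    """The man-in-the-middle device rewrites the sensor's answer in transit."""
    forged = dict(result)
    forged["template_id"] = spoofed_id
    return forged


def run_scenarios():
    """Return which attempts each host policy accepts."""
    outcomes = {}

    # 1. Unprotected channel: the attacker's own match is relabelled as the victim's.
    real = sensor_match_insecure(ATTACKER_TEMPLATE)
    outcomes["insecure_forgery_accepted"] = host_accept_insecure(
        mitm_rewrite(real, ENROLLED_TEMPLATE), ENROLLED_TEMPLATE)

    # 2. Authenticated channel: the same rewrite breaks the MAC.
    nonce = secrets.token_bytes(32)
    real = sensor_match_authenticated(ATTACKER_TEMPLATE, nonce)
    outcomes["authenticated_forgery_accepted"] = host_accept_authenticated(
        mitm_rewrite(real, ENROLLED_TEMPLATE), nonce, ENROLLED_TEMPLATE)

    # 3. Replay: a genuine response recorded under an old nonce is replayed
    #    against a new challenge; the fresh nonce defeats it.
    recorded = sensor_match_authenticated(ENROLLED_TEMPLATE, secrets.token_bytes(32))
    outcomes["authenticated_replay_accepted"] = host_accept_authenticated(
        recorded, secrets.token_bytes(32), ENROLLED_TEMPLATE)

    # 4. Genuine sensor, genuine user, current nonce: accepted.
    nonce = secrets.token_bytes(32)
    outcomes["authenticated_genuine_accepted"] = host_accept_authenticated(
        sensor_match_authenticated(ENROLLED_TEMPLATE, nonce), nonce, ENROLLED_TEMPLATE)
    return outcomes


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

The model only protects the final "which template matched" message, which mirrors the caveat quoted above: authenticating that one exchange does nothing for enrollment, template storage or any other sensor operation an OEM leaves outside the protected channel, and an attacker who can manipulate those still has a path to a valid-looking match.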

Blackwing Intelligence recommends that OEMs make sure SDCP is actually enabled and have the fingerprint sensor implementation audited by a qualified independent expert. The company is also researching memory corruption attacks against fingerprint sensor firmware and extending its work to fingerprint security on Linux, Android and Apple devices.

Systems like Windows Hello remain worth maintaining and extending; they are what will let us get rid of passwords for good.

Source: Muy Computer
