
Windows Hello is not completely foolproof

  • November 23, 2023


Researchers discovered vulnerabilities in several fingerprint scanners for Windows laptops. It even turns out that it’s possible to bypass Windows Hello entirely.

Microsoft is proud to say that nearly nine out of 10 Windows users, a number that dates back to 2020, use Windows Hello to log in without a password. But how secure is biometric identification really? Microsoft itself commissioned Blackwing to examine the fingerprint scanners in laptops from Dell, Lenovo and its own Surface series. The test shows that Windows Hello is not entirely error-free either.

First, a brief explanation of exactly how a fingerprint scanner works. There are different types, but laptops usually use a Match on Chip scanner. This term means that your fingerprint is stored on the chip in the scanner and not on Microsoft’s servers. When you place your finger on the scanner, it searches its database for a match. If there is a positive match, your scanner tells Windows that it is indeed you via an internal USB connection.

Windows Hello has been disabled

Fingerprint scanners are not developed by Microsoft, but by third-party manufacturers. Blackwing examined scanners from Goodix, Synaptics and ELAN. All three proved vulnerable to man-in-the-middle attacks, some more than others, in which the signal between the scanner and Windows can be intercepted.

Fortunately, it did not come easily. The researchers had to reverse engineer the software and hardware in the scanner while also reimplementing proprietary protocols. A cryptographic implementation flaw was also discovered in Synaptics’ sensor. The end result was that the researchers were able to completely bypass Windows Hello once biometric identification was enabled on the device. You can read a detailed analysis and description of the methodology in a blog post.

This is not the first time that researchers have uncovered vulnerabilities in Windows Hello. Face recognition can also be bypassed. Using an infrared image of a person, you can trick a laptop’s webcam into thinking the rightful owner is in front of the camera. You can read more about this in a CyberArk blog post.

Microsoft is not to blame for the vulnerabilities. The software giant developed the Secure Device Connection Protocol precisely to prevent your access key from being used by other people. However, this protocol was actually only activated on one of the three devices examined.
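Why it matters whether the scanner's "match" message is authenticated, shown as an added example that is not from the original article or from Microsoft. It is a simplified model and not the Secure Device Connection Protocol wire format; `SESSION_KEY`, `Host`, `sensor_reply` and the message fields are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed model, not the real protocol. Assumption: sensor and host
# already share SESSION_KEY from an earlier authenticated key exchange.
SESSION_KEY = os.urandom(32)

def _mac(key: bytes, nonce: bytes, user_id: bytes) -> bytes:
    return hmac.new(key, b"match|" + nonce + b"|" + user_id, hashlib.sha256).digest()

def sensor_reply(key: bytes, nonce: bytes, user_id: bytes) -> dict:
    """Sensor side: report a match, authenticated and bound to the host nonce."""
    return {"status": "match", "user_id": user_id, "tag": _mac(key, nonce, user_id)}

class Host:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # nonce of the single outstanding challenge

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def accept_unauthenticated(self, msg: dict) -> bool:
        """Weak design: trust whatever status arrives over the bus."""
        return msg.get("status") == "match"

    def accept_authenticated(self, msg: dict) -> bool:
        """Hardened design: require a valid MAC over a fresh, single-use nonce."""
        nonce, self.pending = self.pending, None  # consume nonce, blocks replay
        if nonce is None:
            return False
        expected = _mac(self.key, nonce, msg.get("user_id", b""))
        return hmac.compare_digest(expected, msg.get("tag", b""))

def demo() -> dict:
    host = Host(SESSION_KEY)
    # Constructed message from something on the bus that lacks the session key.
    forged = {"status": "match", "user_id": b"alice", "tag": b"\x00" * 32}
    out = {"weak_accepts_forged": host.accept_unauthenticated(forged)}
    host.challenge()
    out["hardened_accepts_forged"] = host.accept_authenticated(forged)
    genuine = sensor_reply(SESSION_KEY, host.challenge(), b"alice")
    out["hardened_accepts_genuine"] = host.accept_authenticated(genuine)
    host.challenge()  # new login attempt, old reply presented again
    out["hardened_accepts_replay"] = host.accept_authenticated(genuine)
    return out
```

The protection exists only when the authenticated path is actually in use, which is the point of the finding that the protocol was activated on just one of the three devices.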

More secure than a password

Although cracking Windows Hello requires advanced technical skills, the conclusions of these studies should not be dismissed. After all, hackers are proving to be increasingly sophisticated. Microsoft also plans to fully invest in biometric identification to replace passwords. Windows 11 recently added support for passkeys for logging into websites using Windows Hello.

Biometric identification is considered more secure than passwords. That’s 99 percent true, but it now appears that it’s not 100 percent watertight yet. Attackers will increasingly focus their methods on this form of authentication in the coming years. Therefore, it remains important to incorporate multiple levels of verification (MFA) to ensure your digital identity remains protected.

Source: IT Daily
