
Is Business Truly Secure? The Alarming Truth About Windows Hello You Can’t Ignore.

Should You Trust Windows Hello with Your Business Data? The Definitive Answer You Need.

Microsoft encourages you to use your face or fingerprint to log into your computer with Windows Hello. This feature, available on Windows 10 and 11, is meant to be a secure and easy replacement for passwords. For many people, it is a simple way to get into their devices, apps, and websites. Businesses use the enterprise variant, Windows Hello for Business, to let employees authenticate to company resources through identity platforms such as Microsoft Entra ID or on-premises Active Directory.

However, some security experts are warning that relying on Windows Hello biometrics in a business setting could be a mistake. Researchers from the German security firm ERNW Research, Dr. Baptiste David and Tillmann Osswald, have found a major security weakness. They showed that an attacker who already controls a machine can enroll their own face or fingerprint for a victim's account, which raises serious questions about how well biometric sign-in protects important company information.

A Troubling Discovery Uncovered

At the Black Hat security conference in Las Vegas, the two researchers demonstrated a live hack on stage. They showed how someone with administrator access to a computer, whether a rogue insider or malware that has already escalated privileges, can manipulate the system. The attacker writes a new biometric template, such as a scan of their own face, into the computer's protected biometric database under the victim's identity. Once this is done, the attacker's real face or fingerprint unlocks the victim's account, and with it everything that account can reach. Note that this is not a sensor-spoofing attack with a photo or a fake finger; the sensor sees a genuine biometric, it is the stored reference data that has been tampered with.

This works because the database that stores face and fingerprint templates can be rewritten. The templates are encrypted on disk, but the researchers showed that an attacker with local administrator rights can obtain the keys that protect them (the key material is available to the local SYSTEM account, which any administrator can run code as), decrypt the database, add a template, and re-encrypt it. In effect they add an unauthorized key to a lock, so that any face or fingerprint they choose will unlock the device.
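Because the attack leaves a modified template store behind, one thing a defender can do on machines that must keep biometrics enabled is to baseline that store and alert on changes that do not line up with a known enrollment. The script below is an added example written for this article, not code from the article or from the ERNW researchers. It assumes the default Windows Biometric Framework location for templates (`%SystemRoot%\System32\WinBioDatabase`, `*.DAT` files), a hypothetical baseline file path under `%ProgramData%`, and that it is run from an elevated PowerShell session, since only SYSTEM and Administrators can read that directory.

```powershell
# Added example (not from the article or from ERNW): baseline and integrity-check
# the Windows Biometric Framework template store.
# Assumptions: templates live under $env:SystemRoot\System32\WinBioDatabase as
# *.DAT files (default WBF location); the baseline path below is hypothetical;
# the session is elevated.
$StorePath    = Join-Path $env:SystemRoot 'System32\WinBioDatabase'
$BaselinePath = Join-Path $env:ProgramData 'winbio-baseline.json'   # hypothetical location

function Get-WinBioSnapshot {
    # One record per template file: name, size, last write time, SHA-256 of the encrypted blob.
    Get-ChildItem -Path $StorePath -Filter '*.DAT' -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            Length       = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Save-WinBioBaseline {
    # Record the store immediately after legitimate enrollments are complete.
    Get-WinBioSnapshot | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-WinBioBaseline {
    # Returns one line per deviation from the baseline; empty output means no change.
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-WinBioSnapshot)
    $findings = @()
    foreach ($file in $current) {
        $old = $baseline | Where-Object Name -eq $file.Name
        if (-not $old) {
            $findings += "NEW template file: $($file.Name) ($($file.Length) bytes, written $($file.LastWriteUtc))"
            continue
        }
        if ($old.Sha256 -ne $file.Sha256) {
            # An injected template typically grows the file; report the size delta for triage.
            $findings += "MODIFIED template file: $($file.Name) ($($old.Length) -> $($file.Length) bytes, written $($file.LastWriteUtc))"
        }
    }
    foreach ($old in $baseline) {
        if (-not ($current | Where-Object Name -eq $old.Name)) {
            $findings += "REMOVED template file: $($old.Name)"
        }
    }
    $findings
}

# Usage: run Save-WinBioBaseline once after enrollment, then Compare-WinBioBaseline on a schedule.
if (-not (Test-Path $BaselinePath)) { Save-WinBioBaseline } else { Compare-WinBioBaseline }
```

Two caveats belong with this check. A legitimate enrollment or re-enrollment also changes these files, so a finding has to be correlated with help-desk or self-service records before it is treated as an incident. More importantly, the attacker this article describes already has administrator rights and can rewrite the baseline file too, so the snapshot should be shipped off-host (to a SIEM or a management agent) rather than trusted locally; on its own, host-side integrity checking is a tripwire, not a control.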

Microsoft’s Built-in Shield and Its Critical Flaw

Microsoft has a feature designed to prevent this exact type of attack. It is called Enhanced Sign-in Security (ESS). ESS moves the storage and processing of biometric data into an isolated environment, built on Virtualization-Based Security (VBS) and backed by a Trusted Platform Module 2.0 (TPM), that the ordinary Windows kernel and its administrators cannot read or write. When ESS is active, the researchers' attack method does not work, because there is no template database reachable from the administrator's context to modify.

However, there is a significant problem: not all computers can use ESS. This advanced security feature has strict hardware requirements. Many devices, especially older ones or those without the specific platform support ESS expects, may lack the secure camera sensors or other components needed for ESS to work. The researchers noted that even relatively new ThinkPads they purchased could not use ESS for the camera because they were equipped with AMD chips rather than the Intel platform the feature required on those models. This creates a dangerous gap in security for many businesses. Furthermore, ESS does not support external cameras or fingerprint readers, which is a problem for users who sign in through a docking station or a USB peripheral: as soon as such a device is enabled, biometrics fall back to the unprotected path.

Why a Fix Is Unlikely

After discovering the vulnerability, the researchers informed Microsoft. Despite the seriousness of the issue, a fix is not expected. The attack requires an intruder to already hold local administrator rights on the device, and Microsoft does not treat an attacker who already has that level of control as crossing a security boundary; the practical bar for carrying it out is correspondingly high. Fixing the core problem would require a massive overhaul of the Windows Hello code, or redesigning it to keep biometric data inside the TPM, which may not be feasible across the installed base. Because of these challenges, Microsoft has not issued a security update for this specific method of attack, and the mitigation remains ESS on hardware that supports it.

What Experts Recommend You Do

Given these findings, security professionals have clear advice for businesses. Your course of action depends entirely on whether your computers support Enhanced Sign-in Security, and it has to be checked per device model, not per fleet.

Check Your Hardware

First, determine whether your company's devices are compatible with ESS. This feature is the most effective defense against this vulnerability, so the inventory is the foundation for everything that follows.

For Devices With ESS

If your computers support Enhanced Sign-in Security, make sure it is active and stays active. This keeps biometric templates in the isolated, virtualized environment, out of reach of an administrator on the normal Windows side. Remember that enabling an external camera or fingerprint reader turns that protection off, so docking-station peripherals for biometrics should be ruled out by policy.

For Devices Without ESS

If your computers do not support ESS, the researchers strongly recommend that you disable biometric logins (both facial recognition and fingerprint scanning). In this situation, the risk of a bypass attack is too high for a secure business environment. Instead, rely on a strong PIN for logging in through Windows Hello for Business. The PIN is not a password: it unlocks a key held in the device's TPM and is only usable on that device, and it is unaffected by the template-injection attack described here.
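The three steps above can be scripted for a fleet. The script below is an added example written for this article, not code from the article, Microsoft or ERNW. It checks the building blocks ESS depends on (VBS running, TPM 2.0, Secure Boot) and lists the biometric sensors and cameras present, then, when run with `-DisableBiometrics`, turns off biometric sign-in through the documented Biometrics Group Policy registry values so users fall back to the Windows Hello PIN. It assumes an elevated session. ESS itself has no PowerShell switch (Windows enables it automatically on supported hardware and shows the state in Settings under Accounts > Sign-in options), so a machine that passes the prerequisite check still needs ESS confirmed there or in your management console before biometrics are left on.

```powershell
# Added example (not from the article, Microsoft or ERNW): inventory ESS prerequisites
# and, on request, disable biometric sign-in by policy. Run elevated.
param([switch]$DisableBiometrics)

function Get-EssPrerequisites {
    # Win32_DeviceGuard reports VBS state: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; absent when there is no TPM driver.
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which cannot run ESS anyway.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)    # informational; 2 = HVCI
        Tpm20            = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        SecureBoot       = $secureBoot
        BiometricDevices = @(Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue |
                             Select-Object -ExpandProperty FriendlyName)
        Cameras          = @(Get-PnpDevice -Class Camera -Status OK -ErrorAction SilentlyContinue |
                             Select-Object -ExpandProperty FriendlyName)
    }
}

function Disable-BiometricLogon {
    # Equivalent to setting the Group Policies "Allow the use of biometrics" and
    # "Allow users to log on using biometrics" (Computer Configuration > Administrative
    # Templates > Windows Components > Biometrics) to Disabled. PIN sign-in is unaffected.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    foreach ($key in @($base, (Join-Path $base 'Credential Provider'))) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
    }
}

$status = Get-EssPrerequisites
$status | Format-List

# Any missing prerequisite means ESS cannot be running on this machine.
$missing = @('VbsRunning', 'Tpm20', 'SecureBoot') | Where-Object { -not $status.$_ }
if ($missing) {
    Write-Warning "ESS prerequisites missing: $($missing -join ', '). Biometric sign-in on this device is exposed to the template-injection attack."
} elseif ($status.BiometricDevices.Count -eq 0 -and $status.Cameras.Count -eq 0) {
    Write-Host 'No biometric sensor or camera present; nothing to protect.'
} else {
    Write-Host 'Prerequisites present. Confirm ESS is active in Settings > Accounts > Sign-in options before leaving biometrics enabled.'
}

if ($DisableBiometrics) {
    Disable-BiometricLogon
    Write-Host 'Biometric sign-in disabled by policy; users must use their Windows Hello PIN.'
}
```

The policy change takes effect at the next sign-in or after `gpupdate /force`; if the same values are also delivered by domain Group Policy or Intune, the management channel wins and this local write is simply a stopgap for unmanaged machines. Keep the inventory output with the device record, since a later firmware or driver change can silently remove an ESS prerequisite.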