In brief: Microsoft and other tech giants are encouraging a general pivot toward biometrics – generally considered more secure than typical passwords. However, research has repeatedly shown that biometrics aren't foolproof, and a recent study demonstrates how a single weak link in a complex production chain can compromise an entire security system.

An intelligence company recently began sharing proofs of concept for circumventing Windows Hello fingerprint authentication on some of the most popular laptops. In each case, the primary flaw was the communication between the fingerprint reader and the rest of the system.

Microsoft asked researchers at Blackwing Intelligence to crack the Windows Hello implementations in three leading laptop models with fingerprint sensors using the feature: a Dell Inspiron 15, a Lenovo ThinkPad T14, and an attachable keyboard with a fingerprint sensor for the Microsoft Surface Pro. Blackwing successfully compromised all three using various methods, none of which involved typical biometric hacking methods like using photos.

To prevent attackers from copying biometric data like fingerprints or facial scans, authenticators from companies like Microsoft and Apple keep the information on separate chips, inaccessible to a device's primary storage. However, those chips still must tell the operating system when they receive the correct signature. That signal is the weak point the researchers exploited.

Microsoft devised a system called Secure Device Connection Protocol (SDCP) to protect the connection between fingerprint sensors and their host devices. However, of the products Blackwing tested, only the Dell Inspiron used it, and its implementation wasn't perfect.

That device's weakness is its ability to dual-boot Windows and Linux, which certify fingerprints differently. Blackwing found that an attacker could register their fingerprint on Linux and match it to someone else's Windows ID, though the process is complex and requires additional hardware, including a Raspberry Pi 4.

Blackwing overcame the ThinkPad with a similar Windows-and-Linux trick, but the researchers discovered that Lenovo ships the notebook with SDCP disabled. Instead, the company uses a custom system that decrypts the fingerprint data with a key based on each machine's product name and serial number.

Microsoft's Surface Pro accessory has particularly weak security for its fingerprint sensor. It also doesn't engage SDCP and communicates in cleartext without additional authentication layers. The researchers discovered they could spoof an ID using practically any USB device.

Blackwing plans to eventually release more details of its research. The group suggests that OEMs utilizing Windows Hello enable SDCP and test their implementations thoroughly. However, because the exploits require physical access to each device, biometric logins remain more secure than passwords.