Bottom line: For Microsoft, which has promoted Windows Hello as part of its broader push to phase out passwords, new research highlights that biometric logins are only as secure as the systems that safeguard their data. As long as attackers with administrative access can tamper with stored templates, the promise of face- or fingerprint-based authentication remains vulnerable.
Two German security researchers have disclosed a technique that allows attackers with elevated system privileges to bypass Microsoft's Windows Hello for Business authentication. The findings, presented at the Black Hat USA conference in Las Vegas, expose a new vulnerability in Microsoft's enterprise-grade biometric login framework and mark the second major exploit targeting the technology in recent months.
The attack, dubbed Faceplant by ERNW researchers Baptiste David and Tillmann Osswald, doesn't rely on fooling a camera with fake images or exploiting hardware flaws. Instead, it targets Windows Hello at a deeper level by manipulating how biometric data is stored and verified.
The exploit unfolds in several stages. First, an attacker creates a biometric profile of their own face on any Windows device. This generates a biometric template – a digital representation of the user's face stored locally for authentication. By decrypting this file, extracting the data, and injecting it into the biometric database of a target system, the attacker can effectively replace the victim's facial scan with their own. Once the altered template is in place, the attacker can log into corporate accounts as the victim, using only their own face.
Osswald explained that Faceplant builds on a previous ERNW demonstration from July known as Face Swap, which required modifying identifiers between accounts already registered on the same device. By contrast, Faceplant is more versatile, since attackers can prepare their biometric template on any machine before injecting it into a victim's system.
"We can now generate the malicious template anywhere. The real difference is that we're no longer limited to swapping identifiers," Osswald told The Register.
At the core of the weakness is how Windows Hello for Business integrates with Microsoft identity platforms such as Entra ID and Active Directory. During setup, Windows Hello generates a cryptographic key tied to the biometric profile and stores it in a database linked to the Windows Biometric Service. Although this entry is protected by Microsoft's CryptProtectData mechanism, the ERNW team demonstrated that a local administrator can break the encryption and implant new biometric data.
The Black Hat demo left little doubt about the risk. On stage, one researcher enrolled his face on a separate laptop, decrypted and extracted the template, and then injected it into a colleague's machine. Within moments, the altered system accepted the fake credentials, granting access to the domain account without the legitimate user ever being involved.
Microsoft acknowledged the research and confirmed the vulnerability but stressed the conditions required for a successful exploit. "The scenarios described require an attacker to have obtained prior administrative access to a target system," a Microsoft spokesperson told Forbes. The company added that Enhanced Sign-In Security for Windows Hello offers protection against such risks by using hardware-backed safeguards to secure biometric data and prevent tampering with authentication components.
ESS runs in a virtualized security environment above the operating system and is designed to block database-level attacks. However, not all hardware supports it, and on many enterprise devices it is not enabled by default. Osswald noted that even relatively recent machines fail to meet ESS requirements when paired with certain AMD processors.
Fixing the flaw will not be simple. The researchers suggested that fully mitigating the issue could require either a major overhaul of Windows Hello's code or shifting more biometric processing into secure hardware such as a Trusted Platform Module. Until then, they recommend that organizations relying on Windows Hello for Business without ESS enabled reconsider biometric logins. A fallback to PIN-based authentication, while less convenient, would be more secure under current conditions.
Image credit: The Register