Windows Hello fingerprint login bypassed by security researchers


Security researchers have managed to bypass the Windows Hello fingerprint authentication measure. Researchers at New York-based Blackwing Intelligence were apparently able to circumvent fingerprint authentication on Dell, Lenovo and Microsoft laptops by exploiting a flaw in fingerprint sensors, particularly those from top manufacturers Goodix, Synaptics and ELAN.

On its site, Blackwing Intelligence published a post detailing how it was able to employ a USB-based man-in-the-middle (MitM) attack to bypass Windows Hello authentication and gain access to a device. The findings were presented at last month’s Microsoft BlueHat conference. At present it’s unclear how Microsoft will go about fixing the issue.

Microsoft has been pushing biometric authentication measures for some time, and reported in 2020 that almost 85 percent of laptop users on Windows were using Windows Hello to sign in to Windows 10 (a figure that takes into account simple PIN-authenticated logins).

Though touted as a more secure way to protect Windows devices, biometric login measures like fingerprint scanning and facial recognition are not foolproof, as Blackwing Intelligence’s BlueHat presentation showed. A few years back, CyberArk Labs provided a proof of concept showing how Windows Hello face recognition technology could be bypassed, again with the use of a custom USB device loaded with a photo of the target’s face. Microsoft was later able to fix this vulnerability.

Still, biometric authentication features are becoming more prevalent, including on Windows devices.
