If you have a Windows laptop with fingerprint support, you know about Windows Hello. It is a biometric login that lets you sign in with a facial, iris, or fingerprint scan. If you use the fingerprint scan on your Microsoft laptop, be warned: researchers have bypassed Microsoft's Windows Hello fingerprint authentication.
Researchers at cybersecurity firm Blackwing Intelligence bypassed Windows Hello on three laptops from Dell, Lenovo, and even Microsoft. Speaking at Microsoft’s BlueHat conference in Redmond, Washington, Jesse D'Aguanno and Timo Teräs showed how they were able to get past fingerprint authentication. The laptops used in the demonstration were the Dell Inspiron 15, Lenovo ThinkPad T14s, and the Microsoft Surface Pro Type Cover with Fingerprint ID (for Surface Pro 8/X).
This is a serious issue because, by bypassing Windows Hello fingerprint authentication, the researchers were able to access user accounts and user data as if they were the actual users. Moreover, the vulnerability was found on fingerprint sensors from Goodix, Synaptics, and ELAN, respectively, meaning the security issue is not limited to a particular fingerprint scanner manufacturer or laptop OEM.
In a newly published blog post, the research team also detailed the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. This is again a very serious matter, as it could give anyone access to an unattended device. Although the researchers did bypass Windows Hello fingerprint authentication, the process involved decoding and reimplementing proprietary protocols. The security threat becomes more severe because Microsoft revealed three years ago that more than 85% of consumers were using Windows Hello to sign in.