Windows Hello Fingerprint Security Hacked on These Laptops

A major flaw has been discovered in Windows Hello fingerprint authentication that may affect 85% of all Microsoft users.

It may not be a data breach, but Windows users have nevertheless been warned of a major new security vulnerability affecting Windows Hello fingerprint authentication.

Security researchers from Blackwing Intelligence have revealed how they were able to bypass Windows Hello fingerprint authentication on three laptops: a Dell Inspiron 15, Lenovo ThinkPad T14, and one of Microsoft's own Surface Pro X devices.

Microsoft states that Windows Hello is now used by 85% of all Windows 10 users to log-in to their PCs. It makes the vulnerability a serious concern, both for the company and anyone who uses fingerprint authentication instead of relying on more traditional password security measures.

Windows Hello Fingerprint Authentication Bypass Explained

In the least complicated terms possible, Blackwing Intelligence was able to hack Windows Hello fingerprint authentication by reverse engineering its software and hardware components to reveal critical flaws in its implementation. This was then able to be exploited to bypass the sensor entirely.

The researchers did this at Microsoft’s request and published their findings in a blog post, as well as demonstrating the exploit at Microsoft’s BlueHat Conference back in October. 

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.See deal button

Microsoft hasn’t confirmed if it has patched the vulnerability, but given the time lapse between BlueHat and the findings being shared this week, it seems likely that it has. 

Windows Hello's Rap Sheet Gets Longer

It’s not the first time that Microsoft’s supposedly more advanced Windows Hello security measures have been hacked, either.

Back in 2021, Windows Hello’s facial recognition tech was discovered to have a serious flaw in its biometric security architecture that allowed users to bypass the feature.

At the time, Microsoft pushed out an urgent update to the feature after researchers demonstrated people with face masks and plastic surgery effectively duping Windows Hello into letting them access systems they shouldn't.

Could Apple MacBooks Also be Flawed?

Much of the responsibility for addressing the latest Windows Hello authentication flaw lies with Microsoft’s hardware partners, as enabling the full suite of security features offered by the tech giant was found to effectively address the vulnerability in most cases.

Blackwing revealed that two out of the three devices it was able to bypass did not have Microsoft’s Secure Device Connection Protocol (SDCP) enabled, which is an additional security measure that ensures a secure connection between host and biometric hardware.

The firm recommends that manufacturers ensure SDCP is not only enabled on devices going forward, but that its biometric security hardware is independently audited on a case-by-case basis.

Blackwing is also understood to be exploring similar fingerprint authentication exploits on Apple MacBook laptops, so watch this space as Windows Hello could be only the tip of the iceberg.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
James Laird is a technology journalist with 10+ years experience working on some of the world's biggest websites. These include TechRadar, Trusted Reviews, Lifehacker, Gizmodo and The Sun, as well as industry-specific titles such as ITProPortal. His particular areas of interest and expertise are cyber security, VPNs and general hardware.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals