Hackers showed at Black Hat that Windows Hello for Business can be fooled into accepting an attacker’s face by swapping biometric templates on a compromised PC—an attack that works stunningly fast if the intruder already has local admin privileges. In a live demo, German researchers Tillmann Osswald and Dr. Baptiste David injected their own facial data into the target’s biometric database and unlocked the machine instantly; Microsoft’s Enhanced Sign‑in Security (ESS) blocks the technique, but many enterprise devices still can’t run ESS today. (theregister.com, neowin.net)

Background

Microsoft has been pressing toward a passwordless future, making new Microsoft accounts “passwordless by default” and steering users to passkeys and Windows Hello since May 1, 2025. That shift reduces phishing risk—but it also puts a bigger spotlight on how Windows Hello is implemented on the device side. (microsoft.com)
Under Windows Hello for Business, enrollment creates a device‑bound asymmetric key pair; the public key is registered with the identity provider (typically Microsoft Entra ID), while the private key is protected by the device’s security modules. Crucially, the biometric templates used to unlock those keys are stored locally in an encrypted database managed by the Windows Biometric Service (WBS). (learn.microsoft.com)

What the researchers actually broke

  • The team demonstrated that a local administrator—whether a malicious insider or malware that escalated privileges—can inject or swap biometric templates inside the WBS database, effectively “teaching” a victim’s PC to recognize the attacker’s face. The unlock then proceeds as if nothing were amiss. (theregister.com)
  • The Register reports that the database is protected by CryptProtectData, but those protections can be bypassed by an admin using information available on the system—so the flaw is architectural, not a single patchable bug. The researchers warned that a “significant rewrite” would be required to fix non‑ESS systems. (theregister.com)
This isn’t the first time Windows Hello’s face authentication has been in the spotlight. In 2021, CyberArk showed a different bypass by manipulating a webcam to feed crafted infrared frames; Microsoft responded with patches and guidance, and later introduced ESS to harden the entire flow. The new Black Hat work targets the database layer rather than the camera, underscoring why device‑level isolation matters. (wired.com)

Why Enhanced Sign‑in Security holds the line

ESS isolates Windows Hello’s biometric processing inside a hypervisor‑protected environment (Virtualization‑based Security) and uses the TPM to authorize key usage, shutting down injection, replay, and tampering attacks against biometric data paths. On ESS systems, only “secure” sensors that can prove their identity to Windows are allowed to participate. (learn.microsoft.com)
There’s a catch: ESS requires specific hardware and firmware support—TPM 2.0, Secure Boot, VBS, OEM‑configured Secure Devices (SDEV) tables, and ESS‑capable cameras or match‑on‑sensor fingerprint readers. Microsoft says Copilot+ PCs ship with ESS enabled by default, but older fleets are a mixed bag. (learn.microsoft.com, support.microsoft.com)
Compatibility remains a sticking point. ESS blocks external (USB) biometric peripherals from being used for Windows sign‑in today, and full ESS support for peripherals isn’t expected until late 2025. Microsoft exposes a user‑facing toggle—“Sign in with an external camera or fingerprint reader”—to temporarily disable ESS if you must use third‑party gear, with the explicit trade‑off of reduced security. (support.microsoft.com)
Notably, the researchers told The Register that even relatively new business laptops lacked the “secure camera” required for ESS; they cited ThinkPads purchased ~18 months prior that used AMD chips and didn’t meet the camera sensor requirement. That highlights a broader supply‑chain reality: ESS capability depends on specific camera modules and firmware, not just CPU class. (theregister.com)

What’s at risk, and what isn’t

  • The attacker must already have local admin. That’s a high bar, but not unrealistic in real‑world intrusions, where endpoint compromise often precedes identity attacks and lateral movement. This research shows that on non‑ESS systems, admin access can translate directly into Hello bypass. (theregister.com)
  • The architectural split still holds: Hello’s cryptographic keys are device‑bound and the biometric templates never leave the device. The danger is that, without ESS isolation, a powerful local attacker can tamper with the local template store and thereby misuse those keys. (learn.microsoft.com)

How to check if your PC uses ESS

  • Open Settings > Accounts > Sign‑in options.
  • Under “Additional settings,” find “Sign in with an external camera or fingerprint reader.”
  • If the toggle is Off, ESS is enabled (and external biometric sign‑in won’t work).
  • If the toggle is On, ESS is disabled. (support.microsoft.com)
For IT, Microsoft’s Learn docs detail how ESS depends on secure sensors and OEM‑configured firmware. If you don’t see the toggle, your device likely doesn’t meet ESS requirements or your organization has restricted the option. (learn.microsoft.com)
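The Settings toggle above is a per-device, by-hand check. For a fleet, an admin would first want to know which machines even meet the platform prerequisites the article lists (TPM 2.0, Secure Boot, VBS) and whether biometrics are still allowed by policy. The script below is an added example, not code from the article, Neowin, The Register or Microsoft. It uses only documented Windows interfaces (Get-Tpm, the Win32_Tpm and Win32_DeviceGuard CIM classes, Confirm-SecureBootUEFI, and the registry value behind the "Allow the use of biometrics" policy); whether ESS itself is active is not exposed by a cmdlet I know of, so that part stays the manual Settings check. Run it in an elevated PowerShell session.

```powershell
# Added example: ESS prerequisite triage for one host (run elevated on Windows 10/11).
# Reports the platform requirements the article names plus biometric policy state.
# It does NOT prove ESS is on; camera/SDEV support still needs OEM confirmation and
# the Settings toggle check described in the text.

function Get-TpmSummary {
    # Get-Tpm (TrustedPlatformModule module) gives presence/readiness; Win32_Tpm gives
    # the spec version string, which starts with "2.0" on TPM 2.0 parts.
    try {
        $tpm  = Get-Tpm -ErrorAction Stop
        $wmi  = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction Stop
        [pscustomobject]@{
            Present = [bool]$tpm.TpmPresent
            Ready   = [bool]$tpm.TpmReady
            Is20    = ($wmi.SpecVersion -like '2.0*')
        }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false; Is20 = $false }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-BiometricPolicyState {
    # Registry backing of the Group Policy "Allow the use of biometrics"
    # (Computer Configuration > Administrative Templates > Windows Components > Biometrics).
    # Missing value = Not Configured = biometrics allowed.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'NotConfigured' } elseif ($v.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-EssReadinessReport {
    $tpm  = Get-TpmSummary
    $sb   = Get-SecureBootState
    $vbs  = Get-VbsState
    $wbio = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue   # Windows Biometric Service
    $svcState = if ($wbio) { $wbio.Status.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TpmPresent         = $tpm.Present
        TpmReady           = $tpm.Ready
        Tpm20              = $tpm.Is20
        SecureBoot         = $sb
        VbsRunning         = $vbs.VbsRunning
        HvciRunning        = $vbs.HvciRunning
        BiometricPolicy    = Get-BiometricPolicyState
        BiometricSvcStatus = $svcState
        # All platform prerequisites present; sensor/firmware support still unverified here.
        PlatformPrereqsMet = ($tpm.Present -and $tpm.Ready -and $tpm.Is20 -and $sb -and $vbs.VbsRunning)
    }
}

Get-EssReadinessReport | Format-List
```

A host that reports PlatformPrereqsMet = False cannot run ESS regardless of its camera, which makes it a candidate for the PIN-only posture described in the next section; a host that reports True still needs the toggle check, because, as the researchers found with the ThinkPads, the camera module can be the missing piece.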

Practical guidance for Windows admins

Immediate risk reduction (non‑ESS devices)

  • Disable Windows Hello biometrics and enforce PIN‑only sign‑in on vulnerable business machines until ESS can be deployed. The researchers explicitly recommend this posture for Windows Hello for Business without ESS. (theregister.com)
  • Minimize local admin exposure using just‑in‑time elevation and LAPS‑managed local credentials; monitor for tooling that manipulates biometric stores. While ESS is the long‑term fix, stopping admin‑level tampering remains foundational. (theregister.com)
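The two bullets above amount to "turn biometrics off where ESS is absent, and notice if someone touches the template store anyway". The script below is an added example showing both on a single host; it is not code from the article, the researchers or Microsoft. Assumptions: the registry value it writes is the machine-policy backing of "Allow the use of biometrics" (in a managed fleet you would push the same setting via Group Policy or Intune rather than editing the registry per host), and the WinBioDatabase folder under System32 is the Windows Biometric Service's standard template location. That folder is ACLed to the service, so the baseline part should run as SYSTEM (for example from a scheduled task) rather than as an ordinary admin.

```powershell
# Added example: interim hardening for non-ESS devices, run elevated (baseline part as SYSTEM).
# 1) Disable Windows Hello biometrics by policy (PIN sign-in keeps working).
# 2) Record a hash baseline of the biometric template files and diff it later,
#    so an EDR/SIEM can flag changes that happen outside an enrollment window.

$BiometricPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$WinBioDatabase     = Join-Path $env:SystemRoot 'System32\WinBioDatabase'   # assumed standard location

function Test-HelloBiometricsDisabled {
    $v = Get-ItemProperty -Path $BiometricPolicyKey -Name Enabled -ErrorAction SilentlyContinue
    [bool]($v -and $v.Enabled -eq 0)
}

function Disable-HelloBiometrics {
    # Same effect as setting "Allow the use of biometrics" to Disabled in Group Policy.
    if (-not (Test-Path $BiometricPolicyKey)) { New-Item -Path $BiometricPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $BiometricPolicyKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    # Restart the Windows Biometric Service so the policy applies without a reboot.
    Restart-Service -Name WbioSrvc -ErrorAction SilentlyContinue
    Test-HelloBiometricsDisabled
}

function Get-WinBioTemplateBaseline {
    # One record per template file: name, last write time, SHA-256. Store the output
    # centrally and compare on the next scheduled run.
    if (-not (Test-Path $WinBioDatabase)) { return @() }
    $records = foreach ($f in Get-ChildItem -Path $WinBioDatabase -File -ErrorAction SilentlyContinue) {
        $hash = try { (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
                catch { 'ACCESS_DENIED' }   # not running as SYSTEM, or file locked
        [pscustomobject]@{
            File         = $f.Name
            LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
            Sha256       = $hash
        }
    }
    @($records)
}

function Compare-WinBioTemplateBaseline {
    param([Parameter(Mandatory)] $Previous, [Parameter(Mandatory)] $Current)
    # Returns files whose hash changed, appeared or disappeared since the baseline.
    $prev = @{}; foreach ($p in $Previous) { $prev[$p.File] = $p.Sha256 }
    $curr = @{}; foreach ($c in $Current)  { $curr[$c.File] = $c.Sha256 }
    $names = @($prev.Keys) + @($curr.Keys) | Sort-Object -Unique
    $changed = foreach ($name in $names) {
        if ($prev[$name] -ne $curr[$name]) {
            [pscustomobject]@{ File = $name; Before = $prev[$name]; After = $curr[$name] }
        }
    }
    @($changed)
}

# Example run on a non-ESS host: enforce PIN-only sign-in, then take a baseline.
if (Disable-HelloBiometrics) { Write-Host 'Windows Hello biometrics disabled by policy.' }
$baseline = Get-WinBioTemplateBaseline
$baseline | Format-Table -AutoSize
# On the next check: Compare-WinBioTemplateBaseline -Previous $baseline -Current (Get-WinBioTemplateBaseline)
# Any non-empty result outside a known enrollment should raise an alert.
```

The baseline does not prevent an admin-level attacker from swapping templates; that is exactly the gap ESS closes. What it gives the SOC is a detective control for the window until the hardware is replaced: a template file whose hash changes while no user enrolled is the observable the article's attack would leave behind.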

Medium‑term hardening

  • Prioritize ESS‑capable hardware in refresh cycles. Require TPM 2.0, Secure Boot, and ESS‑certified cameras or match‑on‑sensor fingerprint readers; verify OEM support for SDEV and ESS in firmware release notes. (learn.microsoft.com)
  • Standardize on Copilot+ PCs where feasible; these systems ship with ESS enabled by default and are designed for Windows Hello’s hardened path. (support.microsoft.com)
  • Avoid external biometric peripherals for sign‑in on ESS devices until Microsoft’s promised late‑2025 support lands; if peripherals are unavoidable on non‑ESS systems, treat them as a security trade‑off and document the risk. (support.microsoft.com)

Policy and identity hygiene

  • Keep pushing passwordless—but pair it with strong endpoint isolation. Windows Hello for Business still anchors authentication to asymmetric keys registered with Entra ID, which is robust when the local biometric path is protected. (learn.microsoft.com)
  • Where ESS is not possible, consider FIDO2 security keys as a phishing‑resistant alternative to biometrics for high‑risk roles and admin accounts. (learn.microsoft.com)

What this means for Windows users and enterprises

The Black Hat demo doesn’t invalidate Windows Hello as a technology; it exposes the limits of protecting biometrics on commodity PCs without hardware‑enforced isolation. ESS—by design—solves the class of attacks the researchers showcased, but ESS availability and device compatibility remain the roadblocks enterprises must now tackle head‑on. (learn.microsoft.com, theregister.com)
Viewed alongside past research that tricked Hello’s camera input, the message is consistent: authentication pipelines that start in untrusted hardware need stronger attestations and isolation at every hop. Microsoft’s move to passwordless by default and its ESS stack are steps in that direction; the onus is now on IT to align fleet hardware with those protections and to disable biometrics where that alignment isn’t yet possible. (wired.com, microsoft.com)
In short, the “face swap” attack is a wake‑up call, not a cause for panic: enforce least privilege on endpoints, audit ESS readiness, and plan for hardware that supports Windows Hello the way it was meant to run—inside a secure, hypervisor‑protected envelope. (learn.microsoft.com)

Source: Neowin, "Here's how hackers can trick Windows Hello into thinking it's you and break into your PC"