Exclusive Student Offer

Prime for Young Adults

Get a 6-month trial with premium college perks & fast delivery.

Start Free Trial
Listen Anywhere

Audible Standard Trial

Get 30 days of audiobooks free. Cancel anytime, keep your books.

Claim Free Books

### BSI Dissects Windows Hello: Where Microsoft’s Login Faces Limits

The German Federal Office for Information Security (BSI) has released a detailed analysis through its project “Windows Dissected.” This 169-page report dissects Windows Hello for Business (WHfB), Microsoft’s authentication method that utilizes PINs and biometrics within corporate environments. Unlike the official documentation, this analysis dives deeper, employing reverse engineering to reconstruct various internal processes, evaluating them from the perspective of attackers with local administrative rights.

### The Mechanics of Windows Hello for Business

Windows Hello for Business aims to replace traditional passwords with key-based authentication. Users authenticate locally using a PIN or biometric information such as facial recognition or fingerprints. The secret—cryptographic keys—is securely stored on the device, ideally safeguarded by the Trusted Platform Module (TPM). In contrast to Active Directory or Microsoft Entra ID, the device identifies itself to the servers using this cryptographic key rather than a password.

The BSI analysis confirms this foundational architecture but also highlights several limitations and potential attack vectors that Microsoft has addressed only superficially, if at all.

### TPM Does Not Protect All Biometric Data

One of the key findings relates to the role of the TPM. In official documentation, it is portrayed as a central protective component of Windows Hello. However, the BSI argues that this is not entirely accurate.

Without the Enhanced Sign-in Security (ESS) mode enabled, the TPM does not directly protect the biometric templates for facial recognition. Although these templates are encrypted and stored locally, the key for encryption remains accessible. The BSI suggests that local administrators could potentially decrypt both the databases and the stored templates.

Only with ESS activated does this security model undergo significant changes, moving critical biometric processing into a Virtualization-based Security (VBS) protected environment. The TPM then plays a crucial role in creating HMAC-based authorization tickets and replay protection.

Given these findings, the BSI strongly recommends activating ESS, provided appropriate hardware compatibility. However, only a limited number of sensors fully support this mode, as highlighted by ongoing security research that has compromised several fingerprint sensors used in Windows Hello.

### Biometric Authentication Lacks Additional Entropy

The report reviews the security assumptions surrounding biometric authentication critically. The BSI posits that unlike a PIN, biometric traits do not add extra entropy to the system. The distinction lies in the authentication process. A PIN adds new knowledge each time the user logs in, while biometrics merely unlock access to pre-existing key material. For attackers with administrative rights, all components necessary for authentication are already present on the machine.

Consequently, the BSI rates a sufficiently long PIN combined with TPM and its brute-force protection as being potentially more advantageous than biometric authentication without ESS. However, this applies specifically to threats posed by local administrative-level attackers. For common threats like phishing or password theft, Windows Hello for Business remains effective as the authentication secrets do not leave the device.

### Risks of Multiple Users on One Device

An unusual recommendation derived from the analysis stresses that ideally, only one user should be registered for Windows Hello per device. Due to the local management of the biometric database, if another domain user’s biometric template exists on the same computer, a local administrator could potentially manipulate it or assume their identity if that user has already registered on that device.

The BSI places this risk within a broader security context, noting that a local administrator already possesses numerous pathways for privilege escalation, such as through Pass-the-Hash or Pass-the-Ticket attacks. Windows Hello for Business does not introduce a new attack vector; instead, it expands upon existing threat models.

### Closing Documentation Gaps Through Reverse Engineering

Beyond the security assessment, the analysis reveals numerous previously undocumented technical details. The BSI reconstructs the entire authentication flow involving the FaceCredentialProvider, Windows Biometric Service, Microsoft Passport, LSASS, and Kerberos. It also details internal RPC interfaces, the structure of the biometric database, and the key hierarchy layout.

The authors highlight gaps in Microsoft’s developer documentation, noting that while fingerprint recognition is well-documented, there are significant documentation deficiencies regarding facial recognition, particularly concerning asynchronous API calls and internal interfaces within the Windows Biometric Framework.

Additionally, practical tests are part of the investigation. Poorly executed registrations—such as those performed while wearing scarves, hoods, or glasses—were found to increase error rates. The authors were even able to register face masks and later achieve recognition using the same mask in different colors. However, the BSI clarifies that these results pertain to the implementation of facial recognition rather than the cryptographic architecture of Windows Hello for Business.

The release of this analysis marks the beginning of the BSI’s “Windows Dissected” series, with further examinations on topics like Protected Process Light (PPL) and Control Flow Guard (CFG) slated for future publication.

Get Audible 30-Day Free Trial

As an Amazon Associate, we earn from qualifying purchases.