
Researchers Uncover Critical Flaws in Windows Hello for Business at Black Hat 2024
At Black Hat 2024, researchers from ERNW presented work funded by the German Federal Office for Information Security (BSI) on Windows Hello for Business (WHfB), the device-bound credential Microsoft introduced with Windows 10 in 2015 as the basis of its passwordless strategy. The talk first walks through how WHfB operates: each user has an asymmetric key pair whose private key is protected by the Trusted Platform Module (TPM) where one is present; a PIN or biometric gesture unlocks use of that key; biometric templates are held in an encrypted database; and the Windows Biometric Service (WBS) performs the match that decides whether the gesture is accepted.

The central finding is that a local administrator can decrypt the biometric database, extract or replace the stored templates, and thereby unlock another enrolled user's credential, which is enough to authenticate to the domain as that user from the same device. The database is protected with DPAPI (CryptProtectData) in the context of the SYSTEM account, so the key material needed to decrypt it lives on the same machine. Anyone who can run code as SYSTEM, which a local administrator can, can call CryptUnprotectData, edit the template records that are linked to a user's SID (Security Identifier), and re-protect the result. The integrity check on the protected database does not help, because the same access that decrypts it can produce a valid protected copy of the modified contents. In a live demo the researchers injected a template: they replaced a victim's biometric data with their own and then signed in as the victim. Note that the attack does not break the cryptography; it swaps the gesture that is permitted to use the victim's TPM-protected key.

The presentation also highlighted the limits of Enhanced Sign-in Security (ESS), the mode that isolates biometric processing in a Virtualization-Based Security (VBS) environment so that the matching path is out of reach of the normal OS. ESS requires VBS and compatible hardware and firmware, and the researchers found that availability differs across platforms (for example between Intel and AMD systems), so many devices run WHfB without it. Because WHfB now gates other Microsoft features such as Windows Recall and passkeys, the practical conclusion is that its security against a local administrator depends on whether the hardware supports ESS and whether it is actually enabled, not on the biometric factor itself.
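The talk makes three conditions security-relevant: whether VBS is running (a prerequisite for ESS), who can reach the biometric database, and whether biometric domain logon is permitted by policy. The following PowerShell posture check, added here as an example and not part of the ERNW presentation or of any Microsoft tooling, gathers those facts on a Windows machine. It uses the documented Win32_DeviceGuard WMI class, the WinBioDatabase folder under System32, and the "Biometrics" Group Policy registry keys; the interpretation in the summary section (that VBS not running means ESS cannot be active) is this example's own reasoning, not a statement from the talk.

```powershell
# Added posture check for the WHfB findings discussed above.
# Not ERNW's code and not Microsoft tooling. Run in an elevated PowerShell session.

function Get-VbsStatus {
    # Win32_DeviceGuard reports the VBS state:
    # 0 = not enabled, 1 = enabled but not running, 2 = running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    [pscustomobject]@{
        VbsStatus       = switch ($dg.VirtualizationBasedSecurityStatus) {
                              0 { 'Not enabled' } 1 { 'Enabled, not running' }
                              2 { 'Running' }     default { 'Unknown' } }
        # 1 = Credential Guard, 2 = HVCI (memory integrity); other values are further services
        ServicesRunning = $dg.SecurityServicesRunning
    }
}

function Get-WbioServiceState {
    # The Windows Biometric Service performs the template match
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status } else { 'Not installed' }
}

function Get-WinBioDatabaseAccess {
    # Each .DAT file is a DPAPI-protected template store. The talk's point is that
    # file ACLs are not the real boundary: anyone who can run code as SYSTEM can
    # decrypt them. Listing the ACL still shows who can reach the files at all.
    $db = Join-Path $env:SystemRoot 'System32\WinBioDatabase'
    if (-not (Test-Path $db)) { return @() }
    Get-ChildItem -Path $db -Filter '*.DAT' | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            File       = $_.Name
            SizeBytes  = $_.Length
            Identities = ($acl.Access |
                          Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
                          Select-Object -ExpandProperty IdentityReference) -join ', '
        }
    }
}

function Get-BiometricPolicy {
    # Group Policy "Allow the use of biometrics" and
    # "Allow domain users to log on using biometrics". $null means not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $cp  = Join-Path $key 'Credential Provider'
    [pscustomobject]@{
        BiometricsEnabled  = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        DomainLogonAllowed = (Get-ItemProperty -Path $cp  -Name 'Domain Accounts' -ErrorAction SilentlyContinue).'Domain Accounts'
    }
}

# --- Report ---------------------------------------------------------------
$vbs = Get-VbsStatus
Write-Host "VBS:                    $($vbs.VbsStatus) (services: $($vbs.ServicesRunning -join ','))"
Write-Host "Biometric service:      $(Get-WbioServiceState)"
Write-Host "Biometric policy:       $(Get-BiometricPolicy | Out-String -Stream | Where-Object { $_ -match ':' })"
Write-Host "Template stores:"
Get-WinBioDatabaseAccess | Format-Table -AutoSize | Out-String | Write-Host

# Summary reasoning (this example's own, derived from the talk's requirements):
# ESS needs VBS. If VBS is not running, biometric templates on this machine are
# protected only by DPAPI under SYSTEM, so a local administrator can replace them.
if ($vbs.VbsStatus -ne 'Running' -and (Get-WbioServiceState) -eq 'Running') {
    Write-Warning 'VBS is not running, so Enhanced Sign-in Security cannot be active.'
    Write-Warning 'Biometric unlock here is only as strong as the local-administrator boundary.'
    Write-Warning 'Consider setting "Allow domain users to log on using biometrics" to Disabled on such devices.'
}
```

The script reports, it does not change anything. ESS itself is shown in Settings under Sign-in options ("Sign in with an external camera or fingerprint reader" is only offered when ESS is active); the script checks the VBS prerequisite rather than reading an ESS flag, because that prerequisite is what the talk identifies as the hardware dependency.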