Windows Hello fingerprint authentication has vulnerabilities
Security researchers at Blackwing Intelligence have found that Windows Hello fingerprint authentication can be bypassed on laptops from Dell, Lenovo and Microsoft because of vulnerabilities in the fingerprint sensors themselves, letting an attacker with physical access to the machine sign in as the enrolled user. Most laptop brands use fingerprint sensors from Goodix, Synaptics and ELAN, and all three have been reported to have flaws.
Blackwing Intelligence tested a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro X, and fingerprint authentication could be bypassed on all three. The researchers said the bypass required reverse engineering both the hardware and the software of each laptop, and that in the Synaptics sensor they found flaws in its security layer specifically. Bypassing Windows Hello is not trivial, but the research shows that it is within reach of a competent attacker who has the device in hand.
This is not the first time Windows Hello biometric authentication has been bypassed: facial recognition was previously defeated with a crafted infrared image of the user. Microsoft fixed that issue, but it is not clear that the company can fix these latest vulnerabilities on its own, since they lie in the sensors and in how the laptop manufacturers configured them. The researchers say Microsoft did a good job designing the Secure Device Connection Protocol (SDCP), which provides a secure channel between the host and the biometric device, but they highlight that SDCP protection was not enabled on two of the three devices tested, and the third device was bypassed even with SDCP enabled. The practical lesson is twofold: check that the OEM actually turned SDCP on for the sensor, and do not treat it as a substitute for sensor firmware that keeps its own template database and match logic honest.
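The following added example (written for this page; it is neither Microsoft's SDCP implementation nor Blackwing Intelligence's tooling) models the security property SDCP is meant to give. A fresh host nonce and a MAC under a key only the genuine sensor holds bind each "matched" answer to this attempt, so a rogue device spliced into the sensor's bus, or a recorded genuine answer replayed later, is rejected. With SDCP off, the host simply believes whatever device answers. The class names, the `AUTH_LABEL` constant and the direct hand-over of the session key (real SDCP derives it from an attested key exchange) are simplifications assumed for the example.

```python
"""Simplified model of an SDCP-style authenticated host<->sensor channel.
Constructed example; not Microsoft's SDCP code or spec."""
import hashlib
import hmac
import os

AUTH_LABEL = b"authenticate"  # assumed domain-separation label, not the real SDCP encoding


def auth_mac(key: bytes, nonce: bytes, template_id: bytes) -> bytes:
    """MAC that binds a match result to the host's fresh nonce and the matched template ID."""
    return hmac.new(key, AUTH_LABEL + nonce + template_id, hashlib.sha256).digest()


class GenuineSensor:
    """Match-on-chip sensor sharing a session key with the host.
    Real SDCP derives the key from an attested ECDH handshake; here it is passed in (assumption)."""
    def __init__(self, session_key: bytes, enrolled_ids):
        self.session_key = session_key
        self.enrolled_ids = set(enrolled_ids)

    def identify(self, nonce: bytes, finger: bytes):
        # A finger "image" is modelled as the template ID it would match; None means no match.
        if finger not in self.enrolled_ids:
            return None
        return finger, auth_mac(self.session_key, nonce, finger)


class RogueSensor:
    """Attacker hardware spliced into the USB/SPI path. It claims a match for the victim's
    template ID (which it can read from the host side) but holds no session key."""
    def __init__(self, victim_id: bytes):
        self.victim_id = victim_id

    def identify(self, nonce: bytes, finger: bytes):
        return self.victim_id, os.urandom(32)  # cannot compute a valid MAC


class ReplayingSensor:
    """Man-in-the-middle that records one genuine response and replays it on later attempts."""
    def __init__(self, genuine: GenuineSensor):
        self.genuine = genuine
        self.recorded = None

    def identify(self, nonce: bytes, finger: bytes):
        if self.recorded is None:
            self.recorded = self.genuine.identify(nonce, finger)
        return self.recorded


class Host:
    """Host-side logic with SDCP verification switched on or off."""
    def __init__(self, session_key: bytes, enrolled_ids, sdcp_enabled: bool):
        self.session_key = session_key
        self.enrolled_ids = set(enrolled_ids)  # template IDs the host associates with the user
        self.sdcp_enabled = sdcp_enabled

    def authenticate(self, sensor, finger: bytes) -> bool:
        nonce = os.urandom(32)  # fresh per attempt, so a recorded MAC cannot be replayed
        result = sensor.identify(nonce, finger)
        if result is None:
            return False
        template_id, mac = result
        if template_id not in self.enrolled_ids:
            return False
        if not self.sdcp_enabled:
            return True  # trusts whatever device answered on the bus: the weak configuration
        return hmac.compare_digest(auth_mac(self.session_key, nonce, template_id), mac)


# Constructed scenario: one enrolled user and one attacker finger that is not enrolled.
SESSION_KEY = os.urandom(32)
USER_ID = b"tmpl-user-0001"
ATTACKER_FINGER = b"tmpl-attacker"
genuine = GenuineSensor(SESSION_KEY, [USER_ID])


def run_scenarios() -> dict:
    weak = Host(SESSION_KEY, [USER_ID], sdcp_enabled=False)
    strong = Host(SESSION_KEY, [USER_ID], sdcp_enabled=True)
    rogue = RogueSensor(USER_ID)
    replay = ReplayingSensor(genuine)
    strong.authenticate(replay, USER_ID)  # the legitimate user logs in once; MITM records it
    return {
        "legit_user_sdcp": strong.authenticate(genuine, USER_ID),
        "attacker_finger_genuine_sensor": strong.authenticate(genuine, ATTACKER_FINGER),
        "rogue_sensor_no_sdcp": weak.authenticate(rogue, ATTACKER_FINGER),
        "rogue_sensor_sdcp": strong.authenticate(rogue, ATTACKER_FINGER),
        "replayed_response_sdcp": strong.authenticate(replay, ATTACKER_FINGER),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

Running it shows the rogue device accepted only by the host with SDCP off, while the SDCP-enabled host rejects both the forged and the replayed answer. The model deliberately leaves out what the page reports for the third laptop: if the attacker can alter the genuine sensor's own template database, a correctly MACed "match" is still produced, which is why an authenticated channel is necessary but not sufficient.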