Windows Hello face recognition bypassed.
getty
Hacking has never been in the news more than it is right now, what with the confirmation that Google has been hacked and user information stolen, further airline data breaches, and, of course, Windows users being warned about new cyberattacks employing JPEG images. And talking of hackers and Windows, both came together rather splendidly in Las Vegas at the Black Hat hacking conference where it was demonstrated how the Windows Hello facial recognition sign-in security could be bypassed by a threat actor injecting their own images into the process. Here’s what you need to know.
ForbesConfirmed: Google Has Been Hacked — User Data CompromisedBy Davey Winder
The Windows Hello Security Sign-In Bypass
The security researchers who demonstrated a Windows Hello security bypass at Black Hat in Las Vegas this week didn’t need to use a known camera vulnerability or a cleverly constructed deep fake image, in order to convince the computer in question to accept a totally different face from the registered user during the sign-in process.
Instead, Dr Baptiste David and Tillmann Osswald from ERNW Research, showed how, as The Register reported, the business version of Windows Hello can be compromised by someone with access to local admin credentials injecting “biometric information into a computer that would allow it to recognize any face or fingerprint.”
The problem, it would appear, sits with the way that Windows Hello uses a cryptographic key stored in a database linked to the Windows Biometric Service, allowing corporate users to connect Entra ID, for example, to provide server access. So, a key pairing is generated during provisioning, which is registered with Entra ID, or whatever identity provider is being employed by the organization.
ForbesCISA Issues Urgent Microsoft CVE-2025-53786 Security WarningBy Davey Winder
So far, so good. Until security researchers come along and find that they can break the encryption used to protect this database entry, providing they have local admin privileges, by whatever means. Microsoft’s Enhanced Sign-in Security would stop this kind of attack, but for many users it isn’t enabled, not least thanks to the hardware requirements needed.
The hacking duo said that to fix the issue would take “a significant code rewrite” on the part of Microsoft, and so recommended disabling biometrics and using an old-fashioned PIN if you are running Hello for Business without employing Enhanced Sign-in Security.
I have reached out to Microsoft for a statement regarding the latest Windows Hello security bypass issue and will update this article if any is forthcoming.