What if Microsoft’s fingerprint authentication isn’t so secure?


Researchers commissioned by Microsoft have succeeded in deceiving the fingerprint authentication of three computer models. This complex hack reveals unexpected vulnerabilities in device sensors.

The fingerprint is no longer a guarantee of security. Researchers commissioned by Microsoft have revealed vulnerabilities in three fingerprint sensors integrated into computers. The modus operandi was revealed in a report published this fall.

The team of experts looked at three models: the Microsoft Surface Pro chip stores fingerprint data. It is therefore necessary to attack the component to bypass authentication. The operations were carried out by connecting a hacking device to each laptop, via USB, or with a Raspberry Pi 4 device programmed for this purpose. The process is quite complicated since it requires decoding and reimplementation of proprietary protocols.

How hackers managed to deceive Windows

In the case of the Dell and Lenovo models, Windows Hello fingerprint authentication was bypassed by enumerating the valid IDs associated with the user’s fingerprint. The attackers then enrolled their own fingerprint by spoofing the computer owner’s ID.

In this diagram, the researchers first ask for the computer owner’s ID before implanting their own fingerprint. // Source: BlackWings

For the Microsoft Surface, the attacker must first disconnect the Type Cover from the screen, since the cover contains the chip. The researchers then connected a USB device that spoofs the fingerprint sensor and tells the system that an authorized user is logging in. The report offers more details on the process for copying Windows protocols.

“Microsoft did a good job designing the protocol to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers misunderstand its value, since not all protection filters were enabled,” the researchers indicate in the report.
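The difference between a host that trusts any device claiming a match and one that requires an authenticated reply can be shown with a simplified model. This is an added illustration, not code from the report or from Windows; the shared pairing key, the message layout and every function name are assumptions.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, nonce: bytes, user_id: str) -> bytes:
    # The nonce has a fixed length (32 bytes), so concatenation is unambiguous.
    return hmac.new(key, nonce + user_id.encode(), hashlib.sha256).digest()

def sensor_reply(key: bytes, nonce: bytes, user_id: str) -> dict:
    """Reply a genuine sensor (which holds the pairing key) sends after a match."""
    return {"user_id": user_id, "tag": _mac(key, nonce, user_id)}

def host_accepts_unprotected(reply: dict) -> bool:
    """Weak host: believes whatever the attached device claims."""
    return bool(reply.get("user_id"))

def host_accepts_protected(key: bytes, nonce: bytes, reply: dict) -> bool:
    """Hardened host: the claim must carry a valid MAC over this session's nonce."""
    user_id, tag = reply.get("user_id"), reply.get("tag")
    if not isinstance(user_id, str) or not isinstance(tag, bytes):
        return False
    return hmac.compare_digest(tag, _mac(key, nonce, user_id))

def demo() -> dict:
    key = os.urandom(32)         # constructed pairing key (assumption)
    nonce = os.urandom(32)       # fresh per authentication attempt
    next_nonce = os.urandom(32)  # nonce of a later attempt
    genuine = sensor_reply(key, nonce, "owner")
    spoofed = {"user_id": "owner"}                        # bare claim, no key
    forged = {"user_id": "owner", "tag": os.urandom(32)}  # guessed tag
    return {
        "unprotected_spoofed": host_accepts_unprotected(spoofed),
        "protected_genuine": host_accepts_protected(key, nonce, genuine),
        "protected_spoofed": host_accepts_protected(key, nonce, spoofed),
        "protected_forged": host_accepts_protected(key, nonce, forged),
        "protected_replay": host_accepts_protected(key, next_nonce, genuine),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The protection only helps when the host enforces it for every reply, which is the gap the researchers describe.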

Microsoft said three years ago that the share of users signing into their Windows 10 devices with Windows Hello instead of a password increased from 69.4% in 2019 to 84.7%.

