A vulnerability has been identified in the Windows Hello for Business (WHfB) authentication system that allows attackers to bypass the biometric protection of computers and laptops. WHfB was susceptible to attacks using a method of reducing the level of security, despite the use of cryptographic keys, reports the Dark Reading portal.
WHfB is a feature available in commercial and enterprise editions of Windows 10 since 2016. It uses cryptographic keys stored in the computer’s Trusted Platform Module (TPM) and is activated using biometric or PIN authentication. The feature was supposed to provide a higher level of security compared to passwords or one-time passwords (OTP) sent via SMS.
The vulnerability allows hackers to lower the level of authentication security, allowing access to user accounts. An attacker can intercept and modify POST requests to the Microsoft authentication service, downgrading the WHfB security level to less secure verification levels such as passwords or OTP.
Microsoft created a patch to address the vulnerability in March, adding a new conditional access feature called Authentication strength that administrators can now enable in the Azure Portal. The new update allows you to force only phishing-resistant authentication methods to be used, leaving no room for security compromises.
Experts emphasize that the WHfB system itself remains secure, but organizations need to properly configure conditional access policies to prevent the possibility of downgrading authentication security.