Microsoft recently asked cybersecurity researchers at Blackwing Intelligence to put Windows Hello biometric authentication to the test. After three months of research, Blackwing has now published its findings (via The Verge) and revealed that three fingerprint sensors in Dell, Lenovo, and Microsoft devices have security flaws.
The vulnerabilities allowed the researchers to bypass Windows Hello authentication on all three devices. And the embedded fingerprint sensor in Microsoft’s Surface Type Cover, which you would believe has top-notch security protections, turned out to be one of the easiest to bypass.
The security researchers carried out their tests on a Dell Inspiron 15 with a fingerprint sensor from Goodix, a Lenovo ThinkPad with a sensor from Synaptics, and an ARM-based Surface Pro X with a sensor (in the Type Cover) from ELAN. Their initial analysis noted that the Lenovo ThinkPad was the only device to offer encrypted host-to-sensor communication, and that its code quality was better overall than that of the other two devices. Even so, the researchers found a distinct method to bypass the security of each of the three fingerprint sensors.
In their conclusions, the security researchers urged vendors of biometric sensors to make sure that Microsoft’s Secure Device Connection Protocol (SDCP) is enabled, so that communication between the host and the fingerprint sensor is secured. Indeed, two of the three fingerprint sensors they analyzed shipped with SDCP disabled.
“Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all,” the researchers explained.
It’s still worth remembering that Windows Hello biometric authentication remains more secure than using a password. It’s just not as secure as we thought, and that is exactly why having cybersecurity experts analyze how these systems are implemented is good for improving security.