Microsoft's Windows Hello fingerprint verification hacked – on Dell, Lenovo and Microsoft laptops

by alex

Microsoft itself turned to experts for verification

Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in three common fingerprint scanners that are built into laptops and are widely used by enterprises for Windows Hello security.

Microsoft Windows Hello fingerprint authentication has been bypassed on Dell, Lenovo and even Microsoft laptops. The team chose popular fingerprint sensors from Goodix, Synaptics and ELAN for evaluation.

A recent blog post by the researchers details the process of creating a USB device that can be used for the attack. With such a device, an attacker can gain access to a laptop that is stolen or even simply left unattended. The hack was successfully performed on Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X.

Fingerprint scanners are now widely used by Windows laptop users thanks to Microsoft's push for a “passwordless future.” Three years ago, Microsoft reported that nearly 85% of consumers used Windows Hello to sign in to Windows 10 devices instead of using a password.


However, it is unclear whether Microsoft will be able to fix the discovered flaws alone. The researchers noted in the report:

“Microsoft has done a good job of developing the Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately, device manufacturers seem to have misunderstood some of the challenges.”

The researchers found that Microsoft SDCP protection was not enabled on two of the three devices. Blackwing Intelligence now recommends that OEMs ensure SDCP is enabled and have the fingerprint sensor tested by a qualified expert.
