A recently discovered vulnerability in Microsoft’s Windows Hello for Business (WHfB) authentication system allowed attackers to bypass the supposedly phishing-resistant login method, raising concerns about the security of this widely adopted passwordless solution.
This flaw allows attackers to bypass the system’s robust authentication mechanisms, posing a serious risk to organizations relying on this technology to protect sensitive data.
Security researcher Yehuda Smirnov uncovered a design flaw that enabled malicious actors to downgrade the authentication process from the more secure Windows Hello biometric or PIN-based login to less secure, phishable methods.
Windows Hello for Business is designed to enhance security by using biometric data or a PIN instead of traditional passwords. It leverages key-based or certificate-based authentication, which is inherently more secure than password-based systems because it eliminates the risk of password theft or phishing attacks.
However, a recent discovery by cybersecurity researchers has revealed a method to downgrade this secure authentication process to a less secure, phishable method.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
Microsoft’s Windows Hello for Business Flaw
The attack involves intercepting and altering authentication requests. By modifying specific parameters in the POST request to the Microsoft online login service, attackers can force the system to revert to a traditional password-based authentication method.
This is achieved by changing the isFidoSupported parameter to false or altering the User-Agent header to an unsupported value, thus bypassing the intended secure authentication mechanism of Windows Hello for Business.
Smirnov demonstrated the exploit using a modified version of the EvilGinx phishing framework, showcasing how an attacker could automate the process of bypassing Windows Hello authentication. The proof-of-concept highlighted the potential risks for organizations relying on WHfB as a primary means of secure authentication
Technical Details
The attack process is relatively straightforward for skilled attackers. It involves the following steps:
- Intercepting the Authentication Request: Using tools like Burp Suite, attackers can intercept the POST request sent to
https://login.microsoftonline.com/common/GetCredentialType. - Modifying Request Parameters: The intercepted request is then altered to set the
isFidoSupportedparameter tofalseor change the User-Agent header to a non-supported value. - Downgrading Authentication: These modifications trick the system into downgrading the authentication method from Windows Hello for Business to a less secure method, such as a simple password or a non-phishable method.
This vulnerability highlights a critical oversight in the authentication process, where the system consistently fails to enforce phishing-resistant methods.
The ability to bypass Windows Hello for Business authentication poses significant risks, particularly for enterprises that rely on this system to secure access to sensitive information and critical systems. This flaw could allow attackers to gain unauthorized access to corporate networks, exfiltrate data, and perform further malicious activities if successfully exploited.
Mitigation Strategies
To mitigate this vulnerability, Microsoft recommends several measures:
- Implement Conditional Access Policies: Organizations should create conditional access policies that enforce the use of phishing-resistant authentication methods. This can be achieved by leveraging the newly added “authentication strength” feature in Microsoft Entra ID.
- Enable Strong, Phishing-Resistant Authentication: Ensure that all cloud applications require strong, phishing-resistant multi-factor authentication (MFA) methods.
- Audit and Monitor Authentication Requests: Regularly audit and monitor authentication requests to detect any anomalies or attempts to downgrade authentication methods.
The discovery of this vulnerability in Windows Hello for Business underscores the ongoing challenges in securing authentication systems. While Windows Hello for Business offers significant security advantages over traditional password-based systems, this flaw demonstrates the importance of continuous security assessments and the need for robust mitigation strategies to protect against evolving threats.
Organizations using Windows Hello for Business should promptly implement the recommended mitigation measures to safeguard their systems and data from potential exploitation.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo