(Windows) Hello from the other side
Windows Hello for Business is a passwordless authentication feature that uses a combination of device identity and biometrics or a PIN to authenticate to Windows and (Azure) Active Directory. It is advertised as a strong multi-factor authentication method with hardware-protected keys. In this talk we will dive into the internal workings of Windows Hello in Azure AD and hybrid scenarios. We will look into the protection of keys, the usage of hardware protection, the provisioning and storage of those keys, and how attackers could interact with them. During the research into the protocols and externals, various vulnerabilities were discovered that could allow attackers to abuse Windows Hello to persist access to accounts, move laterally between identities and bypass Multi-Factor Authentication. Vulnerabilities were also discovered that enable attackers to bypass the hardware protection of secrets, which allows the Windows Hello credentials to be used on devices other than the ones they were provisioned on. The talk will show why these flaws were present, how they could be abused, and provide tools to interact with Windows Hello and Azure AD.