Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild


Bibliographic Details
Published in: Security and Communication Networks, Vol. 2021, pp. 1-13
Main Authors: Kim, Ejin; Choi, Hyoung-Kee
Format: Journal Article
Language: English
Published: London: Hindawi, 23.07.2021
Publisher: Hindawi Limited

Summary: Windows Hello is a Fast IDentity Online- (FIDO-) based new login system for Windows 10, which provides a single sign-on (SSO) service to diverse online applications. Hardware protection is essential for Windows Hello's security. This paper aims to examine the security of Windows Hello on a device where hardware protection is unavailable. We present the first detailed analysis of Windows Hello's security. The results show that, on a hardware-unsupported device, the authentication data for Windows Hello is not properly protected. We propose a migration attack to compromise Windows Hello's security. In the proposed attack, an attacker extracts authentication data from a device to impersonate a victim in his or her Microsoft online account. We consider the possibility of such an attack to be serious and harmful to our society and demand immediate attention for remediation.
ISSN: 1939-0114, 1939-0122
DOI: 10.1155/2021/6245306