Microsoft Releases Security Advisory for Windows Hello for Business – 3rd Dec 2019

How Windows Hello for Business works? It lets Windows 10 users who have devices with fingerprint readers or special cameras log into Windows via fingerprint or facial recognition.

Use cases: Client systems which joined to Kerberos based domains like Active Directory (AD) can use Windows Hello for Business authentication to replace password based authentication and still get full single-sign-on (SSO) access to the resources of the domain.

Vulnerability details: An authenticated attacker could obtain orphaned keys created on TPMs of the design vulnerability.The attacker pretend a user by using stolen private key to authenticate as the user within the domain using Public Key Cryptography for Initial Authentication (PKINIT).

Remark: PKINIT would provide a method to use Kerberos for authentication and get a Kerberos Ticket Granting Ticket (TGT) during the authentication so that network resources can be accessed with Kerberos/GSSAPI.

Official details: