
Goodbye? Attackers Can Bypass Windows Hello Strong Authentication


Microsoft’s Windows Hello for Business (WHfB) default phishing-resistant authentication model was recently discovered to be vulnerable to downgrade attacks, allowing threat actors to infiltrate even biometrically protected PCs and laptops.

The WHfB authentication relies on cryptographic keys stored in a computer’s Trusted Platform Module (TPM) and is activated through biometric or PIN-based verification. However, this security measure can be compromised by manipulating the parameters in an authentication request.

Accenture red-team security researcher Yehuda Smirnov uncovered this vulnerability late last year and promptly informed Microsoft. In response, Microsoft has released a fix for this issue. Smirnov will provide a demonstration of the attack and recommendations on how to address this loophole at Black Hat USA 2024 in Las Vegas on Aug. 8.

WHfB has been an available option for commercial and enterprise versions of Windows 10 since 2016. It was specifically designed to combat phishing attacks by utilizing device-based biometric or PIN authentication, which is inherently more secure than traditional password or SMS-based verification methods.

This is not the first time that vulnerabilities in WHfB’s secure authentication model have been exposed. In 2019, researchers investigated various attack vectors in WHfB, including a persistent Active Directory backdoor that could evade security measures. Additionally, recent demonstrations showcased how passkey redaction attacks could lead to authentication downgrades for Microsoft and other services.

Smirnov detailed how attackers could intercept and modify POST requests to Microsoft’s authentication services, downgrading WHfB to less secure authentication methods like passwords or OTPs. By leveraging the Evilginx adversary-in-the-middle reverse-proxy attack framework, attackers could bypass multifactor authentication and exploit the vulnerable authentication system.

The discovery made by Smirnov does not imply that WHfB is inherently insecure. Instead, he emphasized that the issue lies in how organizations implement strong authentication: if a sign-in can be downgraded to a less secure method such as a password or SMS-OTP, the phishing resistance that WHfB provides is lost.

When users initially enroll in Windows Hello, a private key credential is generated and stored in the computer’s TPM. This private key is isolated within the TPM, making it inaccessible to attackers. To authenticate with cloud applications using WHfB, Microsoft issues a challenge through the WebAuthn API, interacting with Windows Hello to perform the verification.

Microsoft introduced a new Conditional Access capability named “authentication strength” in March, allowing administrators to enforce phishing-resistant authentication exclusively. This feature empowers organizations to mandate the use of secure authentication methods and mitigate potential vulnerabilities like the one identified by Smirnov.

The new authentication strength capability is integrated with Microsoft’s Entra ID federated applications, enabling organizations to adjust authentication levels based on factors such as resource sensitivity, user risk, compliance requirements, and location. By implementing these conditional access policies, administrators can ensure that users only authenticate through phishing-resistant methods and prevent authentication downgrades.
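An added example, not part of the original article: the downgrade described above succeeds against a Conditional Access policy whose grant control is the generic "mfa" requirement (password plus SMS-OTP satisfies it), and is blocked by a policy that grants access only on the phishing-resistant authentication strength. The script below audits a constructed set of policies for that gap and produces a hardened copy; the policy shape is assumed to follow the Microsoft Graph conditionalAccessPolicy resource, and the strength IDs are the built-in Entra ID values.

```python
"""Audit Entra ID Conditional Access policies for the authentication downgrade gap.

Policy dicts follow the Graph conditionalAccessPolicy shape (assumed here).
Sample policies below are constructed, not real tenant data.
"""
import copy

# Built-in authentication strength IDs in Entra ID.
MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"
PASSWORDLESS_STRENGTH = "00000000-0000-0000-0000-000000000003"
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"


def allows_downgrade(policy: dict) -> bool:
    """True if this policy can still be satisfied by a password/OTP sign-in."""
    if policy.get("state") != "enabled":
        return True  # report-only or disabled policies enforce nothing
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    # Only the phishing-resistant built-in strength closes the gap; plain "mfa",
    # other built-in strengths, or custom strengths (review manually) count as open.
    return strength != PHISHING_RESISTANT_STRENGTH


def harden(policy: dict) -> dict:
    """Return a copy that requires phishing-resistant MFA instead of plain 'mfa'."""
    fixed = copy.deepcopy(policy)
    grant = fixed.setdefault("grantControls", {})
    grant["operator"] = "OR"
    remaining = [c for c in grant.get("builtInControls", []) if c != "mfa"]
    if remaining:
        grant["builtInControls"] = remaining
    else:
        grant.pop("builtInControls", None)  # no weaker OR-branch left behind
    grant["authenticationStrength"] = {"id": PHISHING_RESISTANT_STRENGTH}
    fixed["state"] = "enabled"
    return fixed


def audit(policies) -> list:
    """Display names of policies whose grant controls still permit a downgrade."""
    return [p["displayName"] for p in policies if allows_downgrade(p)]


# Constructed sample policies for the audit.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Admins: phishing-resistant", "state": "enabled",
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}},
    {"displayName": "Pilot (report-only)", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}},
]
```

Running `audit(SAMPLE_POLICIES)` flags the plain-MFA policy and the report-only pilot; `harden()` on the first policy yields a body suitable for a Graph policy update.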

In conclusion, Smirnov stressed the importance of configuring these new policies to safeguard against unauthorized access and maintain the integrity of the authentication system. With the deployment of Microsoft’s remediation measures, organizations can strengthen their security posture and effectively combat potential threats associated with authentication downgrades. Microsoft’s proactive approach towards addressing vulnerabilities demonstrates their commitment to enhancing security measures and protecting user data.
