Windows Hello is a more personal, more secure way to get instant access to your Windows 11 devices using a PIN, facial recognition, or fingerprint. You'll need to set up a PIN as part of setting up fingerprint or facial recognition sign-in, but you can also sign in with just your PIN.
Windows Hello is a more personal, more secure way to get instant access to your Windows 10 devices using a PIN, facial recognition, or fingerprint. You'll need to set up a PIN as part of setting up fingerprint or facial recognition sign-in, but you can also sign in with just your PIN.
I frequently have the fingerprint reader stop working. My workaround is to open the device manager as administrator, uninstall the device (without deleting the driver) and scan for hardware changes.
It seems to be a driver issue, that the driver crashes.
Is there a fix planned?
I have been having this recurring issue since purchasing my Spectre x360 just a couple months ago: I use Windows Hello to set up my PIN and fingerprint. I shut down my computer. I log on using my fingerprint, and it works great. I do this maybe one or two more times without any issues. Then, the next time, it says that my fingerprint is not recognized and that I must use my PIN. I continue to experience this problem until I go back into Windows Hello and remove and re-add my fingerprint. Then, same thing. I can log on using my fingerprint without issues the next couple times, but then after the third time or so, my fingerprint is no longer recognized. I contacted HP Support in October and the tech updated my BIOS driver. After that, same thing. The fingerprint scanner worked for about a day, and then it no longer recognized my fingerprint. I have contacted HP Support again and they are telling me that I must either do a factory reset or send my computer back for repair or replacement. Neither of these options appeals to me, so I'm checking to see if anyone else out there has experienced this issue and found a solution?
What does break, can break, and has likely broken is the relationship between the fingerprint data (Windows) and the ability of Windows to manage, save, and use the fingerprint data.
Thanks, Dragon. I agree that this issue is not with the hardware, which is why I was frustrated when HP tech support asked that I send my computer back to have the fingerprint scanner repaired. There obviously is something going on with Windows. The other thing I've noticed is that after I install any Windows updates, fingerprint logon starts to work again, but only temporarily. After the third time or so, my fingerprint no longer is recognized. While I do sometimes have issues with cold fingers that fingerprint scanners cannot read (this happens occasionally when I try to unlock my Android phone), that is not the problem that I'm describing here. If anyone has any other suggestions short of sending my computer back to HP or doing a factory reset, I'd appreciate hearing them. Thanks again.
Thanks again. After my last post I became obsessed with finding a better solution. After literally reading everything on the Internet and Windows Hello fingerprint scanner issues, I found a solution on Reddit that so far has worked for me. Under the "power management" tab of the properties for the relevant biometric driver, there is an option to "allow the computer to turn off this device to save power." The box for this option was checked, so I unchecked it. For good measure, I also went ahead and removed and re-added my Windows Hello PIN and fingerprints. Then, I followed another person's advice and shut down my computer and logged back on using my Microsoft account password. I then shut down again and logged back on with my fingerprint. So far this has worked! I am hopeful that the solution sticks.
All three sensors featured Match-on-Chip (MoC) technology, which is designed to provide extra security by ensuring fingerprint matching is done on the sensor's own processor. Microsoft created the Secure Device Connection Protocol (SDCP) as an added layer of protection. The protocol is meant to prevent a compromised OS from authorizing use of user keys when the user is not present.
The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices.
All three fingerprint sensors are of a type called "match on chip" (MoC), which integrates the matching and other biometric management functions directly into the sensor's integrated circuit.
"While MoC prevents replaying stored fingerprint data to the host for matching, it does not, in itself, prevent a malicious sensor from spoofing a legitimate sensor's communication with the host and falsely claiming that an authorized user has successfully authenticated," researchers Jesse D'Aguanno and Timo Teräs said.
Specifically, the ELAN sensor was found to be vulnerable to a combination of sensor spoofing stemming from the lack of SDCP support and cleartext transmission of security identifiers (SIDs), thereby allowing any USB device to masquerade as the fingerprint sensor and claim that an authorized user is logging in.
It's worth pointing out that while the Goodix sensor has separate fingerprint template databases for Windows and non-Windows systems, the attack is possible owing to the fact that the host driver sends an unauthenticated configuration packet to the sensor to specify what database to use during sensor initialization.
The Secure Device Connection Protocol (SDCP) was created by Microsoft to enable secure biometrics with fingerprint sensors. It consists of a set of standards and a secure communications protocol with the following goals:
What if we boot the target device into Linux and use the Linux side to enroll an attacker fingerprint into the template database, specifying the same ID as a legitimate user enrolled on the Windows side?
The first problem is determining a valid ID. How would we know the ID value of a legitimate Windows user? Fortunately, enumerating enrolled fingerprints is a built-in feature of the protocol. This enables the Windows login screen to show the option for fingerprint authentication (see screenshot). The host queries the sensor for known fingerprints and IDs, and shows the login with fingerprint option if the sensor has an ID that matches that of a local user. This operation is unauthenticated. Infoleak by design.
It turns out that the respective drivers send a configuration packet to the sensor when the sensor is initialized. Along with several configuration options, like how sensitive to be about fingerprint matching, etc., it also tells the sensor which database to use. This configuration persists until the sensor receives a new configuration packet. And this packet is unauthenticated!!
First we needed to rehost the embedded fingerprint sensor from internal embedded USB to external USB so we could more easily MitM the connection. After some hardware RE and some quick soldering, we had a rig we could plug the sensor into to connect it to the external USB ports.
I'm testing WebAuthn with the intent to implement it in a web portal. However, I need Windows users to be able to use Fingerprint sign in, not just USB Security Key. When testing from Windows 10/Chrome (latest) I only get the option to use USB Security Key, even though the laptop has a built-in fingerprint reader that is connected to Windows Hello (I can sign into Windows with the fingerprint reader). Also PIN and Password are enabled in Windows Hello.
Since the fingerprint reader and PIN/Password are integrated into Windows Hello, and actively working, why won't it let me choose any of those options instead of the physical USB Security Key? Is there a parameter in the WebAuthn request that I'm missing or possibly a registry change that needs to be made?
Thanks for any explanation of why Windows would hide the Fingerprint/PIN/Password options and only allow USB Security Key when Windows Hello already knows about the fingerprint reader, PIN and Password as legitimate ways to authenticate the user.
To fix this issue, you basically just need to delete the existing files and re-register your face or fingerprint (it works the same for both). Please note, this will reset Windows Hello (face scan, fingerprint scan, and iris scan) for all users registered on the computer:
5. Register your face/fingerprint again. Go to your account settings, then Sign-in options and go through the registration process again to re-register your biometrics. If this machine has multiple users, everyone will need to re-register.
For users and administrators: be aware your laptop hardware may be physically insecure and allow fingerprint authentication to be bypassed if the equipment falls into the wrong hands. We're not sure how that can be fixed without replacing the electronics or perhaps updating the drivers and/or firmware within the fingerprint sensors. One of the researchers told us: "It's my understanding from Microsoft that the issues were addressed by the vendors." So check for updates or errata. We've asked the manufacturers named below for comment, and we will keep you updated.
The research focuses on bypassing Windows Hello's fingerprint authentication on three laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and a Microsoft Surface Pro 8/X, which were using fingerprint sensors from Goodix, Synaptics, and ELAN, respectively. All three were vulnerable in different ways. As far as we can tell, this isn't so much a problem with Windows Hello or using fingerprints. It's more due to shortcomings or oversights with the communications between the software side and the hardware.
Windows Hello allows users to log into the OS using their fingerprint. This fingerprint is stored within the sensor chipset. What's supposed to happen, simply put, is that when you want to set up your laptop to use your print, the OS generates an ID and passes that to the sensor chip. The chip reads the user's fingerprint, and stores the print internally, associating it with the ID number. The OS then links that ID with your user account.