Bypass "multifactor device unlock" fingerprint requirement, login with PIN only

Copper Contributor

I've discovered a bug with Windows Hello for Business and the multifactor device unlock feature that essentially allows a user to log in with PIN only, without a fingerprint.

This is 100% reproducible in our environment.

Environment:

- Hybrid Azure AD joined computer

- not enrolled in Intune, managed via GPO

- WHFB hybrid cloud trust deployment

- multifactor device unlock, both factor groups include PIN, fingerprint, and facial rec

- require smart card for interactive logon is enabled post-WHFB enrollment to not allow simple username/password logon

- PIN is set as the default credential provider

This only happens when the user is already signed in to a device, but it is locked so they are attempting to unlock the device.

Also, the user must be using an external fingerprint reader.

1. User types in PIN

2. User is asked to provide fingerprint

3. User purposefully scans 3 failed fingerprints

4. User is prompted to use another method

5. User unplugs fingerprint reader

6. User is prompted for PIN a second time

7. The device successfully unlocks

As one can see, this effectively bypasses security requirements for the multifactor device unlock feature.

I know that PIN only or fingerprint only are still technically MFA, but our cyber team still requires this to prevent shoulder surfing for insider risk, as we are required to maintain CMMC compliance.

It seems that once the fingerprint credential provider goes into a locked state after 3 bad fingerprint reads, it totally glitches out the multifactor device unlock feature and effectively bypasses it altogether.

I currently have a ticket in that's getting escalated to the WHFB product team, but I'm wondering if any of you have seen this before or can reproduce it.

0 Replies