2023-05-19, 10:00–10:30, Ville-Marie
Windows Hello for Business is a passwordless authentication feature that uses a combination of device identity and biometrics or PIN to authenticate to Windows and (Azure) Active Directory. It is advertised as a strong multi-factor authentication method with hardware protected keys. In this talk we will dive into the internal workings of Windows Hello in Azure AD and hybrid scenarios. We will look into the protection of keys, the usage of hardware protection, the provisioning and storage of those keys and how attackers could interact with them. During the research into the protocols and externals, various vulnerabilities were discovered that could allow attackers to abuse Windows Hello to persist access to accounts, move laterally between identities and bypass Multi Factor Authentication. Vulnerabilities were also discovered that enable attackers to bypass the hardware protection of secrets which allow the Windows Hello credentials to be used on different devices than they were provisioned on. The talk will show why these flaws were present, how they could be abused and provide tools to interact with Windows Hello and Azure AD.
Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.