Attacking Windows Hello for Business: Is It What We Were Promised?
-
Published:2023-02-14
Issue:1
Volume:7
Page:9
-
ISSN:2410-387X
-
Container-title:Cryptography
-
language:en
-
Short-container-title:Cryptography
Author:
Haddad Joseph1, Pitropakis Nikolaos1ORCID, Chrysoulas Christos1ORCID, Lemoudden Mouad1ORCID, Buchanan William J.1ORCID
Affiliation:
1. School of Computing, Engineering & the Build Environment, Edinburgh Napier University, Edinburgh EH10 5DT, UK
Abstract
Traditional password authentication methods have raised many issues in the past, including insecure practices, so it comes as no surprise that the evolution of authentication should arrive in the form of password-less solutions. This research aims to explore the problems that password authentication and password policies present and aims to deploy Windows Hello for Business (WHFB) on-premises. This includes creating three virtual machines (VMs) and evaluating WHFB as a password-less solution and showing how an attacker with privileged access may retrieve the end user’s domain password from the computer’s memory using Mimikatz and describing the possible results. The conducted research tests are in the form of two attack methods. This was feasible by the creation of three VMs operating in the following way. The first VM will act as a domain controller (DC) and certificate authority server (CA server). The second VM will act as an Active Directory Federation Service (ADFS). The third VM will act as the end-user device. The test findings research summarized that password-less authentication is far more secure than the traditional authentication method; this is evidenced throughout the author’s tests. Within the first test, it was possible to retrieve the password from an enrolled device for WHFB while it was still in the second phase of the deployment. The second test was a brute-force attack on the PIN of WHFB; since WHFB has measures to prevent such attacks, the attack was unsuccessful. However, even though the retrieval of the password was successful, there are several obstacles to achieving this outcome. It was concluded that many organizations still use password authentication as their primary authentication method for accessing devices and applications. Larger organizations such as Microsoft and Google support the adoption of password-less authentication for end-users, and the current usage of password-less authentication shared by both organizations is encouraged. This usually leads organizations to adopt this new solution for their IT infrastructure. This is because it has been used and tested by millions of people and has proven to be safe. This supports the findings of increased usage and the need for password-less authentication by today’s users.
Funder
Horizon Europe Project Trust
Subject
Applied Mathematics,Computational Theory and Mathematics,Computer Networks and Communications,Computer Science Applications,Software
Reference27 articles.
1. Goldberg, J., Hagman, J., and Sazawal, V. (2002). CHI ‘02 Extended Abstracts on Human Factors in Computing Systems (CHI EA ‘02), Association for Computing Machinery. 2. Farke, F.M., Lassak, L., Pinter, J., and Dürmuth, M. (2022, January 7–9). Exploring User Authentication with Windows Hello in a Small Business Environment. Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), Boston, MA, USA. 3. Detection and Prevention of Attacks on Active Directory Using SIEM;Muthuraj;Smart Innov. Syst. Technol.,2021 4. Chen, S., Choo, K.K., Fu, X., Lou, W., and Mohaisen, A. (2019). Security and Privacy in Communication Networks, Springer. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. 5. Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild;Kim;Secur. Commun. Netw.,2021
Cited by
1 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
|
|