A newly disclosed Windows Hello flaw allows hackers to manipulate facial recognition templates and unlock sensitive systems using their own faces. Security researchers warn that Windows Hello for Business suffers from a core design flaw that makes it possible to “swap faces” and access privileged user accounts.
Researchers Reveal Critical Biometric Weakness
Researchers from cybersecurity firm ERNW discovered that biometric templates in Windows Hello can be altered if an attacker gains access to a compromised machine within an organization’s network.
Windows Hello for Business is designed to verify user identity through biometric data like face scans. However, researchers found that hackers with administrative privileges can tamper with the stored facial templates—essentially swapping one face for another.
Once done, attackers can log in as other users, including domain admins, using their own face.
“There is only a loose coupling between biometric identification and authentication,” researchers wrote in a detailed post on insinuator.net. “All the information needed to unlock the templates is stored locally.”
How the Face Swap Attack Works
To pull off the attack, hackers must first compromise a device in the corporate network. They must then escalate privileges to become a local administrator.
With those conditions met, they can decrypt and alter the biometric database, which contains:
- An encrypted header holding the keys for biometric templates
- Version metadata
- The encrypted facial templates themselves
The biometric service that stores this data runs under the NT AUTHORITY\SYSTEM account. Because the key material is protected only by that local account, an attacker who has reached SYSTEM on the same machine can derive the decryption key there, without needing any external secret.
ERNW’s proof-of-concept shows two users enrolled with Windows Hello—one a domain user, the other a local admin. By swapping security identifiers, the local admin’s face can now unlock the domain user’s account.
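Because the templates are rewritten in place and nobody re-enrols, the most practical detection is file-integrity monitoring of the biometric database, correlated with legitimate enrollment events. The PowerShell script below is an added example written for this article; it is not ERNW's proof-of-concept or any Microsoft tooling. It assumes the default database folder %SystemRoot%\System32\WinBioDatabase and the service name WbioSrvc (neither is named in the article), and that the baseline file is copied off the host so a local administrator cannot simply regenerate it.

```powershell
# Added example (not from ERNW's post or this article): baseline and re-check the
# integrity of the local Windows Hello biometric database so that an out-of-band
# rewrite of the stored templates shows up as a change.
# Assumptions: the database lives under $env:SystemRoot\System32\WinBioDatabase
# (the default location; the article does not name a path) and the service is
# WbioSrvc. Run elevated; keep the baseline file off-host for it to be trustworthy.

param(
    [string]$DatabaseDir  = (Join-Path $env:SystemRoot 'System32\WinBioDatabase'),
    [string]$BaselinePath = 'C:\ProgramData\WinBioBaseline.json',
    [switch]$Baseline
)

function Get-WinBioSnapshot {
    param([string]$Dir)
    $snapshot = @{}
    foreach ($f in (Get-ChildItem -Path $Dir -File -ErrorAction Stop)) {
        try {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        } catch {
            # The service may hold a file open; record that rather than abort.
            $hash = "UNREADABLE: $($_.Exception.Message)"
        }
        $snapshot[$f.Name] = @{
            Sha256    = $hash
            Length    = $f.Length
            LastWrite = $f.LastWriteTimeUtc.ToString('o')
        }
    }
    return $snapshot
}

# 1. Record which account the biometric service runs as. The article's point is
#    that the template keys are reachable from this (LocalSystem) context.
$svc = Get-CimInstance Win32_Service -Filter "Name='WbioSrvc'"
if ($null -eq $svc) {
    Write-Warning 'Windows Biometric Service (WbioSrvc) not found on this host.'
} else {
    Write-Host ("WbioSrvc state={0} startname={1}" -f $svc.State, $svc.StartName)
}

$current = Get-WinBioSnapshot -Dir $DatabaseDir

if ($Baseline) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written for $($current.Count) file(s) to $BaselinePath"
    exit 0
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run once with -Baseline first."
}

$previous = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$findings = @()

# 2. A template file whose hash changed outside a known enrollment window is
#    the signal: a face swap rewrites the encrypted templates without any
#    user going through enrollment.
foreach ($name in $current.Keys) {
    $old = $previous.$name
    if ($null -eq $old) {
        $findings += "NEW     $name"
    } elseif ($old.Sha256 -ne $current[$name].Sha256) {
        $findings += "CHANGED $name (last write $($current[$name].LastWrite))"
    }
}
foreach ($p in $previous.PSObject.Properties) {
    if (-not $current.ContainsKey($p.Name)) { $findings += "REMOVED $($p.Name)" }
}

if ($findings.Count -eq 0) {
    Write-Host 'Biometric database unchanged since baseline.'
} else {
    Write-Warning 'Biometric database differs from baseline; correlate with enrollment records:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run once with -Baseline after enrollments are complete, then on a schedule without it. A change is only meaningful when no enrollment was expected at that time, so the output has to be matched against your enrollment records; and since the flaw requires local administrator rights, a host-resident baseline can be rewritten by the same attacker, which is why the baseline belongs in a central store.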
Microsoft Aware, But Fix Unlikely
The researchers notified Microsoft but don’t expect the flaw to be addressed. They say that fixing the issue would require a major architectural overhaul of Windows Hello’s biometric system. Similar vulnerabilities in the past reportedly went unresolved.
This vulnerability is not just a theoretical risk. ERNW used standard Windows tools to demonstrate the exploit in action. With access to one compromised device, attackers can move laterally through the network, stealing sensitive data or hijacking user sessions.
Conclusion
The Windows Hello flaw proves that even advanced biometric systems can be exploited with the right level of access. By storing critical decryption data locally and offering weak coupling between identity and authentication, Windows Hello opens the door to face-swapping attacks that can compromise entire networks. Without a structural redesign, businesses may need to rethink their trust in facial recognition for securing admin-level systems.