Windows Hello Exploit Lets Hackers Unlock PCs With Their Own Faces

New Windows Hello “Faceplant” attack lets admins bypass facial recognition by injecting fake face templates

Less than two months after unveiling a “Face Swap” weakness, researchers have disclosed a more serious flaw affecting Windows Hello for Business. German security firm ERNW presented a new technique, dubbed Faceplant, at Black Hat USA 2025 that can completely sidestep another user’s facial recognition sign-in by manipulating biometric templates.

Here’s the high-level picture. When you enroll your face, Windows creates a biometric template—a compact, encrypted digital representation it uses to recognize you later. ERNW showed that an attacker with administrative privileges can enroll their own face on any machine to create a template, decrypt and extract that template, and then inject it into a victim’s biometric database on a target device. The result: the attacker logs in as the victim using their own face.

This is a notable escalation over the previously disclosed “Face Swap” method. The earlier technique required two users already enrolled on the same device and involved swapping identifiers that label existing templates. Faceplant zeroes in on the templates themselves, and crucially, the attacker can generate the malicious template on a different computer before moving it to the target.

Why this matters
– It undermines trust in biometric logins by showing that the stored template—not just the identifier—can be tampered with.
– While the attack requires administrative access, that’s a realistic condition in insider-threat scenarios or where privilege escalation is possible.
– Enterprise environments that rely on Windows Hello for Business are the primary target, given the focus on centralized biometric databases and managed devices.

What you can do now
– Minimize and monitor admin rights. Apply least-privilege policies and audit local and domain admin groups regularly.
– Enforce strong multi-factor authentication, especially for privileged accounts and remote access.
– Harden endpoints. Use device encryption, secure boot, and tamper protection to make offline extraction and database manipulation harder.
– Monitor for anomalies. Watch for unexpected biometric enrollments, changes to authentication databases, and unusual logon activity.
– Segment and protect domain controllers and management servers that can influence authentication flows.
– Stay current with security updates and guidance from Microsoft, and review any vendor advisories related to Windows Hello for Business.
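To make the "Monitor for anomalies" item concrete, here is an added example (not part of the original article or ERNW's research) of a correlation rule that flags the Faceplant sequence: a biometric template for one account changed by a different account, followed shortly by a Windows Hello logon for the account whose template was touched. The event records and their field names are a constructed, hypothetical schema for illustration; real Windows event IDs and log fields are not assumed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (an assumption,
# not real Windows event log fields). "actor" is the account performing the
# action, "subject" is the account whose biometric data or session is involved.
EVENTS = [
    {"time": "2025-08-06T09:00:00", "kind": "logon",
     "actor": "CORP\\helpdesk-admin", "subject": "CORP\\helpdesk-admin",
     "detail": "interactive, password"},
    {"time": "2025-08-06T09:01:10", "kind": "template_change",
     "actor": "CORP\\helpdesk-admin", "subject": "CORP\\alice",
     "detail": "biometric template file modified"},
    {"time": "2025-08-06T09:03:30", "kind": "logon",
     "actor": "CORP\\alice", "subject": "CORP\\alice",
     "detail": "interactive, Windows Hello face"},
    {"time": "2025-08-06T10:15:00", "kind": "template_change",
     "actor": "CORP\\bob", "subject": "CORP\\bob",
     "detail": "self-enrollment via Settings"},
]


def detect_foreign_template_changes(events, window=timedelta(minutes=30)):
    """Return one alert per biometric template change made by an account other
    than the template's owner. Each alert records whether the owner then
    logged on with Windows Hello within `window`, which is the Faceplant
    pattern: inject a template as admin, then sign in as the victim."""
    parsed = [(datetime.fromisoformat(e["time"]), e) for e in events]
    alerts = []
    for t, e in parsed:
        # Users enrolling their own face (actor == subject) is the normal case.
        if e["kind"] != "template_change" or e["actor"] == e["subject"]:
            continue
        followup = [
            f for ft, f in parsed
            if f["kind"] == "logon"
            and f["subject"] == e["subject"]
            and "Windows Hello" in f["detail"]
            and t < ft <= t + window
        ]
        alerts.append({
            "victim": e["subject"],
            "actor": e["actor"],
            "time": e["time"],
            "biometric_logon_after_change": bool(followup),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_foreign_template_changes(EVENTS):
        print(alert)
```

In practice the `EVENTS` list would be built from the Security log and the Windows Biometric Service operational log, plus file-integrity events on the biometric database, and the 30-minute window tuned to the environment.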

The big takeaway is that biometrics aren’t a magic shield. They’re one factor in a layered defense strategy, and their protection relies on safeguarding the underlying templates and the systems that store them. Organizations should reassess their Windows Hello for Business hardening, tighten admin controls, and increase monitoring for signs of tampering while awaiting further mitigations.