
Hidden flaw in Windows systems lets hackers log in with their own face

A person wearing a Guy Fawkes mask looking at a Windows logo (Image source: Peakpx and Ahmed Zayan via Unsplash; edited)
Less than two months after demonstrating a “Face Swap” vulnerability, researchers have revealed an even bigger Windows vulnerability. German security firm ERNW has disclosed a more advanced attack against Windows Hello that allows attackers to inject their own face templates into victims' accounts.

ERNW has demonstrated a new attack against Microsoft's Windows Hello for Business. They presented this attack at the Black Hat USA 2025 conference. This new exploit follows a closely related one the firm shared in July.

This new attack — dubbed "Faceplant" — allows an attacker with administrative privileges to completely bypass another user's facial recognition login. The researchers explained that the attacker can first enroll his/her face on any computer to generate a biometric template. For the layman, a biometric template is like a digital representation of your face, which the computer creates and saves when you enroll your face or fingerprint on it. This is what the computer then uses to identify your face or fingerprint whenever you try using them to unlock your computer.

For the next step, the attacker decrypts and extracts the template. For the final step, the attacker injects this template into a victim's biometric database on the target computer. This allows the attacker to log in as the victim using their own face. This represents a significant deviation from the Face Swap attack ERNW reported in July.

The previous attack required an attacker to swap identifiers (the tags that identify templates) between two user accounts already enrolled on the same device. The new attack goes a step further: it targets the templates rather than the identifiers, and the attacker can generate the malicious template on any computer.

Chibuike Okpara, 2025-09-05 (Update: 2025-09-06)