2025/12/23
From December 8 to 12, JeongHo Lee and Professor Hyoung-Kee Choi attended and presented at ACSAC 2025 in Honolulu, Hawaii, USA.
The research paper is titled "False Promises of Passwordless: Defeating Windows Hello through TPM Misuses".
Summary: Passwordless authentication is increasingly being adopted as an alternative to traditional knowledge-based authentication, primarily because of its convenience and security advantages. There is a clear lack of research on the integration of passwordless authentication with host security and operating systems. We bridge that gap by uncovering critical vulnerabilities in Windows' passwordless authentication. Specifically, we identify misconfigurations in which hardware-backed protection is silently bypassed due to improper TPM integration, undermining the security guarantees Windows intends to provide. Furthermore, we show that the use of biometrics weakens data protection. We present three practical attacks that exploit these vulnerabilities: (1) "Template Injection" bypasses biometrics by injecting forged templates into the system; (2) "Passkey Migration" extracts and reuses passwordless credentials across devices; and (3) "Phishing" alters host authentication behavior to deceive users into exposing sensitive data. Our evaluation shows that these attacks work across diverse configurations, require no prior knowledge of the victim, and remain undetectable in practice. Among all tested cases, only systems with Enhanced Sign-in Security (ESS) prevented our attacks. Beyond Windows' native authentication, we examine third-party credential sync services, focusing on Google Password Manager (GPM). We find that GPM is vulnerable under certain misconfigurations, allowing abuse of synced credentials. Finally, we discuss the root causes of these issues and propose mitigation strategies.
Please visit the ACSAC website for more information about the conference.