
I'd like to use a USB fingerprint reader to authenticate with bitlocker - i.e. unlock my machine when bitlocker password request screen is shown when booting into Windows.

Something like a tiny rectangular USB fingerprint dongle from:

...All available on amazon, for example.

Assuming I could, then of course, for setting up I'd have to log in with my bitlocker password to get into Windows to then do the setup for next time I boot Windows.

Is it possible to set up Windows BitLocker to recognise my fingerprint using a USB fingerprint reader?

I have Windows 10 Pro 64bit on 3 machines that I'd like to use this fingerprint unlocking on:

  • Panasonic Toughpad MkIII Intel x86-64 i5 vPro, Windows 10 Pro 64bit (which I think has the TPM module - though I don't know if this is necessary to fulfil my question)
  • MacBook Air 11" 2015, 8 GB, i7 2.2 GHz (for Windows 10 Pro 64-bit on Boot Camp)
  • MacBook Pro 2016 15" retina/touchbar/thunderbolt 3 port x 4, 16 GB, i7 quad core (for Windows 10 Pro 64-bit on Boot Camp)

It would appear that these work with Windows Hello. But I don't know if Windows Hello includes Bitlocker - i.e. Bitlocker is a part of Windows Hello or if they are 2 separate things.

Thank you for reading. I've already searched here and am perhaps surprised that the question had not already been asked, it would appear.

therobyouknow

2 Answers


Windows Hello is irrelevant to BitLocker, since BitLocker operates before Windows is even loaded. So without Windows, there is no Hello working.

Some products exist for that, such as Secure Disk for BitLocker. I don't have any experience with this, but its description is a bit frightening when imagining all that can go wrong with it:

small security operating system that is loaded prior the start of Windows. It offers additional boot features and full management of the underlaying Windows encryption.

With a compatible BIOS, there might be such an option. I have seen descriptions of doing that (example), which I will summarize below:

  • Turn on 'Power on password'
  • In Fingerprint, set the security mode to NORMAL (not HIGH)
  • Ensure Pre-desktop authentication is On

For the person answering, this meant authenticating once with his fingerprint at boot for both Bitlocker and Windows, but he had all these above options in his BIOS, which yours might not have.

harrymc
  • +1 upvote on your answer and thank you for your answer, harrymc, useful information there. I agree - I don't fancy using the Secure Disk For BitLocker for the reason you give. I'll leave the question open for a little while longer, but I would think I'd like to accept your answer, at the moment. Thanks again! – therobyouknow Jul 29 '19 at 08:43
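To see for yourself which pre-boot unlock methods BitLocker actually supports on a given machine (and whether the Toughpad really has a usable TPM), the following PowerShell script is useful. It is an added example, not code from the question or either answer; it uses only the built-in Get-Tpm, Get-BitLockerVolume and Add-BitLockerKeyProtector cmdlets from an elevated prompt on Windows 10 Pro. The StartupKeyDrive parameter and the drive letter E:\ in the usage line are assumptions for illustration.

```powershell
# Added example: inventory BitLocker protectors and TPM state, optionally add a
# USB startup-key protector. Run from an elevated PowerShell on Windows 10 Pro.
# Usage:  .\Check-BitLockerProtectors.ps1            (report only)
#         .\Check-BitLockerProtectors.ps1 -StartupKeyDrive 'E:\'  (also add a USB startup key)
param(
    # Removable drive to write a startup key to; omit to only report. (Assumed parameter name.)
    [string]$StartupKeyDrive
)

# 1. Is there a TPM, and is it provisioned? The question was unsure about the Toughpad.
$tpm = Get-Tpm
"TPM present: {0}; ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady

# 2. Which protectors guard the OS volume? The possible KeyProtectorType values
#    (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, Password, RecoveryPassword,
#    ExternalKey, ...) are all TPM, PIN, password or key-file based; there is no
#    biometric type, which is why Windows Hello does not apply at the pre-boot prompt.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
"Volume {0}: status {1}, protection {2}" -f $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus
$os.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# 3. Optional: the closest built-in "USB dongle" unlock is a startup key on a USB
#    drive. Refuse unless a recovery password already exists, so a lost USB drive
#    cannot lock you out of the volume.
if ($StartupKeyDrive) {
    $hasRecovery = $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $hasRecovery) {
        throw "Add and back up a RecoveryPassword protector before adding a startup key."
    }
    if (-not (Test-Path -Path $StartupKeyDrive)) {
        throw "Startup key drive '$StartupKeyDrive' is not present."
    }
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -StartupKeyProtector -StartupKeyPath $StartupKeyDrive
    "Startup key written to $StartupKeyDrive; keep it separate from the laptop."
}
```

The protector list is the concrete check behind harrymc's point: whatever the BIOS-level fingerprint options on a given laptop do, BitLocker itself only releases the volume key to a TPM measurement, a PIN/password, or a key file, so a fingerprint can only ever sit in front of one of those (as in the BIOS "pre-desktop authentication" described above), never replace it.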

Lots of MCUs these days can operate in "keyboard mode" (send keypresses over USB) and are smaller than the USB slot itself (fit invisibly inside)... all that's needed is the fingerprint hardware with that and the solution is done.

Not sure if anyone has manufactured such a thing yet though.

cnd
  • Interesting idea, but it's exploitable: the secret could be extracted. Proper solutions are designed to make this impossible. – gronostaj Aug 14 '22 at 06:45
  • True, but the correct fingerprint would be needed to extract it (note that all contemporary MCUs now include anti-tamper and anti-fuzzing circuitry), and keep in mind that the logic of *all* fingerprint reading hardware comes down to a simple 1-bit binary output - "yes" or "no" - to bypass almost all of them, you simply need to invert the output (requires hardware tampering) and use a wrong finger. You can also "Extract" the secret of all bitlocker keys with nothing more than a microphone (keypress reconstruction AI is easy these days) – cnd Aug 15 '22 at 00:18