Windows Hello does not work the same way as BitLocker, where you can pick an “encryption type”.
With Hello you are not encrypting a file that you later decrypt; instead you are
The fingerprint is only the gesture that releases the private key inside the TPM; it is never the secret that is sent to a log-on server, nor is it compared with anything outside the local device.
Where is the fingerprint data kept?
A. Match-on-sensor devices (common on current laptops and tablets)
• The template that is built from the fingerprint never leaves the fingerprint controller.
• Storage format and any internal encryption are vendor-specific. Windows never even sees the template; it only receives "match / no match" from the secure element in the reader.
• In this case there is nothing for Windows to encrypt at all.
B. Match-on-host devices (older or very low-cost readers)
• The driver produces an ISO/IEC 19794-2 or ANSI INCITS 378 minutiae template and hands it to the Windows Biometric Service.
• The template is written under %SystemRoot%\System32\WinBioDatabase\ (*.dat files), but only after it has been protected with DPAPI.
• Since Windows Vista, DPAPI has used AES-256-CBC (with an HMAC-SHA-512 integrity check) under a per-user master key.
• That per-user master key is derived from the user's logon credential; it is not sealed to the TPM. What lives in the TPM is the separate Windows Hello credential key (RSA-2048), created under the TPM's storage root key (RSA-2048 or NIST P-256 ECC on TPM 2.0). A successful match releases that key, and the key is what actually signs in.
• Wherever the TPM has to hash data it uses SHA-256 (mandatory in TPM 2.0); SHA-1 is kept only for backward compatibility with very old keys.
Therefore, for the part that Windows itself handles, the crypto that protects the fingerprint template is:
• AES-256 in CBC mode (inside DPAPI), under the user's DPAPI master key
• The Windows Hello credential key the match releases is an RSA-2048 key held in the TPM, under a storage root key that is RSA-2048 or ECC P-256
• Hashing inside the TPM is SHA-256
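The following script is an added example, not part of the original answer, that puts the two cases above to the test on a real machine: it lists the biometric hardware and the TPM, looks for a match-on-host template store under WinBioDatabase, checks that no file there begins with the plaintext ISO 19794-2 / ANSI 378 magic "FMR", and then shows what DPAPI protection of a constructed stand-in template looks like (DPAPI blobs carry a version word of 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb). It assumes Windows 10/11 with Windows PowerShell 5.1 or later, run elevated; the WinBioDatabase folder is normally readable only by SYSTEM, so step 3 may report nothing unless the script is run as SYSTEM (for example via PsExec -s). The stand-in template bytes are made up for the demonstration and are not a real minutiae record.

```powershell
# Added example (not the original answer's code). Run elevated on Windows 10/11.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData = DPAPI

# 1. Biometric devices present, and the Windows Biometric Service that owns them.
Get-PnpDevice -Class Biometric -PresentOnly | Select-Object FriendlyName, Status, InstanceId
Get-Service WbioSrvc | Select-Object Name, Status

# 2. The TPM that holds the Windows Hello credential key (TrustedPlatformModule module).
Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerVersion

# 3. Match-on-host template store. Match-on-sensor readers leave this empty,
#    because the template never reaches Windows at all.
$dbDir   = Join-Path $env:SystemRoot 'System32\WinBioDatabase'
$dbFiles = @(Get-ChildItem -Path $dbDir -Filter '*.dat' -File -ErrorAction SilentlyContinue)
if ($dbFiles.Count -eq 0) {
    "No template database under $dbDir (match-on-sensor reader, no enrolments, or access denied)."
}
foreach ($f in $dbFiles) {
    $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
    # ISO 19794-2 / ANSI 378 minutiae records start with the ASCII magic "FMR\0".
    # A template written to disk in the clear would show it at offset 0; DPAPI output does not.
    $magic = [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes[0..2])
    [pscustomobject]@{
        File          = $f.Name
        SizeBytes     = $bytes.Length
        StartsWithFMR = ($magic -eq 'FMR')
    }
}

# 4. What DPAPI protection looks like, using a constructed stand-in (not a real template).
$fake = [System.Text.Encoding]::ASCII.GetBytes('FMR' + [char]0 + ' 020' + [char]0 + 'constructed-minutiae-placeholder')
$blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $fake, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

# A DPAPI blob begins with dwVersion = 1 and the DPAPI provider GUID; the plaintext magic is gone.
[pscustomobject]@{
    Version       = [BitConverter]::ToUInt32([byte[]]$blob[0..3], 0)
    ProviderGuid  = [guid]::new([byte[]]$blob[4..19])
    StartsWithFMR = ([System.Text.Encoding]::ASCII.GetString([byte[]]$blob[0..2]) -eq 'FMR')
    BlobBytes     = $blob.Length
}

# Unprotect only succeeds under the same user's DPAPI master key (or via the domain backup key).
$back = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
"Round trip OK: " + ([Convert]::ToBase64String($fake) -eq [Convert]::ToBase64String($back))
```

Step 4 is the same API path the Windows Biometric Service uses for match-on-host templates (CryptProtectData under the hood); running it as a second user and attempting the Unprotect call shows the per-user binding the answer describes, because the call fails with a "key not valid for use in specified state" error rather than returning the bytes.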
Can you change it?
No. Windows Hello deliberately hides these details from the user and the administrator; the algorithms are fixed, FIPS-validated selections. The only choice you have is whether to allow biometrics at all and whether the hardware you buy performs “match-on-sensor” (in which case the template never even reaches Windows).
It is definitely not SHA-1, and there is nothing equivalent to the BitLocker XTS-AES-128/-256 selector.
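As an added example (not from the original answer) of the one knob that does exist, the script below reads and sets the "Allow the use of biometrics" policy, which Windows stores as the Enabled DWORD under HKLM\SOFTWARE\Policies\Microsoft\Biometrics, together with the "Allow domain users to log on using biometrics" value (Credential Provider\Domain Accounts). It assumes an elevated session on Windows 10/11; the two registry paths are the ones the built-in Biometrics administrative template writes, and there is deliberately no value in this script for a cipher or hash because none exists.

```powershell
# Added example (not the original answer's code). Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

# Report the effective state. An absent value means "not configured", which Windows treats as allowed.
function Get-BiometricPolicyState {
    $enabled  = (Get-ItemProperty -Path $policyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $domainOk = (Get-ItemProperty -Path "$policyKey\Credential Provider" -Name 'Domain Accounts' -ErrorAction SilentlyContinue).'Domain Accounts'

    $allowed = if ($null -eq $enabled)  { 'Not configured (allowed)' } elseif ($enabled -eq 1)  { 'Allowed' } else { 'Blocked' }
    $domain  = if ($null -eq $domainOk) { 'Not configured (allowed)' } elseif ($domainOk -eq 1) { 'Allowed' } else { 'Blocked' }

    [pscustomobject]@{
        BiometricsAllowed  = $allowed
        DomainAccountLogon = $domain
        WbioServiceStartup = (Get-Service WbioSrvc -ErrorAction SilentlyContinue).StartType
    }
}

# Flip the policy. Biometrics stay allowed unless Enabled is explicitly 0.
function Set-BiometricPolicy {
    param([Parameter(Mandatory)][bool]$Allow)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name Enabled -PropertyType DWord -Value ([int]$Allow) -Force | Out-Null
    # The Windows Biometric Service picks the policy up on refresh; force it rather than waiting.
    gpupdate /target:computer /force | Out-Null
    Get-BiometricPolicyState
}

Get-BiometricPolicyState
# Set-BiometricPolicy -Allow $false   # block fingerprint / face sign-in on this device
# Set-BiometricPolicy -Allow $true    # allow it again (the default behaviour)
```

Setting Enabled to 0 stops Windows Hello biometric enrolment and sign-in on the device; it does not touch the templates a match-on-sensor reader holds internally, which is exactly why the answer says the only real control over that data is the hardware you choose.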
version: o3-pro-2025-06-10