How to avoid the Windows Hello vulnerability

In light of a recently discovered issue related to using Windows Hello to unlock NordPass vaults, we are here to provide you with more information about this vulnerability and help you mitigate any risks.

What is the issue with using Windows Hello to open a NordPass vault?


The security concern in the integration between NordPass and Windows Hello involves a vulnerability that, under specific circumstances, could allow attackers to get unauthorized access to a user’s NordPass vault without providing their Master Password.


The problem lies in the implementation and reliance on the Windows credentials manager and backup keys, which, when combined with compromised domain admin privileges or a local threat actor, may allow cybercriminals to bypass intended security measures.

What steps should you take to avoid this?


Our developers are already working on solving this problem by changing the derived keys control system. Until a solution is fully implemented, we advise Windows Hello users to follow one of two methods to address the issue at this time:

  • Switch to the NordPass standalone extension

  • Temporarily disable the Unlock with Windows Hello feature in the NordPass desktop application (as pictured below). This feature can be found in your NordPass application settings.
    Screenshot 2024-01-11 at 15.29.54.png

Note: If you decide to choose the second option, be sure you know your Master Password or Recovery Key. Otherwise, you will not be able to access your vault.


To all Windows Hello users, we hope that this issue will not cause you any major inconvenience.