Making Universal Windows Platform apps More Personal and More Secure with Windows Hello and Passport API
As part of a restricted group of innovators who are willing to explore any cutting-edge technology with the main purpose of making the user experience on Windows even more personal, I was looking for a way to test the new Windows Hello technology myself.
You can find the full working sample on MSDN Code gallery.
What Windows Hello is and how it works
Windows Hello “introduces native support for biometric authentication – using your face, iris, or fingerprint to unlock your devices – with technology that is much safer than traditional passwords”. This is how Joe Belfiore, Vice President, PC-Tablet-Phone at Microsoft, describes the technology in a blog post on the official Windows Blog.
This is how the technology was introduced to users. Actually, the technology behind the scenes is Microsoft Passport; Windows Hello is just the biometric part of the whole architecture.
The Passport API works by scanning the user’s face, iris, or fingerprint; the API then stores the information and logs the user into the device.
When a user with an IDentity Provider (IDP) logs in for the first time on a capable device:
A private key is stored (and encrypted) in the appropriate storage.
The Passport API stores the generated keys in the appropriate TPM container (new-generation TPM chips have different containers for private and enterprise identities) if a TPM is present; a TPM is not mandatory for the technology to work, but a TPM chip is of course the most secure place to store the key.
Access to the private key is controlled by the user’s PIN and/or face, iris, or fingerprint through the Passport API.
The Microsoft Passport API also allows a server/service-side implementation: if the site we are browsing, or the service we are accessing through our Universal Windows Platform app, implements the Passport API, the previously generated public key is stored on the Microsoft Passport service online. In that way a trust relationship can be established between the client and the service, and this allows the user to have instant access to online sites and services that require authentication.
The account can be a Microsoft Account, for end-user customers, or an Active Directory account, for enterprise users.
This is why Microsoft Passport eliminates the need for web sites or services to store user passwords for authentication purposes.
An important aspect of Microsoft Passport is that it fully supports the FIDO (Fast IDentity Online) Alliance standards. This means that Windows Hello will work with many web sites and apps from the beginning.
This technology provides enterprise-grade security that makes Microsoft Passport suitable for use in environments with the highest security requirements, such as defense, government and finance. The same security will be available to end-user customers.
To reach such a security level, Windows Hello / Microsoft Passport works in a similar way to smart cards.
A smart card holds the user’s private key locked inside itself, so an authentication message can be generated only when the smart card is plugged in.
The Microsoft Passport API works in the same way: the user’s private key can be accessed to generate the authentication message only if the user presents their own PIN and/or face, iris, or fingerprint to unlock the private key stored inside the TPM chip.
There are also anti-spoofing capabilities built into Microsoft Passport: for example, someone can’t use a photo of the user to log into the user’s system.
Implementing Passport API in Universal Windows Platform App
As a Kinect MVP I was interested in checking out the technology with face recognition.
Unfortunately, at the moment, Kinect sensors (both v1 and v2) are not supported; the only supported device for facial authentication is the Intel RealSense F200 camera.
For information on how to set up the device in Windows 10, how to get the Windows Hello feature enabled, or how to get the device, please refer to the blog post of my friend, MVP Marco Dal Pino.
Well, after configuring the device and testing the Windows Hello biometrics / Microsoft Passport API, all that is left to do is implement the API in our Universal Windows Platform apps.
Even if, at the time of this post (July 19th 2015), the MSDN documentation is a bit poor because the whole ecosystem wasn’t yet released (I’m working on the Visual Studio 2015 release candidate on Windows 10 build 10240), I tried to understand what is possible to do at the moment.
If you create a new Universal Windows App with Visual Studio 2015 you can:
Check if the Windows Hello feature is enabled
Try to open a previously stored KeyCredential (this works at application level)
KeyCredentialRetrievalResult result = await KeyCredentialManager.OpenAsync(KEY_CREDENTIAL);
If it is present, we can use it to request Windows Hello authentication
KeyCredentialOperationResult signResult = await result.Credential.RequestSignAsync(CryptographicBuffer.ConvertStringToBinary("LoginAuth", BinaryStringEncoding.Utf8));
If the status of signResult is Success, the user was able to authenticate with Windows Hello.
Otherwise, if the KeyCredential was not found, we can create it. To create it, the Windows Hello functionality is called:
KeyCredentialRetrievalResult creationResult = await KeyCredentialManager.RequestCreateAsync(KEY_CREDENTIAL, KeyCredentialCreationOption.ReplaceExisting);
If the status of creationResult is Success, the user was able to authenticate with Windows Hello.
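The steps above gathered into one helper, as an added example that is neither the post's sample nor Microsoft's code: it checks support, opens or creates the app's KeyCredential, retrieves the public key with KeyCredential.RetrievePublicKey (part of the Windows.Security.Credentials API, not covered in the post) and signs a challenge supplied by the service. The credential name and the nonce-style challenge are assumptions.

```csharp
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Storage.Streams;

public static class PassportAuth
{
    // Application-level credential name (assumed; any string that identifies the app's key).
    private const string KEY_CREDENTIAL = "SampleAppPassportKey";

    public sealed class AuthResult
    {
        public bool Authenticated;
        public IBuffer PublicKey;  // hand to the service on first use; it never sees the private key
        public IBuffer Signature;  // send with the challenge so the service can verify it
        public string Failure;
    }

    // challenge: a one-time nonce issued by the service, so a captured signature cannot be replayed
    // (the post signs the constant "LoginAuth"; a fixed string proves nothing to a remote verifier).
    public static async Task<AuthResult> SignInAsync(IBuffer challenge)
    {
        var outcome = new AuthResult();
        // 1. Is Windows Hello / Microsoft Passport enabled on this device?
        if (!await KeyCredentialManager.IsSupportedAsync())
        {
            outcome.Failure = "Windows Hello is not enabled on this device";
            return outcome;
        }
        // 2. Open the key created earlier for this app; if there is none, create it (prompts PIN / biometric).
        KeyCredentialRetrievalResult result = await KeyCredentialManager.OpenAsync(KEY_CREDENTIAL);
        if (result.Status == KeyCredentialStatus.NotFound)
            result = await KeyCredentialManager.RequestCreateAsync(KEY_CREDENTIAL, KeyCredentialCreationOption.ReplaceExisting);
        if (result.Status != KeyCredentialStatus.Success)
        {
            outcome.Failure = "Credential unavailable: " + result.Status;
            return outcome;
        }
        outcome.PublicKey = result.Credential.RetrievePublicKey();
        // 3. Sign the challenge; the private key is usable only after the user's PIN or biometric gesture.
        KeyCredentialOperationResult signResult = await result.Credential.RequestSignAsync(challenge);
        if (signResult.Status != KeyCredentialStatus.Success)
        {
            outcome.Failure = "Sign failed: " + signResult.Status;
            return outcome;
        }
        outcome.Signature = signResult.Result;
        outcome.Authenticated = true;
        return outcome;
    }
}
```

A service that registered PublicKey on first use verifies Signature over the challenge it issued; a status of UserCanceled or SecurityDeviceLocked should be treated as "not authenticated", never as a fallback to a weaker path.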
At the moment of writing I still haven’t found a way to deal with the user credential and to get the public key to share with the theoretical service supporting it, so stay tuned because this is a work-in-progress sample.
As soon as I get some new information I’ll update the sample.
Conclusion: Old technologies reinvented
I remember the time, in late 2006 in the days of Windows Vista, when the .NET Framework 3.0 was introduced: it brought a revolution to the dev world with all those innovative APIs: WPF, WCF, WF and… CardSpace.
Windows CardSpace was developed to allow users to create digital identities to store personal information that could be requested and accessed by websites or other software applications.
When a website or an app asked for the user’s information, the CardSpace UI would appear and the user could select which identity to make available to it. Everything was done in accordance with the security standards of that time.
This tech was not so appealing, so in 2011 it was retired.
Now let’s look at the Microsoft Passport API: I’m sure it will be the next cutting-edge Microsoft technology to bring a revolution to authentication systems. CardSpace, of course, is completely different, but if Microsoft Passport could somehow be extended to incorporate the old CardSpace functionality, it would make the Windows experience even more personal today.