Biometric Authentication with Microsoft Passport

Information security is hard. Managing user authentication and authorization in apps/services usually gives developers an additional layer of headache on top of making applications actually work. Windows Hello and Microsoft Passport promise to be solid options for solving these issues.

Windows Hello offers easy biometric authentication that is integrated into Windows 10, taking away much of the pain around managing user credentials. But user authentication is just the first step of the problem. How do developers leverage biometrics to authorize users to apps/services?

That responsibility falls on Microsoft Passport – a seamless 2 Factor Authentication (2FA) system using device and user biometrics. Reusable user credentials can finally be replaced by biometrics and hardware-level security, thus enabling apps/services to offer robust built-in security.

This article unpacks Microsoft Passport and offers a walkthrough of how to utilize Microsoft Passport to power your apps. Seamless biometric security is wonderful, especially when you have the ability to leverage it in your apps. Let’s dive in.

All about Microsoft Passport

What is it?

Microsoft released a detailed video to unveil Microsoft Passport. I suggest you take a few minutes and watch it. And no, the new Microsoft Passport has absolutely nothing to do with the ill-fated and much hated .NET Passport.

How does it work?

Microsoft Passport works in conjunction with Windows Hello – the integrated biometric authentication system in Windows 10 devices. There are three types of Hello authenticators available – PIN, Facial Recognition and FingerPrint Recognition.

When the user sets up Windows Hello on his or her device, Microsoft Passport starts up in the background and generates a new public–private key pair. This is the same as the Asymmetric Key technology that is used in smart cards. On-device, tamper-resistant TPM hardware generates and protects the private key. If the device does not have a TPM, the private key is encrypted and protected programmatically by Windows.

Once the keys are generated, Microsoft Passport allows the user to sign in seamlessly to third party apps or services. User biometric information never leaves the device; instead it ‘releases’ the keys on the device so that Microsoft Passport APIs could be then used to authorize the user.

Any app, leveraging Microsoft Passport, can never use the keys from another app, nor can someone ever use the keys from another user. Applications can use Passport APIs to have the keys sign requests/responses that are exchanged with the Identity Provider or IDP, seeking user access to specified resources.

Which IDPs does Microsoft Passport support? Turns out, a lot – Passport works with Microsoft Account, Active Directory accounts, any Azure AD or any IDP under the FIDO Alliance banner.

Microsoft Passport in Action

Authorization through Keys

So, how do you leverage Microsoft Passport in your app? Quite simply actually, if you follow the recommended pattern:

  1. Check if the user’s device supports biometric credentials;
  2. If not, prompt user to set up Windows Hello or fail graciously;
  3. If Windows Hello is set up, authenticate user and enroll for app/service;
  4. Then, check if Passport keys exist for given app;
  5. If keys exist, let user in and sign server communication with key;
  6. If no keys exist, create Passport keys for given app;
  7. Optionally, send and store public Passport key on server for future authorizations.

PassportFlow

Image courtesy of Microsoft

Create or Utilize Keys

Say, you want to leverage Microsoft Passport in your new UWP app and corresponding web service. Let’s start a new app to put it all together and write some code to follow the steps, like below:

NewUWP

using Windows.Security.Credentials;
using Windows.Security.Cryptography;

private async void DoPassportStuff()
{
    // Does device support biometric credentials?
    var bioCredentialsAvailable = await KeyCredentialManager.IsSupportedAsync();

    if (!bioCredentialsAvailable)
    {
        // User has not set up Windows Hello PIN.
        var messageDialog = new MessageDialog("Please set up your Windows Hello PIN.");
        await messageDialog.ShowAsync();
    }
    else
    {
        // User has Windows Hello set up. Check if credentials exist for App.
        KeyCredentialRetrievalResult credentialCheckResult = await KeyCredentialManager.OpenAsync("PassportDemoKey");

  if (credentialCheckResult.Credential != null)
  {
    // If credentials exist, sign service requests/responses with Key.  
      KeyCredentialOperationResult signResult = await credentialCheckResult.Credential.
                                                    RequestSignAsync(CryptographicBuffer.ConvertStringToBinary("PassportDemoKey", BinaryStringEncoding.Utf8));
      if (signResult.Status == KeyCredentialStatus.Success)
      {
          // All set.
      }
  }
  else
  {
    // No credentials. Go ahead with Key creation for App.
          var keyCreationResult = await KeyCredentialManager.RequestCreateAsync("PassportDemoKey", KeyCredentialCreationOption.ReplaceExisting);

          if (keyCreationResult.Status == KeyCredentialStatus.Success)
          {
            // All set. Retrieve the Public Key, if desired.
              var userKey = keyCreationResult.Credential;
              IBuffer publicKeyBuffer = userKey.RetrievePublicKey();

              DataReader keyDataReader = DataReader.FromBuffer(publicKeyBuffer);
              byte[] KeyBytes = new byte[publicKeyBuffer.Length];
              keyDataReader.ReadBytes(KeyBytes);
              string publicKey = System.Text.Encoding.UTF8.GetString(KeyBytes);
          }
        }
    }
}

KeyCredentialManager.RequestCreateAsync creates the public and private Passport keys for the given app on the given device. If the device has a TPM chip, the APIs will request the TPM chip to create and store the keys; if there is no TPM chip available, the OS will create the key pair in code. There is no way for the app to access the created private keys directly, but programmatically, developers can read the public keys, as shown in the code.

Signed Communication for Authorization

When the app attempts to access a protected cloud/backend resource, the service sends a challenge to the app, in an attempt to authorize the user. The app uses the Passport key from the user to sign the challenge and sends it back to the server. With the public key for that user already on the server, standard crypto APIs can be used to make sure the message was indeed signed with the correct private key. All is good once a match is in place.

These steps are best depicted through the following flow diagram:

ServerFlow

Image courtesy Microsoft

KeyCredentialManager.OpenAsync asks the OS to open the key handle. If that is done successfully, the developer can sign the server challenge message with the KeyCredentialRetrievalResult.RequestSignAsync method. Windows may request user’s PIN or biometrics before this signing happens, but the private keys are always locked up behind the APIs.

In all honestly, the cloud or backend service sending the challenge to the app and verifying message signing through crypto APIs is not for the faint hearted. The server must validate the message signature using Crypt32 functions and hash algorithms; the process however is well documented from Microsoft – both in theory and in code. Once the message signature matches the stored public RSA key on the server, the user and the corresponding client app is authorized for further requests.

Authenticate On-Demand

At any point from your app, you may also trigger a re-checking of user biometrics. This can be especially helpful for sensitive operations, like In-App Purchases or actions that modify a user’s subscription within your service. If the user is already set up with Windows Hello and Microsoft Passport keys, the re-authentication is easy. Here’s the code:

public async void TriggerBiometricAuthentication()
{
    try
    {
        // Check the availability of biometric authentication.
        var bioAvailability = await Windows.Security.Credentials.UI.UserConsentVerifier.CheckAvailabilityAsync();

        switch (bioAvailability)
        {
            case Windows.Security.Credentials.UI.UserConsentVerifierAvailability.Available:

                // Biometric device is available and ready.
                // Ask for user authentication.

                var consentResult = await Windows.Security.Credentials.UI.UserConsentVerifier.RequestVerificationAsync("Please provide biometric verification.");

                if (consentResult == Windows.Security.Credentials.UI.UserConsentVerificationResult.Verified)
                {
                    // All good to go.
                }
              break;          
            case Windows.Security.Credentials.UI.UserConsentVerifierAvailability.DeviceBusy:
                // Biometric device is available, but busy.
              break;
            case Windows.Security.Credentials.UI.UserConsentVerifierAvailability.DeviceNotPresent:
                // No biometric device found. Fail gracefully.
              break;
        }
    }
    catch (Exception ex)
    {
        // Do exception handling.
    }
}

Once a biometric input device is available, a simple UserConsentVerifier.RequestVerificationAsync method call triggers Windows to prompt the user for entering his/her biometrics again. From a UWP app, you can trigger this re-authentication at will – the user gets prompted for their PIN or biometric data, as shown below.

BiometricAuth

Polished UI for UWP Apps

Microsoft Passport authorization works seamlessly from 3rd party apps/services, as long as Microsoft Passport APIs are used from the Windows 10 SDK that matches the OS the app will be used on. For practical purposes, most Windows Hello authentication and Microsoft Passport authorization usage will come from UWP apps.

If you are building your dream UWP app to run on any Windows device, don’t re-invent the wheel – use polished UI controls out-of-the-box. Telerik UI for UWP suite gets you performant UI that is responsive on any Windows device and has a consistent XAML API stack.

Telerik UI for UWP suite offers a lot of benefits out of the box. For example, if you need data visualization controls, it comes with polished Charts, Gauges and BulletGraphs, including a wide range of output types and robust data binding. There are also must-have controls like the ListView, DataForm, Map and a variety of visual input elements to light up your apps.

Dataviz

No matter which UI controls you use, it is nice that your UWP apps do not ever have to manage user security – that is a problem best outsourced to Windows and established IDPs. Windows Hello and Microsoft Passport are wonderful ammunition in the UWP developer’s arsenal.

Conclusion

Windows Hello offers easy biometric authentication that is integrated into Windows 10, taking away much of the pain around managing user credentials. And Microsoft Passport makes user authorization easy for 3rd party apps/services. This is done by leveraging a combination of specific device keys and user biometrics. Developers are relieved from the stresses of managing user credentials and Microsoft Passport makes sure to carefully orchestrate user privacy through top notch security measures. Happiness all around.

Header image courtesy of Damian Bariexca

Comments