
I'm implementing a V2 Credential Provider which invokes the Windows Biometric Framework API to verify a user's fingerprint.

Now the V2 CP is built and can be loaded by LogonUI, but I don't know how to organize the serialized data for GetSerialization after a fingerprint verification. Or maybe the biometric auth data is not submitted by GetSerialization?

Please help, thanks very much.

  • You need to pass the serialization in a form that the *ulAuthenticationPackage* authentication package understands. For instance, MSV1_0 understands only login/password, in `MSV1_0_INTERACTIVE_LOGON`. Kerberos also understands the certificate/smartcard logon format. – RbMm Jun 03 '21 at 00:48
  • @RbMm thanks very much for the reply. I checked on MSDN but did not find an authentication package type for fingerprint verification. I understand the data form in the `pcpcs->rgbSerialization` buffer for the types you mentioned, but I don't know the form for fingerprint verification, because there is no pwd/cert/csp/pin information in that scenario o(╥﹏╥)o – Charles.W Jun 03 '21 at 03:34
  • 2
    you must or pass some standard data in *rgbSerialization* , which understanded by some built-in package/sub package, or write own authentication package, which use your private data and return info about user (so implement *LsaApLogonUserEx2* ) or say encrypt user well known credential (like name/password) with your bio data, decrypt by self in provider and pass it (login/password) to lsass – RbMm Jun 03 '21 at 10:15
  • @RbMm, I will try the sub-package direction. Thank you for the guidance. – Charles.W Jun 08 '21 at 02:29
  • 1
    I have tried the sub package authentication approach, and the package is only called once a valid credential has been provided. I believe sub authentication packages are used to filter or screen authentication after the fact. My understanding is that you will need to replay a password or use a virtual smart card or certificate. Please let me know if this is not the case though. – James Westgate Jun 22 '21 at 15:35
  • 1
    @JamesWestgate, thank you for reply. i tried on sub package direction, but so far as i know, this way is still need a password o(╥﹏╥)o . like you mentioned, after a smart card authentication finish, AD server return a ticket to client for logon windows, so i figure maybe there is a ticket for fingerprint too, i'm looking for the document about ticket at the mean time. i'll let you know if i found something^_^ – Charles.W Jun 25 '21 at 01:52
  • 1
    @JamesWestgate, i found a text describe like this ......**Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics.** ......----i think that means windows hello(not for business) also need username and password after fingerprint verified, so do us. link is https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#what-s-the-difference-between-windows-hello-and-windows-hello-for-business – Charles.W Jun 25 '21 at 09:13
  • 1
    Hi Charles,I thought this was the case. If you can encrypt and store the password, it’s not too much of a problem. What language are you using? I can show you some resources to perform serialisation. – James Westgate Jun 25 '21 at 19:23
  • @JamesWestgate, I use C++, thanks in advance. – Charles.W Jun 28 '21 at 06:10
  • 1
    @Charles.W - source code to perform serialization can be viewed here: https://github.com/pgina/pgina/blob/master/pGina/src/CredentialProvider/SerializationHelpers.cpp. With all the talk of Windows 11 and TPM requirements, I found out this weekend it is also possible to use a TPM to store things like credentials. You could store a password using a key managed by a TPM for those who have it. – James Westgate Jun 28 '21 at 08:29
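The serialization that RbMm and James Westgate describe, as an added example that is not part of this thread, of the pGina code linked above, or of the Windows SDK sample: a credential provider packs a `KERB_INTERACTIVE_LOGON` for `pcpcs->rgbSerialization` by copying the struct, appending each string's bytes, and replacing every `Buffer` pointer with its byte offset from the start of the blob; the receiver resolves those offsets again, and the bounds check shown is the one a provider should also apply before trusting any offset it unpacks itself. The struct definitions are reduced mirrors declared here so the code runs off Windows (the real ones come from `ntsecapi.h`, with `WCHAR` where `char16_t` is used), and `PackInteractiveLogon`/`UnpackInteractiveLogon` are names of my own.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
using USHORT = uint16_t; using ULONG = uint32_t;
struct UNICODE_STRING { USHORT Length, MaximumLength;  // bytes, no terminator (mirror, assumed)
                        char16_t* Buffer; };           // pointer, or byte offset once packed
struct KERB_INTERACTIVE_LOGON {    // mirror (assumed) without the unlock LUID
    ULONG MessageType;             // KerbInteractiveLogon == 2
    UNICODE_STRING LogonDomainName, UserName, Password;
};
constexpr ULONG KerbInteractiveLogon = 2;

// Sender side (GetSerialization): header, then the three string payloads,
// each Buffer rewritten as a byte offset from the start of the blob.
std::vector<uint8_t> PackInteractiveLogon(const std::u16string& domain,
        const std::u16string& user, const std::u16string& password)
{
    KERB_INTERACTIVE_LOGON kil{};
    kil.MessageType = KerbInteractiveLogon;
    const std::u16string* src[3] = {&domain, &user, &password};
    UNICODE_STRING* dst[3] = {&kil.LogonDomainName, &kil.UserName, &kil.Password};
    std::vector<uint8_t> blob(sizeof(kil));           // header placeholder
    for (int i = 0; i < 3; ++i) {
        size_t bytes = src[i]->size() * sizeof(char16_t);
        dst[i]->Length = dst[i]->MaximumLength = static_cast<USHORT>(bytes);
        dst[i]->Buffer = reinterpret_cast<char16_t*>(static_cast<uintptr_t>(blob.size()));
        const uint8_t* p = reinterpret_cast<const uint8_t*>(src[i]->data());
        blob.insert(blob.end(), p, p + bytes);
    }
    std::memcpy(blob.data(), &kil, sizeof(kil));      // header now carries offsets
    return blob;
}

// Receiver side (what LSA does in place): resolve each offset back into a
// string, rejecting any offset or length that points outside the blob.
bool UnpackInteractiveLogon(const std::vector<uint8_t>& blob, std::u16string out[3])
{
    if (blob.size() < sizeof(KERB_INTERACTIVE_LOGON)) return false;
    KERB_INTERACTIVE_LOGON kil; std::memcpy(&kil, blob.data(), sizeof(kil));
    if (kil.MessageType != KerbInteractiveLogon) return false;
    const UNICODE_STRING* fld[3] = {&kil.LogonDomainName, &kil.UserName, &kil.Password};
    for (int i = 0; i < 3; ++i) {
        size_t off = reinterpret_cast<uintptr_t>(fld[i]->Buffer);
        if (off > blob.size() || fld[i]->Length > blob.size() - off) return false;
        out[i].assign(reinterpret_cast<const char16_t*>(blob.data() + off),
                      fld[i]->Length / sizeof(char16_t));
    }
    return true;
}
```

In a real provider the blob goes in `rgbSerialization` with `cbSerialization` set to its size and `ulAuthenticationPackage` obtained from `LsaLookupAuthenticationPackage` for the Negotiate package; the SDK's `KerbInteractiveUnlockLogonPack` adds a `LUID` to this layout for the unlock case.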
