Windows Hello is a user biometric authentication technology based on fingerprint, retina, 3D face scanning and even the venous palm pattern.
In financial services, reliable and secure user authentication is essential. For authorization we use a two-factor scheme: either a login and password, or a phone number and password confirmed by a code sent to the linked mobile number. To simplify subsequent access to the authorized area, a 4-digit PIN code is used.
After authorization and creating a PIN code, user authentication can be passed on to Windows Hello. The general sequence of necessary actions is as follows:
- Check the possibility of using Windows Hello.
- User verification using Windows Hello, which allows you to associate an authorized Windows user with our client.
- Caching a previously created PIN by user ID in a protected area.
- On subsequent launches of the application with an authorized user, the user authentication procedure by means of Windows Hello is automatically launched. If authentication is successful, the cached PIN is requested from the protected area.
Let's take a closer look at each step in the code examples.
The minimum requirement for using Windows Hello is a PIN configured for signing in to the system. If the user has no certified biometric hardware, the PIN code will be used instead.
We do it like this:
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials.UI;

// Our own simplified view of the Windows Hello availability states.
public enum WindowsHelloStatus
{
    Available,
    Busy,
    DisabledByPolicy,
    NotConfiguredForUser,
    Unavailable
}

public async Task<WindowsHelloStatus> CheckHelloStatusAsync()
{
    var checkAvailabilityAsyncOperation = UserConsentVerifier.CheckAvailabilityAsync();
    var checkAvailabilityTask = checkAvailabilityAsyncOperation.AsTask();
    // Give the availability check at most one second to complete.
    var completedTask = await Task.WhenAny(checkAvailabilityTask, Task.Delay(TimeSpan.FromSeconds(1)));
    if (completedTask == checkAvailabilityTask)
    {
        var availability = checkAvailabilityTask.Result;
        switch (availability)
        {
            case UserConsentVerifierAvailability.Available:
                return WindowsHelloStatus.Available;
            case UserConsentVerifierAvailability.DeviceBusy:
                return WindowsHelloStatus.Busy;
            case UserConsentVerifierAvailability.DisabledByPolicy:
                return WindowsHelloStatus.DisabledByPolicy;
            case UserConsentVerifierAvailability.NotConfiguredForUser:
                return WindowsHelloStatus.NotConfiguredForUser;
            default:
                return WindowsHelloStatus.Unavailable;
        }
    }
    // The check timed out: cancel the pending operation and treat Windows Hello as unavailable.
    checkAvailabilityAsyncOperation.Cancel();
    return WindowsHelloStatus.Unavailable;
}
This code is straightforward: it checks the status of the Windows Hello service. UserConsentVerifierAvailability has a few more status values, but for our purposes the ones handled in the example above are enough.
Once the Tinkoff PIN code has been set and Windows Hello availability confirmed, we offer the user the option to enable this service:
If the user agrees, they must be authenticated; for this we use the following code:
// Text shown in the Windows Hello prompt. The original post does not give its value, so this is a placeholder.
private readonly string requestMessage = "Confirm that it is you";

public async Task<bool> VerifyUserAsync()
{
    if (await CheckHelloStatusAsync() != WindowsHelloStatus.Available)
        return false;
    // Windows chooses the verification method (fingerprint, face, PIN, ...) and shows requestMessage in its dialog.
    var result = await UserConsentVerifier.RequestVerificationAsync(requestMessage);
    return result == UserConsentVerificationResult.Verified;
}
In this example we verify that the person currently using the device is the account owner. UserConsentVerifier.RequestVerificationAsync prompts the user to verify themselves with whatever method is available, be it fingerprint, retina or another option. The convenience is that we do not have to care about what happens or how; what matters is that this option meets our security requirements.
Without Windows Hello, we ask for the PIN code every time the application is launched or after the user has been inactive. The same code is used to confirm requests while the user works with the application. With Windows Hello the user no longer has to enter this code every time, which raises the question of how to store it safely. Here the PasswordVault service comes to the rescue: it is designed for storing data that needs special protection. The service does not store data in clear text. On devices equipped with a dedicated encryption chip it uses that chip for protection; on devices without one, protection is implemented in software.
This example shows how easy it is to add data to PasswordVault for storage:
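An added example of the caching step (this is not the original post's code): the PIN is stored in PasswordVault under a per-app resource name and the user ID, replacing any earlier entry for the same user. appCredentialsName is the resource name the later methods use; its value here is a placeholder.

```csharp
using System;
using Windows.Security.Credentials;

// Assumed resource name under which this app keeps its cached PINs (placeholder, not from the original post).
private const string appCredentialsName = "TinkoffPin";

// Cache the PIN for userId in PasswordVault once Windows Hello has been enabled for this user.
public void SaveCredentials(string userId, string pin)
{
    var vault = new PasswordVault();
    try
    {
        // Keep at most one entry per (resource, user): replace a previously cached PIN instead of adding a duplicate.
        var existing = vault.Retrieve(appCredentialsName, userId);
        vault.Remove(existing);
    }
    catch (Exception)
    {
        // Retrieve throws when nothing is stored yet; that is the normal first-run case.
    }
    vault.Add(new PasswordCredential(appCredentialsName, userId, pin));
}
```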
When the user switches accounts or signs out of the application, their data must be removed from the password store:
using System;
using Windows.Security.Credentials;

public void RemoveCredentials(string userId)
{
    var vault = new PasswordVault();
    try
    {
        // Retrieve throws (rather than returning null) when no matching credential exists.
        var credentials = vault.Retrieve(appCredentialsName, userId);
        vault.Remove(credentials);
    }
    catch (Exception)
    {
        // Nothing is stored for this user, so there is nothing to remove.
    }
}
The following example shows the method we use after starting the application:
public async Task<string> SignInAsync(string userId)
{
    if (await CheckHelloStatusAsync() != WindowsHelloStatus.Available)
        return null;
    var result = await UserConsentVerifier.RequestVerificationAsync(requestMessage);
    if (result != UserConsentVerificationResult.Verified)
        return null;
    var vault = new PasswordVault();
    try
    {
        // Retrieve returns the credential with its password already populated.
        var credentials = vault.Retrieve(appCredentialsName, userId);
        return credentials.Password;
    }
    catch (Exception)
    {
        // No cached PIN for this user (for example, it was removed by RemoveCredentials).
        return null;
    }
}
First we check that the Windows Hello service is available. Then we ask the service to confirm that the application is being used by the account owner. If the user passes verification, we retrieve the PIN for this user, which was saved there when the Tinkoff PIN code was set.
And that is how, with five small methods, we integrated Windows Hello into the application.