This topic, written for users, IT professionals, and hardware and software developers, describes the enhancements made to the Windows Biometrics Framework in Windows 8.1, the scenarios that use biometric authentication through the built-in enrollment features, and the new APIs that let Windows Store app developers request biometric user consent from within their apps. Fingerprints are the only biometric factor the Windows Biometric Framework supports at this time.
For a demonstration of some of the enhancements referenced in this topic, see Additional resources.
The Windows Biometrics Framework (WBF) Win32 client API, driver specification and adapter specification have not changed for Windows 8.1.
The Biometric Input Device (BID) class driver for USB fingerprint readers is no longer part of WBF.
The Biometrics Control Panel that was present in Windows 7 and Windows 8 has been removed from Windows 8.1. Fingerprint management is now reached through PC settings instead.
For more information, see the following section in this topic: Fingerprint registration experience and fingerprint management application.
New WinRT APIs are exposed for Windows Store apps to leverage the power of biometric authentication.
For more information, see the following section in this topic: New WinRT APIs for biometrics.
Windows 8.1 includes a fingerprint registration application, thereby removing the need for a hardware manufacturer to provide such an application. This application is integrated with the account settings page in PC settings. Users can access it by doing one of the following:
Type “Fingerprint” at the Start screen
Navigate to PC Settings, select Accounts, and select Sign-in options
The fingerprint option will always be visible if there is a WBF-supported fingerprint reader (and its associated driver) installed on the PC. However, it is possible to prevent users from starting the registration program by disabling the use of biometrics with Group Policy.
Figure 1 Fingerprint registration application
Users must supply Microsoft Account (MSA) credentials to purchase apps from the Windows Store. In Windows 8.1, a user can give his or her consent with a fingerprint if the Microsoft Account authorizing the purchase meets both of the following requirements:
The MSA account is registered as a Windows user on the PC
The MSA account is registered for fingerprint sign-in on the PC
Note: The Microsoft account that authorizes the purchase does not need to be the currently signed-in user. If the Microsoft account is connected to the PC and enrolled for fingerprint sign-in, the fingerprint option works for purchasing apps from the Store.
Figure 2 Purchasing apps from the Windows Store
If there is a custom credential provider that filters out the inbox Biometrics credential provider, then this scenario will not work, because the interfaces for Windows Store integration are not public.
A domain account with a connected Microsoft account behaves differently from a Microsoft account that is itself the Windows user. During fingerprint registration, Windows enables fingerprint sign-in only for the domain account, not for the connected Microsoft account.
When such a user attempts to purchase an app from the Windows Store, the Windows Biometrics credential provider detects that the user who can authorize the purchase is connected to the domain user via a connected domain account. This triggers a one-time collection of the user’s Microsoft account credentials to authorize the app purchase. The credential is stored in the user-vault, Credential Locker. Subsequent attempts to purchase apps from the Windows Store can then be authenticated by fingerprints alone without requesting the user to enter a password.
Windows music and video purchase works the same way as Windows Store app purchases for authenticating with fingerprints.
Fingerprint-based authentication is also available as an alternative to many Windows password prompts. The biometrics credential provider appears as an option whenever an application asks Windows to authenticate a Windows user, for example Remote Desktop Connection.
If a specific user is required to authenticate and that user has a fingerprint registration on the PC and there is a working WBF-compatible fingerprint reader with drivers available, the biometrics credential provider tile will appear in Credential UI (CredUI). If that user does not have a fingerprint registration, the biometrics credential provider tile will not appear in CredUI.
In cases where CredUI will accept any user, the biometrics tile will appear if any user on the system has registered for biometric sign-in.
Figure 3 CredUI displayed when launching Remote Desktop App
Windows 8.1 exposes two WinRT APIs that let a Windows Store app verify that the person at the device is the currently signed-in user. The APIs invoke CredUI to collect a fingerprint scan and then check that the scan matches the signed-in user's enrolled fingerprints. This gives app developers a simple point-of-use identity check to perform before granting access to a high-value resource.
Figure 4 A Windows Store app requesting fingerprint-based consent
For more information, see Windows.Security.Credentials.UI namespace.
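The following C# snippet is an added example, not code from the original topic or from Microsoft, showing how a Windows Store app would use the two APIs referenced above: Windows.Security.Credentials.UI.UserConsentVerifier.CheckAvailabilityAsync to find out whether a fingerprint check can succeed at all, and UserConsentVerifier.RequestVerificationAsync to display CredUI and obtain the verdict. The wrapper class name FingerprintConsent, its RequestAsync method, the Outcome and Result types, DescribeAvailability, and the sample purpose string are all assumptions introduced for illustration; the UserConsentVerifier members and enum values are the real WinRT API.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials.UI;

// Point-of-use identity check for a Windows Store app on Windows 8.1.
// Call from the UI thread: RequestVerificationAsync displays CredUI.
// FingerprintConsent, RequestAsync, Outcome and Result are hypothetical names for this example.
public static class FingerprintConsent
{
    public enum Outcome { Verified, Unavailable, Denied, Cancelled }

    public sealed class Result
    {
        public Outcome Outcome;
        public string Detail;   // text suitable for showing to the user or logging
    }

    // 'purpose' is the message CredUI displays; say exactly which action is being authorized.
    public static async Task<Result> RequestAsync(string purpose)
    {
        // Step 1: can a fingerprint check succeed right now? If not, offer the app's
        // fallback (for example a password prompt) instead of showing a prompt that must fail.
        UserConsentVerifierAvailability availability =
            await UserConsentVerifier.CheckAvailabilityAsync();
        if (availability != UserConsentVerifierAvailability.Available)
        {
            return new Result { Outcome = Outcome.Unavailable, Detail = DescribeAvailability(availability) };
        }

        // Step 2: collect the scan; Windows matches it against the signed-in user's templates.
        UserConsentVerificationResult verification =
            await UserConsentVerifier.RequestVerificationAsync(purpose);

        switch (verification)
        {
            case UserConsentVerificationResult.Verified:
                return new Result { Outcome = Outcome.Verified, Detail = "Fingerprint matched the signed-in user." };
            case UserConsentVerificationResult.Canceled:
                return new Result { Outcome = Outcome.Cancelled, Detail = "The user dismissed the prompt." };
            case UserConsentVerificationResult.RetriesExhausted:
                return new Result { Outcome = Outcome.Denied, Detail = "Too many non-matching scans; the prompt was refused." };
            default:
                // DeviceNotPresent, NotConfiguredForUser, DisabledByPolicy and DeviceBusy can also
                // surface here if the environment changed between the two calls.
                return new Result { Outcome = Outcome.Denied, Detail = verification.ToString() };
        }
    }

    // Hypothetical helper that turns the availability enum into user-facing text.
    static string DescribeAvailability(UserConsentVerifierAvailability a)
    {
        switch (a)
        {
            case UserConsentVerifierAvailability.DeviceNotPresent:
                return "No WBF-supported fingerprint reader is installed.";
            case UserConsentVerifierAvailability.NotConfiguredForUser:
                return "The signed-in user has not enrolled a fingerprint on this PC.";
            case UserConsentVerifierAvailability.DisabledByPolicy:
                return "Biometrics is disabled by Group Policy.";
            case UserConsentVerifierAvailability.DeviceBusy:
                return "The fingerprint reader is busy; try again.";
            default:
                return a.ToString();
        }
    }
}

// Usage, for example in the click handler of a button that triggers a high-value action
// (the purpose string is a constructed sample):
//
//   Result r = await FingerprintConsent.RequestAsync("Approve transfer of 500 USD to account 1234");
//   if (r.Outcome == FingerprintConsent.Outcome.Verified) { /* proceed */ }
//   else { /* show r.Detail and fall back to the app's other authentication path */ }
```

Two design points matter here. First, the availability check is done before prompting so the app can route straight to its fallback when the user has no enrollment or policy disables biometrics, rather than surfacing a CredUI dialog that cannot succeed. Second, the verdict is only an enum value, not a token or credential: treat it as valid for the single action that prompted it and call RequestAsync again for the next high-value action instead of caching the result.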
During sign-in to Windows, if Windows receives too many consecutive fingerprint scans that do not match any of the registered users, the fingerprint sign-in option is disabled until the user signs in with an alternate credential or the system reboots.
If Exchange ActiveSync (EAS) policies that disable convenience sign-in methods are deployed to a system, the fingerprint registration application still lets the user register, but the user's password is not stored in Credential Locker unless the PC is encrypted. Likewise, when such an EAS policy is deployed to a PC that already has a fingerprint registration, the user's password is removed from Credential Locker. If the PC is encrypted with BitLocker or a non-Microsoft encryption solution, users can still use fingerprints to sign in to Windows.
If biometric sign-in is disabled for the user through Group Policy, the user is still allowed to register fingerprints. During registration, a message tells the user that fingerprint sign-in will not work but that certain applications may still be able to use fingerprints to authenticate the user. After enrollment completes, the user's password is not saved in Credential Locker; only the fingerprint templates are stored on the system. Applications can still use such an enrollment to identify the user and perform their own credential management.
By default, the Group Policy setting that controls biometric sign-in for domain accounts is Not Configured, which is treated as biometric sign-in being disabled for domain accounts. A system administrator can also explicitly disable biometric sign-in for domain accounts with Group Policy.
If the policy is set to disable biometric sign-in for domain accounts, the inbox fingerprint registration experience still lets the user register fingerprints; however, the user's password is not stored on the system, so biometric sign-in for domain accounts is not possible. Applications can still use fingerprint-based identification and perform credential management for app-specific credentials and resources.
If the policy is left as Not Configured, the inbox fingerprint registration application warns the user that continuing with fingerprint registration will enable the policy, thereby allowing all domain users to use biometric sign-in on that PC. The policy is changed only after the user successfully completes the registration.
From the 2013 BUILD conference: Biometrics-Fingerprints for Apps
From the 2013 TechEd North America conference: What’s New in Windows 8.1 Security: Modern Access Control Deep Dive
Management and configuration
EAS policies - Use Exchange ActiveSync Policies for Device Management
Group Policy Settings – Policy settings are located in Administrative Templates\Windows Components\Biometrics. Use the Group Policy Management Console or the Local Group Policy Editor to access these settings.