
Online Service 1. Authorization Request (Start URL) 2. Login page 3. Credentials 4. Authorization page 5. User decision 6. Authorization



Page 2: Windows Phone 8.1 Security Features

Geir Olsen, Principal Program Manager, Windows Phone Security & Identity Team

2-531

Page 3: Agenda

- Goals for WP 8.1
- Microsoft Account
- Web Authentication Broker
- Credential Locker
- A surprise
- The filling of gaps

Page 4: Security Goals for Windows Phone 8.1

Page 5: Goals

- Minimize the amount of time users have to re-enter their credentials
- Offer developers a rich (converged) security programming model
- Move the dial forward on enabling use of the phone as an authentication device

Page 6: "I hate passwords" (everyone, 2013)

Page 7: Authentication - Microsoft Account

Page 8: Microsoft Account

- Primary identity provider for Windows Phone
- The majority of users are signed in with MSA on their Windows Phone
- New API and single sign-on introduced
- Windows.Security.Authentication.OnlineId is the namespace for the new API
- Converged with Windows

Page 9: Microsoft Account benefits

- App data roaming is automatic between your apps on Windows and Windows Phone
- The user most likely will not have to enter their credentials again
- The MSA user experience and security evolve independently of OS platform updates
- Frequently used code paths ensure reliability

Page 10: Microsoft Account APIs

There are three options for using MSA:

- OnlineId: preferred method; uses the connected account
- Web Authentication Broker: OAuth; can be used for secondary MSA accounts
- Live SDK: provides abstractions for easy access to OneDrive

Page 11: Demo - Microsoft Account using OnlineId

Page 12: Authentication - Web Authentication Broker

Page 13: Web authentication broker

- Many apps connect to popular online services
- Authentication is usually required
- Identity providers typically implement OAuth for authentication and authorization

Page 14: Typical OAuth flow

Participants: User, App, Online Service

1. Authorization request (Start URL)
2. Login page
3. Credentials
4. Authorization page
5. User decision
6. Authorization token (Redirect URL)
7. Data access

Page 15: Problems

- No single sign-on
- No credential isolation
- Inconsistent user experience
- Will not work in low memory situations

Page 16: Web authentication broker

- Use WAB to authenticate to OAuth identity providers
- Benefits: single sign-on, simple API, credential isolation
- Windows.Security.Authentication.Web API is similar to Windows but optimized to handle low memory situations
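The following is an added example, not code from the deck, of driving the OAuth flow from slide 14 through WAB on Windows Phone 8.1. It uses the AndContinue pattern (the app can be terminated while the broker is up, which is the low-memory case the slide refers to) and binds the response to the request with a persisted OAuth state value; the identity-provider endpoint, client id, and the LoginPage class are hypothetical placeholders.

```csharp
using System;
using System.Linq;
using Windows.ApplicationModel.Activation;
using Windows.Security.Authentication.Web;
using Windows.Security.Cryptography;
using Windows.Storage;
using Windows.UI.Xaml.Controls;

// Hypothetical sign-in page; endpoint and client id are placeholders.
public sealed partial class LoginPage : Page, IWebAuthenticationBrokerContinuable
{
    const string AuthorizeEndpoint = "https://idp.example.com/oauth2/authorize";
    const string ClientId = "YOUR-CLIENT-ID";
    const string StateKey = "oauth_state";
    // Step 1: build the start URL with a random state; persist it because the app may be terminated while the broker shows the login page.
    void StartSignIn()
    {
        string state = CryptographicBuffer.EncodeToHexString(CryptographicBuffer.GenerateRandom(16));
        ApplicationData.Current.LocalSettings.Values[StateKey] = state;
        Uri callbackUri = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
        var startUri = new Uri(AuthorizeEndpoint + "?response_type=token"
            + "&client_id=" + Uri.EscapeDataString(ClientId)
            + "&redirect_uri=" + Uri.EscapeDataString(callbackUri.AbsoluteUri)
            + "&state=" + state);
        WebAuthenticationBroker.AuthenticateAndContinue(startUri, callbackUri);
    }

    // Step 6: the broker returns the redirect URL via app activation (the app's OnActivated
    // handler routes WebAuthenticationBrokerContinuationEventArgs here; not shown).
    public void ContinueWebAuthentication(WebAuthenticationBrokerContinuationEventArgs args)
    {
        WebAuthenticationResult result = args.WebAuthenticationResult;
        if (result.ResponseStatus != WebAuthenticationStatus.Success)
            return; // UserCancel or ErrorHttp: report it, do not retry silently
        // Implicit grant puts the token in the fragment of the redirect URL.
        var fields = new Uri(result.ResponseData).Fragment.TrimStart('#').Split('&')
            .Select(p => p.Split('=')).Where(kv => kv.Length == 2)
            .ToDictionary(kv => kv[0], kv => Uri.UnescapeDataString(kv[1]));
        string expectedState = ApplicationData.Current.LocalSettings.Values[StateKey] as string;
        ApplicationData.Current.LocalSettings.Values.Remove(StateKey);
        string state;
        if (expectedState == null || !fields.TryGetValue("state", out state) || state != expectedState)
            return; // not bound to a request this app started; discard the response
        string accessToken;
        if (!fields.TryGetValue("access_token", out accessToken)) return;
        // Step 7: use accessToken for data access; keep it in PasswordVault, not plain settings.
    }
}
```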

Page 17: Demo - Web Authentication Broker

Page 18: Credentials, Crypto, and Certs

Page 19: Storing credentials

- Use Credential Locker to securely store credentials and roam them across the user's trusted devices
- Windows.Security.Credentials: PasswordVault (and related) are supported; WebAccount* is not supported on Phone
- Benefits: roaming via Microsoft account, secure storage, credential isolation (apps can only access their own credentials)

Page 20: Credential Locker sample code

```csharp
using System.Collections.Generic;
using Windows.Security.Credentials;

void SaveCredential(string username, string password)
{
    PasswordVault vault = new PasswordVault();
    // The resource name scopes the credential; the vault only returns credentials this app stored.
    PasswordCredential cred = new PasswordCredential("MyAppResource", username, password);
    vault.Add(cred);
}

IReadOnlyList<PasswordCredential> RetrieveCredential(string resource)
{
    PasswordVault vault = new PasswordVault();
    // Throws if no credential exists for the resource; returned credentials carry no
    // password until RetrievePassword() is called on one of them.
    return vault.FindAllByResource(resource);
}
```

Page 21: Crypto and Certs

WinRT platform convergence: support for the following namespaces

- Windows.Security.Cryptography
- Windows.Security.Cryptography.Certificates
- Windows.Security.Cryptography.Core
- Windows.Security.Cryptography.DataProtection

Major features enabled

- Many common crypto algorithms supported by the platform
- Client certificate authentication
- Data protection API allows encrypting secrets in memory

Page 22: Virtual Smart Card

Page 23: VSC Goals

- Enable hardware-based, two-factor authentication for S/MIME and secure browsing scenarios
- Keys are bound to the hardware and can only be accessed when the user PIN is provided
- VSC is built on top of the Trusted Platform Module (TPM)

Page 24: VSC Architecture

Components shown in the architecture diagram:

- Enrollment Application
- WinRT VSC Provisioning APIs (e.g. Create VSC)
- Email App (S/MIME), Browser
- CNG APIs
- TPM KSP
- WP SC KSP, WP SC Provisioning
- WP PIN Prompt, PIN Cache and SmartCard infrastructure
- TPM 2.0

Notes:

- The Enrollment App creates a VSC and enrolls/imports certificates into the VSC; the app needs the SharedUserCertificates capability
- WinRT APIs are largely converged. Caveats: Change and Reset PIN are not supported; only one VSC at a time
- Namespace: Windows.Devices.SmartCards
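An added example (not from the deck) of the "Create VSC" step an enrollment app performs through Windows.Devices.SmartCards; the VscEnrollment class and the friendly name are hypothetical, and the admin-key handling reflects the TPM-bound key model from slide 23 rather than any specific enrollment backend.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

// Hypothetical enrollment helper; the friendly name is a placeholder.
public static class VscEnrollment
{
    public static async Task<SmartCardProvisioning> CreateVscAsync()
    {
        // PIN policy enforced by the platform PIN prompt. Because Change and Reset PIN
        // are not supported on Phone 8.1, choose the policy carefully up front.
        var pinPolicy = new SmartCardPinPolicy
        {
            MinLength = 6,
            MaxLength = 8,
            Digits = SmartCardPinCharacterPolicyOption.RequireAtLeastOne,
            UppercaseLetters = SmartCardPinCharacterPolicyOption.Disallow,
            LowercaseLetters = SmartCardPinCharacterPolicyOption.Disallow,
            SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow,
        };

        // The administrative key (24-byte 3DES key) authorises card management. Generate it
        // randomly, hand it to the enrollment backend, and never persist it in app data.
        IBuffer adminKey = CryptographicBuffer.GenerateRandom(24);

        // Prompts the user to pick a PIN; the keys live in the TPM. Returns null if the
        // user declined, and only one VSC can exist at a time on Phone 8.1.
        SmartCardProvisioning provisioning =
            await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync("Contoso VSC", adminKey, pinPolicy);
        if (provisioning == null) return null;

        // Certificate enrollment/import into this VSC follows, which requires the
        // SharedUserCertificates capability in the app manifest.
        return provisioning;
    }
}
```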

Page 25: Demo - Virtual Smart Card

Page 26: Apps on SD

- No APIs, but app developers can opt out through a setting
- Encryption of app files on the SD card (different keys for the program and data folders)
- Access control for FAT (!) for additional isolation

Page 28: Your Feedback is Important

Fill out an evaluation of this session and help shape future events.

Scan the QR code to evaluate this session on your mobile device.

You'll also be entered into a daily prize drawing!

Page 29: Legal notice

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.