Geir Olsen
Principal Program Manager
Windows Phone Security & Identity Team
Windows Phone 8.1 Security Features
2-531
Goals for WP 8.1
Microsoft Account
Web Authentication Broker
Credential Locker
A surprise
The filling of gaps
Agenda slide
Security Goals for Windows Phone 8.1
Minimize the amount of time users have to re-enter their credentials
Offer developers a rich (converged) security programming model
Move the dial forward on enabling use of phone as an authentication device
Goals
“I hate passwords” (everyone, 2013)
Authentication -Microsoft Account
Primary Identity Provider for Windows Phone
The majority of users are signed in with MSA on their Windows Phone
New API and Single Sign-On introduced
Windows.Security.Authentication.OnlineId is the namespace for the new API
Converged with Windows
Microsoft Account
App data roaming is automatic between your apps on Windows and Windows Phone
User most likely will not have to enter their credentials again
MSA user experience and security evolves independent of OS platform updates
Frequently used code paths ensure reliability
Microsoft Account benefits
There are three options for using MSA:
OnlineId - Preferred method - Connected Account
Web Authentication Broker - OAuth, can be used for secondary MSA accounts
Live SDK - provides abstractions for easy access to OneDrive
Microsoft Account APIs
Demo – Microsoft Account using OnlineId
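The demo itself is not in the deck, so here is an added example (my code, not the session's or Microsoft's sample) of what the preferred OnlineId path looks like in C#: sign in with the account connected to the phone, pull one service ticket, and hand back only the pieces an app should keep. The service and policy strings are placeholders for whatever your own backend requires.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Authentication.OnlineId;

// Added example: Microsoft Account sign-in via Windows.Security.Authentication.OnlineId.
// "wl.basic" / "DELEGATION" are placeholder service and policy strings.
public static class MsaSignIn
{
    private static readonly OnlineIdAuthenticator Authenticator = new OnlineIdAuthenticator();

    // Returns the ticket value to present to your service, or throws if none was issued.
    public static async Task<string> GetTicketAsync()
    {
        var request = new OnlineIdServiceTicketRequest("wl.basic", "DELEGATION");

        // With a connected account the user is normally not prompted at all;
        // the platform reuses the phone's existing sign-in (single sign-on).
        UserIdentity identity = await Authenticator.AuthenticateUserAsync(request);

        // SafeCustomerId is the identifier intended for the app to store as a
        // key for per-user data; do not persist the ticket or SignInName for that.
        string userKey = identity.SafeCustomerId;

        if (identity.Tickets.Count == 0)
        {
            throw new InvalidOperationException("No ticket returned for the requested service");
        }

        OnlineIdServiceTicket ticket = identity.Tickets[0];
        // A non-zero ErrorCode means this particular ticket request failed
        // even though the overall sign-in succeeded.
        if (ticket.ErrorCode != 0)
        {
            throw new InvalidOperationException("Ticket request failed: " + ticket.ErrorCode);
        }

        // Send ticket.Value to your service over TLS only; never log it.
        return ticket.Value;
    }

    public static async Task SignOutAsync()
    {
        // The connected (primary) account cannot be signed out by an app;
        // CanSignOut is false in that case.
        if (Authenticator.CanSignOut)
        {
            await Authenticator.SignOutUserAsync();
        }
    }
}
```

The security-relevant points are the two that the deck's goals call out: no credential is ever typed into the app, and the only durable value the app keeps is SafeCustomerId, not the ticket.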
Authentication – Web Authentication Broker
Many apps connect to popular online services
Authentication is usually required
Identity providers typically implement OAuth for authentication and authorization
Web authentication broker
Typical OAuth flow
Actors: User, App, Online Service
1. Authorization Request (Start URL)
2. Login page
3. Credentials
4. Authorization page
5. User decision
6. Authorization token (Redirect URL)
7. Data access
No single sign-on
No credential isolation
Inconsistent user experience
Will not work in low memory situations
Problems
Use WAB to authenticate to OAuth identity providers
Benefits
Single sign-on
Simple API
Credential Isolation
Windows.Security.Authentication.Web API similar to Windows but optimized to handle low memory situations
Web authentication broker
Demo – Web Authentication Broker
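As an added example that is not part of the deck or Microsoft's sample code, this is the OAuth implicit flow from the slide driven through the Phone 8.1 broker. The phone API is the AuthenticateAndContinue form: the broker runs outside the app, the app may be suspended or terminated while the login page is shown (the low-memory case the slide mentions), and the result is delivered through app activation. The authorize endpoint and client id are placeholders; the state value written to LocalSettings is my own addition so the redirect can be tied back to the request even after a restart.

```csharp
using System;
using System.Collections.Generic;
using Windows.ApplicationModel.Activation;
using Windows.Security.Authentication.Web;
using Windows.Security.Cryptography;
using Windows.Storage;

// Added example: Web Authentication Broker on Windows Phone 8.1.
public static class OAuthSignIn
{
    // Placeholder values; substitute your identity provider's endpoint and client id.
    private const string AuthorizeEndpoint = "https://example.invalid/oauth/authorize";
    private const string ClientId = "YOUR_CLIENT_ID";
    private const string StateKey = "oauth_state";

    // Step 1 of the flow: build the start URL and hand off to the broker.
    public static void Start()
    {
        // Random state defends against login CSRF: the redirect must echo it back.
        // It goes to LocalSettings, not a field, because the app may be terminated.
        string state = CryptographicBuffer.EncodeToHexString(CryptographicBuffer.GenerateRandom(16));
        ApplicationData.Current.LocalSettings.Values[StateKey] = state;

        // Platform-assigned callback URI, unique to this app package; register
        // exactly this value with the provider so tokens cannot be redirected elsewhere.
        Uri callback = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();

        Uri startUri = new Uri(AuthorizeEndpoint +
            "?response_type=token" +
            "&client_id=" + Uri.EscapeDataString(ClientId) +
            "&redirect_uri=" + Uri.EscapeDataString(callback.AbsoluteUri) +
            "&state=" + state);

        // Steps 2-6 happen in the broker's isolated UI; the app never sees the credentials.
        WebAuthenticationBroker.AuthenticateAndContinue(startUri, callback);
    }

    // Call this from App.OnActivated when the args are WebAuthenticationBrokerContinuationEventArgs.
    // Returns the access token, or null if the sign-in was cancelled, failed, or did not match our state.
    public static string Continue(WebAuthenticationBrokerContinuationEventArgs args)
    {
        WebAuthenticationResult result = args.WebAuthenticationResult;
        if (result.ResponseStatus != WebAuthenticationStatus.Success)
        {
            // UserCancel or ErrorHttp; ResponseErrorDetail carries the HTTP status for the latter.
            return null;
        }

        // ResponseData is the full redirect URL; for the implicit flow the token is in the fragment.
        Uri redirect = new Uri(result.ResponseData);
        Dictionary<string, string> parameters = ParseQuery(redirect.Fragment.TrimStart('#'));

        string expectedState = ApplicationData.Current.LocalSettings.Values[StateKey] as string;
        ApplicationData.Current.LocalSettings.Values.Remove(StateKey);

        string returnedState;
        if (expectedState == null ||
            !parameters.TryGetValue("state", out returnedState) ||
            returnedState != expectedState)
        {
            return null; // response is not the one we started; discard it
        }

        string token;
        return parameters.TryGetValue("access_token", out token) ? token : null;
    }

    private static Dictionary<string, string> ParseQuery(string query)
    {
        var map = new Dictionary<string, string>();
        foreach (string pair in query.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            map[Uri.UnescapeDataString(pair.Substring(0, eq))] =
                Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return map;
    }
}
```

Once Continue returns a token, the natural next step is to put it in the Credential Locker rather than in app settings, which is what the next section of the deck covers.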
Credentials, Crypto, and Certs
Use Credential Locker to securely store credentials and roam across the user’s trusted devices
Windows.Security.Credentials PasswordVault (and related) are supported
WebAccount* not supported on Phone
Benefits
Roaming via Microsoft account
Secure Storage
Credential isolation (apps can only access their own credentials)
Storing credentials
Credential Locker sample code
using System.Collections.Generic;
using Windows.Security.Credentials;

// Stores one credential under this app's resource name; the vault is per-app.
void SaveCredential(string username, string password)
{
    PasswordVault vault = new PasswordVault();
    PasswordCredential cred = new PasswordCredential("MyAppResource", username, password);
    vault.Add(cred);
}

// Returns every credential stored under the resource name. Note that the
// Password property of each result is empty until RetrievePassword() is called.
IReadOnlyList<PasswordCredential> RetrieveCredential(string resource)
{
    PasswordVault vault = new PasswordVault();
    return vault.FindAllByResource(resource);
}
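The sample above shows the happy path. As an added example (mine, not the deck's), the two behaviours that trip up first use of the locker: FindAllByResource and Retrieve throw rather than returning empty when nothing is stored, and credentials that come back from a FindAll* call carry no password until RetrievePassword() is called. The resource name is the same placeholder the slide uses.

```csharp
using System;
using System.Collections.Generic;
using Windows.Security.Credentials;

// Added example: Credential Locker lookup and removal with the not-found case handled.
public static class CredentialStore
{
    private const string Resource = "MyAppResource"; // same placeholder as the slide

    // HRESULT the vault raises when no credential matches (ERROR_NOT_FOUND).
    private const int ElementNotFound = unchecked((int)0x80070490);

    // Returns the saved credential with its password populated, or null if none exists.
    public static PasswordCredential FindSavedCredential()
    {
        var vault = new PasswordVault();
        try
        {
            IReadOnlyList<PasswordCredential> found = vault.FindAllByResource(Resource);
            PasswordCredential cred = found[0];
            // Enumeration deliberately leaves Password empty so that listing
            // credentials does not expose every secret; fetch it explicitly.
            cred.RetrievePassword();
            return cred;
        }
        catch (Exception ex)
        {
            if (ex.HResult != ElementNotFound) throw; // anything else is a real error
            return null; // first run, or the user signed out earlier
        }
    }

    // Removes the credential on sign-out so it does not roam to the user's other devices.
    public static void Forget(string username)
    {
        var vault = new PasswordVault();
        try
        {
            vault.Remove(vault.Retrieve(Resource, username));
        }
        catch (Exception ex)
        {
            if (ex.HResult != ElementNotFound) throw;
            // already gone; nothing to do
        }
    }
}
```

Because the locker roams through the Microsoft account, removing a credential on sign-out matters more than it would for purely local storage: a token left behind on one device is a token left behind on all of them.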
WinRT platform convergence
Support for the following namespaces:
Windows.Security.Cryptography
Windows.Security.Cryptography.Certificates
Windows.Security.Cryptography.Core
Windows.Security.Cryptography.DataProtection
Major features enabled:
Many common crypto algorithms supported by the platform
Client certificate authentication
Data protection API allows encrypting secrets in memory
Crypto and Certs
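To make the "encrypting secrets in memory" bullet concrete, here is an added example (not from the deck) using two of the converged namespaces: DataProtectionProvider from Windows.Security.Cryptography.DataProtection to wrap a secret under a user-scoped platform key, and HashAlgorithmProvider from Windows.Security.Cryptography.Core for a SHA-256 digest. The protection descriptor string "LOCAL=user" is the one the platform accepts for a per-user key on the local device.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage.Streams;

// Added example: Windows.Security.Cryptography.* on Windows Phone 8.1.
public static class SecretProtection
{
    // Wrap a secret so only the current user on this device can unwrap it.
    // The key belongs to the platform; the app holds the opaque blob instead
    // of the plaintext string for the lifetime of the process.
    public static async Task<IBuffer> ProtectAsync(string secret)
    {
        var provider = new DataProtectionProvider("LOCAL=user");
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(secret, BinaryStringEncoding.Utf8);
        return await provider.ProtectAsync(plain);
    }

    // Unwrap right before use; no descriptor is needed because the blob carries it.
    public static async Task<string> UnprotectAsync(IBuffer protectedBlob)
    {
        var provider = new DataProtectionProvider();
        IBuffer plain = await provider.UnprotectAsync(protectedBlob);
        return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, plain);
    }

    // Round trip used as a self-check: the unwrapped value must equal the input.
    public static async Task<bool> RoundTripWorksAsync(string secret)
    {
        IBuffer blob = await ProtectAsync(secret);
        // The blob is not the plaintext: it must differ from the UTF-8 input bytes.
        IBuffer raw = CryptographicBuffer.ConvertStringToBinary(secret, BinaryStringEncoding.Utf8);
        if (CryptographicBuffer.Compare(blob, raw)) return false;
        return await UnprotectAsync(blob) == secret;
    }

    // SHA-256 hex digest, e.g. for pinning a value you want to compare later
    // without keeping the value itself.
    public static string Sha256Hex(string input)
    {
        HashAlgorithmProvider sha = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(input, BinaryStringEncoding.Utf8);
        return CryptographicBuffer.EncodeToHexString(sha.HashData(data));
    }
}
```

Data protection is the right tool for secrets the app only needs transiently; anything that must survive reinstall or roam belongs in the Credential Locker from the previous section.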
Virtual Smart Card
Enable hardware-based, two-factor authentication for S/MIME and Secure Browsing scenarios
Keys are bound to the hardware and can only be accessed when user PIN is provided
VSC is built on top of the Trusted Platform Module (TPM)
VSC Goals
VSC Architecture (layers, top to bottom)
Applications: Enrollment Application; Email App (S/MIME); Browser
APIs: WinRT VSC Provisioning APIs (e.g. Create VSC); CNG APIs
Key storage and provisioning: WP SC Provisioning; WP SC KSP; TPM KSP
WP PIN Prompt, PIN Cache and SmartCard infrastructure
TPM 2.0
Enrollment App creates a VSC and enrolls/imports certificates into the VSC
App needs SharedUserCertificates capability
WinRT APIs are largely converged. Caveats:
Change and Reset PIN are not supported
Only one VSC at a time
Windows.Devices.SmartCards
Demo – Virtual Smart Card
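An added example, not the deck's demo, of the enrollment app's first step through Windows.Devices.SmartCards: locate the TPM-backed reader, reuse the card if one exists (the slide says only one VSC is allowed at a time), otherwise create one with a PIN policy. The API shape is the one converged from Windows 8.1; the friendly name and PIN policy values are my choices.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Devices.Enumeration;
using Windows.Devices.SmartCards;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

// Added example: create or reuse the TPM-backed virtual smart card.
// Requires the SharedUserCertificates capability in the app manifest.
public static class VscEnrollment
{
    public static async Task<SmartCard> GetOrCreateAsync(string friendlyName)
    {
        // Only TPM readers host a VSC; this selector filters to those.
        string selector = SmartCardReader.GetDeviceSelector(SmartCardReaderKind.Tpm);
        DeviceInformationCollection readers = await DeviceInformation.FindAllAsync(selector);

        foreach (DeviceInformation info in readers)
        {
            SmartCardReader reader = await SmartCardReader.FromIdAsync(info.Id);
            IReadOnlyList<SmartCard> cards = await reader.FindAllCardsAsync();
            if (cards.Count > 0)
            {
                return cards[0]; // Phone 8.1: one VSC at a time, so reuse it
            }
        }

        // The admin key authorises management operations on the card. Generate
        // it randomly; never embed a fixed value in the app package.
        IBuffer adminKey = CryptographicBuffer.GenerateRandom(24);

        // Numeric PIN of 6 to 8 digits. The user chooses it in the platform
        // prompt; the keys on the card are usable only after it is entered.
        var pinPolicy = new SmartCardPinPolicy
        {
            MinLength = 6,
            MaxLength = 8,
            Digits = SmartCardPinCharacterPolicyOption.Allow,
            UppercaseLetters = SmartCardPinCharacterPolicyOption.Disallow,
            LowercaseLetters = SmartCardPinCharacterPolicyOption.Disallow,
            SpecialCharacters = SmartCardPinCharacterPolicyOption.Disallow
        };

        SmartCardProvisioning provisioning =
            await SmartCardProvisioning.RequestVirtualSmartCardCreationAsync(friendlyName, adminKey, pinPolicy);
        return provisioning.SmartCard;
    }
}
```

After creation the enrollment app imports or enrolls certificates whose private keys live on this card; because Change and Reset PIN are not available on Phone 8.1, the admin key should be retained (server-side) if the deployment ever needs to recover a card, and the card has to be deleted and recreated rather than re-PINed.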
No APIs, but app developers can opt out through a setting
Encryption of app files on SD card (different keys for program and data folder)
Access control for FAT (!) for additional isolation
Apps on SD
Microsoft Account Scopes and Permissions
Windows.Security.Authentication.OnlineId
Windows.Security.Authentication.Web
Windows.Security.Cryptography
Windows.Security.Cryptography.Core
Windows.Security.Cryptography.Certificates
Windows.Devices.SmartCards
Resources
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.