Require fingerprint authentication to retrieve data?

  • Question

  • I posted this question on microsoft.public.platformsdk.security, but since the newsgroups are getting phased out, I thought I would repost here:

    On Windows 7, I'd like to be able to store a piece of data that can only be retrieved if the user proves who they are using their fingerprint. I'd like the authentication to be required even if they are already logged in to their account.

    I know that the DPAPI would allow me to store a piece of data that requires a typed password to decrypt (using the PromptStruct). And I know that the WBF (Windows Biometric Framework) provides a way to verify/identify a user based on a fingerprint swipe. However, I can't figure out a way to use these two APIs in conjunction so that DPAPI can take a fingerprint instead of a typed password as input.

    Any ideas? Perhaps I need to take a completely different approach...

    Thanks in advance,

    Friday, May 28, 2010 2:58 PM

All replies

  • Create a credential provider that supports the CPUS_CREDUI usage scenario.  Have it load the WBF to prompt for fingerprint swipe and return a user's password once that user has been verified.

    Next, create an application that calls the Windows function CredUIPromptForWindowsCredentials() to invoke the credential provider and ultimately return the password that is unlocked by the user's fingerprint.  Now the application can use DPAPI and the password to decrypt and return the required data.

    The MS credential provider samples can get you started:  http://www.microsoft.com/downloads/details.aspx?familyid=B1B3CBD1-2D3A-4FAC-982F-289F4F4B9300&displaylang=en

    Choose the "CredUI" sample as your starting point.


    Credential Provider resources:



    http://code.msdn.microsoft.com/ShellRevealed/Release/ProjectReleases.aspx?ReleaseId=2871 (Click on "Credential Provider Technical Reference")


    Good luck,



    Thursday, June 3, 2010 7:36 PM
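The DPAPI half of the approach in the reply above, as an added example that is not part of the original thread or the Microsoft samples. It assumes the released password is bound to the blob as DPAPI optional entropy (the reply does not say how the password is used); `GatedSecret`, the PBKDF2 parameters and the stand-in secret are hypothetical, and the credential provider and CredUI prompt are not shown.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData: reference System.Security.dll
using System.Text;
static class GatedSecret // hypothetical name
{
    const int SaltLen = 16, Iterations = 100000; // assumed PBKDF2 parameters

    // Stretch the released secret into the optional-entropy value handed to DPAPI.
    static byte[] Entropy(byte[] secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Returns salt || DPAPI blob; the blob is bound to the current user and to the entropy.
    public static byte[] Protect(byte[] data, byte[] secret)
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] entropy = Entropy(secret, salt);
        try
        {
            byte[] blob = ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser);
            var stored = new byte[SaltLen + blob.Length];
            Buffer.BlockCopy(salt, 0, stored, 0, SaltLen);
            Buffer.BlockCopy(blob, 0, stored, SaltLen, blob.Length);
            return stored;
        }
        finally { Array.Clear(entropy, 0, entropy.Length); } // do not leave key material around
    }

    // Throws CryptographicException when the secret (and so the entropy) does not match.
    public static byte[] Unprotect(byte[] stored, byte[] secret)
    {
        var salt = new byte[SaltLen];
        var blob = new byte[stored.Length - SaltLen];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltLen);
        Buffer.BlockCopy(stored, SaltLen, blob, 0, blob.Length);
        byte[] entropy = Entropy(secret, salt);
        try { return ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser); }
        finally { Array.Clear(entropy, 0, entropy.Length); }
    }

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-example-secret"); // stand-in for the prompt result
        byte[] stored = Protect(Encoding.UTF8.GetBytes("payload"), secret);
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(stored, secret)));
        try { Unprotect(stored, Encoding.UTF8.GetBytes("wrong")); }
        catch (CryptographicException) { Console.WriteLine("wrong secret rejected"); }
    }
}
```

If the secret used as entropy later changes (for example, the account password is changed), existing blobs no longer decrypt and must be re-protected while the old secret is still available. Any process running as the same user that obtains the secret can also decrypt the blob, so the gate is only as strong as the component that releases it.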