What kind of credential was used to log on?

We’re in the research phase for the Secure Purchase Order System code sample (aka Bio Approval Workflow). A question came up regarding the use of the built-in Windows Credential UI, aka CredUI.

Namely, we’re considering using CredUIPromptForWindowsCredentials with the CREDUIWIN_SECURE_PROMPT flag on Win 7 in order to gather a user fingerprint biometric credential. The trick is, for this demo, we want to ensure not only that the user provides a valid Windows credential, but that it’s specifically a fingerprint.

Unfortunately, that doesn’t seem to be possible using CredUI. For one thing, Win 7 Bio doesn’t use its own authentication package, so we can’t use the auth package filtering feature of CredUI. And for another thing, it appears that unmarshaling the returned credential would require being in a system context.

Technically, we shouldn’t be relying on the user application to enforce fingerprint usage anyway, since the user could write his or her own client and bypass that check. But I don’t really want to add an NT service to the code sample just to handle prompting, and it doesn’t appear that there’s another good option. Stay tuned as we work this one out …
