Secure Windows App Development Authentication Secure data in

Secure Windows App Development

Authentication Secure data in flight Secure data at rest

Authentication

Challenges username ****

OAuth provider support “Outsourcing” authentication User confidence

Benefits username **** Challenges

https: //channel 9. msdn. com/Events/ Microsoft-Azure/Azure. Con-2015/ACON 312 Identity and Access management Microsoft Azure Active Directory Apps 1 Users sign in from any device using their existing username/password. User 2 Multi-Factor Authentication Server Users must also authenticate using their phone or mobile device before access is granted.

Introducing Microsoft Passport and Windows Hello

Convenient multi-factor authentication Microsoft Passport Windows Hello Enterprise credential protection using Virtual Secure Mode (VSM)

During OOBE setup

1. Validate if the user has set up a PIN, and optionally Windows Hello, on their device Key. Credential. Manager. Is. Supported. Async 2. Create Credential. Key and attestation Key. Credential. Manager. Request. Create. Async 3. Register public key, attestation and user information with the server for validation on login

3 7 4 5 1

Microsoft Passport and Windows Hello

Securing data in flight

Client/server Web services

Using hashes with Windows. Security. Cryptography. Core. Hash. Algorithm. Provider Digital signatures with Cryptographic. Engine SSL pinning Ensures message has been sent by the authorized server by verifying the server’s certificate Easiest implementation is the evaluate of the certs the server returns in response to an HTTP request This should be done before sending sensitive information in a request

More control over validation Can validate certificate chain Custom logic for multiple domains/root CAs

SSL Pinning

https: //channel 9. msdn. com/events/ Microsoft-Azure/Azure. Con-2015/ACON 313 API

Securing data at rest

Credential locker vault = new Windows. Security. Credentials. Password. Vault(); vault. Add(new Windows. Security. Credentials. Password. Credential("My App", username, password));

Support for symmetric and asymmetric encryption Windows. Security. Cryptography. Core. Cyptographic. Engine supports encryption, decryption, and signing of content, as well as verification of digital signatures Windows. Security. Cryptography. Data. Protection. Provider supports encryption and decryption of data by using device and user information

wait File. Protection. Manager. Protect. Async(m_file, “contoso. com”); Protection. Policy. Manager. Protected. Content. Revoked += Protected. Content. Revoked; resource. Identity = await Protection. Policy. Manager. Get. Primary. Managed. Identity. For. Network. Endpoint. Async(new Host. Name(resource. Uri. Host)); // if resource. Identity is empty or null, then it is considered personal if (!string. Is. Null. Or. Empty(resource. Identity)) { context = Protection. Policy. Manager. Create. Current. Thread. Network. Context(resource. Identity); }

</ > Additional Resources http: //dev. windows. com/ rajenki@microsoft. com

© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U. S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.