Give your app's users a security experience that doesn’t feel like a hassle, and keep pace with the latest authentication techniques. Windows 8.1 offers new ways to authenticate and manage users, expanded support for signatures and certificates, and new capabilities for stored credentials.

New or updated in Windows 8.1

Fingerprint authentication

[Get the UserConsentVerifier sample now.]

Your app can now use a fingerprint scan to authenticate a user. Use biometric authentication to help protect an app from unauthorized use or to control access to specific pages or resources. To do this, use the UserConsentVerifier class in the Windows.Security.Credentials.UI namespace.

Your app should first verify that fingerprint authentication is an option on the user's device. To find out whether the device has a fingerprint reader, call the UserConsentVerifier.CheckAvailabilityAsync method. Even if a device supports fingerprint authentication, your app should still provide users with an option in Settings to enable or disable it. For more info about creating this setting, see Adding app settings.

If fingerprint verification is available, and the user has enabled it, you can call the UserConsentVerifier.RequestVerificationAsync method and continue app operations if this method returns a result of Verified.

WebAuthenticationBroker updates

[Get the Web authentication broker sample now.]

The web authentication broker (represented by the WebAuthenticationBroker class) has been updated to automatically fill in existing credentials based on user consent. The credentials are stored in the Credential Locker. When an app needs to sign in to a resource using web authentication broker, if the broker finds an existing credential in the Credential Locker and the user has consented, the existing credential is used and the user is automatically signed in to the resource. For more information, see Web authentication broker.

Smart cards and Virtual Smart Cards

[Get the Smart card sample now.]

Your app can now communicate with smart card readers and authenticate with smart cards using APIs defined in the Windows.Devices.SmartCards namespace. The following classes drive the core usage scenarios for this feature:

This code example shows how to create a TPM Virtual Smart Card by calling the RequestVirtualSmartCardCreationAsync method of the SmartCardProvisioning class. The method call specifies a friendly name, an admin key, and a PIN policy.

function createTpmVirtualSmartCard(adminKey) {
    var pinPolicy = new Windows.Devices.SmartCards.SmartCardPinPolicy();
    pinPolicy.minLength = 4;
    pinPolicy.lowercaseLetters = Windows.Devices.SmartCards.SmartCardPinCharacterPolicyOption.allow;
    pinPolicy.uppercaseLetters = Windows.Devices.SmartCards.SmartCardPinCharacterPolicyOption.requireAtLeastOne;
    pinPolicy.digits = Windows.Devices.SmartCards.SmartCardPinCharacterPolicyOption.allow;
    pinPolicy.specialCharacters = Windows.Devices.SmartCards.SmartCardPinCharacterPolicyOption.disallow;

        "Contoso Virtual Smart Card", 
    .done(function (cardProvision) {
        if (cardProvision == null) {
            // The request is canceled.

For more info about these and other related scenarios and APIs, see Windows.Devices.SmartCards.

Credential Locker updates

[Get the Credential Locker sample now.]

We've updated the Credential Locker to improve your ability to store user credentials and then automatically supply them for the user when needed. Windows 8.1 includes these changes to the Credential Locker.

  • Identify a default credential when multiple credentials exist for a resource. The PasswordCredential.Properties collection now includes a Default property.

  • Determine when a credential was last used, in order to retire unused credentials. The PasswordCredential.Properties collection now includes a LastAccessed property.

App account settings

[Get the Credential locker and Web authentication broker samples now.]

In Windows 8.1, the Settings contract has been updated to include account management. Now you can implement the Settings contract and enable your users to manage multiple account credentials.

For example, you may have an email client that manages emails from multiple servers. Likewise, you may have a social media app that aggregates content from numerous social media sites and services. You can use the Settings contract to simplify user access to credentials for all of these sites and services. Read more about the Settings contract at Adding app settings.

The SettingsCommand object now includes an AccountsCommand property. You can add an instance of CredentialCommand or WebAccountCommand to the ApplicationCommands collection to enable app account settings, and populate the AccountsCommand property.

The Windows Runtime now offers these classes for managing accounts with app account settings:


Manages information and metadata for an online authentication provider.


Represents an instance of an account from an online authentication provider.


Represents an instance of an account shown by the accounts flyout. When multiple accounts are managed, each account is represented by a WebAccountCommand instance.


Represents an instance of a credential from the Credential Locker.


Trust management and certificates

[Get the Cryptography and Certificate sample now.]

Windows 8.1 includes expanded support for using certificates and signatures to help increase the security and trust of resources used by your app. These scenarios are now supported:

This code example shows how to sign a document by using a detached signature.

// Define aliases for the cryptography namespaces.
var WindowsCerts = Windows.Security.Cryptography.Certificates;
var WindowsCryptCore = Windows.Security.Cryptography.Core;

// Verify a signed PDF file. The CMS signature is an attachment to the PDF file.

function signPDF(inputStream) {
    // Get a certificate for computing the signature.
    var query = new WindowsCerts.CertificateQuery();
    query.issuerName = "Sample Trusted Third Party";

    var certificates;
    WindowsCerts.findAllAsync(query).then(function(certificates) {
        var certificateList;
        // Build the certificate chain for first certificate returned.
            function(chain) {
                certificateList = chain.getCertificates(true); 

        // Build signer info.
        var signer = new WindowsCerts.CmsSignerInfo();
        signer.certificate = certificates[0];
        signer.hashAlgorithm = WinCryptoCore.HashAlgorithmNames.sha256;
        var signers;
        signers[0] = signer;

        // Sign the PDF document.       
            inputStream, signers, certificateList).then(
                function(result) {
                    return result;

    // Document not signed. 
    return null;

Selective wipe

[Get the File Revocation Manager sample now.]

Windows 8.1 introduces support for selective wipe, which enables you to identify folders and files on a user’s PC that can be revoked (and thereafter deleted) by a command from a server. This scenario is especially relevant for businesses and enterprises in cases when an employee’s PC is lost or stolen, or when an employee who kept company files on a personal device has left the company.

When adding a new file as app data, you can call the FileRevocationManager.ProtectAsync method to enroll the file in selective wipe. Selective wipe identifies the file by using an enterprise identity—typically a domain name. Here's a code example.

var appRootFolder = Windows.Storage.ApplicationData.current;
var enterpriseIdentity = "";

function addNewFolderButtonClick() {
  var folderName = document.getElementById("folderName");
    function (folder) {
      var status = addItemProtected(folder, enterpriseIdentity);

// Protect a folder or a file.
function addItemProtected(item, enterpriseId) {
    itemPath, enterpriseId).then(
      function (itemProtectionStatus) {
        return itemProtectionStatus;

When accessing a file or folder protected by selective wipe, call the FileRevocationManager.GetStatusAsync method to retrieve the protection status for the item each time it is accessed. If the item status value returned is Revoked, delete the file.

// Open a file. If access to the file is denied, check to see if the file is revoked.
function readFile(file) {
  try {
      function (fileStream) {
        return fileStream;
  catch (e) {
    if (e.message == "Access Denied") {
        function (itemProtectionStatus) {
          if (itemProtectionStatus == 
            Windows.Security.EnterpriseData.FileProtectionStatus.revoked) {
            item.deleteAsync().then(function () { return null; });

For more information, see the Windows.Security.EnterpriseData namespace and the File Revocation Manager sample.

Windows To Go updates

Windows 8 introduced the ability to create a Windows To Go workspace that is booted from a USB-connected external drive on PCs that meet the Windows 7 or Windows 8 certification requirements. A workspace can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Windows 8.1 updates this feature to enable booting from a USB composite device with a storage and a smart card function.



© 2015 Microsoft