Passkeys / FIDO2 / W3C Web Authentication .NET Library for Windows Desktop and CLI Applications
The DSInternals.Win32.WebAuthn
library allows .NET applications to directly interact with Passkeys (e.g. Windows Hello, Microsoft Authnticator, YubiKey, Feitian, or Crayonic) on Windows.
It provides a managed wrapper of the low-level Windows 10+ WebAuthn API
(defined in the webauthn.h
header file and implemented in the webauthn.dll
system library). This API is mainly used by browsers
(see the source code of Chromium
and Firefox) to implement passwordless web authentication,
but it can also be used by any .NET desktop or CLI application.
The DSInternals.Win32.WebAuthn.Adapter
library additionally uses classes defined in the Fido2.Models package as its front-end, which it then translates to native C structures. See the project site for more details.
The DSInternals.Passkeys PowerShell module uses the DSInternals.Win32.WebAuthn
library together with the Microsoft Graph API to provide Microsoft Entra ID administrators the capability of registering Passkeys on behalf of other users:
See Yubico's blog for more details on the API.
The project also contains a simple Windows GUI tool called FIDO2 UI
, which is built on top of the DSInternals.Win32.WebAuthn
library:
The only purpose of this tool is to demonstrate the usage of the WebAuthn API.
- The
DSInternals.Passkeys
PowerShell module is published in the PowerShell Gallery. - The latest version of the
FIDO2 UI
can be downloaded from the Releases section. - The
DSInternals.Win32.WebAuthn
library is published in the NuGet Gallery.
The WebAuthn API is only supported on Windows 10 1903 and newer. It is exposed in the DSInternals.Win32.WebAuthn namespace, with the WebAuthnApi class being the main entry point.
Following are code samples that mimic the behavior of login.microsoftonline.com.
The samples are not ready for production use, as they are missing validation and contain many hardcoded values. Especially the challenge
must be randomly generated in a cryptographically safe way.
Credential registration is performed by calling the AuthenticatorMakeCredential or AuthenticatorMakeCredentialAsync method:
var rp = new RelyingPartyInformation()
{
Id = "login.microsoft.com",
Name = "Microsoft"
};
var user = new UserInformation()
{
Name = "john.doe@outlook.com",
DisplayName = "John Doe",
Id = Base64UrlConverter.FromBase64UrlString("TUY65dH-Otl4jMdTRvlFQ1aApACYsuqGKSPQDQc1Bd4WVyw")
};
var challenge = new byte[] { 0, 1, 2, 3 };
var api = new WebAuthnApi();
var response = api.AuthenticatorMakeCredential(rp, user, challenge, UserVerificationRequirement.Required, AuthenticatorAttachment.Any);
Authentication using a previously registered credential is performed by calling the AuthenticatorGetAssertion or AuthenticatorGetAssertionAsync method:
var api = new WebAuthnApi();
var challenge = new byte[] { 0, 1, 2, 3 };
var response = api.AuthenticatorGetAssertion("login.microsoft.com", challenge, UserVerificationRequirement.Required, AuthenticatorAttachment.CrossPlatform);
Rohitab API Monitor can be used to analyze WebAuthn API calls made by browsers:
Windows 10 creates very detailed logs of WebAuthn API calls and CTAP commands. The logs can be displayed in the built-in Event Viewer console under Applications and Services Logs → Microsoft → Windows → WebAuthN → Operational:
- WebAuthn APIs for password-less authentication on Windows 10
- C header file
- Graph API Create fido2AuthenticationMethod
- This project uses the FIDO2 .NET Library. Huge thanks to its contributors, mainly @abergs and @aseigler.
- There are at least 2 similar projects, in various stages of completeness: