Skip to content

Passkeys/FIDO2/WebAuthn .NET Library for Windows Desktop and CLI Applications

License

Notifications You must be signed in to change notification settings

MichaelGrafnetter/webauthn-interop

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

WebAuthn Interop Assembly Project

MIT License Windows 10 1903+ .NET Framework 4.8+ .NET Core 3+ Continuous Integration Status

Passkeys / FIDO2 / W3C Web Authentication .NET Library for Windows Desktop and CLI Applications

Interop Assembly

The DSInternals.Win32.WebAuthn library allows .NET applications to directly interact with Passkeys (e.g. Windows Hello, Microsoft Authnticator, YubiKey, Feitian, or Crayonic) on Windows. It provides a managed wrapper of the low-level Windows 10+ WebAuthn API (defined in the webauthn.h header file and implemented in the webauthn.dll system library). This API is mainly used by browsers (see the source code of Chromium and Firefox) to implement passwordless web authentication, but it can also be used by any .NET desktop or CLI application.

The DSInternals.Win32.WebAuthn.Adapter library additionally uses classes defined in the Fido2.Models package as its front-end, which it then translates to native C structures. See the project site for more details.

PowerShell Module

The DSInternals.Passkeys PowerShell module uses the DSInternals.Win32.WebAuthn library together with the Microsoft Graph API to provide Microsoft Entra ID administrators the capability of registering Passkeys on behalf of other users:

PowerShell Passkey Registration Screenshot

See Yubico's blog for more details on the API.

FIDO2 UI

The project also contains a simple Windows GUI tool called FIDO2 UI, which is built on top of the DSInternals.Win32.WebAuthn library:

FIDO2 UI Screenshot

The only purpose of this tool is to demonstrate the usage of the WebAuthn API.

Downloads

GitHub Downloads PowerShell Gallery Downloads NuGet Gallery Downloads

  • The DSInternals.Passkeys PowerShell module is published in the PowerShell Gallery.
  • The latest version of the FIDO2 UI can be downloaded from the Releases section.
  • The DSInternals.Win32.WebAuthn library is published in the NuGet Gallery.

.NET API Usage

Overview

The WebAuthn API is only supported on Windows 10 1903 and newer. It is exposed in the DSInternals.Win32.WebAuthn namespace, with the WebAuthnApi class being the main entry point.

Following are code samples that mimic the behavior of login.microsoftonline.com. The samples are not ready for production use, as they are missing validation and contain many hardcoded values. Especially the challenge must be randomly generated in a cryptographically safe way.

Registration (Attestation)

Credential registration is performed by calling the AuthenticatorMakeCredential or AuthenticatorMakeCredentialAsync method:

var rp = new RelyingPartyInformation()
{
    Id = "login.microsoft.com",
    Name = "Microsoft"
};

var user = new UserInformation()
{
    Name = "john.doe@outlook.com",
    DisplayName = "John Doe",
    Id = Base64UrlConverter.FromBase64UrlString("TUY65dH-Otl4jMdTRvlFQ1aApACYsuqGKSPQDQc1Bd4WVyw")
};

var challenge = new byte[] { 0, 1, 2, 3 };
var api = new WebAuthnApi();

var response = api.AuthenticatorMakeCredential(rp, user, challenge, UserVerificationRequirement.Required, AuthenticatorAttachment.Any);

Authentication (Assertion)

Authentication using a previously registered credential is performed by calling the AuthenticatorGetAssertion or AuthenticatorGetAssertionAsync method:

var api = new WebAuthnApi();
var challenge = new byte[] { 0, 1, 2, 3 };
var response = api.AuthenticatorGetAssertion("login.microsoft.com", challenge, UserVerificationRequirement.Required, AuthenticatorAttachment.CrossPlatform);

Troubleshooting

Rohitab API Monitor

Rohitab API Monitor can be used to analyze WebAuthn API calls made by browsers:

API Monitor Screenshot

Windows Event Viewer

Windows 10 creates very detailed logs of WebAuthn API calls and CTAP commands. The logs can be displayed in the built-in Event Viewer console under Applications and Services Logs → Microsoft → Windows → WebAuthN → Operational:

WebAuthn Event Viewer Screenshot

Microsoft's Documentation

Acknowledgements