Skip to main content
Skip table of contents

Windows Biometric Foundation operation

We're excited to announce enhanced authentication capabilities with the integration of Windows Biometric Framework (WBF) support into our server platform! This update significantly improves the user experience by enabling seamless, secure, and passwordless or multi-factor authentication through WBF-compliant biometric devices like fingerprint readers on Windows systems.

WBF is a standardized API from Microsoft that simplifies biometric authentication across various devices. By integrating it, our server can now effortlessly process biometric authentication requests from your Windows desktop clients.

This document covers how WBF integration works, including its architecture, configuration, and usage.

What's New for Administrators

Managing WBF integration is straightforward. Here's what administrators need to know:

  • Policy Configuration: We've introduced a dedicated policy that lets administrators define whether biometric authentication is optional or required.

    image-20250604-134543.png

  • New Authentication Method: A new authentication method, simply named WBF, is now available.

    image-20250604-134618.png

    image-20250604-134658.png

  • Dedicated Authentication Command: The cmd_wbf is a new command specifically implemented to handle WBF-based authentication requests from Windows clients. Please note this command is restricted to desktop devices only.

    image-20250604-134817.png

  • Enhanced User Experience: A new selector called Windows Biometrics has been added to improve user engagement during the authentication process.

    image-20250604-134907.png

  • Improved Identity and Device Management: The Identity and Device sections in the administration interface have been enhanced.

    • The Identity view now provides detailed information about registered desktop devices and their associated authenticators.

      image-20250604-135002.png

    • The Device view now allows administrators to see a device's associated authenticators, including the WBF method, and the identity it's linked to.

      image-20250604-135049.png

Note that the WBF authenticator will have a single entry in Veridium, no matter how many fingers are actually enrolled.

Self-Service Portal Updates

The Identity view in the Self-Service Portal (SSP) now provides detailed information about registered desktop devices and their associated authenticators, offering users greater visibility into their biometric setup.

image-20250604-135213.png

Enrollment Process

Here's how users can enroll their biometric data:

Note that Windows Hello cannot be used at the same time with Veridium WBF integration (i.e. having a Windows Hello option (face, fingerprint, PIN) enrolled in both Windows - Settings - Sign-in options - and Veridium Windows Biometrics Manager active)

The easiest way to disable Windows Hello is to set the following key value in registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}]
"Disabled"=dword:00000001

  1. User Initiates Enrollment: The user taps the "Enroll" button within the native application named “Windows Biometrics Manager” installed automatically starting with Windows Credential Provider v3.8.1.
    The application allows registered fingerprint check, add or remove.

    image-20250604-135315.png
    image-20250604-140525.png
    image-20250605-130315.png

  2. Launch WebView with SSP: The native application launches a WebView that displays the Self-Service Portal (SSP) regular enrollment flow.

    image-20250604-140744.png

  3. Enrollment via SSP: The user completes the enrollment steps within the SSP. The native application monitors the currentStatus of the enrollment.

  4. Detect Enrollment Completion: Once currentStatus reaches ACTIVE, the native application closes the WebView and resumes control of the enrollment process.

  5. Continue Native Enrollment Workflow: The application continues with any additional native-side enrollment logic (e.g., secure credential storage, biometric linking).

    image-20250604-135518.png

  6. Finalize Enrollment: The native application completes the process by invoking the /SetAuthenticationMethod endpoint via BopsLogonService, supplying the necessary parameters to register the chosen authentication method with the backend.

Authentication Flow

The authentication process using Windows Biometric Framework (WBF) with VeridiumID works as follows:

  1. Authentication Request: The Credential Provider (CP) sends an AuthenticationRequest to VeridiumID to begin the authentication flow.

  2. Command Retrieval: The CP receives the available authentication commands.

  3. Choose Authentication Command: The CP sends the WBF command to VeridiumID via /ChooseAuthentication.

    image-20250604-135715.png

    If the user engagement selector is used instead, the interface will adapt accordingly:

    image-20250724-080706.png

  4. Session ID Assignment: VeridiumID responds with a SessionID, which uniquely identifies this authentication session.

  5. Biometric Matching and Private Key Use: The CP performs biometric matching (e.g., a fingerprint scan). If successful, it securely unlocks the user's PrivateKey stored on the device.

    image-20250604-135907.png
    image-20250604-135932.png

  6. Message Signing: The CP constructs an encrypted message (Message = profileId + SessionID) and signs it with the unlocked PrivateKey.

  7. Authentication Response: The signed message is sent to VeridiumID's /AuthenticationResponse endpoint for verification and session completion.

WBF Authenticator Status

To check the status of a WBF authenticator, you'll need to call the /GetAuthenticationMethodStatus API with the following parameters:

JSON 
{
  "deviceId": "string",
  "applicationVersion": "string",
  "ts": "string",
  "val1": "string",
  "val2": "string",
  "deviceFingerprint": "string",
  "profileId": "string",
  "name": "string"
}

MediaType = application/vnd.veridiumid.getauthenticationmethodstatus-v1+json

and the response will be:

JSON 
{
  "status": "string",
  "error": {
    "errorDescription": "string",
    "errorCode": 0
  }
}

Possible status values include:

  • ACTIVATED

  • DISABLED (by user)

  • EXPIRED (when LostMode expiration occurs)

  • LOST (when LostMode activation updates authenticator status)

  • EXPIRING (when it's about to expire)

  • BLOCKED (when a device is blocked, updating authenticator status)

  • BLOCKED_BY_ADMIN

  • NOT_FOUND

An errorCode of 0 indicates a successful operation.

Delete Authenticator

To remove a WBF authenticator, call the /DeleteAuthenticationMethod API with these parameters:

CODE 
{
  "profileId": "string",
  "name": "string" //authenticator name (WBF)
}

MediaType = application/vnd.veridiumid.deleteauthmethod-v1+json

and the response will be:

CODE 
{
  "error": {
    "errorDescription": "string",
    "errorCode": 0
  }
}

Again, an errorCode of 0 signifies a successful operation.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close