Changes to the GINA (Graphical Identification and Authentication Interface)


  • This is a section from a white paper (from MS), but it talks about smart cards and changes to the Graphical Identification and Authentication (GINA) interface.

    New Logon Architecture

    Many organizations and software vendors are choosing to supplement passwords or smart cards with additional authentication factors such as biometrics or one-time password tokens. In previous versions of Windows, implementing these factors often required developers to rewrite the Graphical Identification and Authentication (GINA) interface. This sometimes made it unduly difficult and expensive for companies using these methods. In addition, it was not possible to use multiple GINAs simultaneously.


    Although passwords are still supported, the primary focus for strong authentication in Windows Vista is smart cards. That said, the logon architecture has been completely rewritten to make it easier to extend for new credential types. Supporting new credential types requires creating a new Credential Provider, and the Windows logon user interface can interact simultaneously with multiple Credential Providers to make use of different authentication methods, including biometrics and tokens from third-party credential providers. This not only makes it possible for customers to enhance their security by choosing the right combination of available authentication methods, but it also enables developers to easily implement future authentication methods into the existing architecture.


    The new architecture also enables Credential Providers to be event-driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt also can be used by applications that use the new credential user interface API.


    In addition to the security benefits noted above, the new architecture improves overall system reliability and stability because functions that were not essential to the logon process have been moved to separate processes in the Windows Vista system.


    Easier Smart Card Deployments

    Many organizations are further enhancing security by using smart cards as their preferred two-factor authentication method in place of passwords. Microsoft has provided native operating system support for smart cards since Windows 2000. However, previous versions of Windows required IT administrators to deploy and maintain additional components to support their smart card infrastructure, such as cryptography modules and communications support for card readers.


    To make it simpler to deploy and maintain smart cards, Windows Vista includes new advances in its smart card infrastructure that enable a model that is dramatically simplified, more secure and less error-prone. A common cryptographic service provider (CSP) implements all the standard back-end cryptographic functions that hardware and software developers need. In addition, integrated third-party Card Modules make it easier to rapidly deploy a smart card solution and enable secure, predictable communications between the CSP and other components of the smart card infrastructure.


    In addition to these infrastructure changes, Microsoft also is working with the partner community to ensure that most of the major smart card vendors are familiar with this new architecture and are developing card modules for Windows Vista. This effort includes a process to certify card modules to validate quality and ultimately to make these card modules available via Windows Update. This initiative will provide customers with better quality and ease of use for their smart card deployments.


    These enhancements complement other improvements to the smart card infrastructure in Windows Vista, including improvements to the Kerberos authentication protocol that reduce the need for smart card users to re-enter their password when accessing certain resources.


    Monday, July 24, 2006 1:05 PM
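The "New Logon Architecture" section above says the Vista logon UI loads several registered Credential Providers side by side instead of a single GINA; the following script, an added example that is not part of the white paper or the post, inventories what is actually registered on a host so an administrator can confirm every provider and filter DLL is expected and signed. It assumes an elevated PowerShell on Windows Vista or later and uses the documented registry registration points for Credential Providers and Credential Provider Filters, which the page itself does not name.

```powershell
# Added example (not from the white paper): list every Credential Provider and
# Credential Provider Filter the logon UI will load, resolve each CLSID to its
# DLL, and check the DLL's Authenticode signature. Registry paths are the
# standard registration points for Credential Providers (assumption: Vista+).
$roots = @{
    'Provider' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    'Filter'   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
}

$inventory = foreach ($kind in $roots.Keys) {
    if (-not (Test-Path $roots[$kind])) { continue }
    foreach ($key in Get-ChildItem $roots[$kind]) {
        $clsid = $key.PSChildName                              # {GUID} of the COM class
        $props = Get-ItemProperty $key.PSPath
        $name  = $props.'(default)'                            # display name set by the vendor
        # A Disabled DWORD of 1 keeps the provider registered but hides it at logon.
        $disabled = ($props.Disabled -eq 1)

        # The CLSID maps to the in-process COM server, i.e. the provider DLL, under HKCR.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null; $sig = 'no COM registration'; $publisher = $null
        if (Test-Path $server) {
            $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $server).'(default)')
            if ($dll -and (Test-Path $dll)) {
                $s = Get-AuthenticodeSignature -FilePath $dll
                $sig = $s.Status                               # Valid, NotSigned, HashMismatch, ...
                $publisher = $s.SignerCertificate.Subject
            } else { $sig = 'file missing' }
        }

        [pscustomobject]@{
            Kind = $kind; CLSID = $clsid; Name = $name; Dll = $dll
            Signature = $sig; Publisher = $publisher; Disabled = $disabled
        }
    }
}

# Full inventory of what the logon UI will consult.
$inventory | Sort-Object Kind, Name | Format-Table -AutoSize

# Entries that are not validly signed, or not signed by Microsoft, are the ones
# to reconcile against the list of deliberately deployed third-party providers.
$inventory | Where-Object { $_.Signature -ne 'Valid' -or $_.Publisher -notmatch 'Microsoft' } |
    Format-Table Kind, Name, Dll, Signature, Publisher -AutoSize
```

Unsigned or unexpected entries are not necessarily malicious (vendor biometric or token providers often sign under their own name), but each should map to a known deployment.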


  • Please post links to content rather than repeating resources.
    Tuesday, August 1, 2006 5:42 PM