If the same Windows Hello companion device app is used to manage multiple versions of the same companion device, and those capabilities change and require a device query to decide, we recommend that this query occur before the first API call is made. The first call for registration will launch the PIN prompt to make sure the user is present.
If no PIN is set up, this call will fail. IsSupportedAsync call as well. RequestStartRegisteringDeviceAsync call can also fail if policy has disabled the usage of the Windows Hello companion device.
The second call, FinishRegisteringDeviceAsync, finishes the registration. As part of the registration process, the Windows Hello companion device app can store companion device configuration data with the Companion Authentication Service. There is a 4K size limit for this data.
This data will be available to the Windows Hello companion device app at authentication time. For example, it can hold what is needed to connect to the Windows Hello companion device, such as a MAC address; or, if the Windows Hello companion device does not have storage and wants to use the PC for storage, configuration data can be used for that.
Note that any sensitive data stored as part of configuration data must be encrypted with a key that only the Windows Hello companion device knows.
Also, given that configuration data is stored by a Windows service, it is available to the Windows Hello companion device app across user profiles. The Windows Hello companion device app can call AbortRegisteringDeviceAsync to cancel the registration and pass in an error code.
The Companion Authentication Service will log the error in the telemetry data. A good example for this call would be when something went wrong with the Windows Hello companion device and it could not finish registration (for example, it cannot store HMAC keys or the BT connection was lost).
The Windows Hello companion device app must provide an option for the user to de-register their Windows Hello companion device from their Windows 10 desktop (for example, if they lost their companion device or bought a newer version).
When the user selects that option, the Windows Hello companion device app must call UnregisterDeviceAsync. This call by the Windows Hello companion device app will trigger the companion device authentication service to delete all data, including HMAC keys, corresponding to the specific device Id and AppId of the caller app from the PC side. That is left for the Windows Hello companion device app to implement.
The Windows Hello companion device app is responsible for showing any error messages that happen in the registration and de-registration phases. The first call returns, among other things, a nonce that, once concatenated with other things, needs to be HMAC'ed with the device key stored on the Windows Hello companion device.
The second call returns the results of HMAC with device key and can potentially end in successful authentication i. It can also fail if an unregistered companion device app calls it. The second API call, FinishAuthenticationAsync, can fail if the nonce that was provided in the first call has expired (20 seconds). For example, the second call must not be submitted until an intent signal is available. In other words, the PC should not unlock if the user has not expressed intent for it.
To make this clearer: if Bluetooth proximity is used for PC unlock, an explicit intent signal must be collected; otherwise, as soon as the user walks by their PC on the way to the kitchen, the PC will unlock.
Also, the nonce returned from the first call is time bound (20 seconds) and will expire after a certain period. As a result, the first call should only be made when the Windows Hello companion device app has a good indication of companion device presence, for example, when the companion device is inserted into a USB port or tapped on an NFC reader.
With Bluetooth, care must be taken to avoid affecting battery on the PC side or affecting other Bluetooth activities going on at that point when checking for Windows Hello companion device presence. Also, if a user presence signal needs to be provided (for example, by typing in a PIN), it is recommended that the first authentication call is only made after that signal is collected.
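A simplified model of the two-call exchange described above, added here as an illustration and not taken from the Windows Hello companion device framework or its API. The class and function names, the use of HMAC-SHA256 and the `nonce + context` layout are assumptions; only the 20-second nonce lifetime comes from the text.

```python
import hashlib
import hmac
import os

NONCE_LIFETIME_S = 20  # nonce validity stated in the text above

class CompanionAuthServiceModel:
    """Toy stand-in for the PC side; hypothetical, not the Windows service."""
    def __init__(self, device_key, clock):
        self._device_key = device_key   # shared with the device at registration
        self._clock = clock             # injectable so expiry can be exercised
        self._pending = {}              # nonce -> time it was issued

    def start_authentication(self):  # first call: fresh, time-bound nonce
        nonce = os.urandom(32)
        self._pending[nonce] = self._clock()
        return nonce

    def finish_authentication(self, nonce, context, tag):  # second call
        issued = self._pending.pop(nonce, None)   # pop makes the nonce single-use
        if issued is None:
            return "unknown-nonce"
        if self._clock() - issued > NONCE_LIFETIME_S:
            return "nonce-expired"
        expected = device_response(self._device_key, nonce, context)
        # constant-time comparison avoids leaking how many bytes matched
        return "ok" if hmac.compare_digest(expected, tag) else "bad-hmac"

def device_response(device_key, nonce, context):
    """Companion device side: HMAC the nonce concatenated with context (assumed layout)."""
    return hmac.new(device_key, nonce + context, hashlib.sha256).digest()

def run_demo():
    """Prompt reply, replayed reply, late reply and wrong-key reply, in that order."""
    now = [1000.0]                      # constructed clock, in seconds
    key = b"\x11" * 32                  # constructed device key
    ctx = b"constructed-session-context"
    svc = CompanionAuthServiceModel(key, lambda: now[0])
    n1 = svc.start_authentication()
    now[0] += 5                         # intent signal arrives well inside 20 s
    tag1 = device_response(key, n1, ctx)
    results = [svc.finish_authentication(n1, ctx, tag1)]
    results.append(svc.finish_authentication(n1, ctx, tag1))   # same answer replayed
    n2 = svc.start_authentication()
    now[0] += 21                        # first call made too early; intent came late
    results.append(svc.finish_authentication(n2, ctx, device_response(key, n2, ctx)))
    n3 = svc.start_authentication()
    results.append(svc.finish_authentication(n3, ctx, device_response(b"\x22" * 32, n3, ctx)))
    return results
```

The late reply fails even though its HMAC is correct, which is why the first call should wait until device presence (and any user presence signal) is already established.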
The Windows Hello companion device framework helps the Windows Hello companion device app make an informed decision on when to make the above two calls by providing a complete picture of where the user is in the authentication flow.
The Windows Hello companion device framework provides this functionality by sending lock state change notifications to the app's background task. Windows Hello companion device apps should only call the two authentication APIs in the first two states. Windows Hello companion device apps should check which scenario this event is being fired for. There are two possibilities: unlock or post unlock. Currently, only unlock is supported.
In upcoming releases, post unlock scenarios may be supported. When the Windows Hello companion device app registers the first companion device, it should also register its background task component, which will pass authentication information between the device and the companion device authentication service.
The Windows Hello companion device framework is responsible for providing feedback to the user about success or failure of signing in. The Windows Hello companion device framework will provide a stock of localized text and error messages for the Windows Hello companion device app to choose from.
These will be displayed in the logon UI. Call this API when an intent signal is available. Note that an intent signal must always be collected on the Windows Hello companion device side. Guidance messages are designed to show the user how to start the unlock process. These messages are only shown to the user once on the lock screen, upon first device registration, and never shown there again. These messages will continue to be shown under the lock screen. Error messages are always shown and will be shown after an intent signal is provided.
Given that an intent signal must be collected before showing messages to the user, and the user will provide that intent only using one of the Windows Hello companion devices, there must not be a situation where multiple Windows Hello companion devices race for showing error messages.
As a result, the Windows Hello companion device framework does not maintain any queue. When a caller asks for an error message, it will be shown for 5 seconds and all other requests for showing an error message in those 5 seconds are dropped. Once 5 seconds have passed, the opportunity arises for another caller to show an error message. We prohibit any caller from jamming the error channel.
Guidance and error messages are as follows. Device name is a parameter passed by the companion device app as part of ShowNotificationMessageAsync. The first scope returns the list of devices for the logged on user. The second one returns the list for all users on that PC. The first scope must be used at un-registration time to avoid un-registering another user's Windows Hello companion device. The second one must be used at authentication or registration time: at registration time, this enumeration can help the app avoid trying to register the same Windows Hello companion device twice.
Note that even if the app does not perform this check, the PC does and will reject the same Windows Hello companion device from being registered more than once. At authentication time, using the AllUsers scope helps the Windows Hello companion device app support the switch user flow: log on user A when user B is logged in (this requires that both users have installed the Windows Hello companion device app, that user A has registered their companion devices with the PC, and that the PC is sitting on the lock screen or logon screen).
The key to achieving the security protections enumerated above is to protect HMAC keys from unauthorized access and also to verify user presence. More specifically, it must satisfy these requirements:
Note: The Windows Hello companion device framework is a specialized feature that's not available to all app developers.
We recommend not requesting any error messages relating to having difficulty finding a device in this state. In general, we recommend only showing messages when an intent signal is available. The Windows Hello companion device app should make the first API call for authentication in this state if the companion device collects the intent signal (for example, tapping on an NFC reader, a press of a button on the companion device, or a specific gesture, like clapping), and the Windows Hello companion device app background task receives indication from the companion device that the intent signal was detected.
Otherwise, if the Windows Hello companion device app relies on the PC to start the authentication flow (by having the user swipe up the unlock screen or hit the space bar), then the Windows Hello companion device app needs to wait for the next state (CollectingCredential). This state change notification event is fired when the user either opens their laptop lid, hits any key on their keyboard, or swipes up to the unlock screen.
If the Windows Hello companion device relies on the above actions to start collecting the intent signal, then the Windows Hello companion device app should start collecting it (for example, via a pop-up on the companion device asking whether the user wants to unlock the PC). This would be a good time to provide error cases if the Windows Hello companion device app needs the user to provide a user presence signal on the companion device (like typing in a PIN on the Windows Hello companion device).
When the Windows Hello companion device app receives this state, it means that the Companion Authentication Service has stopped accepting authentication requests. This means that another Windows Hello companion device app has called the second API and that the Companion Authentication Service is verifying what was submitted. At this point, the Companion Authentication Service is not accepting any other authentication requests unless the currently submitted one does not pass verification.
Once the Companion is installed, you can open projects in App Inventor on the web, open the companion on your device, and you can test your apps as you build them: Open the Apple App Store or Google Play Store on your device, or use the buttons below to open the corresponding store page. After downloading, step through the instructions to install the Companion app on your device.
Note 1: There are some differences between the iOS and Android versions. Please review this page for more details. To find this setting on versions of Android prior to 4.
For devices running Android 4. App Inventor will automatically show you the app you are building, but only if your computer running App Inventor and your device running the Companion are connected to the same WiFi Network. See a more detailed explanation of this here. A dialog with a QR code will appear on your PC screen.