MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 15 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 15 additions & 0 deletions
diff --git a/‎hub/apps/develop/security/credential-locker.md
Lines changed: 137 additions & 0 deletions b/‎hub/apps/develop/security/credential-locker.md
Lines changed: 137 additions & 0 deletions
diff --git a/‎uwp/security/fingerprint-biometrics.md renamed to ‎hub/apps/develop/security/fingerprint-biometrics.md
Lines changed: 19 additions & 18 deletions b/‎uwp/security/fingerprint-biometrics.md renamed to ‎hub/apps/develop/security/fingerprint-biometrics.md
Lines changed: 19 additions & 18 deletions
diff --git a/‎hub/apps/develop/security/index.md
Lines changed: 16 additions & 6 deletions b/‎hub/apps/develop/security/index.md
Lines changed: 16 additions & 6 deletions
@@ -8154,6 +8154,21 @@
       "source_path": "hub/apps/design/shell/tiles-and-notifications/index.md",
       "redirect_url": "/windows/uwp/launch-resume/creating-tiles",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "uwp/security/fingerprint-biometrics.md",
+      "redirect_url": "/windows/apps/develop/security/fingerprint-biometrics",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "uwp/security/smart-cards.md",
+      "redirect_url": "/windows/apps/develop/security/smart-cards",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "uwp/security/credential-locker.md",
+      "redirect_url": "/windows/apps/develop/security/credential-locker",
+      "redirect_document_id": false
     }
   ]
 }
 
@@ -0,0 +1,137 @@
+---
+title: Credential locker for Windows apps
+description: This article describes how Windows apps can use the Credential Locker to securely store and retrieve user credentials.
+ms.date: 08/05/2024
+ms.topic: how-to
+#customer intent: As a Windows developer, I want to learn how I can integrate the Credential Locker APIs into my native apps to store and retrieve user credentials.
+---
+
+# Credential locker for Windows apps
+
+This article describes how Windows apps can use the Credential Locker to securely store and retrieve user credentials, and roam them between devices with the user's Microsoft account.
+
+The Windows Runtime (WinRT) APIs for Credential Locker access are part of the [Windows Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/). These APIs were created for use in Universal Windows Platform (UWP) apps, but they can also be used in WinUI apps or in packaged desktop apps, including WPF and Windows Forms. For more information about using WinRT APIs in your Windows desktop app, see [Call Windows Runtime APIs in desktop apps](/windows/apps/desktop/modernize/desktop-to-uwp-enhance).
+
+## Overview of the sample scenario
+
+For example, you have an app that connects to a service to access protected resources such as media files, or social networking. Your service requires login information for each user. You've built UI into your app that gets the username and password for the user, which is then used to log the user into the service. Using the Credential Locker API, you can store the username and password for your user and easily retrieve them and log the user in automatically the next time they open your app, regardless of what device they're on.
+
+User credentials stored in the Credential Locker do *not* expire, are *not* affected by the [ApplicationData.RoamingStorageQuota](/uwp/api/windows.storage.applicationdata.roamingstoragequota), and will *not* be cleared out due to inactivity like traditional roaming data. However, you can only store up to 20 credentials per app in the Credential Locker.
+
+Credential Locker works a little differently for domain accounts. If there are credentials stored with your Microsoft account, and you associate that account with a domain account (such as the account that you use at work), your credentials will roam to that domain account. However, any new credentials added when signed on with the domain account won’t roam. This ensures that private credentials for the domain aren't exposed outside of the domain.
+
+## Storing user credentials
+
+1. Obtain a reference to the Credential Locker using the [PasswordVault](/uwp/api/Windows.Security.Credentials.PasswordVault) object from the [Windows.Security.Credentials](/uwp/api/Windows.Security.Credentials) namespace.
+1. Create a [PasswordCredential](/uwp/api/Windows.Security.Credentials.PasswordCredential) object that contains an identifier for your app, the username and the password, and pass that to the [PasswordVault.Add](/uwp/api/windows.security.credentials.passwordvault.add) method to add the credential to the locker.
+
+```cs
+var vault = new Windows.Security.Credentials.PasswordVault();
+vault.Add(new Windows.Security.Credentials.PasswordCredential(
+    "My App", username, password));
+```
+
+## Retrieving user credentials
+
+You have several options for retrieving user credentials from the Credential Locker after you have a reference to the [PasswordVault](/uwp/api/Windows.Security.Credentials.PasswordVault) object.
+
+- You can retrieve all the credentials the user has supplied for your app in the locker with the [PasswordVault.RetrieveAll](/uwp/api/windows.security.credentials.passwordvault.retrieveall) method.
+- If you know the username for the stored credentials, you can retrieve all the credentials for that username with the [PasswordVault.FindAllByUserName](/uwp/api/windows.security.credentials.passwordvault.findallbyusername) method.
+- If you know the resource name for the stored credentials, you can retrieve all the credentials for that resource name with the [PasswordVault.FindAllByResource](/uwp/api/windows.security.credentials.passwordvault.findallbyresource) method.
+- Finally, if you know both the username and the resource name for a credential, you can retrieve just that credential with the [PasswordVault.Retrieve](/uwp/api/windows.security.credentials.passwordvault.retrieve) method.
+
+Let’s look at an example where we have stored the resource name globally in an app and we log the user on automatically if we find a credential for them. If we find multiple credentials for the same user, we ask the user to select a default credential to use when logging on.
+
+```cs
+private string resourceName = "My App";
+private string defaultUserName;
+
+private void Login()
+{
+    var loginCredential = GetCredentialFromLocker();
+
+    if (loginCredential != null)
+    {
+        // There is a credential stored in the locker.
+        // Populate the Password property of the credential
+        // for automatic login.
+        loginCredential.RetrievePassword();
+    }
+    else
+    {
+        // There is no credential stored in the locker.
+        // Display UI to get user credentials.
+        loginCredential = GetLoginCredentialUI();
+    }
+
+    // Log the user in.
+    ServerLogin(loginCredential.UserName, loginCredential.Password);
+}
+
+private Windows.Security.Credentials.PasswordCredential GetCredentialFromLocker()
+{
+    Windows.Security.Credentials.PasswordCredential credential = null;
+
+    var vault = new Windows.Security.Credentials.PasswordVault();
+
+    IReadOnlyList<PasswordCredential> credentialList = null;
+
+    try
+    {
+        credentialList = vault.FindAllByResource(resourceName);
+    }
+    catch(Exception)
+    {
+        return null;
+    }
+
+    if (credentialList.Count > 0)
+    {
+        if (credentialList.Count == 1)
+        {
+            credential = credentialList[0];
+        }
+        else
+        {
+            // When there are multiple usernames,
+            // retrieve the default username. If one doesn't
+            // exist, then display UI to have the user select
+            // a default username.
+            defaultUserName = GetDefaultUserNameUI();
+
+            credential = vault.Retrieve(resourceName, defaultUserName);
+        }
+    }
+
+    return credential;
+}
+```
+
+## Deleting user credentials
+
+Deleting user credentials in the Credential Locker is also a quick, two-step process.
+
+1. Obtain a reference to the Credential Locker using the [PasswordVault](/uwp/api/Windows.Security.Credentials.PasswordVault) object from the [Windows.Security.Credentials](/uwp/api/Windows.Security.Credentials) namespace.
+1. Pass the credential you want to delete to the [PasswordVault.Remove](/uwp/api/windows.security.credentials.passwordvault.remove) method.
+
+```cs
+var vault = new Windows.Security.Credentials.PasswordVault();
+vault.Remove(new Windows.Security.Credentials.PasswordCredential(
+    "My App", username, password));
+```
+
+## Best practices
+
+Only use the credential locker for passwords and not for larger data blobs.
+
+Save passwords in the credential locker only if the following criteria are met:
+
+- The user has successfully signed in.
+- The user has opted to save passwords.
+
+Never store credentials in plain-text using app data or roaming settings.
+
+## Related content
+
+- [PasswordVault](/uwp/api/Windows.Security.Credentials.PasswordVault)
+- [Call Windows Runtime APIs in desktop apps](/windows/apps/desktop/modernize/desktop-to-uwp-enhance)
@@ -1,23 +1,20 @@
 ---
 title: Fingerprint biometrics
-description: This article explains how to add fingerprint biometrics to your Universal Windows Platform (UWP) app.
-ms.assetid: 55483729-5F8A-401A-8072-3CD611DDFED2
-ms.date: 02/08/2017
-ms.topic: article
-keywords: windows 10, uwp, security
-ms.localizationpriority: medium
+description: This article explains how to add fingerprint biometrics to your packaged Windows app using WinRT APIs from the Windows SDK.
+ms.date: 08/05/2024
+ms.topic: how-to
+#customer intent: As a Windows developer, I want to add fingerprint biometrics to my Windows apps.
 ---
-# Fingerprint biometrics
-
 
+# Fingerprint biometrics
 
+This article explains how to add fingerprint biometrics to your Windows app, including a request for fingerprint authentication when the user must consent to a particular action increases the security of your app. For example, you could require fingerprint authentication before authorizing an in-app purchase, or access to restricted resources. Fingerprint authentication is managed using the [UserConsentVerifier](/uwp/api/Windows.Security.Credentials.UI.UserConsentVerifier) class in the [Windows.Security.Credentials.UI](/uwp/api/Windows.Security.Credentials.UI) namespace.
 
-This article explains how to add fingerprint biometrics to your Universal Windows Platform (UWP) app. Including a request for fingerprint authentication when the user must consent to a particular action increases the security of your app. For example, you could require fingerprint authentication before authorizing an in-app purchase, or access to restricted resources. Fingerprint authentication is managed using the [**UserConsentVerifier**](/uwp/api/Windows.Security.Credentials.UI.UserConsentVerifier) class in the [**Windows.Security.Credentials.UI**](/uwp/api/Windows.Security.Credentials.UI) namespace.
+The Windows Runtime (WinRT) APIs for fingerprint biometrics are part of the [Windows Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/). These APIs were created for use in Universal Windows Platform (UWP) apps, but they can also be used in WinUI apps or in packaged desktop apps, including WPF and Windows Forms. For more information about using WinRT APIs in your Windows desktop app, see [Call Windows Runtime APIs in desktop apps](/windows/apps/desktop/modernize/desktop-to-uwp-enhance).
 
 ## Check the device for a fingerprint reader
 
-
-To find out whether the device has a fingerprint reader, call [**UserConsentVerifier.CheckAvailabilityAsync**](/uwp/api/windows.security.credentials.ui.userconsentverifier.checkavailabilityasync). Even if a device supports fingerprint authentication, your app should still provide users with an option in Settings to enable or disable it.
+To find out whether the device has a fingerprint reader, call [UserConsentVerifier.CheckAvailabilityAsync](/uwp/api/windows.security.credentials.ui.userconsentverifier.checkavailabilityasync). Even if a device supports fingerprint authentication, your app should still provide users with an option in Settings to enable or disable it.
 
 ```cs
 public async System.Threading.Tasks.Task<string> CheckFingerprintAvailability()
@@ -54,7 +51,7 @@ public async System.Threading.Tasks.Task<string> CheckFingerprintAvailability()
     }
     catch (Exception ex)
     {
-        returnMessage = "Fingerprint authentication availability check failed: " + ex.ToString();
+        returnMessage = $"Fingerprint authentication availability check failed: {ex.ToString()}";
     }
 
     return returnMessage;
@@ -63,10 +60,8 @@ public async System.Threading.Tasks.Task<string> CheckFingerprintAvailability()
 
 ## Request consent and return results
 
-
-To request user consent from a fingerprint scan, call the [**UserConsentVerifier.RequestVerificationAsync**](/uwp/api/windows.security.credentials.ui.userconsentverifier.requestverificationasync) method. For fingerprint authentication to work, the user must have previously added a fingerprint "signature" to the fingerprint database.
-
-When you call the [**UserConsentVerifier.RequestVerificationAsync**](/uwp/api/windows.security.credentials.ui.userconsentverifier.requestverificationasync), the user is presented with a modal dialog requesting a fingerprint scan. You can supply a message to the **UserConsentVerifier.RequestVerificationAsync** method that will be displayed to the user as part of the modal dialog, as shown in the following image.
+1. To request user consent from a fingerprint scan, call the [UserConsentVerifier.RequestVerificationAsync](/uwp/api/windows.security.credentials.ui.userconsentverifier.requestverificationasync) method. For fingerprint authentication to work, the user must have previously added a fingerprint "signature" to the fingerprint database.
+1. When you call the [UserConsentVerifier.RequestVerificationAsync](/uwp/api/windows.security.credentials.ui.userconsentverifier.requestverificationasync), the user is presented with a modal dialog requesting a fingerprint scan. You can supply a message to the **UserConsentVerifier.RequestVerificationAsync** method that will be displayed to the user as part of the modal dialog, as shown in the following image.
 
 ```cs
 private async System.Threading.Tasks.Task<string> RequestConsent(string userMessage)
@@ -114,9 +109,15 @@ private async System.Threading.Tasks.Task<string> RequestConsent(string userMess
     }
     catch (Exception ex)
     {
-        returnMessage = "Fingerprint authentication failed: " + ex.ToString();
+        returnMessage = $"Fingerprint authentication failed: {ex.ToString()}";
     }
 
     return returnMessage;
 }
-```
+```
+
+## Related content
+
+- [UserConsentVerifier](/uwp/api/Windows.Security.Credentials.UI.UserConsentVerifier)
+- [Windows.Security.Credentials.UI namespace](/uwp/api/Windows.Security.Credentials.UI)
+- [Call Windows Runtime APIs in desktop apps](/windows/apps/desktop/modernize/desktop-to-uwp-enhance)
@@ -1,20 +1,22 @@
 ---
 title: Security and identity
 description: This article provides an index of development features that are related to security and identity scenarios in Windows apps.
-ms.topic: article
-ms.date: 07/12/2024
+ms.topic: overview
+ms.date: 08/05/2024
+#customer intent: As a Windows developer, I want to learn to use security and identity features available to Windows apps so that I can build more secure apps.
 ---
 
 # Security and identity
 
 This article provides an index of development features that are related to scenarios involving security and identity in Windows apps.
 
-> [!NOTE]
-> The [Windows App SDK](../../windows-app-sdk/index.md) currently does not provide APIs related to security and identity scenarios.
-
 ## Windows OS features
 
-Windows 10 and later OS releases provide a wide variety of APIs related to graphics scenarios for apps. These features are available via a combination of WinRT and Win32 (C++ and COM) APIs provided by the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk).
+Windows provides a wide variety of APIs related to security and identity scenarios for apps. These features are available via a combination of Windows App SDK, Windows Runtime (WinRT), and Win32 (C++ and COM) APIs provided by the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk).
+
+### Windows App SDK APIs
+
+The [Windows App SDK](../../windows-app-sdk/index.md) currently does not provide APIs related to security and identity scenarios other than a few helper APIs in the [Microsoft.Windows.Security.AccessControl](/windows/windows-app-sdk/api/winrt/microsoft.windows.security.accesscontrol) namespace. These APIs are related to named object sharing between packaged apps and Win32 applications.
 
 ### WinRT APIs
 
@@ -24,7 +26,10 @@ The following articles provide information about features available via WinRT AP
 |---------|-------------|
 | [Security](/windows/uwp/security) | Learn about the breadth of security features for Windows apps.  |
 | [Authentication and user identity](/windows/uwp/security/authentication-and-user-identity) | Windows apps have several options for user authentication, ranging from simple single sign-on (SSO) using Web authentication broker to highly secure two-factor authentication. |
+| [Credential locker](credential-locker.md) | This article describes how Windows apps can use the Credential Locker to securely store and retrieve user credentials, and roam them between devices with the user's Microsoft account. |
 | [Cryptography](/windows/uwp/security/cryptography) | Learn about cryptography features available to Windows apps. |
+| [Fingerprint biometrics](fingerprint-biometrics.md) | This article explains how to add fingerprint biometrics to your Windows app, including a request for fingerprint authentication when the user must consent to a particular action increases the security of your app. |
+| [Smart cards](smart-cards.md) | This topic explains how packaged Windows apps can use smart cards to connect users to secure network services. |
 | [Windows Hello](windows-hello.md) | This article describes the Windows Hello technology and discusses how developers can implement this technology to protect their apps and backend services. It highlights specific capabilities of Windows Hello that help mitigate threats from conventional credentials and provides guidance about designing and deploying these technologies as part of your packaged Windows apps. |
 | [Create a Windows Hello login app](windows-hello-login.md) | Part 1 of a complete walkthrough on how to create a packaged Windows app that uses Windows Hello as an alternative to traditional username and password authentication systems. |
 | [Create a Microsoft Passport login service](windows-hello-auth-service.md) | Part 2 of a complete walkthrough on how to use Windows Hello as an alternative to traditional username and password authentication systems in packaged Windows apps. |
@@ -48,3 +53,8 @@ The .NET SDK also provides APIs related to security and identity scenarios for W
 | [Security in .NET](/dotnet/standard/security/)  | Learn about security concepts and features for all .NET apps.  |
 | [Security (WPF)](/dotnet/desktop/wpf/security-wpf) | Learn about security concepts and features for WPF apps. |
 | [Windows Forms Security](/dotnet/desktop/winforms/windows-forms-security) | Learn about security concepts and features for Windows Forms apps. |
+
+## Related content
+
+- [App lifecycle and system services](../app-lifecycle-and-system-services.md)
+- [Develop Windows desktop apps](../index.md)