Limiting Access to Sensitive Information in the TUI (Windows CE 5.0)
It can be important to limit access to potentially sensitive information that is available using the TUI application. For example, you might not want someone who walks into your office to push a few buttons and see your Exchange contacts.
One way to limit access is to require the phone user to enter a PIN to access private information. However, this is cumbersome when a user is already sitting next to an unlocked PC.
Therefore, the TUI application includes additional functionality to limit access to potentially private information. The TUI attempts to determine if the user of the phone is authenticated, by seeing if a Windows PC to which the phone is tied is locked or unlocked.
If TUI can determine that the PC is unlocked, it provides access to private information without user intervention.
If the associated PC is locked, or TUI can't determine the status of the PC, or there is no associated PC, TUI forces the phone's user to enter a user-chosen PIN, using the phone keypad, before it displays sensitive information.
TUI uses the Windows CE Local Authentication Subsystem (LASS) to abstract the authentication process. In the default IP phone OS design, the local authentication plugin (LAP) that LASS uses interacts over the network with an application running on a PC.
The Windows CE LAP and the PC application are provided, in sample form, by the PC Authentication Catalog item. For more information about LASS, see Local Authentication Subsystem (LASS). For more information about the sample PC Authentication plugin, see PC Authentication.
The complete process works as follows:
1. The user attempts to access sensitive information, such as Exchange contacts.
2. TUI calls the IsPCUnlocked function in laputils.cpp (in %_WINCEROOT%\Public\VoIP\OAK\Phone\TUI\Utilities).
3. IsPCUnlocked calls the LASS VerifyUser function.
4. LASS uses the currently active LAP to determine if the user is authenticated. The default IP phone OS design sets the sample PC Authentication LAP as the active authentication plugin; this setup is accomplished by the InitializeVoIPLAP function in laputils.cpp. LASS uses the active LAP by calling the LAP's VerifyUser function, which is different from the generic LASS VerifyUser function. In this scenario, LASS calls the PC Authentication VerifyUser function.
5. The PC Authentication LAP connects to the specified PC over the network and uses the application on the PC to determine if the PC is locked.
6. The PC lock or unlock status propagates back up to the TUI, which displays the requested information directly (if the PC is unlocked), or displays a PIN dialog (if the PC is locked or cannot be contacted).
Note: In addition to the process described in the preceding steps, there is one place where the TUI calls the LAP code directly and bypasses LASS. This happens in the TieToPCState.cpp file (in %_WINCEROOT%\Public\VoIP\OAK\Phone\TUI\State), in the OnTieClick function. Instead of calling the LASS VerifyUser function, OnTieClick calls the PC Authentication LAP AttemptConnection function. AttemptConnection verifies authentication like the LAP normally does, but it waits a longer period of time before timing out.
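The decision flow in the steps and note above, modeled as an added example that is not part of the original documentation or the Windows CE sources. Every type, function name and timeout value below is hypothetical, and the probe stands in for the LAP's network query rather than calling the real LASS or LAP functions.

```cpp
// Added illustration: hypothetical names and timeouts, no real LASS/LAP calls.
#include <cstdio>
#include <functional>
#include <string>

enum class PcStatus { Unlocked, Locked, Unknown };  // Unknown: no answer in time
enum class Access { ShowDirectly, RequirePin };
// Stand-in for the LAP's network query to the application on the PC.
typedef std::function<PcStatus(const std::string& host, unsigned timeoutMs)> PcProbe;

struct PhoneConfig {
    std::string tiedPc;        // empty when no PC is associated with the phone
    unsigned verifyTimeoutMs;  // normal path
    unsigned tieTimeoutMs;     // tie path, which waits longer
};

// True only on a positive "unlocked" answer; every other outcome fails closed.
bool PcReportsUnlocked(const PhoneConfig& cfg, const PcProbe& probe, unsigned timeoutMs) {
    if (cfg.tiedPc.empty() || !probe) return false;  // no PC, or no way to ask it
    return probe(cfg.tiedPc, timeoutMs) == PcStatus::Unlocked;
}

// Normal path: the user asks for sensitive data such as contacts.
Access GateSensitiveView(const PhoneConfig& cfg, const PcProbe& probe) {
    bool unlocked = PcReportsUnlocked(cfg, probe, cfg.verifyTimeoutMs);
    return unlocked ? Access::ShowDirectly : Access::RequirePin;
}

// Tie path: the same check, run with the longer timeout.
bool VerifyOnTieClick(const PhoneConfig& cfg, const PcProbe& probe) {
    return PcReportsUnlocked(cfg, probe, cfg.tieTimeoutMs);
}

// Constructed test double: a PC that answers after latencyMs.
struct SimulatedPc {
    PcStatus state;
    unsigned latencyMs;
    PcStatus operator()(const std::string&, unsigned timeoutMs) const {
        return latencyMs > timeoutMs ? PcStatus::Unknown : state;
    }
};

int main() {
    PhoneConfig cfg = {"desk-pc.example", 2000, 10000};  // constructed values
    SimulatedPc slow = {PcStatus::Unlocked, 5000};       // unlocked but slow
    std::printf("view: %s, tie: %s\n",
                GateSensitiveView(cfg, slow) == Access::ShowDirectly ? "show" : "PIN",
                VerifyOnTieClick(cfg, slow) ? "verified" : "failed");
    return 0;
}
```

In this model, an unlocked PC that answers too slowly for the normal path still leads to the PIN dialog, while the tie path, with its longer wait, verifies successfully.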
See Also
Examining the TUI Implementation