共用方式為


Authentication and User Identity (XAML)

[This article is for Windows 8.x and Windows Phone 8.x developers writing Windows Runtime apps. If you’re developing for Windows 10, see the latest documentation]

You have several options for user authentication in apps that can provide both convenience for authenticated users, such as single sign-on (SSO) or persisted user credentials, and highly secure authentication such as smart card authentication or authentication using trusted certificates. The following table describes your options for authentication inapps.

Credential Locker

The Credential Locker is a convenient and secure way to store user credentials that your app uses to connect to services like media, social networking, and so on. You can store a user's userid and password in the Credential Locker, and then automatically log them on to services when they use your app. Credentials stored in the Credential Locker automatically roam with a users's Microsoft Account.

Web authentication broker

The web authentication broker supports the OAuth and OpenID internet authentication protocols, so you can integrate your app with a web service that provides user authentication. This allows you to utilize user identity in your apps from services such as Facebook, Flickr, Google, and Twitter. You can also use the web authentication broker to enable single sign-on (SSO) for multiple internet authenticated apps.

Fingerprint (biometric) authentication

Fingerprint (biometric) verification enables you to enhance the security of your app by requesting a fingerprint when the user is required to consent to a particular action such as authorizing an in-app purchase, or accessing a restricted resource.

Smart Cards and Virtual Smart Cards

Smart cards and virtual smart cards provide a high level of authentication for your app. You can use the APIs in the Windows.Devices.SmartCards namespace to authenticate a user using a smart card, gather information about smart card devices, and manage smart card devices, such as requesting a PIN reset. You can also create Trusted Platform Module (TPM) Virtual Smart Cards that provide smart card-level authentication without requiring a physical smart card from your user.

For more information, see the Windows.Devices.SmartCards namespace and the Smart Card Sample.

Certificate authentication

Certificate authentication provides a high level of trust when authenticating a user. Apps that require secure authentication beyond a userid and password combination can use certificates for authentication.

Enterprise authentication

Enterprise authentication enables users of your app to authenticate using Windows domain credentials. Enterprise authentication is commonly used for line-of-business apps where users require access to corporate resources that are part of a domain. Examples include access to corporate web or SharePoint sites, or access to files on a corporate network using the file picker control. To include enterprise authentication in your app, enable the Enterprise Authentication capability in your app manifest.

Microsoft account (Live services)

You can sign users in to their Microsoft account, so that your app will work with Microsoft cloud services like Outlook.com and Microsoft OneDrive.

For information on signing a user in to their Microsoft account, see Microsoft account sign-in for Windows Store apps using C++, C#, or Visual Basic and Single sign-on for apps and websites.

For information on using Live services such as Outlook.com and OneDrive in your app, see

Using Live Connect in your Windows Store apps using C++, C#, or Visual Basic.

Account settings

You can use the Settings contract to include Accounts as a settings option for your user. This enables the user to manage their credentials in an intuitive and consistent manner, just as they would manage any other app settings. To include the Account settings manager, add an AccountsCommand to the ApplicationCommands collection for your app. For information on the Settings contract, see Adding app settings.

You can also extend the Accounts settings manager with the built-in command for deleting a credential, or add your own custom commands for your user such as updating or upgrading an existing account credential.

For examples of using Account settings, see the Credential Locker SDK Sample or the Web Authentication Broker SDK Sample.