Windows 7 Architectural and Internal Security Improvements - New Logon Architecture

Logging on to Windows provides access to local resources (including EFS-encrypted files) and, in AD DS environments, protected network resources. Many organizations require more than a user name and password to authenticate users. For example, they might require multifactor authentication using both a password and biometric identification or a one-time password token.

In Windows XP and earlier versions of Windows, implementing custom authentication methods required developers to completely rewrite the Graphical Identification and Authentication (GINA) interface. Often, the effort required did not justify the benefits provided by strong authentication, and such projects were abandoned. Additionally, Windows XP supported only a single GINA. With Windows Vista and Windows 7, developers can provide custom authentication methods by creating a new credential provider instead. This requires significantly less development effort, allowing more organizations to offer custom authentication methods. The new architecture also enables credential providers to be event driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt can also be used by applications that call the new credential user interface API. Additionally, the Windows logon user interface can use multiple credential providers simultaneously, providing greater flexibility for environments that have different authentication requirements for different users.
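Because the logon UI loads every registered credential provider, an administrator auditing a Windows Vista or Windows 7 machine will want to know which providers are present and which DLL implements each one. The script below is an added example, not code from the Windows 7 Resource Kit; it assumes the standard registration key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers` (one subkey per provider CLSID, default value holding the display name) and resolves each CLSID to its COM server through `HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32`. The `Disabled` value check is an assumption about the per-provider registry switch and is reported only if the value exists.

```powershell
# Added example: inventory the credential providers registered on this machine.
# Assumptions (not from the original page): the registration key below and the
# CLSID -> InprocServer32 mapping used for COM in-process servers.
function Get-CredentialProviderInventory {
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $clsidRoot    = 'HKLM:\SOFTWARE\Classes\CLSID'

    Get-ChildItem -Path $providerRoot | ForEach-Object {
        $clsid = $_.PSChildName                                   # e.g. {GUID}
        $props = Get-ItemProperty -Path $_.PSPath
        $name  = $props.'(default)'                               # provider display name

        # Resolve the in-process COM server (the provider DLL) for this CLSID.
        $serverKey = Join-Path $clsidRoot "$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
            # Expand %SystemRoot% and similar so the path can be checked on disk.
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }

        # Authenticode status shows whether the DLL is a signed vendor binary.
        $signature = 'n/a'
        if ($dll -and (Test-Path $dll)) {
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        # Assumed per-provider switch: a "Disabled" DWORD under the provider key.
        $disabled = $null
        if ($props.PSObject.Properties['Disabled']) { $disabled = $props.Disabled }

        [PSCustomObject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            Signature = $signature
            Disabled  = $disabled
        }
    }
}

# Usage: list providers, flagging any whose DLL is missing or not validly signed.
Get-CredentialProviderInventory |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run the script in an elevated PowerShell session so that both registry hives and the DLL files under `%SystemRoot%\System32` are readable. Entries whose `Dll` is empty, whose file is missing, or whose `Signature` is anything other than `Valid` are the ones worth a closer look, since an unexpected provider is loaded into the logon UI on every sign-in.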

Source of Information: Windows 7 Resource Kit, 2009, Microsoft Press
