I'm struggling to understand the capabilities of a custom Windows SSP/AP.

I work on a biometric authentication system, and am interested in creating a custom SSP/AP to support biometrics. The goal is to provide a "drop in replacement" for the venerable Password. The users should never have to provide a password. This is both more secure and less of a hassle for users (no expiring passwords).

I believe an SSP/AP will suffice for interactive logons, such as workstation logon and unlock. I understand how to implement the SSP/AP, and attach biometric credentials to the user's token.

But I'm unclear on the capabilities for non-interactive logins. Examples: Outlook, network shares. The documentation seems to imply this is application choice. So even if I provide credentials, Outlook won't use them?

So, can I truly get away from passwords? There's no real value unless passwords can be eliminated for all common scenarios. I think this rules out sub-authentication packages and the like.

The issue isn't the coding; I've previously worked on GINA replacements (pre-Vista) and custom Credential Providers (Vista and Win7). I'm just unclear on what an SSP/AP can really do.