Building a Cross-Platform Credential Manager in .NET MAUI
π Building a Cross-Platform Credential Manager in .NET MAUI
Designing a Secure, Unified Authentication Experience Across Android, iOS, Windows, and macOS
Authentication has evolved significantly over the past decade. Applications are no longer limited to simple username and password forms. Modern users expect seamless authentication experiences that integrate with the operating system while maintaining strong security guarantees. Today's enterprise applications commonly support:
- π Passwords
- π Biometrics
- π Passkeys
- βοΈ Password Managers
- πͺͺ Enterprise Identity Providers
- π Single Sign-On (SSO)
- π€ Multiple user accounts
Managing these authentication mechanisms independently quickly becomes difficult, especially when targeting multiple platforms. Android, iOS, Windows, and macOS all expose different APIs, capabilities, permission models, and credential providers.
Rather than scattering platform-specific authentication code throughout an application, a better approach is to build a Credential Manager: a centralized abstraction responsible for securely creating, storing, retrieving, updating, and deleting user credentials regardless of the underlying operating system.
In this guide, we'll design a reusable, enterprise-grade Credential Manager architecture for .NET MAUI capable of supporting passwords, passkeys, biometrics, secure storage, multiple identity providers, and future authentication technologies.
Why Build a Credential Manager?
Many applications begin with something like this:
Login Page
β
SecureStorage
β
API
As the application evolves, additional authentication methods appear:
- Google Sign-In
- Apple Sign-In
- Microsoft Entra ID
- Passkeys
- Face ID
- Touch ID
- Windows Hello
- Password Autofill Soon authentication logic becomes scattered across multiple services. A centralized Credential Manager eliminates this complexity.
Responsibilities
A Credential Manager should handle:
- Credential storage
- Credential retrieval
- Credential deletion
- Password autofill
- Passkey authentication
- Biometric verification
- Token management
- Multiple accounts
- Credential migration
- Session restoration Instead of multiple services:
Login
Storage
Biometrics
Passkeys
Password Manager
everything becomes:
Credential Manager
High-Level Architecture
UI
β
βΌ
Credential Manager Service
β
ββββββββββββββΌβββββββββββββ
β β β
Passwords Passkeys Biometrics
β β β
ββββββββββββββΌβββββββββββββ
β
Platform Providers
β
Android iOS Windows macOS
Business logic never communicates directly with platform APIs.
Platform Capabilities
| Platform | Native Credential Provider |
|---|---|
| Android | Credential Manager API |
| iOS | Authentication Services |
| macOS | Authentication Services |
| Windows | Windows Hello + WebAuthn |
A cross-platform abstraction allows applications to use each provider transparently.
Defining the Service Contract
public interface ICredentialManager
{
Task SaveCredentialAsync(UserCredential credential);
Task<UserCredential?> GetCredentialAsync();
Task DeleteCredentialAsync();
Task<bool> AuthenticateAsync();
Task LogoutAsync();
}
The application interacts only with this interface.
Dependency Injection
builder.Services.AddSingleton<
ICredentialManager,
CredentialManager>();
Credential Model
public class UserCredential
{
public string Username { get; init; }
public string AccessToken { get; init; }
public string RefreshToken { get; init; }
public DateTime Expiration { get; init; }
public CredentialType Type { get; init; }
}
Credential Types
public enum CredentialType
{
Password,
Passkey,
OAuth,
EnterpriseSSO,
Biometric
}
Future authentication mechanisms can easily be added.
Secure Storage
Sensitive information should never be stored as plain text. The Credential Manager should leverage platform-secure storage:
Android Keystore
β
SecureStorage
β
Credential Manager
and
iOS Keychain
β
SecureStorage
β
Credential Manager
This ensures credentials remain protected even if the application sandbox is inspected.
Supporting Multiple Accounts
Enterprise applications often allow users to switch between accounts. Architecture:
Credential Manager
β
βββ Account A
βββ Account B
βββ Account C
βββ Active Account
Switching users becomes trivial.
Password Autofill
Rather than forcing users to type credentials repeatedly, modern operating systems provide autofill services. Workflow:
Login Screen
β
Credential Provider
β
Stored Credentials
β
Auto Fill
The Credential Manager integrates with these native experiences.
Biometric Authentication
Before exposing stored credentials, require biometric verification. Example flow:
Retrieve Credentials
β
Face ID
Touch ID
Windows Hello
β
Access Granted
Example:
await credentialManager.AuthenticateAsync();
Only after successful authentication are credentials returned.
Supporting Passkeys
Passkeys eliminate traditional passwords. Authentication flow:
User
β
Passkey
β
Platform Authenticator
β
Server Challenge
β
Authentication Complete
The Credential Manager abstracts this complexity behind a unified API.
Session Restoration
Most applications automatically restore previous sessions. Startup sequence:
Application Launch
β
Credential Manager
β
Stored Credentials
β
Validate Token
β
Home Page
Users remain signed in without re-entering credentials.
Token Refresh
Access tokens expire. Instead of forcing users to log in again:
Expired Token
β
Refresh Token
β
Identity Provider
β
New Access Token
The Credential Manager handles renewal transparently.
Enterprise Identity Providers
The same architecture supports:
- Microsoft Entra ID
- OAuth 2.0
- OpenID Connect
- IdentityServer
- Auth0
- Okta Authentication providers remain interchangeable.
Credential Lifecycle
Create
β
Store
β
Use
β
Refresh
β
Revoke
β
Delete
Managing the complete lifecycle in one component simplifies maintenance.
Error Handling
Possible failures include:
- Invalid credentials
- Biometric cancellation
- Token expiration
- Provider unavailable
- Secure storage unavailable Expose meaningful exceptions or result objects instead of generic failures.
Offline Authentication
Some enterprise applications must authenticate users without network connectivity. Possible strategy:
Encrypted Credentials
β
Biometric Verification
β
Offline Access
Server synchronization can occur later.
Security Considerations
A Credential Manager should never: β Store passwords unencrypted β Expose refresh tokens unnecessarily β Cache secrets in memory longer than required β Log authentication data Instead:
- Use secure platform storage
- Minimize token lifetime
- Clear sensitive memory when possible
- Rotate refresh tokens
- Validate device integrity when appropriate
Integrating with RASP
Credential protection becomes even stronger when combined with a Runtime Application Self-Protection (RASP) layer. Example:
Credential Request
β
RASP Validation
β
Trusted Device?
β
Yes β Return Credentials
No β Block Access
Authentication decisions can consider device trust, debugger detection, root status, or runtime tampering.
Enterprise Scenarios
π¦ Banking
Protect customer credentials with biometrics and passkeys.
π₯ Healthcare
Provide secure clinician authentication while minimizing login friction.
π’ Corporate Applications
Support Microsoft Entra ID and multiple enterprise accounts.
π¦ Logistics
Enable shared devices while isolating credentials for different operators.
π Retail
Restore cashier sessions securely after device sleep or application restart.
Future Enhancements
A Credential Manager can evolve to include:
- Passwordless authentication
- Device trust evaluation
- Continuous authentication
- Risk-based authentication
- Hardware-backed key attestation
- Secure credential synchronization
- Identity wallets
- Verifiable Credentials
- Decentralized Identity (DID)
Best Practices
β Centralize all credential operations. β Separate authentication from credential storage. β Leverage platform-native credential providers. β Protect credentials with biometrics whenever possible. β Support multiple authentication mechanisms. β Design for future passwordless authentication.
Reference Links
- https://learn.microsoft.com/dotnet/maui/
- https://developer.android.com/identity/sign-in/credential-manager
- https://developer.apple.com/documentation/authenticationservices
- https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/
π Key Takeaways
- A Credential Manager centralizes authentication and credential handling behind a single abstraction.
- Platform-native credential providers offer better security and a more seamless user experience than custom implementations.
- Supporting passwords, passkeys, biometrics, and enterprise identity providers within the same architecture simplifies application maintenance.
- Secure storage, token lifecycle management, and biometric verification are essential for protecting sensitive credentials.
- Combining a Credential Manager with modern security layers such as RASP creates a robust, enterprise-ready authentication strategy for cross-platform applications.
π Final Thoughts
Authentication is no longer just about validating a username and passwordβit is about providing secure, seamless, and frictionless access across a growing ecosystem of devices, identity providers, and authentication methods.
By implementing a dedicated Credential Manager in .NET MAUI, developers can isolate authentication complexity behind a clean abstraction while taking full advantage of each platform's native capabilities. Whether integrating password managers, biometrics, passkeys, or enterprise identity systems, this architecture provides a scalable foundation that can evolve alongside future authentication standards and security requirements.
