Building a Cross-Platform Credential Manager in .NET MAUI

πŸ” Building a Cross-Platform Credential Manager in .NET MAUI

Designing a Secure, Unified Authentication Experience Across Android, iOS, Windows, and macOS

Authentication has evolved significantly over the past decade. Applications are no longer limited to simple username and password forms. Modern users expect seamless authentication experiences that integrate with the operating system while maintaining strong security guarantees. Today's enterprise applications commonly support:

  • πŸ”‘ Passwords
  • πŸ‘† Biometrics
  • πŸ” Passkeys
  • ☁️ Password Managers
  • πŸͺͺ Enterprise Identity Providers
  • πŸ”„ Single Sign-On (SSO)
  • πŸ‘€ Multiple user accounts

Managing these authentication mechanisms independently quickly becomes difficult, especially when targeting multiple platforms. Android, iOS, Windows, and macOS all expose different APIs, capabilities, permission models, and credential providers.

Rather than scattering platform-specific authentication code throughout an application, a better approach is to build a Credential Manager: a centralized abstraction responsible for securely creating, storing, retrieving, updating, and deleting user credentials regardless of the underlying operating system.

In this guide, we'll design a reusable, enterprise-grade Credential Manager architecture for .NET MAUI capable of supporting passwords, passkeys, biometrics, secure storage, multiple identity providers, and future authentication technologies.


Why Build a Credential Manager?

Many applications begin with something like this:

Login Page
      β”‚
SecureStorage
      β”‚
     API

As the application evolves, additional authentication methods appear:

  • Google Sign-In
  • Apple Sign-In
  • Microsoft Entra ID
  • Passkeys
  • Face ID
  • Touch ID
  • Windows Hello
  • Password Autofill Soon authentication logic becomes scattered across multiple services. A centralized Credential Manager eliminates this complexity.

Responsibilities

A Credential Manager should handle:

  • Credential storage
  • Credential retrieval
  • Credential deletion
  • Password autofill
  • Passkey authentication
  • Biometric verification
  • Token management
  • Multiple accounts
  • Credential migration
  • Session restoration Instead of multiple services:
Login
Storage
Biometrics
Passkeys
Password Manager

everything becomes:

Credential Manager

High-Level Architecture

                  UI
                  β”‚
                  β–Ό
      Credential Manager Service
                  β”‚
     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
     β”‚            β”‚            β”‚
Passwords   Passkeys   Biometrics
     β”‚            β”‚            β”‚
     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                  β”‚
          Platform Providers
                  β”‚
     Android  iOS  Windows  macOS

Business logic never communicates directly with platform APIs.


Platform Capabilities

Platform Native Credential Provider
Android Credential Manager API
iOS Authentication Services
macOS Authentication Services
Windows Windows Hello + WebAuthn

A cross-platform abstraction allows applications to use each provider transparently.


Defining the Service Contract

public interface ICredentialManager
{
    Task SaveCredentialAsync(UserCredential credential);

    Task<UserCredential?> GetCredentialAsync();

    Task DeleteCredentialAsync();

    Task<bool> AuthenticateAsync();

    Task LogoutAsync();
}

The application interacts only with this interface.


Dependency Injection

builder.Services.AddSingleton<
    ICredentialManager,
    CredentialManager>();

Credential Model

public class UserCredential
{
    public string Username { get; init; }

    public string AccessToken { get; init; }

    public string RefreshToken { get; init; }

    public DateTime Expiration { get; init; }

    public CredentialType Type { get; init; }
}

Credential Types

public enum CredentialType
{
    Password,
    Passkey,
    OAuth,
    EnterpriseSSO,
    Biometric
}

Future authentication mechanisms can easily be added.


Secure Storage

Sensitive information should never be stored as plain text. The Credential Manager should leverage platform-secure storage:

Android Keystore
        β”‚
SecureStorage
        β”‚
Credential Manager

and

iOS Keychain
      β”‚
SecureStorage
      β”‚
Credential Manager

This ensures credentials remain protected even if the application sandbox is inspected.


Supporting Multiple Accounts

Enterprise applications often allow users to switch between accounts. Architecture:

Credential Manager
       β”‚
       β”œβ”€β”€ Account A
       β”œβ”€β”€ Account B
       β”œβ”€β”€ Account C
       └── Active Account

Switching users becomes trivial.


Password Autofill

Rather than forcing users to type credentials repeatedly, modern operating systems provide autofill services. Workflow:

Login Screen
      β”‚
Credential Provider
      β”‚
Stored Credentials
      β”‚
Auto Fill

The Credential Manager integrates with these native experiences.


Biometric Authentication

Before exposing stored credentials, require biometric verification. Example flow:

Retrieve Credentials
         β”‚
      Face ID
      Touch ID
      Windows Hello
         β”‚
   Access Granted

Example:

await credentialManager.AuthenticateAsync();

Only after successful authentication are credentials returned.


Supporting Passkeys

Passkeys eliminate traditional passwords. Authentication flow:

User
   β”‚
Passkey
   β”‚
Platform Authenticator
   β”‚
Server Challenge
   β”‚
Authentication Complete

The Credential Manager abstracts this complexity behind a unified API.


Session Restoration

Most applications automatically restore previous sessions. Startup sequence:

Application Launch
        β”‚
Credential Manager
        β”‚
Stored Credentials
        β”‚
Validate Token
        β”‚
Home Page

Users remain signed in without re-entering credentials.


Token Refresh

Access tokens expire. Instead of forcing users to log in again:

Expired Token
      β”‚
Refresh Token
      β”‚
Identity Provider
      β”‚
New Access Token

The Credential Manager handles renewal transparently.


Enterprise Identity Providers

The same architecture supports:

  • Microsoft Entra ID
  • OAuth 2.0
  • OpenID Connect
  • IdentityServer
  • Auth0
  • Okta Authentication providers remain interchangeable.

Credential Lifecycle

Create
   β”‚
Store
   β”‚
Use
   β”‚
Refresh
   β”‚
Revoke
   β”‚
Delete

Managing the complete lifecycle in one component simplifies maintenance.


Error Handling

Possible failures include:

  • Invalid credentials
  • Biometric cancellation
  • Token expiration
  • Provider unavailable
  • Secure storage unavailable Expose meaningful exceptions or result objects instead of generic failures.

Offline Authentication

Some enterprise applications must authenticate users without network connectivity. Possible strategy:

Encrypted Credentials
        β”‚
Biometric Verification
        β”‚
Offline Access

Server synchronization can occur later.


Security Considerations

A Credential Manager should never: ❌ Store passwords unencrypted ❌ Expose refresh tokens unnecessarily ❌ Cache secrets in memory longer than required ❌ Log authentication data Instead:

  • Use secure platform storage
  • Minimize token lifetime
  • Clear sensitive memory when possible
  • Rotate refresh tokens
  • Validate device integrity when appropriate

Integrating with RASP

Credential protection becomes even stronger when combined with a Runtime Application Self-Protection (RASP) layer. Example:

Credential Request
        β”‚
RASP Validation
        β”‚
Trusted Device?
        β”‚
Yes β†’ Return Credentials

No β†’ Block Access

Authentication decisions can consider device trust, debugger detection, root status, or runtime tampering.


Enterprise Scenarios

🏦 Banking

Protect customer credentials with biometrics and passkeys.


πŸ₯ Healthcare

Provide secure clinician authentication while minimizing login friction.


🏒 Corporate Applications

Support Microsoft Entra ID and multiple enterprise accounts.


πŸ“¦ Logistics

Enable shared devices while isolating credentials for different operators.


πŸ›’ Retail

Restore cashier sessions securely after device sleep or application restart.


Future Enhancements

A Credential Manager can evolve to include:

  • Passwordless authentication
  • Device trust evaluation
  • Continuous authentication
  • Risk-based authentication
  • Hardware-backed key attestation
  • Secure credential synchronization
  • Identity wallets
  • Verifiable Credentials
  • Decentralized Identity (DID)

Best Practices

βœ… Centralize all credential operations. βœ… Separate authentication from credential storage. βœ… Leverage platform-native credential providers. βœ… Protect credentials with biometrics whenever possible. βœ… Support multiple authentication mechanisms. βœ… Design for future passwordless authentication.


Reference Links


πŸš€ Key Takeaways

  • A Credential Manager centralizes authentication and credential handling behind a single abstraction.
  • Platform-native credential providers offer better security and a more seamless user experience than custom implementations.
  • Supporting passwords, passkeys, biometrics, and enterprise identity providers within the same architecture simplifies application maintenance.
  • Secure storage, token lifecycle management, and biometric verification are essential for protecting sensitive credentials.
  • Combining a Credential Manager with modern security layers such as RASP creates a robust, enterprise-ready authentication strategy for cross-platform applications.

πŸ” Final Thoughts

Authentication is no longer just about validating a username and passwordβ€”it is about providing secure, seamless, and frictionless access across a growing ecosystem of devices, identity providers, and authentication methods.

By implementing a dedicated Credential Manager in .NET MAUI, developers can isolate authentication complexity behind a clean abstraction while taking full advantage of each platform's native capabilities. Whether integrating password managers, biometrics, passkeys, or enterprise identity systems, this architecture provides a scalable foundation that can evolve alongside future authentication standards and security requirements.


An unhandled error has occurred. Reload πŸ—™