Add Windows biometric authentication support using Windows Hello #2

Description

@azu

Summary

Add support for biometric authentication on Windows systems using the Windows Hello API.

Background

Currently, confirm-pam only supports Touch ID authentication on macOS. To provide cross-platform biometric authentication, we need to implement Windows support using Windows Hello, which supports fingerprint, face recognition, and PIN authentication.

Technical Approach

Dependencies

  • Windows Hello API: Native Windows biometric authentication framework
  • Windows Runtime (WinRT): Modern Windows API for accessing Hello functionality
  • windows-rs crate: Rust bindings for Windows APIs

Implementation Plan

  1. Capability Detection: Check if Windows Hello is available and configured
  2. Authentication: Use Windows Hello API to prompt for biometric authentication
  3. Fallback Handling: Support multiple authentication methods (fingerprint, face, PIN)
  4. Error Handling: Graceful handling when biometric hardware is unavailable
  5. Testing: Ensure compatibility across Windows 10/11 versions

Example Windows Hello Integration

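// Pseudo-code for Windows implementation
use windows::{core::HSTRING, Security::Credentials::UI::*};

#[derive(Debug)]
enum AuthError {
    BiometricsUnavailable,
    DeviceNotPresent,
    NotConfigured,
    DisabledByPolicy,
    DeviceBusy,
    RetriesExhausted,
    // Failure reported by the WinRT call itself
    Api(windows::core::Error),
}

// Lets `?` convert WinRT call failures into AuthError
impl From<windows::core::Error> for AuthError {
    fn from(e: windows::core::Error) -> Self {
        AuthError::Api(e)
    }
}

async fn authenticate_windows(message: &str) -> Result<bool, AuthError> {
    // Check if Windows Hello is available
    let availability = UserConsentVerifier::CheckAvailabilityAsync()?.await?;

    if availability != UserConsentVerifierAvailability::Available {
        return Err(AuthError::BiometricsUnavailable);
    }

    // Request biometric authentication (WinRT strings are passed as HSTRING)
    let result =
        UserConsentVerifier::RequestVerificationAsync(&HSTRING::from(message))?.await?;

    // windows-rs exposes WinRT enums as newtypes with associated constants,
    // so the match needs a catch-all arm
    match result {
        UserConsentVerificationResult::Verified => Ok(true),
        UserConsentVerificationResult::DeviceNotPresent => Err(AuthError::DeviceNotPresent),
        UserConsentVerificationResult::NotConfiguredForUser => Err(AuthError::NotConfigured),
        UserConsentVerificationResult::DisabledByPolicy => Err(AuthError::DisabledByPolicy),
        UserConsentVerificationResult::DeviceBusy => Err(AuthError::DeviceBusy),
        UserConsentVerificationResult::RetriesExhausted => Err(AuthError::RetriesExhausted),
        UserConsentVerificationResult::Canceled => Ok(false),
        // Any value not listed above is treated as not verified
        _ => Ok(false),
    }
}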

Acceptance Criteria

  • Detect if Windows Hello is available and configured on the system
  • Support multiple biometric authentication methods (fingerprint, face recognition)
  • Display custom authentication message to user
  • Return appropriate exit codes (0=success, 1=failure, 2=error)
  • Handle cases where Windows Hello is disabled or not configured
  • Graceful fallback when biometric hardware is not available
  • Test on Windows 10 (version 1903+) and Windows 11
  • Support both traditional Windows login and Microsoft account scenarios

Dependencies

  • Add windows crate for Windows API integration
  • Conditional compilation for Windows-specific code
  • Async runtime support for Windows Hello API calls

Windows Hello Supported Authentication Methods

  1. Fingerprint: Physical fingerprint scanners
  2. Face Recognition: Windows Hello face authentication
  3. PIN: Secure PIN as fallback
  4. Security Keys: FIDO2 hardware keys (future consideration)

Additional Notes

The implementation should follow the same patterns as the existing macOS Touch ID implementation to maintain consistency across platforms. Windows Hello provides a unified API that abstracts the underlying biometric hardware, making implementation more straightforward than platform-specific drivers.

Related: This issue addresses the Windows support mentioned in the Platform Support section of the README.

Minimum System Requirements

  • Windows 10 version 1903 (19H1) or later
  • Windows 11 (all versions)
  • Biometric hardware (fingerprint reader, IR camera, etc.) or configured PIN
  • Windows Hello enabled in system settings
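
The exit-code contract from the acceptance criteria (0=success, 1=failure, 2=error), sketched as an added example that is not part of the original issue or the confirm-pam code base. It shows a fail-closed mapping in which only a verified result yields 0; `Outcome`, `AuthError`, `classify`, `exit_code` and `run` are hypothetical names, and the numeric values are those documented for the WinRT `UserConsentVerificationResult` enum.

```rust
// Added example, not confirm-pam code. All type and function names here
// are hypothetical; the raw values are constructed samples.
use std::panic::{catch_unwind, UnwindSafe};

#[derive(Debug, PartialEq)]
enum Outcome { Verified, Denied }

#[derive(Debug, PartialEq)]
enum AuthError {
    DeviceNotPresent, NotConfigured, DisabledByPolicy,
    DeviceBusy, RetriesExhausted, Unknown(i32),
}

/// Classify the numeric value of a UserConsentVerificationResult.
/// Values a later Windows release might add become errors, never success.
fn classify(raw: i32) -> Result<Outcome, AuthError> {
    match raw {
        0 => Ok(Outcome::Verified),
        1 => Err(AuthError::DeviceNotPresent),
        2 => Err(AuthError::NotConfigured),
        3 => Err(AuthError::DisabledByPolicy),
        4 => Err(AuthError::DeviceBusy),
        5 => Err(AuthError::RetriesExhausted),
        6 => Ok(Outcome::Denied), // Canceled by the user
        other => Err(AuthError::Unknown(other)),
    }
}

/// 0 = success, 1 = failure, 2 = error, as in the acceptance criteria.
fn exit_code(result: &Result<Outcome, AuthError>) -> u8 {
    match result {
        Ok(Outcome::Verified) => 0,
        Ok(Outcome::Denied) => 1,
        Err(_) => 2,
    }
}

/// Run a platform backend; a panic inside it is reported as an error (2).
fn run<F>(backend: F) -> u8
where F: FnOnce() -> Result<Outcome, AuthError> + UnwindSafe {
    catch_unwind(backend).map_or(2, |r| exit_code(&r))
}

fn main() {
    // Constructed sample values standing in for results returned by Windows.
    for raw in [0, 6, 3, 42] {
        println!("raw={raw} -> exit {}", run(move || classify(raw)));
    }
}
```

Scripts that gate an action on this tool's exit status should compare against 0 explicitly, so that both 1 and 2 block the action.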
