DP Wp Appbestpractices2009!08!21


  • 7/30/2019 DP Wp Appbestpractices2009!08!21

    1/12

    A DigitalPersona Whitepaper

    Best Practices for Implementing Fingerprint Biometrics in Applications

    Tips and guidelines for achieving high performance in fingerprint-enabled applications using DigitalPersona's One Touch family of SDKs

    August 2009

    Biometrics can help you enhance the security and usability of your application. By following a few simple guidelines and using DigitalPersona's biometric software development kits, you can easily add fast fingerprint identification and verification capabilities that enable your application to recognize individual users without requiring other forms of ID. This can be used in a variety of ways, from sign-on and confirmation of important actions to special approvals by other users, to help combat fraud and boost customer efficiency.

    © 2009 DigitalPersona, Inc.


    Introduction

    Fingerprint biometrics makes it fast and easy for your application to determine who is using it. Biometrics can be used to:

    • Identify users without requiring other forms of ID (such as usernames, ID numbers or swipe cards).
    • Verify another form of identification without requiring passwords or PINs.
    • Confirm that particular actions are being performed by the right user, turning the fingerprint sensor into a kind of "Enter" key that tells your application who is doing what.
    • Prevent unauthorized access and stop former users from sneaking into your application.

    This whitepaper provides a variety of guidelines and tips that can help you use fingerprint biometrics to boost the security and usability of your application. It complements the documentation provided for DigitalPersona's software development kits, One Touch for Windows and One Touch I.D.

    Benefits of Using Fingerprint Biometrics

    Fingerprints provide a compelling way to differentiate your application:

    • Accountability: Fingerprints can tie actions to specific individuals, deterring inappropriate behavior.
    • Workforce Management: Fingerprints provide accurate time and attendance tracking, reducing waste.
    • Loss Prevention: Supervisors' fingerprints can be required for special actions, facilitating adherence to corporate policies.
    • Compliance: Fingerprints can be used to provide an audit trail identifying who came in contact with sensitive data.

    Keys to a Successful Application

    Applications that use fingerprint biometrics most successfully often have the following attributes:

    • Simple setup: Your application should guide users through registering or "enrolling" their fingerprint, typically when a user account is added. This usually takes about a minute and is only done once, often in the presence of a supervisor or administrator.


    • Ease of use: With a few visual cues from your application, fingerprints can be used with little effort to link specific actions to the individuals who perform them.
    • Speed: Implemented correctly, fingerprints can be used to recognize individuals within groups of thousands of people in under a second.
    • Flexibility: Allow users to register whichever fingers are most convenient for them, and allow two or more fingers to be used so that there is a backup in case of injury.
    • Privacy: Always store and use fingerprint templates, not raw images. This is much more efficient and helps protect users' privacy.
    • Logging: Record all uses of and failures to use biometrics, including details such as time, place, context within your application, and so on.

    Important Concepts About Fingerprints

    "Biometrics" literally means the measuring of a person's physical traits. It is a technology that can be used to recognize and authenticate individuals based on who they are, instead of what they know (passwords or PINs) or what they possess (keys or swipe cards).

    There are many types of biometrics, including palm or iris scanning, voice and face recognition. Fingerprints are the most widely used form of biometrics in commercial applications. Fingerprint sensors are now built into most notebook computers, are offered as an option on many brands of point-of-sale (POS) stations, and are increasingly being used in door locks, medical dispensary cabinets, and other embedded devices.

    When adding fingerprints to your application, the most important concepts to understand are:

    • Fingerprints are unique: No two people, even identical twins, have the same fingerprints.
    • Everybody has fingerprints: But sometimes the prints on one or more fingers can become difficult to read. Rough physical labor can wear prints down, and dry skin (whether due to climate or constant washing with alcohol-based cleaners) can make prints harder to detect. In contrast, body oil on fingers can actually help make fingerprints easier to read.
    • Images and Templates: When a user touches a fingerprint sensor, the hardware scans the pad of their finger to capture an image of their fingerprint. Commercial applications rarely use or store the raw fingerprint images; instead, they convert the image into a much smaller mathematical representation called a fingerprint template and then discard the original image. Templates cannot be converted back into the original image.
    • Registration or Enrollment: Scanning a person's fingerprints the first time is called registration or enrollment. This is typically done by an application in a controlled, secure setting, often under the supervision of an attendant. During enrollment, it is common practice to capture multiple scans of a fingerprint to increase accuracy and so that people can later touch the fingerprint sensor from different angles.
    • Matching: Comparing one fingerprint template against another template (usually the one created during the registration process) to see if they both represent the same fingerprint is called matching.


    • Identification: Comparing a fingerprint template against a database of many stored fingerprint templates (typically, the fingerprints of all users of your application) to see if one or more of them matches is called identification. This technique allows your application to determine who is using it without having to request other forms of ID such as usernames or ID numbers.
    • Verification: Using a fingerprint to confirm that a user is who they claim to be according to some other form of ID (such as a username or ID number) is called verification. Unlike other mechanisms such as passwords, swipe cards or PINs, fingerprints can't be lost, forgotten or shared.
    • Authentication: The act of confirming that somebody is who they claim to be is called authentication. It usually involves two steps: (1) identifying who they say they are; and (2) verifying that they really are that person. When a fingerprint is used to both identify and verify somebody in one step, it is often called "touch-and-go" authentication.
    • False Accept Rate (FAR): This is a measure of the probability that fingerprints from two different people might mistakenly be considered a match. A lower False Accept Rate requires a more exact match, which could force legitimate users to rescan their fingerprints on occasion. Most applications allow this rate to be adjusted to handle different populations of users.
    • False Reject Rate (FRR): This is a measure of the probability that fingerprints from a legitimate user might mistakenly be rejected as not matching the ones previously enrolled, forcing the user to rescan. Typically, a lower False Accept Rate will result in a higher False Reject Rate.
    • Failure To Capture (FTC): This occurs whenever a user presses their finger to the sensor and the sensor does not recognize that a finger is present. This can sometimes happen when people have very dry skin.
    • Duplicate Enrollment Check (DEC): This is the process of identifying individuals who have already registered their fingerprint with your application. This can be used during enrollment to make sure the user isn't being entered a second time.
    • User ID: The piece of data that your application uses internally to identify each distinct user of your application is frequently called a User ID. This unique identifier (often a form of username or serial number) is used to quickly look up information about each person in whatever data store is used to record user information.
    • User Account Data: Your application most likely stores information associated with each User ID in some sort of user account database. Typically, this includes attributes like account names, login names or IDs, ID numbers, PINs and other kinds of information that are used during sign-on.


    Steps for Using Fingerprints in Your Application

    To get the most out of fingerprint biometrics in your applications, focus on the following areas:

    • Where to Store Fingerprint Templates
    • Accessing Stored Fingerprint Templates
    • Enrolling Users' Fingerprints
    • Checking for Duplicate Enrollments
    • Preloading Templates at Application Startup
    • Looking Up Users by Their Fingerprint
    • Sign-on
    • Fingerprints as an "Enter" key
    • Approvals
    • Sign-out
    • Removing Users
    • Logging

    Fingerprints can be used to implement various security processes to make your application easier to use and more secure:

    • Identify users by their fingerprint: Give users "touch-and-go" authentication without the need for other forms of ID, like usernames, swipe cards or ID numbers.
    • Verify another form of ID: Fingerprints can be used to confirm that a username or ID number provided by the user actually belongs to them. This avoids the need for passwords or PINs, which can be easily lost, stolen or shared.

    Most applications give customers' administrators the ability to set policies that control how users log on to the application. Common examples of logon policies include:

    • Fingerprint only
    • Fingerprint or User ID + Password/PIN
    • Fingerprint and User ID + Password/PIN

    Your application implements the logic for these policies, giving you the flexibility to choose the most appropriate options for your customers.
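    One way to evaluate the three logon policies listed above, as an added example that is not part of the whitepaper or of any DigitalPersona SDK. The names LogonPolicy and evaluate_logon, the event labels and the sample users are assumptions; fp_user and pw_user stand for the User IDs that your fingerprint lookup and your password/PIN check have already resolved.

```python
from enum import Enum


class LogonPolicy(Enum):
    FINGERPRINT_ONLY = "fingerprint only"
    FINGERPRINT_OR_PASSWORD = "fingerprint or user ID + password/PIN"
    FINGERPRINT_AND_PASSWORD = "fingerprint and user ID + password/PIN"


def evaluate_logon(policy, fp_user, pw_user, enrolled_users):
    """Decide one sign-on attempt (hypothetical helper, not an SDK call).

    fp_user: User ID resolved from the scanned fingerprint, or None
             (no scan, or no match).
    pw_user: User ID whose password/PIN was verified, or None.
    enrolled_users: set of User IDs that have fingerprints on file.
    Returns (user_id or None, [(event, user_id, detail), ...]).
    """
    events = []
    user = None
    if policy is LogonPolicy.FINGERPRINT_ONLY:
        user = fp_user
    elif policy is LogonPolicy.FINGERPRINT_OR_PASSWORD:
        user = fp_user if fp_user is not None else pw_user
    elif fp_user is not None and fp_user == pw_user:
        # "And" policy: both factors must succeed and name the same account.
        user = fp_user
    elif fp_user is not None and pw_user is not None:
        # Valid password for one account, finger belonging to another.
        events.append(("factor-mismatch", pw_user,
                       f"fingerprint belongs to {fp_user}"))

    if user is None:
        events.append(("sign-on-failed", pw_user or fp_user, policy.value))
        return None, events

    used_fp = fp_user == user
    used_pw = pw_user == user and policy is not LogonPolicy.FINGERPRINT_ONLY
    method = "+".join(name for name, used in
                      (("fingerprint", used_fp), ("password", used_pw)) if used)
    events.append(("sign-on", user, method))
    # Note when a user with enrolled fingerprints signed on without them.
    if not used_fp and user in enrolled_users:
        events.append(("enrolled-user-skipped-fingerprint", user, policy.value))
    return user, events


if __name__ == "__main__":
    # Constructed sample: alice has fingerprints on file but typed a password.
    print(evaluate_logon(LogonPolicy.FINGERPRINT_OR_PASSWORD,
                         None, "alice", {"alice"}))
```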

    Where to Store Fingerprint Templates

    The fingerprint templates that are created whenever a user enrolls fingerprints need to be stored in a way that your application can access them and know the user accounts to which they correspond.

    Your existing user account data probably already has some form of User ID that can be used to quickly look up information about the user (e.g., a username or ID number). Fingerprints can provide a quick way to determine this User ID without having to ask the user for another form of ID.

    There are two common approaches to choosing where fingerprint template data is placed:

    Where: Extend Existing User Account Data
      How: Add fingerprint templates (at least two) as extra fields in the data you store about each User ID.
      Pros: Takes advantage of your existing data backup and management tools.
      Cons: Requires changes to existing user data structures.

    Where: Use a Separate Database
      How: Store fingerprint templates in a separate database along with the User ID to which they correspond.
      Pros: Insulates fingerprint templates from user data for enhanced privacy and security.
      Cons: Adds another database to back up and maintain.

    Fingerprint templates are typically represented as binary data stored in variable-length arrays of bytes.


    The template format used most commonly with DigitalPersona software development kits is less than 2048 bytes long; however, other template formats have different sizes. If you are using Microsoft SQL Server, you can use a varbinary(3000) field.

    Accessing Stored Fingerprint Templates

    If your application can be used by multiple people at the same time (such as from different computers, POS stations or other devices), you can minimize memory consumption and code complexity by creating a separate service for storing and looking up templates. This service, which can even run on a separate computer, can be called by other parts of your application using technologies such as RPC, DCOM, WCF, or Web Services. It provides an internal interface for your application to look up the User ID associated with a given fingerprint template. Keeping stored fingerprint data insulated from your end users also helps to protect people's privacy.

    Enrolling Users' Fingerprints

    Each person who will be using fingerprints with your application has to enroll their fingerprints with your software. Many applications make this part of the user account creation or provisioning process. Typically, an administrator or other authorized user brings up the appropriate screen within your application and helps the user through their initial fingerprint scans.

    The middle finger, index finger and thumb on each hand typically provide the best fingerprints to use.

    To avoid matching problems in case of an injured finger, your application should ask users to register fingerprints from at least two fingers.

    Graphical screens should be used to guide the user through the enrollment process. While touching a fingerprint reader is a natural, easy-to-understand action, including a picture or short video of somebody touching the pad (not the tip) of their finger to the surface of the fingerprint reader can avoid problems later.

    DigitalPersona's One Touch for Windows SDK includes graphical user interface controls that can either be used as-is or to provide ideas if you wish to create your own interface.

    If you create your own enrollment screens, make sure that users scan their fingerprints several times to make subsequent matches more reliable.

    Also, make sure that your application handles each of the events that One Touch for Windows delivers and provides visual feedback to the user.


    Checking for Duplicate Enrollments

    With biometrics, you can easily catch people who attempt to enroll more than once to use your application. This gives you the ability to consolidate older accounts, avoid accidental duplicate registrations, and prevent fraudulent attempts to masquerade as somebody else.

    Your application can either check for duplicates in real time during enrollment or offline as part of a database cleansing process. Either approach can be implemented with One Touch I.D. and is useful even if your application only uses fingerprints to verify another form of ID.

    Preloading Templates at Application Startup

    To use One Touch I.D., your application will need to load all the enrolled fingerprint templates into memory before any lookups can be performed. Since this process can potentially take a number of seconds to a minute or more depending upon the number of templates, loading the enrolled fingerprint templates should be done once at startup in the service mentioned above. Do not wait until the first time an attempt is made to look up or match a fingerprint.

    When your application starts, have it iterate over the enrolled fingerprint templates (wherever you have chosen to store them) and use One Touch I.D. to add each one, along with its User ID, to an identification collection object. Once this is done, individual lookups will typically take less than a second, even when there are thousands of enrolled templates.

    If you are not using fingerprints for identification, but only to verify another form of ID, you do not need to use One Touch I.D. and do not need to preload templates.

    Looking Up Users by Their Fingerprint

    Fingerprints provide a natural way for your application to recognize the user without the need for other forms of ID (e.g., usernames, ID numbers, or swipe cards). People learn quickly how to use fingerprints and can do so naturally, without having to stop or interrupt the flow of what they are doing. This makes fingerprints ideal not only for sign-on, but also for confirming who is performing important operations, especially when multiple people might be involved (such as for an approval).

    One Touch I.D. is specifically designed for fingerprint identification. As mentioned above, if your application can be used by multiple people simultaneously from separate devices, this capability is best implemented in a separate service or module that multiple instances of your application can call at the same time.

    Whenever a fingerprint is scanned, your application will be notified so that it can extract a template from the fingerprint (see the section on Sign-On below for a more detailed description). Your code should then pass the template to the service or module that is calling One Touch I.D.

    Your service or module may receive more than one possible match back from One Touch I.D. [1] If this happens, your code can do an explicit match against the first returned template to see if it is the correct enrolled template. If it is not, your application should log which users were mismatched and alert the administrator that the False Accept Rate has probably been set too low.

    [1] Under certain conditions, a fingerprint template may partially match multiple enrolled templates, particularly if your application has lowered the False Accept Rate to allow people with hard-to-read fingerprints to use your application without having to touch the fingerprint scanner multiple times.


    Once the appropriate enrolled template has been identified, your service or module can then return the User ID associated with the template to your application. You may wish to also return the enrolled template that was matched so that the caller can cache it for quick matching in the future.

    If you will be using fingerprints to confirm actions that are performed frequently, obtain a copy of the enrolled fingerprint from your fingerprint lookup service or module and cache it in your application. Your code can then rapidly perform a direct match against the fingerprint in cache before attempting a full lookup.

    Never implement fingerprint identification by iterating over your database of enrolled fingerprint templates, matching each one individually. This approach is very inefficient and will make users think your application is slow. Instead, use One Touch I.D. At most, only ever do individual matching against a small cache of recently used templates as an optimization.

    Finally, always create a log entry whenever users sign on and note whether or not they used their fingerprint. Even if you do not create a policy requiring the use of fingerprints to sign on, it is still a good idea to note when anyone with registered fingerprints signs on without using them. This can help customers spot potential problems early.
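    The lookup order described in this section (cached template first, then full identification, then an explicit confirmation when several candidates come back), as an added example that is not code from the whitepaper or from the One Touch SDKs. LookupService, its thresholds and the similarity() matcher are hypothetical stand-ins, and the "templates" are constructed integer sets so the flow can run without a sensor.

```python
import logging
from dataclasses import dataclass, field

audit = logging.getLogger("fingerprint.audit")


def similarity(a, b):
    """Constructed stand-in for an SDK matcher: Jaccard overlap of feature sets.
    Real templates are opaque byte arrays that only the SDK can score."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


@dataclass
class LookupService:
    identify_threshold: float   # loose 1:N screen (hypothetical parameter)
    verify_threshold: float     # strict 1:1 confirmation (hypothetical parameter)
    enrolled: list = field(default_factory=list)  # (user_id, template) pairs
    cache: dict = field(default_factory=dict)     # user_id -> last matched template
    alerts: list = field(default_factory=list)    # messages for the administrator
    identify_calls: int = 0

    def preload(self, rows):
        """Load every enrolled template once, at service startup."""
        self.enrolled = [(uid, frozenset(t)) for uid, t in rows]

    def _identify(self, probe):
        """Stand-in for the SDK's 1:N identification call (candidates, best
        first). The loop only fakes the engine; production code calls the SDK."""
        self.identify_calls += 1
        hits = [(similarity(probe, t), uid, t) for uid, t in self.enrolled]
        hits = [h for h in hits if h[0] >= self.identify_threshold]
        return sorted(hits, key=lambda h: h[0], reverse=True)

    def lookup(self, probe, session_user=None):
        """Return (user_id or None, how) for one scanned template."""
        probe = frozenset(probe)
        # 1. Direct match against the template cached for the signed-on user.
        cached = self.cache.get(session_user)
        if cached is not None and similarity(probe, cached) >= self.verify_threshold:
            audit.info("match user=%s via=cache", session_user)
            return session_user, "cache"
        # 2. Full identification against the preloaded collection.
        candidates = self._identify(probe)
        if not candidates:
            audit.warning("no match session_user=%s", session_user)
            return None, "no-match"
        _, uid, template = candidates[0]
        # 3. Several candidates: explicitly match the first one before trusting it.
        if len(candidates) > 1 and similarity(probe, template) < self.verify_threshold:
            users = [c[1] for c in candidates]
            audit.warning("mismatched users=%s", users)
            self.alerts.append(
                f"mismatched users {users}: review the False Accept Rate setting")
            return None, "ambiguous"
        self.cache[uid] = template
        audit.info("match user=%s via=identify", uid)
        return uid, "identified"

    def sign_out(self, user_id):
        """Release the cached template when the user signs out."""
        self.cache.pop(user_id, None)


# Constructed sample data: small integer sets stand in for templates.
ENROLLED = [
    ("alice", range(1, 11)),
    ("bob", [1, 2, 3, 4, 5, 6, 21, 22, 23, 24]),
    ("carol", range(31, 41)),
]


def demo():
    svc = LookupService(identify_threshold=0.4, verify_threshold=0.7)
    svc.preload(ENROLLED)
    alice_scan = [1, 2, 3, 4, 5, 6, 7, 8, 9, 50]
    results = [
        svc.lookup(alice_scan),                                          # sign-on
        svc.lookup(alice_scan, "alice"),                                 # confirm an action
        svc.lookup([31, 32, 33, 34, 35, 36, 37, 38, 39, 60], "alice"),   # another user approves
        svc.lookup([1, 2, 3, 4, 5, 6, 7, 21, 22, 50]),                   # scan close to two users
        svc.lookup(range(90, 100)),                                      # unknown finger
    ]
    return svc, results


if __name__ == "__main__":
    service, outcome = demo()
    print(outcome, service.alerts)
```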

    Sign-On

    The most common use of fingerprints is for sign-on, either as a form of identification or as a way to confirm another form of ID.

    When a user scans their fingerprint during sign-on, your application will receive an event from the fingerprint SDK indicating that an image or template (depending on which SDK you are using) is available. If your application is using an SDK that provides a raw image, immediately extract the fingerprint template and discard the original image.

    Two-Finger Matching: For extra-high security, you can request and match two fingerprints instead of just one. To avoid surprising users, always ask for both fingerprints, even if the first one correctly matches. This technique can also be used to improve recognition rates for people with hard-to-read fingerprints.

    If you are using fingerprints as a form of ID, your sign-on code can call your lookup service or module (see above) to determine the User ID of the person who touched the fingerprint reader.

    If you are only using fingerprints for verification, then your application can use the other form of ID to determine which User ID to look up. That User ID can then be used to find the user's enrolled templates to compare against.


    Fingerprints as an "Enter" Key

    Fingerprints are useful for more than just sign-on. They are a fast, intuitive way for users to confirm that they are who they say they are when performing individual application functions, such as:

    • Entering new orders
    • Changing or deleting important data
    • Opening a cash drawer in a cash register
    • Printing sensitive information
    • Accessing client credit card numbers

    When you have an action that you want to confirm by a fingerprint, prompt the user to touch the fingerprint sensor and obtain a template as described above.

    Then, since most people tend to use the same finger over and over, if your application has previously cached the enrolled template that was successfully matched at sign-on, then try to match that cached template first.

    If your application isn't caching any recently used templates, or the template didn't match, do a lookup using the approach described above for sign-on. This will tell you whether the fingerprint came from a different finger on the same person or from a different person.

    If the fingerprint doesn't come from the user who signed on, you can use the template to determine if another authorized user is attempting to use your application. This is an easy way to implement approvals by supervisors or other privileged users (see next section).

    Make sure that your application logs the fact that the action was confirmed with a fingerprint.

    As stated before, never iterate over all enrolled fingerprints looking for a match. It will make your application very slow, particularly as the number of users rises. Instead, use One Touch I.D. to deliver a vastly superior user experience.

    Approvals

    Fingerprints can help guide users to follow proper business processes. They provide a simple way to allow other people (such as supervisors or administrators) to authorize actions requiring special permissions without cumbersome switching of users.

    Your application implements the logic for approvals, giving you full control. For operations that require authentication from somebody with special privileges, provide a visual prompt explicitly identifying the privilege level required or the role of the person needed (e.g., "Manager Fingerprint Required for Override").

    A simple way to implement approvals is to use One Touch I.D. to identify which user scanned their fingerprint and, if that user is properly authorized, take the appropriate action. This eliminates the need to prompt for another form of identification (e.g., a username, login name, ID number or PIN) to determine which user has scanned a fingerprint. Workflow is fast and efficient, and a powerful audit trail can be created.

    If you are not using One Touch I.D. and don't wish to prompt for another form of ID, you will likely need to implement some form of persistent caching to avoid having to iterate over the list of all registered fingerprints. However, this adds significant complexity to your application and can greatly reduce performance.

    Always have your application log all approval attempts, successful and failed.


    Sign-Out

    When a user signs out of your application, all temporary copies of fingerprint templates that your application is keeping in memory should be released. If your application is not using One Touch I.D. but is maintaining its own persistent cache of registered fingerprint templates that have recently been used, make sure the cache is properly updated.


    As always, make sure your application logs the fact that the user has signed out.

    Removing Users

    Using fingerprints to control access to your application makes it easy to immediately block access by people whose permissions have been revoked (e.g., former employees or people who changed roles).

    The easiest approach is to delete any templates associated with the former user. If your application uses One Touch I.D., remove the user from the identification collection that was created at startup to immediately prevent their fingerprints from being recognized. Then delete the registered templates from the user data record or from the separate fingerprint template database.

    If you wish to provide the ability for customers to flag terminated users who attempt to use their fingerprints to gain inappropriate access, do not immediately remove the user's fingerprint templates. Instead, mark the user's account data as disabled. Then, when a user attempts to access your application, simply check the status of that user's account to determine their access rights and log any failures.

    If your application does provide such temporary retention of biometric data, make sure that you give customers the ability to permanently flush the registered fingerprint templates from former users after a given number of days. Administrators should be able to control the length of time and to immediately delete templates if needed. This is important as it enables the customer to comply with any local data retention regulations and policies.
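    The disable-then-flush lifecycle described above, together with the separate template store and the two-finger enrollment rule from earlier sections, as an added example that is not the whitepaper's or the SDK's own code. SQLite stands in for the SQL Server store the page mentions, and every table, column, function and event name here is hypothetical; the template bytes in the test data are constructed.

```python
import sqlite3

DAY = 86400  # seconds; timestamps are plain integers so runs are repeatable

# Separate template store keyed by User ID. The 3000-byte cap mirrors the
# varbinary(3000) column size suggested on the page.
SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, disabled_at INTEGER);
CREATE TABLE templates (
    user_id  TEXT NOT NULL,
    finger   TEXT NOT NULL,
    template BLOB NOT NULL CHECK (length(template) BETWEEN 1 AND 3000),
    PRIMARY KEY (user_id, finger)
);
CREATE TABLE audit (ts INTEGER, event TEXT, user_id TEXT, detail TEXT);
"""


def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _log(db, ts, event, user_id, detail=""):
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)", (ts, event, user_id, detail))


def enroll(db, ts, user_id, templates):
    """templates: {finger name: template bytes}; at least two fingers required."""
    if len(templates) < 2:
        with db:
            _log(db, ts, "enroll-failed", user_id, "fewer than two fingers")
        raise ValueError("enroll at least two fingers")
    with db:  # one transaction: a rejected template rolls back the user row too
        db.execute("INSERT INTO users VALUES (?, NULL)", (user_id,))
        db.executemany("INSERT INTO templates VALUES (?, ?, ?)",
                       [(user_id, f, t) for f, t in templates.items()])
        _log(db, ts, "enrolled", user_id, ",".join(sorted(templates)))


def disable_user(db, ts, user_id):
    """Revoke access but keep templates so later attempts can be flagged."""
    with db:
        db.execute("UPDATE users SET disabled_at = ? WHERE user_id = ?", (ts, user_id))
        _log(db, ts, "disabled", user_id)


def check_access(db, ts, user_id):
    """Call after a fingerprint match resolves to user_id."""
    row = db.execute("SELECT disabled_at FROM users WHERE user_id = ?",
                     (user_id,)).fetchone()
    allowed = row is not None and row[0] is None
    if not allowed:
        with db:
            _log(db, ts, "access-denied", user_id, "disabled or unknown account")
    return allowed


def purge_expired(db, ts, retention_days):
    """Flush templates of users disabled for at least retention_days.
    The caller should also drop those users from any preloaded collection."""
    cutoff = ts - retention_days * DAY
    removed = 0
    with db:
        expired = [r[0] for r in db.execute(
            "SELECT DISTINCT t.user_id FROM templates t JOIN users u USING (user_id) "
            "WHERE u.disabled_at IS NOT NULL AND u.disabled_at <= ?", (cutoff,))]
        for user_id in expired:
            removed += db.execute("DELETE FROM templates WHERE user_id = ?",
                                  (user_id,)).rowcount
            _log(db, ts, "templates-purged", user_id, f"retention {retention_days}d")
    return removed


def delete_templates_now(db, ts, user_id):
    """Immediate, administrator-initiated deletion."""
    with db:
        removed = db.execute("DELETE FROM templates WHERE user_id = ?",
                             (user_id,)).rowcount
        _log(db, ts, "templates-deleted", user_id, f"{removed} templates")
    return removed
```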

    Logging

    Fingerprints are valuable as a deterrent to inappropriate behavior, as a way of improving usability, and as a valuable source of data for an audit trail. Your application should automatically log all authentication and security activities, including:

    • Whenever a user enrolls a fingerprint.
    • Whenever somebody has trouble enrolling.
    • Whenever a duplicate enrollment is detected.
    • Whenever somebody signs on, confirms an action or otherwise authenticates, with the ways in which they authenticated.
    • Whenever somebody tries to authenticate but can't.
    • Whenever somebody who has fingerprints enrolled authenticates without them.
    • Whenever security settings are changed, especially False Accept Rate. Setting this improperly can have serious consequences. Make sure to include both the old and new values.


    Troubleshooting and Preventing Problems

    The following capabilities can simplify your customers' use of fingerprints and avoid common problems.

    Provide visual feedback during fingerprint use

    While fingerprints are naturally easy for people to understand, applications should provide feedback during successes as well as failures:

    • Prompt the user when a fingerprint is needed.
    • Warn when the sensor is disconnected.
    • Prompt the user to retry if a finger is detected but no match is received within a second or two.
    • Warn when a fingerprint is received but no match is found.
    • Indicate success when a match is found.

    Offer help when repeated failures occur

    You can dramatically improve the user experience of your application by detecting repeated failed attempts to use the fingerprint reader and offering hints, such as:

    • Touch the fingerprint sensor with the flat pad of your finger, not the tip.
    • If your fingers are very dry, try touching your forehead with the pad of the finger you are trying to scan and then rescanning your fingerprint.
    • If the fingerprint sensor is dirty, gently dab it with the sticky side of a piece of cellophane tape. Do not rub it with paper and do not get it wet.

    Provide administrative settings for FAR

    For some populations of users, the default False Accept Rate settings might be too restrictive or too forgiving, particularly when fingerprints are used for identification (for verification, the settings rarely need to be changed).

    If you are using fingerprints for identification, you should provide a way for administrators (but not end users) to adjust the FAR settings. For example:

    Your application can map "High" or "Low" settings to the appropriate values needed by the appropriate SDKs.

    Incorrectly adjusting the FAR can have serious consequences. It is extremely important that your application set the FAR according to the SDK documentation and provide administrators a thorough explanation of FAR options within your user interface to avoid confusion.

    Test Your Application with Multiple People

    The ease with which people's fingerprints can be read is affected by many factors, including dryness, age, as well as wear and tear. For best results, try your implementation with multiple and diverse people.


    Summary

    Biometrics can help you enhance the security and usability of your application. By following a few simple guidelines and using DigitalPersona's biometric software development kits, you can easily add fast fingerprint identification and verification capabilities that enable your application to recognize individual users without requiring other forms of ID. This can be used in a variety of ways, from sign-on and confirmation of important actions to special approvals by other users, to help combat fraud and boost customer efficiency.

    DigitalPersona, Inc., is a leading provider of fingerprint biometrics products for embedded application developers, restaurant/retail POS solutions, enterprises and consumers. The company offers software and hardware that protects people and businesses by enabling them to control their digital identities. For end users, DigitalPersona provides strong identity protection that's uniquely easy to use; the company's business solutions help organizations address growing security, compliance and loss-prevention demands. DigitalPersona's award-winning technology has been used worldwide by over 95 million people, and its solutions are offered by market-leading manufacturers such as HP, Dell, IBM and NCR. For more information contact DigitalPersona, Inc. at +1 650.474.4000, or visit www.digitalpersona.com.

    © 2009 DigitalPersona Inc. All rights reserved. DigitalPersona and One Touch are trademarks of DigitalPersona, Inc., registered in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.
