DP Wp Appbestpractices2009!08!21

7/30/2019 DP Wp Appbestpractices2009!08!21

1/12

ADigitalPersonaWhitepaper

BestPracticesforImplementing

FingerprintBiometricsin

Applications

TipsandguidelinesforachievinghighperformanceinfingerprintenabledapplicationsusingDigitalPersonas

OneTouchfamilyofSDKs

August2009

Biometricscanhelpyouenhancethesecurityandusabilityofyour

application.By

following

afew

simple

guidelines

and

using

DigitalPersonasbiometricsoftwaredevelopmentkits,youcaneasily

addfastfingerprintidentificationandverificationcapabilitiesthat

enableyourapplicationtorecognizeindividualuserswithoutrequiring

otherformsofID.Thiscanbeusedinavarietyofwaysfromsignon

andconfirmationofimportantactionstospecialapprovalsbyother

userstohelpcombatfraudandboostcustomerefficiency.

2009DigitalPersona,Inc.


2/12

BestPracticesforImplementingFingerprintBiometricsinApplications

Introduction

Fingerprintbiometricsmakesitfastandeasyforyour

applicationto

determine

who

is

using

it.

Biometrics

canbeusedto:Benefits

of

UsingFingerprintBiometrics

Fingerprintsprovideacompellingwayto

differentiateyourapplication:

AccountabilityFingerprintscantieactionstospecificindividualsdeterring

inappropriatebehavior.

WorkforceManagementFingerprintsprovideaccuratetimeandattendance

tracking,reducingwaste.

LossPreventionSupervisorsfingerprintscanberequiredforspecialactions,

facilitatingadherencetocorporatepolicies.

ComplianceFingerprintscanbeusedtoprovideanaudittrailidentifyingwhocamein

contactwithsensitivedata.

IdentifyuserswithoutrequiringotherformsofID(suchasusernames,IDnumbersorswipecards).

VerifyanotherformofidentificationwithoutrequiringpasswordsorPINs.

Confirmthatparticularactionsarebeingperformedbytherightuserturningthe

fingerprintsensorintoakindofEnterkeythat

tellsyourapplicationwhoisdoingwhat.

Preventunauthorizedaccessandstopformerusersfromsneakingintoyourapplication.

Thiswhitepaperprovidesavarietyofguidelinesand

tipsthatcanhelpyouusefingerprintbiometricsto

boostthesecurityandusabilityofyourapplication.It

complementsthedocumentationprovidedfor

DigitalPersonassoftwaredevelopmentkits,

OneTouchforWindowsandOneTouchI.D.

KeystoaSuccessfulApplication

Applicationsthatusefingerprintbiometricsmost

successfullyoftenhavethefollowingattributes:

SimplesetupYourapplicationshouldguideusersthroughregisteringorenrollingtheir

fingerprint,typically

when

auser

account

is

added.Thisusuallytakesaboutaminuteandis

onlydoneonce,ofteninthepresenceofa

supervisororadministrator.

2009DigitalPersona,Inc 2


3/12


EaseofuseWithafewvisualcuesfromyourapplication,fingerprintscanbeusedwithlittle

efforttolinkspecificactionstotheindividuals

whoperformthem.

SpeedImplementedcorrectly,fingerprintscanbeusedtorecognizeindividualswithingroupsof

thousandsofpeopleinunderasecond.

FlexibilityAllowuserstoregisterwhicheverfingersaremostconvenientforthem,andallow

twoormorefingerstobeusedsothatthereisa

backupincaseofinjury.

PrivacyAlwaysstoreandusefingerprinttemplates,

not

raw

images.

This

is

much

more

efficientandhelpsprotectusersprivacy.

LoggingRecordallusesofandfailurestousebiometrics,includingdetailssuchastime,place,

contextwithinyourapplication,andsoon.

ImportantConceptsAboutFingerprints

Biometricsliterallymeansthemeasuringofa

personsphysicaltraits.Itisatechnologythatcanbe

usedtorecognizeandauthenticateindividualsbased

onwhotheyare,insteadofwhattheyknow

(passwordsorPINs)orwhattheypossess(keysor

swipecards).

Therearemanytypesofbiometrics,includingpalmor

irisscanning,voiceandfacerecognition.Fingerprints

arethemostwidelyusedformofbiometricsin

commercialapplications.Fingerprintsensorsarenow

builtinto

most

notebook

computers,

are

offered

as

an

optiononmanybrandsofpointofsale(POS)stations,

andareincreasinglybeingusedindoorlocks,medical

dispensarycabinets,andotherembeddeddevices.

Whenaddingfingerprintstoyourapplication,the

mostimportantconceptstounderstandare:

FingerprintsareuniqueNotwopeople,evenidenticaltwins,havethesamefingerprints.

EverybodyhasfingerprintsBut,sometimestheprintsononeormorefingerscanbecomedifficult

toread.Roughphysicallaborcanwearprints

down,anddryskin(whetherduetoclimateor

constantwashingwithalcoholbasedcleaners)

canmakeprintshardertodetect.Incontrast,

bodyoilonfingerscanactuallyhelpmake

fingerprintseasiertoread.

ImagesandTemplatesWhenausertouchesafingerprintsensor,thehardwarescansthepadof

theirfingertocaptureanimageoftheir

fingerprint.Commercialapplicationsrarelyuseor

storetherawfingerprintimages;instead,they

converttheimageintoamuchsmaller

mathematicalrepresentationcalledafingerprint

templateandthendiscardtheoriginalimage.

Templatescannotbeconvertedbackintothe

originalimage.

RegistrationorEnrollmentScanningapersonsfingerprintsthefirsttimeiscalledregistrationor

enrollment.Thisistypicallydonebyanapplication

inacontrolled,securesetting,oftenunderthe

supervisionofanattendant.Duringenrollment,it

iscommonpracticetocapturemultiplescansofa

fingerprinttoincreaseaccuracyandsothat

peoplecanlatertouchthefingerprintsensorfrom

differentangles.

MatchingComparingonefingerprinttemplateagainstanothertemplate(usuallytheonecreated

duringtheregistrationprocess)toseeiftheyboth

representthesamefingerprintiscalledmatching.



4/12



IdentificationComparingafingerprinttemplateagainstadatabaseofmanystoredfingerprint

templates(typically,thefingerprintsofallusersof

yourapplication)toseeifoneormoreofthem

matchesiscalledidentification.Thistechnique

allowsyourapplicationtodeterminewhoisusing

itwithouthavingtorequestotherformsofID

suchasusernamesorIDnumbers.

VerificationUsingafingerprinttoconfirmthatauseriswhotheyclaimtobeaccordingtosome

otherformofID(suchasausernameorID

number)iscalledverification.Unlikeother

mechanismssuchaspasswords,swipecardsor

PINs,fingerprints

cant

be

lost,

forgotten

or

shared.

AuthenticationTheactofconfirmingthatsomebodyiswhotheyclaimtobeiscalled

authentication.Itusuallyinvolvestwosteps:(1)

identifyingwhotheysaytheyare;and(2)

verifyingthattheyreallyarethatperson.Whena

fingerprintisusedtobothidentifyandverify

somebodyinonestep,itisoftencalledtouch

andgoauthentication.

FalseAcceptRate(FAR)Thisisameasureoftheprobabilitythatfingerprintsfromtwodifferent

peoplemightmistakenlybeconsideredamatch.A

lowerFalseAcceptRaterequiresamoreexact

match,whichcouldforcelegitimateusersto

rescantheirfingerprintsonoccasion.Most

applicationsallowthisratetobeadjustedto

handledifferentpopulationsofusers.

FalseRejectRate(FRR)Thisisameasureoftheprobabilitythatfingerprintsfromalegitimateuser

mightmistakenlyberejectedasnotmatchingthe

onespreviouslyenrolled,forcingtheuserto

rescan.Typically,alowerFalseAcceptRatewill

resultinahigherFalseRejectRate.

FailureToCapture(FTC)Thisoccurswheneverauserpressestheirfingertothesensorandthe

sensordoesnotrecognizethatafingerispresent.

Thiscansometimeshappenwhenpeoplehave

verydryskin.

DuplicateEnrollmentCheck(DEC)Thisistheprocessofidentifyingindividualswhohave

alreadyregisteredtheirfingerprintwithyour

application.Thiscanbeusedduringenrollmentto

makesuretheuserisntbeingenteredasecond

time.

UserIDThepieceofdatathatyourapplicationusesinternallytoidentifyeachdistinctuserof

yourapplicationisfrequentlycalledauserID.

Thisuniqueidentifier(oftenaformofusername

orserialnumber)isusedtoquicklylookup

informationabouteachpersoninwhateverdata

storeisusedtorecorduserinformation.

UserAccountDataYourapplicationmostlikelystoresinformationassociatedwitheachUserIDin

somesortofuseraccountdatabase.Typically,this

includesattributes

like

account

names,

login

namesorIDs,IDnumbers,PINsandotherkindsof

informationthatareusedduringsignon.


5/12


StepsforUsingFingerprintsinYourApplication

Togetthemostoutoffingerprintbiometricsinyour

applications,focusonthefollowingareas:

WheretoStoreFingerprintTemplates AccessingStoredFingerprintTemplates EnrollingUsersFingerprints CheckingforDuplicateEnrollments PreloadingTemplatesatApplicationStartup LookingUpUsersbyTheirFingerprint Signon FingerprintsasanEnterkey Approvals Signout

Removing

Users

LoggingFingerprintscanbeusedtoimplementvarious

securityprocessestomakeyourapplicationeasierto

useandmoresecure:

IdentifyusersbytheirfingerprintGiveuserstouchandgoauthenticationwithouttheneed

forotherformsofID,likeusernames,swipecards

orIDnumbers.

VerifyanotherformofIDFingerprintscanbeusedtoconfirmthatausernameorIDnumber

providedbytheuseractuallybelongstothem.

ThisavoidstheneedforpasswordsorPINswhich

canbeeasilylost,stolenorshared.

Mostapplicationsgivecustomersadministratorsthe

abilitytosetpoliciesthatcontrolhowuserslogonto

theapplication.Commonexamplesoflogonpolicies

include:

Fingerprintonly FingerprintorUserID+Password/PIN FingerprintandUserID+Password/PIN

Yourapplicationimplementsthelogicforthese

policies,givingyoutheflexibilitytochoosethemost

appropriateoptions

for

your

customers.

WheretoStoreFingerprintTemplates

Thefingerprinttemplatesthatarecreatedwhenevera

userenrollsfingerprintsneedtobestoredinaway

thatyourapplicationcanaccessthemandknowthe

useraccountstowhichtheycorrespond.

Yourexistinguseraccountdataprobablyalreadyhas

someformofUserIDthatcanbeusedtoquicklylook

upinformationabouttheuser(e.g.,ausernameorID

number).Fingerprintscanprovideaquickwayto

determinethisUserIDwithouthavingtoasktheuser

foranotherformofID.

Therearetwocommonapproachestochoosingwhere

fingerprinttemplatedataisplaced:

WhereExtendExisting

UserAccountData

UseASeparate

Database

How Addfingerprint

templates(atleast

two)asextrafieldsin

thedatayoustore

abouteachUserID.

Storefingerprint

templatesina

separatedatabase

alongwiththe

UserIDtowhich

theycorrespond.

Pros Takes advantageof

yourexistingdata

backupand

managementtools.

Insulatesfingerprint

templatesfromuser

dataforenhanced

privacyandsecurity.

Cons Requireschanges

to

existinguserdata

structures.

Addsanother

databasetobackup

andmaintain.

Fingerprinttemplatesaretypicallyrepresentedas

binarydatastoredinvariablelengtharraysofbytes.



6/12


Thetemplateformatusedmostcommonlywith

DigitalPersonasoftwaredevelopmentkitsislessthan

2048byteslong;however,othertemplateformats

havedifferentsizes.IfyouareusingMicrosoftSQL

Server,youcanuseavarbinary(3000)field.

AccessingStoredFingerprintTemplates

Ifyourapplicationcanbeusedbymultiplepeopleat

thesametime(suchasfromdifferentcomputers,POS

stationsorotherdevices),youcanminimizememory

consumptionandcodecomplexitybycreatinga

separateserviceforstoringandlookinguptemplates.

Thisservice,whichcanevenrunonaseparate

computer,can

be

called

by

other

parts

of

your

applicationusingtechnologiessuchasRPC,DCOM,

WCF,orWebServices.Itprovidesaninternalinterface

foryourapplicationtolookuptheUserIDassociated

withagivenfingerprinttemplate. Keepingstored

fingerprintdatainsulatedfromyourendusersalso

helpstoprotectpeoplesprivacy.

EnrollingUsersFingerprints

Eachpersonwhowillbeusingfingerprintswithyour

applicationhastoenrolltheirfingerprintswithyour

software.Manyapplicationsmakethispartoftheuser

accountcreationorprovisioningprocess.Typically,an

administratororotherauthorizeduserbringsupthe

appropriatescreenwithinyourapplicationandhelps

theuserthroughtheirinitialfingerprintscans.

Themiddlefinger,indexfingerandthumboneach

handtypicallyprovidethebestfingerprintstouse.

Toavoidmatchingproblemsincaseofan

injuredfinger,yourapplicationshouldaskusers

toregisterfingerprintsfromatleasttwofingers.

Graphicalscreensshouldbeusedtoguidetheuser

throughtheenrollmentprocess.Whiletouchinga

fingerprintreaderisanatural,easytounderstand

action,includingapictureorshortvideoofsomebody

touchingthepad(notthetip)oftheirfingertothe

surfaceofthefingerprintreadercanavoidproblems

later.

DigitalPersonasOne

Touch

for

Windows

SDK

includes

graphicaluserinterfacecontrolsthatcaneitherbe

usedasisortoprovideideasifyouwishtocreate

yourowninterface:

Ifyoucreateyourownenrollmentscreens,makesure

thatusersscantheirfingerprintsseveraltimesto

makesubsequent

matches

more

reliable.

Also,makesurethatyourapplicationhandleseachof

theeventsthatOneTouchforWindowsdeliversand

providesvisualfeedbacktotheuser.



7/12



CheckingforDuplicateEnrollments

Withbiometrics,youcaneasilycatchpeoplewho

attempttoenrollmorethanoncetouseyour

application.Thisgivesyoutheabilitytoconsolidate

olderaccounts,avoidaccidentalduplicate

registrations,andpreventfraudulentattemptsto

masqueradeassomebodyelse.

Yourapplicationcaneithercheckforduplicatesinreal

timeduringenrollmentorofflineaspartofadatabase

cleansingprocess.Eitherapproachcanbe

implementedwithOneTouchI.D.andisusefulevenif

yourapplicationonlyusesfingerprintstoverify

anotherformofID.

PreloadingTemplatesatApplicationStartup

TouseOneTouchI.D.,yourapplicationwillneedto

loadalltheenrolledfingerprinttemplatesinto

memorybeforeanylookupscanbeperformed.Since

thisprocesscanpotentiallytakeanumberofseconds

toaminuteormoredependinguponthenumberof

templates,loadingtheenrolledfingerprinttemplates

shouldbedoneonceatstartupintheservice

mentioned

above.

Do

not

wait

until

the

first

time

an

attemptismadetolookupormatchafingerprint.

Whenyourapplicationstarts,haveititerateoverthe

enrolledfingerprinttemplates(whereveryouhave

chosentostorethem)anduseOneTouchI.D.toadd

eachone,alongwithitsUserID,toanidentification

collectionobject.Oncethisisdone,individual

lookupswilltypicallytakelessthanasecond,even

whentherearethousandsofenrolledtemplates.

Ifyouarenotusingfingerprintsfor

identification,butonlytoverifyanotherformof

ID,youdonotneedtouseOneTouchI.D.anddonot

needtopreloadtemplates.

LookingUpUsersbyTheirFingerprint

Fingerprintsprovideanaturalwayforyourapplication

torecognizetheuserwithouttheneedforother

formsofID(e.g.,usernames,IDnumbers,orswipe

cards).Peoplelearnquicklyhowtousefingerprints

andcandosonaturally,withouthavingtostopor

interrupttheflowofwhattheyaredoing.Thismakes

fingerprintsidealnotonlyforsignon,butalsofor

confirmingwhoisperformingimportantoperations

especiallywhenmultiplepeoplemightbeinvolved

(suchasforanapproval).

OneTouchI.D.isspecificallydesignedforfingerprint

identification.Asmentionedabove,ifyourapplication

canbe

used

by

multiple

people

simultaneously

from

separatedevices,thiscapabilityisbestimplemented

inaseparateserviceormodulethatmultipleinstances

ofyourapplicationcancallatthesametime.

Wheneverafingerprintisscanned,yourapplication

willbenotifiedsothatitcanextractatemplatefrom

thefingerprint(seethesectiononSignOnbelowfora

moredetaileddescription).Yourcodeshouldthen

passthetemplatetotheserviceormodulethatis

callingOneTouchI.D.

Yourserviceormodulemayreceivemorethanone

possiblematchbackfromOneTouchI.D.1Ifthis

happens,yourcodecandoanexplicitmatchagainst

thefirstreturnedtemplatetoseeifitisthecorrect

enrolledtemplate.Ifitisnot,yourapplicationshould

logwhichusersweremismatchedandalertthe

administratorthattheFalseAcceptRatehasprobably

beenset

too

low.

1Undercertainconditions,afingerprinttemplatemaypartially

matchmultipleenrolledtemplates,particularlyifyour

applicationhasloweredtheFalseAcceptRatetoallowpeople

withhardtoreadfingerprintstouseyourapplicationwithout

havingtotouchthefingerprintscannermultipletimes.


8/12


Oncetheappropriateenrolledtemplatehasbeen

identified,yourserviceormodulecanthenreturnthe

UserIDassociatedwiththetemplatetoyour

application.Youmaywishtoalsoreturntheenrolled

templatethatwasmatchedsothatthecallercan

cacheitforquickmatchinginthefuture.

Ifyouwillbeusingfingerprintstoconfirm

actionsthatareperformedfrequently,obtaina

copyoftheenrolledfingerprintfromyourfingerprint

lookupserviceormoduleandcacheitinyour

application.Yourcodecanthenrapidlyperforma

directmatchagainstthefingerprintincachebefore

attemptingafulllookup.Neverimplementfingerprintidentificationby

iteratingoveryourdatabaseofenrolled

fingerprinttemplates,matchingeachoneindividually.

Thisapproachisveryinefficientandwillmakeusers

thinkyourapplicationisslow.Instead,useOneTouch

I.D.Atmost,onlyeverdoindividualmatchingagainst

asmallcacheofrecentlyusedtemplatesasan

optimization.

Finally,alwayscreatealogentrywheneveruserssign

onandnotewhetherornottheyusedtheir

fingerprint.Evenifyoudonotcreateapolicyrequiring

theuseoffingerprintstosignon,itisstillagoodidea

tonotewhenanyonewithregisteredfingerprints

signsonwithoutusingthem.Thiscanhelpcustomers

spotpotential

problems

early.

SignOn

Themostcommonuseoffingerprintsisforsignon,

eitherasaformofidentificationorasawayto

confirmanotherformofID.

Whenauserscanstheirfingerprintduringsignon,

yourapplicationwillreceiveaneventfromthe

fingerprintSDKindicatingthatanimageortemplate

(dependingon

which

SDK

you

are

using)

is

available.

If

yourapplicationisusinganSDKthatprovidesaraw

image,immediatelyextractthefingerprinttemplate

anddiscardtheoriginalimage.

TwoFingerMatching

Forextrahighsecurity,youcanrequestand

matchtwofingerprintsinsteadofjustone.To

avoidsurprisingusers,alwaysaskforboth

fingerprints,even

ifthe

first

one

correctly

matches.

Thistechniquecanalsobeusedtoimprove

recognitionratesforpeoplewithhardtoread

fingerprints.

IfyouareusingfingerprintsasaformofID,yoursign

oncodecancallyourlookupserviceormodule(see

above)todeterminetheUserIDofthepersonwho

touchedthefingerprintreader.

Ifyou

are

only

using

fingerprints

for

verification,

then

yourapplicationcanusetheotherformofIDto

determinewhichUserIDtolookup.ThatUserIDcan

thenbeusedtofindtheusersenrolledtemplatesto

compareagainst.



9/12


FingerprintsasanEnterKey

Fingerprintsareusefulformorethanjustsignon.

Theyareafast,intuitivewayforuserstoconfirmthat

theyarewhotheysaytheyarewhenperforming

individual

application

functions,

such

as:

Enteringneworders Changingordeletingimportantdata Openingacashdrawerinacashregister Printingsensitiveinformation AccessingclientcreditcardnumbersWhenyouhaveanactionthatyouwanttoconfirmby

afingerprint,prompttheusertotouchthefingerprint

sensorandobtainatemplateasdescribedabove.

Then,sincemostpeopletendtousethesame

fingeroverandover,ifyourapplicationhas

previouslycachedtheenrolledtemplatethatwas

successfullymatchedatsignon,thentrytomatchthat

cachedtemplatefirst.

Ifyourapplicationisntcachinganyrecentlyused

templates,orthetemplatedidntmatch,doalookup

usingtheapproachdescribedaboveforsignon.This

willtell

you

whether

the

fingerprint

came

from

a

differentfingeronthesamepersonorfromadifferent

person.

Ifthefingerprintdoesntcomefromtheuserwho

signedon,youcanusethetemplatetodetermineif

anotherauthorizeduserisattemptingtouseyour

application.Thisisaneasywaytoimplement

approvalsbysupervisorsorotherprivilegedusers(see

nextsection).

Makesurethatyourapplicationlogsthefactthatthe

actionwasconfirmedwithafingerprint.

Asstatedbefore,neveriterateoverallenrolled

fingerprintslookingforamatch. Itwillmake

yourapplicationveryslow,particularlyasthenumber

ofusersrises.Instead,useOneTouchI.D.todelivera

vastlysuperioruserexperience.

Approvals

Fingerprintscanhelpguideuserstofollowproper

businessprocesses.Theyprovideasimplewayto

allowotherpeople(suchassupervisorsor

administrators)toauthorizeactionsrequiringspecial

permissionswithoutcumbersomeswitchingofusers.

Yourapplicationimplementsthelogicforapprovals,

givingyoufullcontrol.Foroperationsthatrequire

authenticationfromsomebodywithspecialprivileges,

provideavisualpromptexplicitlyidentifyingthe

privilegelevel

required

or

the

role

of

the

person

needed(e.g.,ManagerFingerprintRequiredfor

Override).

AsimplewaytoimplementapprovalsistouseOne

TouchI.D.toidentifywhichuserscannedtheir

fingerprintand,ifthatuserisproperlyauthorized,

taketheappropriateaction.Thiseliminatestheneed

topromptforanotherformofidentification(e.g.,a

username,loginname,IDnumberorPIN)to

determinewhich

user

has

scanned

afingerprint.

Workflowisfastandefficientandapowerfulaudit

trailcanbecreated.

IfyouarenotusingOneTouchI.D.anddont

wishtopromptforanotherformofID,youwill

likelyneedtoimplementsomeformofpersistent

cachingtoavoidhavingtoiterateoverthelistofall

registeredfingerprints.However,thisaddssignificant

complexitytoyourapplicationandcangreatlyreduce

performance.

Alwayshaveyourapplicationlogallapprovalattempts

successfulandfailed.



10/12


SignOut

Whenausersignsoutofyourapplication,all

temporarycopiesoffingerprinttemplatesthatyour

applicationiskeepinginmemoryshouldbereleased.

IfyourapplicationisnotusingOneTouchI.D.butis

maintainingitsownpersistentcacheofregistered

fingerprinttemplatesthathaverecentlybeenused,

makesurethecacheisproperlyupdated.


Asalways,makesureyourapplicationlogsthefact

thattheuserhassignedout.

RemovingUsers

Usingfingerprintstocontrolaccesstoyourapplication

makesit

easy

to

immediately

block

access

by

people

whosepermissionshavebeenrevoked(e.g.,former

employeesorpeoplewhochangedroles).

Theeasiestapproachistodeleteanytemplates

associatedwiththeformeruser.Ifyourapplication

usesOneTouchI.D.,removetheuserfromthe

identificationcollectionthatwascreatedatstartupto

immediatelypreventtheirfingerprintsfrombeing

recognized. Thendeletetheregisteredtemplates

fromtheuserdatarecordorfromtheseparate

fingerprinttemplatedatabase.

Ifyouwishtoprovidetheabilityforcustomers

toflagterminateduserswhoattempttouse

theirfingerprintstogaininappropriateaccess,donot

immediatelyremovetheusersfingerprinttemplates.

Instead,marktheusersaccountdataasdisabled.

Then,whenauserattemptstoaccessyour

application,

simply

check

the

status

of

that

users

accounttodeterminetheiraccessrightsandlogany

failures.

Ifyourapplicationdoesprovidesuchtemporary

retentionofbiometricdata,makesurethatyou

givecustomerstheabilitytopermanentlyflushthe

registeredfingerprinttemplatesfromformerusers

afteragivennumberofdays.Administratorsshould

beablecontrolthelengthoftimeandtoimmediately

deletetemplatesifneeded.Thisisimportantasit

enablesthecustomertocomplywithanylocaldata

retentionregulationsandpolicies.

Logging

Fingerprintsarevaluableasadeterrentto

inappropriatebehavior,asawayofimproving

usability,andasavaluablesourceofdataforanaudit

trail.Yourapplicationshouldautomaticallylogall

authenticationandsecurityactivities,including:

Wheneverauserenrollsafingerprint. Wheneversomebodyhastroubleenrolling. Wheneveraduplicateenrollmentisdetected. Wheneversomebodysignson,confirmsanaction

orotherwiseauthenticateswiththewaysin

whichtheyauthenticated.

Wheneversomebodytriestoauthenticatebutcant.

Wheneversomebodywhohasfingerprintsenrolledauthenticateswithoutthem.

WheneversecuritysettingsarechangedespeciallyFalseAcceptRate.Settingthis

improperlycanhaveseriousconsequences.Make

suretoincludeboththeoldandnewvalues.


11/12


TroubleshootingandPreventingProblems

Thefollowingcapabilitiescansimplifyyourcustomers

useoffingerprintsandavoidcommonproblems.

Providevisualfeedbackduringfingerprintuse

Whilefingerprintsarenaturallyeasyforpeopleto

understand,applicationsshouldprovidefeedback

duringsuccessesaswellasfailures:

Prompttheuserwhenafingerprintisneeded. Warnwhenthesensorisdisconnected.

Prompt

the

user

to

retry

if

a

finger

is

detected

but

nomatchisreceivedwithinasecondortwo.

Warnwhenafingerprintisreceivedbutnomatchisfound.

Indicatesuccesswhenamatchisfound.Offerhelpwhenrepeatedfailuresoccur

Youcandramaticallyimprovetheuserexperienceof

your

application

by

detecting

repeated

failed

attempts

tousethefingerprintreaderandofferinghints,suchas:

Touchthefingerprintsensorwiththeflatpadofyourfinger,notthetip.

Ifyourfingersareverydry,trytouchingyourforeheadwiththepadofthefingeryouaretrying

toscanandthenrescanningyourfingerprint.

Ifthefingerprintsensorisdirty,gentlydabitwiththestickysideofapieceofcellophanetape.Do

notrubitwithpaperanddonotgetitwet.

ProvideadministrativesettingsforFAR

Forsomepopulationsofusers,thedefaultFalse

AcceptRatesettingsmightbetoorestrictiveortoo

forgiving,particularlywhenfingerprintsareusedfor

identification(forverification,thesettingsrarelyneed

tobe

changed).

Ifyouareusingfingerprintsforidentification,you

shouldprovideawayforadministrators(butnotend

users)toadjusttheFARsettings.Forexample:

YourapplicationcanmapHighorLowsettingstothe

appropriatevalues

needed

by

the

appropriate

SDKs.

IncorrectlyadjustingtheFARcanhaveserious

consequences. Itisextremelyimportantthat

yourapplicationsettheFARaccordingtotheSDK

documentationandprovideadministratorsathorough

explanationofFARoptionswithinyouruserinterface

toavoidconfusion.

TestYourApplicationwithMultiplePeople

Theease

with

which

peoples

fingerprints

can

be

read

isaffectedbymanyfactors,includingdryness,age,as

wellaswearandtear.Forbestresults,tryyour

implementationwithmultipleanddiversepeople.



12/12


Summary

Biometricscanhelpyouenhancethesecurityand

usabilityofyourapplication.Byfollowingafewsimple

guidelinesand

using

DigitalPersonas

biometric

softwaredevelopmentkits,youcaneasilyaddfast

fingerprintidentificationandverificationcapabilities

thatenableyourapplicationtorecognizeindividual

userswithoutrequiringotherformsofID.Thiscanbe

usedinavarietyofwaysfromsignonand

confirmationofimportantactionstospecialapprovals

byotheruserstohelpcombatfraudandboost

customerefficiency.

DigitalPersona,Inc.,isaleadingprovideroffingerprint

biometrics

products

for

embedded

application

developers,

restaurant/retailPOSsolutions,enterprisesandconsumers.The

companyofferssoftwareandhardwarethatprotectspeople

andbusinessesbyenablingthemtocontroltheirdigital

identities.Forendusers,DigitalPersonaprovidesstrongidentity

protectionthatsuniquelyeasytouse;thecompanysbusiness

solutionshelporganizationsaddressgrowingsecurity,

complianceandlosspreventiondemands.DigitalPersonas

awardwinningtechnologyhasbeenusedworldwidebyover95

millionpeople,anditssolutionsareofferedbymarketleading

manufacturerssuchasHP,Dell,IBMandNCR.Formore

informationcontact

DigitalPersona,

Inc.

at

+1

650.474.4000,

or

visitwww.digitalpersona.com.

2009DigitalPersonaInc.Allrightsreserved.DigitalPersona

andOneToucharetrademarksofDigitalPersona,Inc.,

registeredintheUnitedStatesandothercountries.Allother

trademarksreferencedhereinarethepropertyoftheir

respectiveowners.

http://www.digitalpersona.com/http://www.digitalpersona.com/

Documents

DP Wp Appbestpractices2009!08!21