7/30/2019 DP Wp Appbestpractices2009!08!21
A DigitalPersona Whitepaper
Best Practices for Implementing Fingerprint Biometrics in Applications
Tips and guidelines for achieving high performance in fingerprint-enabled applications using DigitalPersona's One Touch family of SDKs
August 2009

Biometrics can help you enhance the security and usability of your application. By following a few simple guidelines and using DigitalPersona's biometric software development kits, you can easily add fast fingerprint identification and verification capabilities that enable your application to recognize individual users without requiring other forms of ID. This can be used in a variety of ways, from sign-on and confirmation of important actions to special approvals by other users, to help combat fraud and boost customer efficiency.

© 2009 DigitalPersona, Inc.

Introduction

Fingerprint biometrics makes it fast and easy for your application to determine who is using it. Biometrics can be used to:
- Identify users without requiring other forms of ID (such as usernames, ID numbers or swipe cards).
- Verify another form of identification without requiring passwords or PINs.
- Confirm that particular actions are being performed by the right user, turning the fingerprint sensor into a kind of "Enter" key that tells your application who is doing what.
- Prevent unauthorized access and stop former users from sneaking into your application.

This whitepaper provides a variety of guidelines and tips that can help you use fingerprint biometrics to boost the security and usability of your application. It complements the documentation provided for DigitalPersona's software development kits, One Touch for Windows and One Touch I.D.

Benefits of Using Fingerprint Biometrics

Fingerprints provide a compelling way to differentiate your application:
- Accountability: Fingerprints can tie actions to specific individuals, deterring inappropriate behavior.
- Workforce Management: Fingerprints provide accurate time and attendance tracking, reducing waste.
- Loss Prevention: Supervisors' fingerprints can be required for special actions, facilitating adherence to corporate policies.
- Compliance: Fingerprints can be used to provide an audit trail identifying who came in contact with sensitive data.

Keys to a Successful Application

Applications that use fingerprint biometrics most successfully often have the following attributes:
- Simple setup: Your application should guide users through registering or enrolling their fingerprint, typically when a user account is added. This usually takes about a minute and is only done once, often in the presence of a supervisor or administrator.
- Ease of use: With a few visual cues from your application, fingerprints can be used with little effort to link specific actions to the individuals who perform them.
- Speed: Implemented correctly, fingerprints can be used to recognize individuals within groups of thousands of people in under a second.
- Flexibility: Allow users to register whichever fingers are most convenient for them, and allow two or more fingers to be used so that there is a backup in case of injury.
- Privacy: Always store and use fingerprint templates, not raw images. This is much more efficient and helps protect users' privacy.
- Logging: Record all uses of and failures to use biometrics, including details such as time, place, context within your application, and so on.

Important Concepts About Fingerprints

Biometrics literally means the measuring of a person's physical traits. It is a technology that can be used to recognize and authenticate individuals based on who they are, instead of what they know (passwords or PINs) or what they possess (keys or swipe cards).

There are many types of biometrics, including palm or iris scanning, voice and face recognition. Fingerprints are the most widely used form of biometrics in commercial applications. Fingerprint sensors are now built into most notebook computers, are offered as an option on many brands of point-of-sale (POS) stations, and are increasingly being used in door locks, medical dispensary cabinets, and other embedded devices.

When adding fingerprints to your application, the most important concepts to understand are:
- Fingerprints are unique: No two people, even identical twins, have the same fingerprints.
- Everybody has fingerprints: But sometimes the prints on one or more fingers can become difficult to read. Rough physical labor can wear prints down, and dry skin (whether due to climate or constant washing with alcohol-based cleaners) can make prints harder to detect. In contrast, body oil on fingers can actually help make fingerprints easier to read.
- Images and Templates: When a user touches a fingerprint sensor, the hardware scans the pad of their finger to capture an image of their fingerprint. Commercial applications rarely use or store the raw fingerprint images; instead, they convert the image into a much smaller mathematical representation called a fingerprint template and then discard the original image. Templates cannot be converted back into the original image.
- Registration or Enrollment: Scanning a person's fingerprints the first time is called registration or enrollment. This is typically done by an application in a controlled, secure setting, often under the supervision of an attendant. During enrollment, it is common practice to capture multiple scans of a fingerprint to increase accuracy and so that people can later touch the fingerprint sensor from different angles.
- Matching: Comparing one fingerprint template against another template (usually the one created during the registration process) to see if they both represent the same fingerprint is called matching.
- Identification: Comparing a fingerprint template against a database of many stored fingerprint templates (typically, the fingerprints of all users of your application) to see if one or more of them matches is called identification. This technique allows your application to determine who is using it without having to request other forms of ID such as usernames or ID numbers.
- Verification: Using a fingerprint to confirm that a user is who they claim to be according to some other form of ID (such as a username or ID number) is called verification. Unlike other mechanisms such as passwords, swipe cards or PINs, fingerprints can't be lost, forgotten or shared.
- Authentication: The act of confirming that somebody is who they claim to be is called authentication. It usually involves two steps: (1) identifying who they say they are; and (2) verifying that they really are that person. When a fingerprint is used to both identify and verify somebody in one step, it is often called touch-and-go authentication.
- False Accept Rate (FAR): This is a measure of the probability that fingerprints from two different people might mistakenly be considered a match. A lower False Accept Rate requires a more exact match, which could force legitimate users to rescan their fingerprints on occasion. Most applications allow this rate to be adjusted to handle different populations of users.
- False Reject Rate (FRR): This is a measure of the probability that fingerprints from a legitimate user might mistakenly be rejected as not matching the ones previously enrolled, forcing the user to rescan. Typically, a lower False Accept Rate will result in a higher False Reject Rate.
- Failure To Capture (FTC): This occurs whenever a user presses their finger to the sensor and the sensor does not recognize that a finger is present. This can sometimes happen when people have very dry skin.
- Duplicate Enrollment Check (DEC): This is the process of identifying individuals who have already registered their fingerprint with your application. This can be used during enrollment to make sure the user isn't being entered a second time.
- User ID: The piece of data that your application uses internally to identify each distinct user of your application is frequently called a User ID. This unique identifier (often a form of username or serial number) is used to quickly look up information about each person in whatever data store is used to record user information.
- User Account Data: Your application most likely stores information associated with each User ID in some sort of user account database. Typically, this includes attributes like account names, login names or IDs, ID numbers, PINs and other kinds of information that are used during sign-on.

Steps for Using Fingerprints in Your Application

To get the most out of fingerprint biometrics in your applications, focus on the following areas:
- Where to Store Fingerprint Templates
- Accessing Stored Fingerprint Templates
- Enrolling Users' Fingerprints
- Checking for Duplicate Enrollments
- Preloading Templates at Application Startup
- Looking Up Users by Their Fingerprint
- Sign-on
- Fingerprints as an "Enter" key
- Approvals
- Sign-out
- Removing Users
- Logging

Fingerprints can be used to implement various security processes to make your application easier to use and more secure:
- Identify users by their fingerprint: Give users touch-and-go authentication without the need for other forms of ID, like usernames, swipe cards or ID numbers.
- Verify another form of ID: Fingerprints can be used to confirm that a username or ID number provided by the user actually belongs to them. This avoids the need for passwords or PINs which can be easily lost, stolen or shared.

Most applications give customers' administrators the ability to set policies that control how users log on to the application. Common examples of logon policies include:
- Fingerprint only
- Fingerprint or User ID + Password/PIN
- Fingerprint and User ID + Password/PIN

Your application implements the logic for these policies, giving you the flexibility to choose the most appropriate options for your customers.

Where to Store Fingerprint Templates

The fingerprint templates that are created whenever a user enrolls fingerprints need to be stored in a way that your application can access them and know the user accounts to which they correspond.

Your existing user account data probably already has some form of User ID that can be used to quickly look up information about the user (e.g., a username or ID number). Fingerprints can provide a quick way to determine this User ID without having to ask the user for another form of ID.

There are two common approaches to choosing where fingerprint template data is placed:

| Where | Extend Existing User Account Data | Use A Separate Database |
|---|---|---|
| How | Add fingerprint templates (at least two) as extra fields in the data you store about each User ID. | Store fingerprint templates in a separate database along with the User ID to which they correspond. |
| Pros | Takes advantage of your existing data backup and management tools. | Insulates fingerprint templates from user data for enhanced privacy and security. |
| Cons | Requires changes to existing user data structures. | Adds another database to back up and maintain. |

Fingerprint templates are typically represented as binary data stored in variable-length arrays of bytes.
The template format used most commonly with DigitalPersona software development kits is less than 2048 bytes long; however, other template formats have different sizes. If you are using Microsoft SQL Server, you can use a varbinary(3000) field.

Accessing Stored Fingerprint Templates

If your application can be used by multiple people at the same time (such as from different computers, POS stations or other devices), you can minimize memory consumption and code complexity by creating a separate service for storing and looking up templates.

This service, which can even run on a separate computer, can be called by other parts of your application using technologies such as RPC, DCOM, WCF, or Web Services. It provides an internal interface for your application to look up the User ID associated with a given fingerprint template. Keeping stored fingerprint data insulated from your end users also helps to protect people's privacy.

Enrolling Users' Fingerprints

Each person who will be using fingerprints with your application has to enroll their fingerprints with your software. Many applications make this part of the user account creation or provisioning process. Typically, an administrator or other authorized user brings up the appropriate screen within your application and helps the user through their initial fingerprint scans.

The middle finger, index finger and thumb on each hand typically provide the best fingerprints to use.

To avoid matching problems in case of an injured finger, your application should ask users to register fingerprints from at least two fingers.

Graphical screens should be used to guide the user through the enrollment process. While touching a fingerprint reader is a natural, easy-to-understand action, including a picture or short video of somebody touching the pad (not the tip) of their finger to the surface of the fingerprint reader can avoid problems later.

DigitalPersona's One Touch for Windows SDK includes graphical user interface controls that can either be used as-is or to provide ideas if you wish to create your own interface.

If you create your own enrollment screens, make sure that users scan their fingerprints several times to make subsequent matches more reliable.

Also, make sure that your application handles each of the events that One Touch for Windows delivers and provides visual feedback to the user.

Checking for Duplicate Enrollments

With biometrics, you can easily catch people who attempt to enroll more than once to use your application. This gives you the ability to consolidate older accounts, avoid accidental duplicate registrations, and prevent fraudulent attempts to masquerade as somebody else.

Your application can either check for duplicates in real time during enrollment or offline as part of a database cleansing process. Either approach can be implemented with One Touch I.D. and is useful even if your application only uses fingerprints to verify another form of ID.

Preloading Templates at Application Startup

To use One Touch I.D., your application will need to load all the enrolled fingerprint templates into memory before any lookups can be performed. Since this process can potentially take a number of seconds to a minute or more depending upon the number of templates, loading the enrolled fingerprint templates should be done once at startup in the service mentioned above. Do not wait until the first time an attempt is made to look up or match a fingerprint.

When your application starts, have it iterate over the enrolled fingerprint templates (wherever you have chosen to store them) and use One Touch I.D. to add each one, along with its User ID, to an identification collection object. Once this is done, individual lookups will typically take less than a second, even when there are thousands of enrolled templates.

If you are not using fingerprints for identification, but only to verify another form of ID, you do not need to use One Touch I.D. and do not need to preload templates.

Looking Up Users by Their Fingerprint

Fingerprints provide a natural way for your application to recognize the user without the need for other forms of ID (e.g., usernames, ID numbers, or swipe cards). People learn quickly how to use fingerprints and can do so naturally, without having to stop or interrupt the flow of what they are doing. This makes fingerprints ideal not only for sign-on, but also for confirming who is performing important operations, especially when multiple people might be involved (such as for an approval).

One Touch I.D. is specifically designed for fingerprint identification. As mentioned above, if your application can be used by multiple people simultaneously from separate devices, this capability is best implemented in a separate service or module that multiple instances of your application can call at the same time.

Whenever a fingerprint is scanned, your application will be notified so that it can extract a template from the fingerprint (see the section on Sign-On below for a more detailed description). Your code should then pass the template to the service or module that is calling One Touch I.D.

Your service or module may receive more than one possible match back from One Touch I.D. [1] If this happens, your code can do an explicit match against the first returned template to see if it is the correct enrolled template. If it is not, your application should log which users were mismatched and alert the administrator that the False Accept Rate has probably been set too low.

[1] Under certain conditions, a fingerprint template may partially match multiple enrolled templates, particularly if your application has lowered the False Accept Rate to allow people with hard-to-read fingerprints to use your application without having to touch the fingerprint scanner multiple times.

Once the appropriate enrolled template has been identified, your service or module can then return the User ID associated with the template to your application. You may wish to also return the enrolled template that was matched so that the caller can cache it for quick matching in the future.

If you will be using fingerprints to confirm actions that are performed frequently, obtain a copy of the enrolled fingerprint from your fingerprint lookup service or module and cache it in your application. Your code can then rapidly perform a direct match against the fingerprint in cache before attempting a full lookup.

Never implement fingerprint identification by iterating over your database of enrolled fingerprint templates, matching each one individually. This approach is very inefficient and will make users think your application is slow. Instead, use One Touch I.D. At most, only ever do individual matching against a small cache of recently used templates as an optimization.

Finally, always create a log entry whenever users sign on and note whether or not they used their fingerprint. Even if you do not create a policy requiring the use of fingerprints to sign on, it is still a good idea to note when anyone with registered fingerprints signs on without using them. This can help customers spot potential problems early.
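
The lookup flow described in this section, as an added Python example that is not DigitalPersona code: it tries the caller's cache first, falls back to identification, explicitly matches the first returned candidate, and logs and alerts on a mismatch. `similarity`, `IdentificationCollection`, `LookupService`, the two thresholds and the byte-string templates are assumptions standing in for the SDK's matcher, its identification collection and real templates.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("fingerprint.lookup")

def similarity(a: bytes, b: bytes) -> float:
    """Toy score (fraction of equal bytes); a stand-in for the SDK matcher."""
    return sum(x == y for x, y in zip(a, b)) / max(len(a), len(b), 1)

class IdentificationCollection:
    """Hypothetical stand-in for the SDK's in-memory identification collection.
    It scans linearly only to stay self-contained; real identification is the SDK's job."""
    def __init__(self, threshold: float):
        self.threshold = threshold
        self.items: list[tuple[str, bytes]] = []

    def add(self, user_id: str, template: bytes) -> None:
        self.items.append((user_id, template))

    def identify(self, probe: bytes) -> list[tuple[str, bytes]]:
        """Return every candidate at or above the threshold, best score first."""
        scored = [(similarity(probe, t), uid, t) for uid, t in self.items]
        scored = [s for s in scored if s[0] >= self.threshold]
        scored.sort(key=lambda s: s[0], reverse=True)
        return [(uid, t) for _, uid, t in scored]

@dataclass
class LookupResult:
    user_id: str
    template: bytes   # matched enrolled template, returned so the caller can cache it
    via: str          # "cache" or "identify", worth recording in the audit log

class LookupService:
    def __init__(self, enrolled, identify_threshold=0.6, verify_threshold=0.9):
        self.verify_threshold = verify_threshold
        self.collection = IdentificationCollection(identify_threshold)
        for user_id, template in enrolled:        # preload once, at startup
            self.collection.add(user_id, template)
        self.admin_alerts: list[str] = []

    def lookup(self, probe: bytes, cache=()):
        # 1. Direct match against the caller's small cache of recent templates.
        for user_id, template in cache:
            if similarity(probe, template) >= self.verify_threshold:
                log.info("fingerprint match user=%s via=cache", user_id)
                return LookupResult(user_id, template, "cache")
        # 2. Full identification; several partial matches may come back.
        candidates = self.collection.identify(probe)
        if not candidates:
            log.warning("fingerprint received but no match found")
            return None
        # 3. Explicit one-to-one match against the first returned template.
        user_id, template = candidates[0]
        if similarity(probe, template) < self.verify_threshold:
            users = [uid for uid, _ in candidates]
            log.warning("identification mismatch candidates=%s", users)
            self.admin_alerts.append(
                f"Review False Accept Rate setting; mismatched users: {users}")
            return None
        log.info("fingerprint match user=%s via=identify", user_id)
        return LookupResult(user_id, template, "identify")

# Constructed sample templates (16 bytes each); real templates are opaque SDK blobs.
ALICE = bytes(range(16))
CAROL = ALICE[:12] + b"\xf0\xf1\xf2\xf3"
BOB = bytes(range(100, 116))
GOOD_SCAN = ALICE[:15] + b"\xaa"            # one byte of capture noise
AMBIGUOUS_SCAN = ALICE[:10] + b"\xe0" * 6   # partially matches ALICE and CAROL

def demo():
    svc = LookupService([("alice", ALICE), ("bob", BOB), ("carol", CAROL)])
    first = svc.lookup(GOOD_SCAN)                                    # full lookup
    again = svc.lookup(GOOD_SCAN, cache=[(first.user_id, first.template)])
    rejected = svc.lookup(AMBIGUOUS_SCAN)                            # fails step 3
    return first, again, rejected, svc.admin_alerts

if __name__ == "__main__":
    print(demo())
```

The whitepaper describes the explicit match for the case where several candidates come back; applying it to every identification result is this example's choice.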

Sign-On

The most common use of fingerprints is for sign-on, either as a form of identification or as a way to confirm another form of ID.

When a user scans their fingerprint during sign-on, your application will receive an event from the fingerprint SDK indicating that an image or template (depending on which SDK you are using) is available. If your application is using an SDK that provides a raw image, immediately extract the fingerprint template and discard the original image.

Two-Finger Matching

For extra-high security, you can request and match two fingerprints instead of just one. To avoid surprising users, always ask for both fingerprints, even if the first one correctly matches. This technique can also be used to improve recognition rates for people with hard-to-read fingerprints.

If you are using fingerprints as a form of ID, your sign-on code can call your lookup service or module (see above) to determine the User ID of the person who touched the fingerprint reader.

If you are only using fingerprints for verification, then your application can use the other form of ID to determine which User ID to look up. That User ID can then be used to find the user's enrolled templates to compare against.

Fingerprints as an "Enter" Key

Fingerprints are useful for more than just sign-on. They are a fast, intuitive way for users to confirm that they are who they say they are when performing individual application functions, such as:
- Entering new orders
- Changing or deleting important data
- Opening a cash drawer in a cash register
- Printing sensitive information
- Accessing client credit card numbers

When you have an action that you want to confirm by a fingerprint, prompt the user to touch the fingerprint sensor and obtain a template as described above.

Then, since most people tend to use the same finger over and over, if your application has previously cached the enrolled template that was successfully matched at sign-on, then try to match that cached template first.

If your application isn't caching any recently used templates, or the template didn't match, do a lookup using the approach described above for sign-on. This will tell you whether the fingerprint came from a different finger on the same person or from a different person.

If the fingerprint doesn't come from the user who signed on, you can use the template to determine if another authorized user is attempting to use your application. This is an easy way to implement approvals by supervisors or other privileged users (see next section).

Make sure that your application logs the fact that the action was confirmed with a fingerprint.

As stated before, never iterate over all enrolled fingerprints looking for a match. It will make your application very slow, particularly as the number of users rises. Instead, use One Touch I.D. to deliver a vastly superior user experience.

Approvals

Fingerprints can help guide users to follow proper business processes. They provide a simple way to allow other people (such as supervisors or administrators) to authorize actions requiring special permissions without cumbersome switching of users.

Your application implements the logic for approvals, giving you full control. For operations that require authentication from somebody with special privileges, provide a visual prompt explicitly identifying the privilege level required or the role of the person needed (e.g., "Manager Fingerprint Required for Override").

A simple way to implement approvals is to use One Touch I.D. to identify which user scanned their fingerprint and, if that user is properly authorized, take the appropriate action. This eliminates the need to prompt for another form of identification (e.g., a username, login name, ID number or PIN) to determine which user has scanned a fingerprint. Workflow is fast and efficient and a powerful audit trail can be created.

If you are not using One Touch I.D. and don't wish to prompt for another form of ID, you will likely need to implement some form of persistent caching to avoid having to iterate over the list of all registered fingerprints. However, this adds significant complexity to your application and can greatly reduce performance.

Always have your application log all approval attempts, successful and failed.

Sign-Out

When a user signs out of your application, all temporary copies of fingerprint templates that your application is keeping in memory should be released.

If your application is not using One Touch I.D. but is maintaining its own persistent cache of registered fingerprint templates that have recently been used, make sure the cache is properly updated.

As always, make sure your application logs the fact that the user has signed out.

Removing Users

Using fingerprints to control access to your application makes it easy to immediately block access by people whose permissions have been revoked (e.g., former employees or people who changed roles).

The easiest approach is to delete any templates associated with the former user. If your application uses One Touch I.D., remove the user from the identification collection that was created at startup to immediately prevent their fingerprints from being recognized. Then delete the registered templates from the user data record or from the separate fingerprint template database.

If you wish to provide the ability for customers to flag terminated users who attempt to use their fingerprints to gain inappropriate access, do not immediately remove the user's fingerprint templates. Instead, mark the user's account data as disabled. Then, when a user attempts to access your application, simply check the status of that user's account to determine their access rights and log any failures.

If your application does provide such temporary retention of biometric data, make sure that you give customers the ability to permanently flush the registered fingerprint templates from former users after a given number of days. Administrators should be able to control the length of time and to immediately delete templates if needed. This is important as it enables the customer to comply with any local data retention regulations and policies.
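
The disable-then-flush lifecycle described above, as an added Python example that is not part of the whitepaper or of any DigitalPersona SDK: a separate template store keyed by User ID that keeps a disabled user's templates so later attempts are denied and logged, then flushes them once the retention period has passed. The `EnrollmentStore` class, its SQLite schema, the event names and the 30-day retention value are assumptions; the in-memory identification collection is outside its scope.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE users     (user_id TEXT PRIMARY KEY, disabled_at TEXT);
CREATE TABLE templates (user_id TEXT NOT NULL, finger TEXT NOT NULL,
                        template BLOB NOT NULL, PRIMARY KEY (user_id, finger));
CREATE TABLE audit     (at TEXT NOT NULL, event TEXT NOT NULL, user_id TEXT NOT NULL);
"""

class EnrollmentStore:
    """Separate template store keyed by User ID (all names here are hypothetical)."""
    def __init__(self, retention_days: int):
        self.retention_days = retention_days      # controlled by an administrator
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _audit(self, now: datetime, event: str, user_id: str) -> None:
        self.db.execute("INSERT INTO audit VALUES (?, ?, ?)",
                        (now.isoformat(), event, user_id))

    def enroll(self, now, user_id, finger, template: bytes) -> None:
        self.db.execute("INSERT OR IGNORE INTO users VALUES (?, NULL)", (user_id,))
        self.db.execute("INSERT INTO templates VALUES (?, ?, ?)",
                        (user_id, finger, template))
        self._audit(now, "enrolled", user_id)

    def disable(self, now, user_id) -> None:
        """Revoke access but keep the templates so later attempts can be flagged."""
        self.db.execute("UPDATE users SET disabled_at = ? WHERE user_id = ?",
                        (now.isoformat(), user_id))
        self._audit(now, "disabled", user_id)

    def check_access(self, now, user_id) -> bool:
        """Call after a scanned fingerprint has been matched to user_id."""
        row = self.db.execute("SELECT disabled_at FROM users WHERE user_id = ?",
                              (user_id,)).fetchone()
        allowed = row is not None and row[0] is None
        self._audit(now, "access_granted" if allowed else "access_denied", user_id)
        return allowed

    def delete_templates(self, now, user_id) -> None:
        """Immediate, permanent removal (also available to administrators on demand)."""
        self.db.execute("DELETE FROM templates WHERE user_id = ?", (user_id,))
        self._audit(now, "templates_deleted", user_id)

    def purge_expired(self, now) -> list[str]:
        """Flush templates of users disabled at least retention_days ago."""
        cutoff = now - timedelta(days=self.retention_days)
        rows = self.db.execute(
            "SELECT DISTINCT u.user_id, u.disabled_at FROM users u "
            "JOIN templates t ON t.user_id = u.user_id "
            "WHERE u.disabled_at IS NOT NULL ORDER BY u.user_id").fetchall()
        expired = [uid for uid, at in rows if datetime.fromisoformat(at) <= cutoff]
        for uid in expired:
            self.delete_templates(now, uid)
        return expired

    def template_count(self, user_id) -> int:
        return self.db.execute("SELECT COUNT(*) FROM templates WHERE user_id = ?",
                               (user_id,)).fetchone()[0]

    def events(self, user_id) -> list[str]:
        rows = self.db.execute(
            "SELECT event FROM audit WHERE user_id = ? ORDER BY rowid", (user_id,))
        return [r[0] for r in rows]

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed dates and templates
    store = EnrollmentStore(retention_days=30)
    store.enroll(t0, "alice", "right-index", b"\x01" * 32)
    store.enroll(t0, "alice", "left-index", b"\x02" * 32)
    store.disable(t0, "alice")
    denied = store.check_access(t0 + timedelta(days=1), "alice")   # flagged attempt
    early = store.purge_expired(t0 + timedelta(days=10))           # still retained
    late = store.purge_expired(t0 + timedelta(days=31))            # now flushed
    return denied, early, late, store.template_count("alice"), store.events("alice")

if __name__ == "__main__":
    print(demo())
```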

Logging

Fingerprints are valuable as a deterrent to inappropriate behavior, as a way of improving usability, and as a valuable source of data for an audit trail. Your application should automatically log all authentication and security activities, including:
- Whenever a user enrolls a fingerprint.
- Whenever somebody has trouble enrolling.
- Whenever a duplicate enrollment is detected.
- Whenever somebody signs on, confirms an action or otherwise authenticates, with the ways in which they authenticated.
- Whenever somebody tries to authenticate but can't.
- Whenever somebody who has fingerprints enrolled authenticates without them.
- Whenever security settings are changed, especially False Accept Rate. Setting this improperly can have serious consequences. Make sure to include both the old and new values.

Troubleshooting and Preventing Problems

The following capabilities can simplify your customers' use of fingerprints and avoid common problems.

Provide visual feedback during fingerprint use

While fingerprints are naturally easy for people to understand, applications should provide feedback during successes as well as failures:
- Prompt the user when a fingerprint is needed.
- Warn when the sensor is disconnected.
- Prompt the user to retry if a finger is detected but no match is received within a second or two.
- Warn when a fingerprint is received but no match is found.
- Indicate success when a match is found.

Offer help when repeated failures occur

You can dramatically improve the user experience of your application by detecting repeated failed attempts to use the fingerprint reader and offering hints, such as:
- Touch the fingerprint sensor with the flat pad of your finger, not the tip.
- If your fingers are very dry, try touching your forehead with the pad of the finger you are trying to scan and then rescanning your fingerprint.
- If the fingerprint sensor is dirty, gently dab it with the sticky side of a piece of cellophane tape. Do not rub it with paper and do not get it wet.

Provide administrative settings for FAR

For some populations of users, the default False Accept Rate settings might be too restrictive or too forgiving, particularly when fingerprints are used for identification (for verification, the settings rarely need to be changed).

If you are using fingerprints for identification, you should provide a way for administrators (but not end users) to adjust the FAR settings. For example:

Your application can map High or Low settings to the appropriate values needed by the appropriate SDKs.

Incorrectly adjusting the FAR can have serious consequences. It is extremely important that your application set the FAR according to the SDK documentation and provide administrators a thorough explanation of FAR options within your user interface to avoid confusion.

Test Your Application with Multiple People

The ease with which people's fingerprints can be read is affected by many factors, including dryness, age, as well as wear and tear. For best results, try your implementation with multiple and diverse people.

Summary

Biometrics can help you enhance the security and usability of your application. By following a few simple guidelines and using DigitalPersona's biometric software development kits, you can easily add fast fingerprint identification and verification capabilities that enable your application to recognize individual users without requiring other forms of ID. This can be used in a variety of ways, from sign-on and confirmation of important actions to special approvals by other users, to help combat fraud and boost customer efficiency.

DigitalPersona, Inc., is a leading provider of fingerprint biometrics products for embedded application developers, restaurant/retail POS solutions, enterprises and consumers. The company offers software and hardware that protects people and businesses by enabling them to control their digital identities. For end users, DigitalPersona provides strong identity protection that's uniquely easy to use; the company's business solutions help organizations address growing security, compliance and loss prevention demands. DigitalPersona's award-winning technology has been used worldwide by over 95 million people, and its solutions are offered by market-leading manufacturers such as HP, Dell, IBM and NCR. For more information contact DigitalPersona, Inc. at +1 650.474.4000, or visit www.digitalpersona.com.

© 2009 DigitalPersona Inc. All rights reserved. DigitalPersona and One Touch are trademarks of DigitalPersona, Inc., registered in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.