You are on page 1of 12

ADigitalPersonaWhitepaper

BestPracticesforImplementing FingerprintBiometricsin Applications


Tipsandguidelinesforachievinghighperformancein fingerprintenabledapplicationsusingDigitalPersonas OneTouchfamilyofSDKs

August2009 Biometricscanhelpyouenhancethesecurityandusabilityofyour application.Byfollowingafewsimpleguidelinesandusing DigitalPersonasbiometricsoftwaredevelopmentkits,youcaneasily addfastfingerprintidentificationandverificationcapabilitiesthat enableyourapplicationtorecognizeindividualuserswithoutrequiring otherformsofID.Thiscanbeusedinavarietyofwaysfromsignon andconfirmationofimportantactionstospecialapprovalsbyother userstohelpcombatfraudandboostcustomerefficiency.

2009DigitalPersona,Inc.

BestPracticesforImplementingFingerprintBiometricsinApplications

Introduction
Fingerprintbiometricsmakesitfastandeasyforyour applicationtodeterminewhoisusingit.Biometrics canbeusedto: IdentifyuserswithoutrequiringotherformsofID (suchasusernames,IDnumbersorswipecards). Verifyanotherformofidentificationwithout requiringpasswordsorPINs. Confirmthatparticularactionsarebeing performedbytherightuserturningthe fingerprintsensorintoakindofEnterkeythat tellsyourapplicationwhoisdoingwhat. Preventunauthorizedaccessandstopformer usersfromsneakingintoyourapplication. Thiswhitepaperprovidesavarietyofguidelinesand tipsthatcanhelpyouusefingerprintbiometricsto boostthesecurityandusabilityofyourapplication.It complementsthedocumentationprovidedfor DigitalPersonassoftwaredevelopmentkits, OneTouchforWindowsandOneTouchI.D. ComplianceFingerprintscanbeusedto provideanaudittrailidentifyingwhocamein contactwithsensitivedata. LossPreventionSupervisorsfingerprints canberequiredforspecialactions, facilitatingadherencetocorporatepolicies. WorkforceManagementFingerprints provideaccuratetimeandattendance tracking,reducingwaste. AccountabilityFingerprintscantieactions tospecificindividualsdeterring inappropriatebehavior. Fingerprintsprovideacompellingwayto differentiateyourapplication:

Benefitsof UsingFingerprintBiometrics

KeystoaSuccessfulApplication
Applicationsthatusefingerprintbiometricsmost successfullyoftenhavethefollowingattributes: SimplesetupYourapplicationshouldguide usersthroughregisteringorenrollingtheir fingerprint,typicallywhenauseraccountis added.Thisusuallytakesaboutaminuteandis onlydoneonce,ofteninthepresenceofa supervisororadministrator.

2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

EaseofuseWithafewvisualcuesfromyour application,fingerprintscanbeusedwithlittle efforttolinkspecificactionstotheindividuals whoperformthem.

Whenaddingfingerprintstoyourapplication,the mostimportantconceptstounderstandare: FingerprintsareuniqueNotwopeople,even identicaltwins,havethesamefingerprints. EverybodyhasfingerprintsBut,sometimesthe printsononeormorefingerscanbecomedifficult toread.Roughphysicallaborcanwearprints down,anddryskin(whetherduetoclimateor constantwashingwithalcoholbasedcleaners) canmakeprintshardertodetect.Incontrast, bodyoilonfingerscanactuallyhelpmake fingerprintseasiertoread.

SpeedImplementedcorrectly,fingerprintscan beusedtorecognizeindividualswithingroupsof thousandsofpeopleinunderasecond.

FlexibilityAllowuserstoregisterwhichever fingersaremostconvenientforthem,andallow twoormorefingerstobeusedsothatthereisa backupincaseofinjury.

PrivacyAlwaysstoreandusefingerprint templates,notrawimages.Thisismuchmore efficientandhelpsprotectusersprivacy. ImagesandTemplatesWhenausertouchesa fingerprintsensor,thehardwarescansthepadof theirfingertocaptureanimageoftheir LoggingRecordallusesofandfailurestouse biometrics,includingdetailssuchastime,place, contextwithinyourapplication,andsoon. fingerprint.Commercialapplicationsrarelyuseor storetherawfingerprintimages;instead,they converttheimageintoamuchsmaller mathematicalrepresentationcalledafingerprint templateandthendiscardtheoriginalimage. Templatescannotbeconvertedbackintothe originalimage. RegistrationorEnrollmentScanningapersons fingerprintsthefirsttimeiscalledregistrationor enrollment.Thisistypicallydonebyanapplication inacontrolled,securesetting,oftenunderthe supervisionofanattendant.Duringenrollment,it iscommonpracticetocapturemultiplescansofa fingerprinttoincreaseaccuracyandsothat peoplecanlatertouchthefingerprintsensorfrom differentangles. MatchingComparingonefingerprinttemplate againstanothertemplate(usuallytheonecreated duringtheregistrationprocess)toseeiftheyboth representthesamefingerprintiscalledmatching.

ImportantConceptsAboutFingerprints
Biometricsliterallymeansthemeasuringofa personsphysicaltraits.Itisatechnologythatcanbe usedtorecognizeandauthenticateindividualsbased onwhotheyare,insteadofwhattheyknow (passwordsorPINs)orwhattheypossess(keysor swipecards). Therearemanytypesofbiometrics,includingpalmor irisscanning,voiceandfacerecognition.Fingerprints arethemostwidelyusedformofbiometricsin commercialapplications.Fingerprintsensorsarenow builtintomostnotebookcomputers,areofferedasan optiononmanybrandsofpointofsale(POS)stations, andareincreasinglybeingusedindoorlocks,medical dispensarycabinets,andotherembeddeddevices.

2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

IdentificationComparingafingerprinttemplate againstadatabaseofmanystoredfingerprint templates(typically,thefingerprintsofallusersof yourapplication)toseeifoneormoreofthem matchesiscalledidentification.Thistechnique allowsyourapplicationtodeterminewhoisusing itwithouthavingtorequestotherformsofID suchasusernamesorIDnumbers.

FailureToCapture(FTC)Thisoccurswhenevera userpressestheirfingertothesensorandthe sensordoesnotrecognizethatafingerispresent. Thiscansometimeshappenwhenpeoplehave verydryskin.

DuplicateEnrollmentCheck(DEC)Thisisthe processofidentifyingindividualswhohave alreadyregisteredtheirfingerprintwithyour application.Thiscanbeusedduringenrollmentto makesuretheuserisntbeingenteredasecond time.

VerificationUsingafingerprinttoconfirmthata useriswhotheyclaimtobeaccordingtosome otherformofID(suchasausernameorID number)iscalledverification.Unlikeother mechanismssuchaspasswords,swipecardsor PINs,fingerprintscantbelost,forgottenorshared.

UserIDThepieceofdatathatyourapplication usesinternallytoidentifyeachdistinctuserof yourapplicationisfrequentlycalledauserID. Thisuniqueidentifier(oftenaformofusername orserialnumber)isusedtoquicklylookup informationabouteachpersoninwhateverdata storeisusedtorecorduserinformation.

AuthenticationTheactofconfirmingthat somebodyiswhotheyclaimtobeiscalled authentication.Itusuallyinvolvestwosteps:(1) identifyingwhotheysaytheyare;and(2) verifyingthattheyreallyarethatperson.Whena fingerprintisusedtobothidentifyandverify somebodyinonestep,itisoftencalledtouch andgoauthentication.

UserAccountDataYourapplicationmostlikely storesinformationassociatedwitheachUserIDin somesortofuseraccountdatabase.Typically,this includesattributeslikeaccountnames,login namesorIDs,IDnumbers,PINsandotherkindsof informationthatareusedduringsignon.

FalseAcceptRate(FAR)Thisisameasureofthe probabilitythatfingerprintsfromtwodifferent peoplemightmistakenlybeconsideredamatch.A lowerFalseAcceptRaterequiresamoreexact match,whichcouldforcelegitimateusersto rescantheirfingerprintsonoccasion.Most applicationsallowthisratetobeadjustedto handledifferentpopulationsofusers.

FalseRejectRate(FRR)Thisisameasureofthe probabilitythatfingerprintsfromalegitimateuser mightmistakenlyberejectedasnotmatchingthe onespreviouslyenrolled,forcingtheuserto rescan.Typically,alowerFalseAcceptRatewill resultinahigherFalseRejectRate.

2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

StepsforUsingFingerprintsinYourApplication
Togetthemostoutoffingerprintbiometricsinyour applications,focusonthefollowingareas: WheretoStoreFingerprintTemplates AccessingStoredFingerprintTemplates EnrollingUsersFingerprints CheckingforDuplicateEnrollments PreloadingTemplatesatApplicationStartup LookingUpUsersbyTheirFingerprint Signon FingerprintsasanEnterkey Approvals Signout RemovingUsers Logging Yourapplicationimplementsthelogicforthese policies,givingyoutheflexibilitytochoosethemost appropriateoptionsforyourcustomers.

WheretoStoreFingerprintTemplates
Thefingerprinttemplatesthatarecreatedwhenevera userenrollsfingerprintsneedtobestoredinaway thatyourapplicationcanaccessthemandknowthe useraccountstowhichtheycorrespond. Yourexistinguseraccountdataprobablyalreadyhas someformofUserIDthatcanbeusedtoquicklylook upinformationabouttheuser(e.g.,ausernameorID number).Fingerprintscanprovideaquickwayto determinethisUserIDwithouthavingtoasktheuser foranotherformofID. Therearetwocommonapproachestochoosingwhere fingerprinttemplatedataisplaced:

Fingerprintscanbeusedtoimplementvarious securityprocessestomakeyourapplicationeasierto useandmoresecure: IdentifyusersbytheirfingerprintGiveusers touchandgoauthenticationwithouttheneed forotherformsofID,likeusernames,swipecards orIDnumbers. VerifyanotherformofIDFingerprintscanbe usedtoconfirmthatausernameorIDnumber providedbytheuseractuallybelongstothem. ThisavoidstheneedforpasswordsorPINswhich canbeeasilylost,stolenorshared.

Where
How

ExtendExisting UserAccountData
Addfingerprint templates(atleast two)asextrafieldsin thedatayoustore abouteachUserID. Takes advantageof yourexistingdata backupand managementtools. Requireschangesto existinguserdata structures.

UseASeparate Database
Storefingerprint templatesina separatedatabase alongwiththe UserIDtowhich theycorrespond. Insulatesfingerprint templatesfromuser dataforenhanced privacyandsecurity. Addsanother databasetobackup andmaintain.

Pros Mostapplicationsgivecustomersadministratorsthe abilitytosetpoliciesthatcontrolhowuserslogonto theapplication.Commonexamplesoflogonpolicies include: Fingerprintonly FingerprintorUserID+Password/PIN FingerprintandUserID+Password/PIN Cons

Fingerprinttemplatesaretypicallyrepresentedas binarydatastoredinvariablelengtharraysofbytes.

2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

Thetemplateformatusedmostcommonlywith DigitalPersonasoftwaredevelopmentkitsislessthan 2048byteslong;however,othertemplateformats havedifferentsizes.IfyouareusingMicrosoftSQL Server,youcanuseavarbinary(3000)field.

action,includingapictureorshortvideoofsomebody touchingthepad(notthetip)oftheirfingertothe surfaceofthefingerprintreadercanavoidproblems later. DigitalPersonasOneTouchforWindowsSDKincludes graphicaluserinterfacecontrolsthatcaneitherbe usedasisortoprovideideasifyouwishtocreate yourowninterface:

AccessingStoredFingerprintTemplates
Ifyourapplicationcanbeusedbymultiplepeopleat thesametime(suchasfromdifferentcomputers,POS stationsorotherdevices),youcanminimizememory consumptionandcodecomplexitybycreatinga separateserviceforstoringandlookinguptemplates. Thisservice,whichcanevenrunonaseparate computer,canbecalledbyotherpartsofyour applicationusingtechnologiessuchasRPC,DCOM, WCF,orWebServices.Itprovidesaninternalinterface foryourapplicationtolookuptheUserIDassociated withagivenfingerprinttemplate.Keepingstored fingerprintdatainsulatedfromyourendusersalso helpstoprotectpeoplesprivacy.

Ifyoucreateyourownenrollmentscreens,makesure thatusersscantheirfingerprintsseveraltimesto makesubsequentmatchesmorereliable.

EnrollingUsersFingerprints
Eachpersonwhowillbeusingfingerprintswithyour applicationhastoenrolltheirfingerprintswithyour software.Manyapplicationsmakethispartoftheuser accountcreationorprovisioningprocess.Typically,an administratororotherauthorizeduserbringsupthe appropriatescreenwithinyourapplicationandhelps theuserthroughtheirinitialfingerprintscans. Themiddlefinger,indexfingerandthumboneach handtypicallyprovidethebestfingerprintstouse. Toavoidmatchingproblemsincaseofan injuredfinger,yourapplicationshouldaskusers toregisterfingerprintsfromatleasttwofingers. Graphicalscreensshouldbeusedtoguidetheuser throughtheenrollmentprocess.Whiletouchinga fingerprintreaderisanatural,easytounderstand
2009DigitalPersona,Inc

Also,makesurethatyourapplicationhandleseachof theeventsthatOneTouchforWindowsdeliversand providesvisualfeedbacktotheuser.


6

BestPracticesforImplementingFingerprintBiometricsinApplications

CheckingforDuplicateEnrollments
Withbiometrics,youcaneasilycatchpeoplewho attempttoenrollmorethanoncetouseyour application.Thisgivesyoutheabilitytoconsolidate olderaccounts,avoidaccidentalduplicate registrations,andpreventfraudulentattemptsto masqueradeassomebodyelse. Yourapplicationcaneithercheckforduplicatesinreal timeduringenrollmentorofflineaspartofadatabase cleansingprocess.Eitherapproachcanbe implementedwithOneTouchI.D.andisusefulevenif yourapplicationonlyusesfingerprintstoverify anotherformofID.

LookingUpUsersbyTheirFingerprint
Fingerprintsprovideanaturalwayforyourapplication torecognizetheuserwithouttheneedforother formsofID(e.g.,usernames,IDnumbers,orswipe cards).Peoplelearnquicklyhowtousefingerprints andcandosonaturally,withouthavingtostopor interrupttheflowofwhattheyaredoing.Thismakes fingerprintsidealnotonlyforsignon,butalsofor confirmingwhoisperformingimportantoperations especiallywhenmultiplepeoplemightbeinvolved (suchasforanapproval). OneTouchI.D.isspecificallydesignedforfingerprint identification.Asmentionedabove,ifyourapplication canbeusedbymultiplepeoplesimultaneouslyfrom separatedevices,thiscapabilityisbestimplemented inaseparateserviceormodulethatmultipleinstances ofyourapplicationcancallatthesametime. Wheneverafingerprintisscanned,yourapplication willbenotifiedsothatitcanextractatemplatefrom thefingerprint(seethesectiononSignOnbelowfora moredetaileddescription).Yourcodeshouldthen passthetemplatetotheserviceormodulethatis callingOneTouchI.D. Yourserviceormodulemayreceivemorethanone possiblematchbackfromOneTouchI.D.1 Ifthis happens,yourcodecandoanexplicitmatchagainst thefirstreturnedtemplatetoseeifitisthecorrect enrolledtemplate.Ifitisnot,yourapplicationshould logwhichusersweremismatchedandalertthe administratorthattheFalseAcceptRatehasprobably beensettoolow.

PreloadingTemplatesatApplicationStartup
TouseOneTouchI.D.,yourapplicationwillneedto loadalltheenrolledfingerprinttemplatesinto memorybeforeanylookupscanbeperformed.Since thisprocesscanpotentiallytakeanumberofseconds toaminuteormoredependinguponthenumberof templates,loadingtheenrolledfingerprinttemplates shouldbedoneonceatstartupintheservice mentionedabove.Donotwaituntilthefirsttimean attemptismadetolookupormatchafingerprint. Whenyourapplicationstarts,haveititerateoverthe enrolledfingerprinttemplates(whereveryouhave chosentostorethem)anduseOneTouchI.D.toadd eachone,alongwithitsUserID,toanidentification collectionobject.Oncethisisdone,individual lookupswilltypicallytakelessthanasecond,even whentherearethousandsofenrolledtemplates. Ifyouarenotusingfingerprintsfor identification,butonlytoverifyanotherformof ID,youdonotneedtouseOneTouchI.D.anddonot needtopreloadtemplates.

Undercertainconditions,afingerprinttemplatemaypartially matchmultipleenrolledtemplates,particularlyifyour applicationhasloweredtheFalseAcceptRatetoallowpeople withhardtoreadfingerprintstouseyourapplicationwithout havingtotouchthefingerprintscannermultipletimes.

2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

Oncetheappropriateenrolledtemplatehasbeen identified,yourserviceormodulecanthenreturnthe UserIDassociatedwiththetemplatetoyour application.Youmaywishtoalsoreturntheenrolled templatethatwasmatchedsothatthecallercan cacheitforquickmatchinginthefuture. Neverimplementfingerprintidentificationby iteratingoveryourdatabaseofenrolled fingerprinttemplates,matchingeachoneindividually. Thisapproachisveryinefficientandwillmakeusers thinkyourapplicationisslow.Instead,useOneTouch I.D.Atmost,onlyeverdoindividualmatchingagainst asmallcacheofrecentlyusedtemplatesasan optimization.

Ifyouwillbeusingfingerprintstoconfirm actionsthatareperformedfrequently,obtaina copyoftheenrolledfingerprintfromyourfingerprint lookupserviceormoduleandcacheitinyour application.Yourcodecanthenrapidlyperforma directmatchagainstthefingerprintincachebefore attemptingafulllookup. Finally,alwayscreatealogentrywheneveruserssign onandnotewhetherornottheyusedtheir fingerprint.Evenifyoudonotcreateapolicyrequiring theuseoffingerprintstosignon,itisstillagoodidea tonotewhenanyonewithregisteredfingerprints signsonwithoutusingthem.Thiscanhelpcustomers spotpotentialproblemsearly.

SignOn
Themostcommonuseoffingerprintsisforsignon, eitherasaformofidentificationorasawayto confirmanotherformofID. Whenauserscanstheirfingerprintduringsignon, yourapplicationwillreceiveaneventfromthe fingerprintSDKindicatingthatanimageortemplate (dependingonwhichSDKyouareusing)isavailable.If yourapplicationisusinganSDKthatprovidesaraw image,immediatelyextractthefingerprinttemplate anddiscardtheoriginalimage. IfyouareusingfingerprintsasaformofID,yoursign oncodecancallyourlookupserviceormodule(see above)todeterminetheUserIDofthepersonwho touchedthefingerprintreader. Ifyouareonlyusingfingerprintsforverification,then yourapplicationcanusetheotherformofIDto determinewhichUserIDtolookup.ThatUserIDcan thenbeusedtofindtheusersenrolledtemplatesto compareagainst.

TwoFingerMatching
Forextrahighsecurity,youcanrequestand matchtwofingerprintsinsteadofjustone.To avoidsurprisingusers,alwaysaskforboth fingerprints,evenifthefirstonecorrectly matches. Thistechniquecanalsobeusedtoimprove recognitionratesforpeoplewithhardtoread fingerprints.

2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

FingerprintsasanEnterKey
Fingerprintsareusefulformorethanjustsignon. Theyareafast,intuitivewayforuserstoconfirmthat theyarewhotheysaytheyarewhenperforming individualapplicationfunctions,suchas: Enteringneworders Changingordeletingimportantdata Openingacashdrawerinacashregister Printingsensitiveinformation Accessingclientcreditcardnumbers

ofusersrises.Instead,useOneTouchI.D.todelivera vastlysuperioruserexperience.

Approvals
Fingerprintscanhelpguideuserstofollowproper businessprocesses.Theyprovideasimplewayto allowotherpeople(suchassupervisorsor administrators)toauthorizeactionsrequiringspecial permissionswithoutcumbersomeswitchingofusers. Yourapplicationimplementsthelogicforapprovals, givingyoufullcontrol.Foroperationsthatrequire authenticationfromsomebodywithspecialprivileges, provideavisualpromptexplicitlyidentifyingthe privilegelevelrequiredortheroleoftheperson needed(e.g.,ManagerFingerprintRequiredfor Override). AsimplewaytoimplementapprovalsistouseOne TouchI.D.toidentifywhichuserscannedtheir fingerprintand,ifthatuserisproperlyauthorized, taketheappropriateaction.Thiseliminatestheneed topromptforanotherformofidentification(e.g.,a username,loginname,IDnumberorPIN)to determinewhichuserhasscannedafingerprint. Workflowisfastandefficientandapowerfulaudit trailcanbecreated. IfyouarenotusingOneTouchI.D.anddont wishtopromptforanotherformofID,youwill likelyneedtoimplementsomeformofpersistent cachingtoavoidhavingtoiterateoverthelistofall registeredfingerprints.However,thisaddssignificant complexitytoyourapplicationandcangreatlyreduce performance. Alwayshaveyourapplicationlogallapprovalattempts successfulandfailed.

Whenyouhaveanactionthatyouwanttoconfirmby afingerprint,prompttheusertotouchthefingerprint sensorandobtainatemplateasdescribedabove. Then,sincemostpeopletendtousethesame fingeroverandover,ifyourapplicationhas previouslycachedtheenrolledtemplatethatwas successfullymatchedatsignon,thentrytomatchthat cachedtemplatefirst. Ifyourapplicationisntcachinganyrecentlyused templates,orthetemplatedidntmatch,doalookup usingtheapproachdescribedaboveforsignon.This willtellyouwhetherthefingerprintcamefroma differentfingeronthesamepersonorfromadifferent person. Ifthefingerprintdoesntcomefromtheuserwho signedon,youcanusethetemplatetodetermineif anotherauthorizeduserisattemptingtouseyour application.Thisisaneasywaytoimplement approvalsbysupervisorsorotherprivilegedusers(see nextsection). Makesurethatyourapplicationlogsthefactthatthe actionwasconfirmedwithafingerprint. Asstatedbefore,neveriterateoverallenrolled fingerprintslookingforamatch.Itwillmake yourapplicationveryslow,particularlyasthenumber
2009DigitalPersona,Inc

BestPracticesforImplementingFingerprintBiometricsinApplications

SignOut
Whenausersignsoutofyourapplication,all temporarycopiesoffingerprinttemplatesthatyour applicationiskeepinginmemoryshouldbereleased. IfyourapplicationisnotusingOneTouchI.D.butis maintainingitsownpersistentcacheofregistered fingerprinttemplatesthathaverecentlybeenused, makesurethecacheisproperlyupdated. Asalways,makesureyourapplicationlogsthefact thattheuserhassignedout.

registeredfingerprinttemplatesfromformerusers afteragivennumberofdays.Administratorsshould beablecontrolthelengthoftimeandtoimmediately deletetemplatesifneeded.Thisisimportantasit enablesthecustomertocomplywithanylocaldata retentionregulationsandpolicies.

Logging
Fingerprintsarevaluableasadeterrentto inappropriatebehavior,asawayofimproving usability,andasavaluablesourceofdataforanaudit trail.Yourapplicationshouldautomaticallylogall authenticationandsecurityactivities,including: Wheneverauserenrollsafingerprint. Wheneversomebodyhastroubleenrolling. Wheneveraduplicateenrollmentisdetected. Wheneversomebodysignson,confirmsanaction orotherwiseauthenticateswiththewaysin whichtheyauthenticated. Wheneversomebodytriestoauthenticatebut cant. Wheneversomebodywhohasfingerprints enrolledauthenticateswithoutthem. Wheneversecuritysettingsarechanged especiallyFalseAcceptRate.Settingthis improperlycanhaveseriousconsequences.Make suretoincludeboththeoldandnewvalues.

RemovingUsers
Usingfingerprintstocontrolaccesstoyourapplication makesiteasytoimmediatelyblockaccessbypeople whosepermissionshavebeenrevoked(e.g.,former employeesorpeoplewhochangedroles). Theeasiestapproachistodeleteanytemplates associatedwiththeformeruser.Ifyourapplication usesOneTouchI.D.,removetheuserfromthe identificationcollectionthatwascreatedatstartupto immediatelypreventtheirfingerprintsfrombeing recognized.Thendeletetheregisteredtemplates fromtheuserdatarecordorfromtheseparate fingerprinttemplatedatabase. Ifyouwishtoprovidetheabilityforcustomers toflagterminateduserswhoattempttouse theirfingerprintstogaininappropriateaccess,donot immediatelyremovetheusersfingerprinttemplates. Instead,marktheusersaccountdataasdisabled. Then,whenauserattemptstoaccessyour application,simplycheckthestatusofthatusers accounttodeterminetheiraccessrightsandlogany failures. Ifyourapplicationdoesprovidesuchtemporary retentionofbiometricdata,makesurethatyou givecustomerstheabilitytopermanentlyflushthe

2009DigitalPersona,Inc

10

BestPracticesforImplementingFingerprintBiometricsinApplications

TroubleshootingandPreventingProblems
Thefollowingcapabilitiescansimplifyyourcustomers useoffingerprintsandavoidcommonproblems. forgiving,particularlywhenfingerprintsareusedfor identification(forverification,thesettingsrarelyneed tobechanged).

Providevisualfeedbackduringfingerprintuse
Whilefingerprintsarenaturallyeasyforpeopleto understand,applicationsshouldprovidefeedback duringsuccessesaswellasfailures: Prompttheuserwhenafingerprintisneeded. Warnwhenthesensorisdisconnected. Prompttheusertoretryifafingerisdetectedbut nomatchisreceivedwithinasecondortwo. Warnwhenafingerprintisreceivedbutnomatch isfound. Indicatesuccesswhenamatchisfound. YourapplicationcanmapHighorLowsettingstothe appropriatevaluesneededbytheappropriateSDKs. IncorrectlyadjustingtheFARcanhaveserious Touchthefingerprintsensorwiththeflatpadof yourfinger,notthetip. Ifyourfingersareverydry,trytouchingyour foreheadwiththepadofthefingeryouaretrying toscanandthenrescanningyourfingerprint. Ifthefingerprintsensorisdirty,gentlydabitwith thestickysideofapieceofcellophanetape.Do notrubitwithpaperanddonotgetitwet. consequences.Itisextremelyimportantthat yourapplicationsettheFARaccordingtotheSDK documentationandprovideadministratorsathorough explanationofFARoptionswithinyouruserinterface toavoidconfusion. Ifyouareusingfingerprintsforidentification,you shouldprovideawayforadministrators(butnotend users)toadjusttheFARsettings.Forexample:

Offerhelpwhenrepeatedfailuresoccur
Youcandramaticallyimprovetheuserexperienceof yourapplicationbydetectingrepeatedfailedattempts tousethefingerprintreaderandofferinghints,suchas:

TestYourApplicationwithMultiplePeople
Theeasewithwhichpeoplesfingerprintscanberead isaffectedbymanyfactors,includingdryness,age,as wellaswearandtear.Forbestresults,tryyour implementationwithmultipleanddiversepeople.

ProvideadministrativesettingsforFAR
Forsomepopulationsofusers,thedefaultFalse AcceptRatesettingsmightbetoorestrictiveortoo

2009DigitalPersona,Inc

11

BestPracticesforImplementingFingerprintBiometricsinApplications

Summary
Biometricscanhelpyouenhancethesecurityand usabilityofyourapplication.Byfollowingafewsimple guidelinesandusingDigitalPersonasbiometric softwaredevelopmentkits,youcaneasilyaddfast fingerprintidentificationandverificationcapabilities thatenableyourapplicationtorecognizeindividual userswithoutrequiringotherformsofID.Thiscanbe usedinavarietyofwaysfromsignonand confirmationofimportantactionstospecialapprovals byotheruserstohelpcombatfraudandboost customerefficiency.

DigitalPersona,Inc.,isaleadingprovideroffingerprint biometricsproductsforembeddedapplicationdevelopers, restaurant/retailPOSsolutions,enterprisesandconsumers.The companyofferssoftwareandhardwarethatprotectspeople andbusinessesbyenablingthemtocontroltheirdigital identities.Forendusers,DigitalPersonaprovidesstrongidentity protectionthatsuniquelyeasytouse;thecompanysbusiness solutionshelporganizationsaddressgrowingsecurity, complianceandlosspreventiondemands.DigitalPersonas awardwinningtechnologyhasbeenusedworldwidebyover95 millionpeople,anditssolutionsareofferedbymarketleading manufacturerssuchasHP,Dell,IBMandNCR.Formore informationcontactDigitalPersona,Inc.at+1650.474.4000,or visitwww.digitalpersona.com. 2009DigitalPersonaInc.Allrightsreserved.DigitalPersona andOneToucharetrademarksofDigitalPersona,Inc., registeredintheUnitedStatesandothercountries.Allother trademarksreferencedhereinarethepropertyoftheir respectiveowners. 2009DigitalPersona,Inc 12

You might also like