
DigitalPersona Application Note:

OneTouch I.D. Duplicate Enrollment Check
Before You Begin

Before reading this document, we suggest that you familiarize yourself with the OneTouch for Windows API and the OneTouch I.D. API as well as their respective basic terms. A good way to do this is by reading the SDK product documentation (included with your product) listed below. Depending on your development environment, you will only need to review one of the Developer Guides for each of the two products:

OneTouch for Windows
    Fingerprint Guide.pdf
    OneTouch for Windows SDK .NET Developer Guide.pdf
    OneTouch for Windows SDK C/C++ Developer Guide.pdf
    OneTouch for Windows SDK COM/ActiveX Developer Guide.pdf
    OneTouch for Windows SDK Java Developer Guide.pdf

OneTouch I.D.
    OneTouch for Windows SDK .NET Developer Guide.pdf
    OneTouch ID SDK Developer Guide.pdf

DEC Enrollment Check Overview

The Duplicate Enrollment Check (DEC) is a feature exposed by the OneTouch I.D. 2.1.1 API to allow businesses to reduce the potential of fraud. It allows the application to compare fingerprints being registered to fingerprints of previously registered users.

The actual duplicate enrollment check functionality is exposed by the OneTouch I.D. SDK's overloaded Identify() method. As viewed from the Visual Studio Object Browser:
public DPFP.ID.CandidateIDList Identify(DPFP.FeatureSet FeatureSet) Member of DPFP.ID.Identification

public DPFP.ID.CandidateIDList Identify(DPFP.Template Template) Member of DPFP.ID.Identification

DEC Pre-Enrollment (1:Many Supervised)

This type of DEC is well suited for a high risk environment. Enrollment is supervised and the workstation is visible strictly to the supervisor. In this setup, the DEC is used primarily for fraud prevention, where users try to register under multiple accounts to gain immediate access to sensitive information and resources. The DEC can also be used in less strict environments, to reduce the likelihood of false accepts, by encouraging users to enroll fingers that do not match other registered prints.

Example Scenario:

An application has the task of registering and issuing driver's licenses for first time driver applicants. This type of application can be the target of fraud since there is potential incentive to provide driver's licenses to non-qualified individuals. This typically occurs when one individual takes the license tests for other would-be drivers. Such an application cannot risk providing a license to the incorrect person as this can result in increased highway fatality rates. Therefore a duplicate enrollment check should be performed immediately at registration; requiring all users to register their prints (either a predetermined subset or all 10) is key to an accurate DEC.

Workflow of a DEC for a driver's license issuing system:

1. Application must be supervised.
2. Enrollee will provide identity information.
3. If the information is valid, continue on; else reject enrollee.
4. Supervisor and application instruct the user to press 4 predetermined fingers to the sensors. The fingers must be presented one at a time, as the reader cannot capture multiple prints in a single press.
5. Application captures the feature sets and sends the DEC request to the server.
6. The server calls Identify(featureSet) four times to validate the prints do not already exist in the database.
7. If all 4 prints pass the DEC, have the enrollee register one of the 4 predetermined fingers (preferably the right middle finger). At this point, authentication is complete and there is no need to continue with the next steps.
8. If the fraud check fails, the supervisor is to perform a more stringent examination of the enrollee's identity. If the fraud check fails more often than it should, the system administrator should be able to adjust the default false accept rate (FAR) for the DEC.
9. If the supervisor determines the enrollee's identity is legitimate and doesn't exist in the user database, the enrollee is to register one of his/her fingers that do not match any fingers in the database. This is done by simply sending the template to the server for another DEC check. The supervisor and application should inform the enrollee to only use the registered finger for identification purposes.
Code example: (The code contained in this document is to be treated as pseudocode.)
// Handles a DEC request against an acquired feature set.
// idSet is the DPFP.ID.Identification instance loaded with the registered users' templates.
public bool _RequestFtrsDEC(byte[] ftrBytes)
{
    DPFP.FeatureSet ftrSet = new DPFP.FeatureSet();
    ftrSet.DeSerialize(ftrBytes);
    DPFP.ID.CandidateIDList candidateList = null;
    candidateList = idSet.Identify(ftrSet);
    if (candidateList.Count > 0)
    {
        // Write to server log
        LogDECEntry("DEC Failed\r\n");
        // Compose response, F=Fail
        Response.Write("F");
        foreach (DPFP.ID.UserID candidateID in candidateList)
        {
            // LogDECEntry is a function you should define for logging purposes
            LogDECEntry(candidateID.ToString() + GetDate() + "\r\n");
            Response.Write(candidateID.ToString());
        }
        return false;
    }
    else
    {
        // Compose response, P=Pass
        Response.Write("P/0");
        return true;
    }
}

// Handles a DEC request against a registration template.
public bool _RequestTemplateDEC(byte[] templateBytes)
{
    DPFP.Template template = new DPFP.Template();
    template.DeSerialize(templateBytes);
    DPFP.ID.CandidateIDList candidateList = null;
    candidateList = idSet.Identify(template);
    if (candidateList.Count > 0)
    {
        // Write to server log
        LogDECEntry("DEC Failed\r\n");
        // Compose response, F=Fail, and log the user(s) the print matched against
        Response.Write("F");
        foreach (DPFP.ID.UserID candidateID in candidateList)
        {
            LogDECEntry(candidateID.ToString() + GetDate() + "\r\n");
            Response.Write(candidateID.ToString());
        }
        return false;
    }
    else
    {
        // Compose response, P=Pass
        Response.Write("P/0");
        return true;
    }
}

DEC Pre-Enrollment (1:Many Non-Supervised)

This approach is for those applications where it is impossible to have supervised enrollment. The typical motive for such applications to use OneTouch ID is to allow users to log in without having to enter their username and password and to prevent stealing of account credentials (either via keylogger software or brute force attacks). Applications that fall into this usage scenario are usually web based. Any system that is public not only benefits from the convenience of biometrics, but also guarantees the millions of individuals that don't have a DigitalPersona fingerprint reader will have no way of hacking into your customer accounts (assuming the application has a Fingerprint Only or similar policy).

Workflow requirements of a DEC for a web forum with sensitive information:

1. Allow users to register at least two fingers. Suggest that they use middle or index fingers.
2. Upon creation of the registration fingerprint template, send a DEC request to the server.
3. If both registration fingerprint templates pass the DEC, save those templates to the user's database record.
4. If the registration fingerprint templates fail the DEC, have the user register other fingers until two registration templates that pass the DEC are created. Save the registration templates to the user's database record and inform the user to only use those particular fingers that were successfully registered.

Note: The user may realize he can use the fingers that failed the DEC to log in as another user. Please see the section Reinforcing Security at the bottom of this document for more information.

DEC Post-Enrollment (Many:Many)

This approach is well suited for less strict environments where user convenience is the top priority and for those customers who have pre-existing databases of registered fingerprints wherein they need to find already existing duplicates.

Workflow requirements:

1. A separate workstation (not the authentication server itself) should be used to perform a M:M DEC. The workstation must meet minimum hardware requirements (see Additional Memory Requirements in the OneTouch ID SDK documentation).
2. An executable or service should be scheduled at the workstation to perform the DEC at periodic intervals (nightly, weekly, or monthly).
3. The executable should load user registration templates into memory and perform a sequential DEC for every user template against all other user templates at a strict FAR. This will return those users who may have potentially registered under multiple accounts.

Actual code may look something like (assuming the user collection and identification list are already filled):
DPFP.ID.User user = null;
DPFP.ID.CandidateIDList candidateList = null;

foreach (DataRow row in tblUsers.Rows)
{
    user = userCollection[row["UserID"]];

    // Call Identify() against each user's template(s)
    foreach (DPFP.ID.FingerPosition finger in user.FingerPositions)
    {
        candidateList = idSet.Identify(user.Template(finger));

        // Write data to file or table
        foreach (DPFP.ID.UserID candidateID in candidateList)
        {
            // WriteDECEntry is a function you would define
            WriteDECEntry(user.ID, candidateID.ToString());
        }
    }
}
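The Many:Many sweep as an added example, not the application note's own code: because the real Identify() needs a reader and a loaded identification set, it assumes a small IIdentifier interface and string templates in place of the DPFP types (one template per user for brevity), and shows the two steps the loop above leaves to WriteDECEntry, skipping the user's own match and reporting each suspect pair only once.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Mirrors what the sweep needs from DPFP.ID.Identification.Identify(): the IDs of
// users whose stored templates match the supplied one. Assumed interface for the demo.
public interface IIdentifier
{
    IReadOnlyList<string> Identify(string template);
}

// Constructed stand-in for the real matcher: templates are strings, a "match" is equality.
public class ExactMatchIdentifier : IIdentifier
{
    private readonly Dictionary<string, string> _templateByUser;
    public ExactMatchIdentifier(Dictionary<string, string> templateByUser) => _templateByUser = templateByUser;
    public IReadOnlyList<string> Identify(string template) =>
        _templateByUser.Where(kv => kv.Value == template).Select(kv => kv.Key).ToList();
}

public static class DuplicateSweep
{
    // Runs Identify() once per user, like the note's loop, but drops the self-match
    // (the user's own template is in the set) and reports each suspect pair once.
    public static List<(string A, string B)> Run(IIdentifier idSet, Dictionary<string, string> templateByUser)
    {
        var pairs = new HashSet<(string A, string B)>();
        foreach (var user in templateByUser.Keys)
        {
            foreach (var candidate in idSet.Identify(templateByUser[user]))
            {
                if (candidate == user) continue;
                // Order the pair so bob->carol and carol->bob collapse to one record.
                pairs.Add(string.CompareOrdinal(user, candidate) < 0 ? (user, candidate) : (candidate, user));
            }
        }
        return pairs.OrderBy(p => p.A).ThenBy(p => p.B).ToList();
    }

    public static void Main()
    {
        // Constructed sample data: "bob" and "carol" enrolled the same finger.
        var templates = new Dictionary<string, string>
        {
            ["alice"] = "T-a1", ["bob"] = "T-shared", ["carol"] = "T-shared", ["dave"] = "T-d4",
        };
        foreach (var (a, b) in Run(new ExactMatchIdentifier(templates), templates))
            Console.WriteLine($"possible duplicate enrollment: {a} <-> {b}");   // hand off for review
    }
}
```

Each pair reported here is a lead for the supervisor's review described earlier, not proof of fraud, since a match at the chosen FAR can still be a false accept.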

Reinforcing Security

Though this document is not intended to address identification, the DEC can play an important role in improving identification accuracy. Based on DEC results, your application can become more adaptive when it comes to handling security threats. Ultimately what you decide will be based on customer needs and development resources.

Adaptation is primarily achieved through a second pass of authentication. This is performed by calling the DPFP.Verification.Verify() method of the OneTouch for Windows SDK after your application calls the DPFP.ID.Identification.Identify() method. By using such a mechanism an administrator can have control over recognition policies, allowing for a highly flexible system.

Example Policies:

1. Administrator cannot adjust the FAR. The FAR can only be adjusted by support personnel at your company.
2. Administrator can set a base identification FAR for all users, no per-user policy (easiest to implement).
3. Administrator can set a base FAR for all users, in addition to modifying individual user FARs.
4. Administrator can set a base FAR for all users, and allow users to lower (lower = higher security) their own FAR. Obviously if users are given this flexibility, you will need to write your application in a way as to prevent users from locking themselves out. Consider the strength of exposing an auto-adjust and default option as opposed to letting users adjust their FAR directly. This implementation is more directed towards large identification sets and distributed/web based applications in which it is impractical for an administrator or support technician to adjust individual user accounts.

How to Adjust the FAR

OneTouch for Windows SDK:
static int PROBABILITY_ONE = 0x7FFFFFFF;
DPFP.Verification.Verification verification = new DPFP.Verification.Verification();
// Set the FAR to 1/1,000,000 (The OTW default is 1/100,000)
verification.FARRequested = PROBABILITY_ONE / 1000000;

OneTouch I.D. SDK:
DPFP.ID.Identification IDList = null;
// Set the FAR to 1/25,000 (The OTID default is 1/10,000)
IDList = new DPFP.ID.Identification(ref userCollection);
IDList.FalseAcceptProbability = PROBABILITY_ONE / 25000;
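An added example, not code from the application note, for the FAR arithmetic used above: helper functions (names assumed) that turn a "1 in N" rate into the integer FARRequested and FalseAcceptProbability expect, recover the rate from that integer, and clamp a user-chosen FAR to an administrator-controlled range as example policy 4 requires.

```csharp
using System;

public static class FarPolicy
{
    // The SDKs represent probability 1.0 as this integer; a FAR of 1 in N is PROBABILITY_ONE / N.
    public const int PROBABILITY_ONE = 0x7FFFFFFF;

    // Convert "1 in denominator" to the SDK integer. A smaller result means a stricter match.
    public static int FromOneIn(long denominator)
    {
        if (denominator < 1 || denominator > PROBABILITY_ONE)
            throw new ArgumentOutOfRangeException(nameof(denominator));
        return (int)(PROBABILITY_ONE / denominator);
    }

    // Convert an SDK integer back to its "1 in N" denominator (rounded).
    // Integer division truncates, so a round trip comes out slightly stricter than requested.
    public static long ToOneIn(int far)
    {
        if (far < 1 || far > PROBABILITY_ONE)
            throw new ArgumentOutOfRangeException(nameof(far));
        return (long)Math.Round((double)PROBABILITY_ONE / far);
    }

    // Policy 4: a user may lower (tighten) his or her own FAR, but only within a range the
    // administrator sets, so nobody picks a FAR so strict that genuine fingers are rejected.
    public static int ClampUserFar(int requested, int adminFloor, int baseFar)
    {
        if (adminFloor > baseFar)
            throw new ArgumentException("floor must be at least as strict as the base FAR");
        if (requested < adminFloor) return adminFloor;   // too strict: lockout risk
        if (requested > baseFar) return baseFar;         // too loose: weaker than the base policy
        return requested;
    }

    public static void Main()
    {
        int otwDefault = FromOneIn(100000);    // OneTouch for Windows default, 1/100,000
        int otidDefault = FromOneIn(10000);    // OneTouch I.D. default, 1/10,000
        Console.WriteLine($"1/100,000 -> {otwDefault}; 1/10,000 -> {otidDefault}");
        int strict = FromOneIn(1000000);
        Console.WriteLine($"1/1,000,000 -> {strict}; round trip gives 1 in {ToOneIn(strict)}");
        // A user asks for 1/50,000,000; the administrator floor is 1/1,000,000.
        int clamped = ClampUserFar(FromOneIn(50000000), strict, otidDefault);
        Console.WriteLine($"user request clamped to 1 in {ToOneIn(clamped)}");
        // Assign the chosen value to verification.FARRequested (OTW) or
        // IDList.FalseAcceptProbability (OTID) exactly as the note shows above.
    }
}
```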

IMPORTANT NOTE

Because applications and environments vary, we strongly suggest fine-tuning your overall identification and DEC process to find what best fits your customers. Incorrectly modifying the false accept rate (FAR) can result in a high false accept rate or a high false reject rate, yielding reduced security and a poor user experience.

For further assistance please post any questions you may have to the Developer Connection web forum: http://www.digitalpersona.com/webforums/index.php
