Fingerprint management application enrollment

This topic provides guidelines for designing the fingerprint management application (FMA) enrollment process.

This information applies to the following operating systems:

  • Windows Server 2008 R2
  • Windows 7

First-time user experience

If a user expresses an interest in using a fingerprint device, your FMA should guide the user through the enrollment process. Additionally, the FMA should execute in response to the following events:

  • If a user swipes or touches the fingerprint reader and there are no enrolled templates for the user, the FMA might be launched. The FMA should prompt the user to determine whether the user wants to enroll and if so, begin the enrollment process.
  • If a user tries to log on to Windows by swiping a finger, but cannot log on because no fingerprints are currently enrolled, the FMA should display a message that instructs the user to log on using another method (such as a username/password or a smart card). The FMA can then begin the enrollment process automatically once the user has successfully logged on to Windows by using another form of authentication.

Do not launch your FMA for these types of events when biometrics is disabled.

Avoid beginning an enrollment every time a user touches the fingerprint device accidentally or swipes an unenrolled finger. The FMA should provide an option that allows the user to disable the prompted enrollment behavior. For example, there might be a check box saying, “Show wizard when a new finger is detected”, to give the user more control.

Enrollment overview

The FMA should give new biometric users an overview of the complete enrollment process, including the following:

  • What is enrollment?
  • Why would a user want to enroll?
  • What are the steps?

Providing a clear, simple overview helps the user understand how to work successfully with fingerprint devices on Windows. A clear overview makes it more likely that users will complete the enrollment process without running into problems or becoming frustrated. For more information on providing a good enrollment experience, see Enrollment help.

Authenticate user before initiating enrollment

Your FMA should confirm the identity of the user before it modifies any enrollment information. It is important to prevent any unauthorized modification of fingerprint logon information.

Your FMA can verify the user’s identity by doing one of the following to validate the logon credentials:

  • Request that the user enter the account password.
  • Query a smart card.
  • Request that the user swipe an enrolled finger if the user has already enrolled.

We strongly recommend that you use the Windows Credential UI in your FMA to collect password information. This will provide users with a consistent Windows look and feel. For more information on the Windows Credential UI, see CredUIPromptForWindowsCredentials function. After your FMA collects a user’s credentials, it should call the LsaLogonUser function to validate them.

Store credentials during first-time enrollment

We recommend that FMAs store the user’s Windows credentials in the WBF Credential Manager. In addition, integrating with the WBF Credential Provider enables you to use biometric logon and UAC in your FMA.

During first-time enrollment, if the user chooses to log on with fingerprints, the FMA should prompt the user for a Windows password and then store it for Windows logon in the WBF Credential Manager.

If the WBF Credential Manager cannot validate the credentials for the logged-on user, it will fail to store the credentials. Your FMA should notify the user of the failure and give the user the option to retry.

It will also fail to store the credentials if biometric fingerprint logon is disabled in the Biometrics Settings page of the Control Panel. For more details, see Enrolling Guest or Built-in Administrator accounts and Domain user enrollment.

If biometric fingerprint logon is disabled for the account type used by the currently logged-on user, the FMA should provide a warning to notify the user that fingerprint logon is disabled and provide a link to launch the WBF Change Settings page.

Note  For logon to work immediately after enrollment, the FMA must gather the user’s password and store it in the WBF Credential Manager immediately.

Enrollment help

During first-time enrollment, it is helpful to provide a user aid, a tutorial, or a guide to assist the user in completing the process successfully. You can also provide video help, fingerprint scanning practice tools, and/or interactive tutorials. You should give the user the option to skip any tutorials and to use them later.

Displaying fingers and hands during enrollment

To be usable around the world, your FMA should be sensitive to issues that are related to cultural and social differences. Your FMA should display fingers and hands in appropriate ways that do not offend. Consider the following suggestions:

  • Display both hands because the user might be right-handed or left-handed, or might have other reasons (social or medical) for choosing one hand over the other.
  • Do not display the left hand alone because in some cultures it is considered offensive or inappropriate.
  • Do not display hands or fingers in a way that might be considered an insult.

The guidelines suggested above are just some of the many that need to be considered.

Choosing which fingerprint to enroll

The FMA should allow the user to choose which fingerprint(s) to enroll. The user should enroll a single fingerprint at a time. The FMA should prevent the user from enrolling the same fingerprint multiple times. The WBF will reject an enrollment if the template matches any other already stored in the biometric unit.

Collecting fingerprint samples for enrollment

After a user has indicated which fingerprint to enroll, your FMA should do the following when it is collecting fingerprint samples:

  • Request the fewest possible samples necessary to generate a good template.

  • Inform the user regarding how many swipes are required to enroll successfully.

  • Provide instant feedback on the success or failure when collecting a sample.

    You can communicate success by showing a centered fingerprint icon and communicate failure with information that helps the user correct their actions. The corrective information could be, for example, a fingerprint graphic that shows a finger offset depending on whether a swipe is too short, too long, skewed, or off-center. Use a sample fingerprint in such a graphic. Displaying a user's actual fingerprint might be a privacy or security risk.

  • Dynamically adapt to ensure that it captures a sufficient number of samples to create a valid template.

    The FMA should prompt the user for more samples until a sufficient number of samples have been collected or until the user decides to abort the enrollment. For more details on helpful feedback for incorrect scans, see Fingerprint Management Application Error Handling.

  • Call the WinBioGetProperty function to determine the number of swipes that are required by a particular biometric unit.

Enrollment and window focus

Two WBF functions involved in the enrollment process are sensitive to current window focus:

In general, these conditions are satisfied if the FMA is a graphical user interface (GUI) application and one of its windows has focus during the enrollment sequence. The same is true of a console-based FMA as long as the surrounding console window maintains focus throughout the enrollment.

Focus management requires extra attention in an FMA in which one non-GUI application issues WBF enrollment calls while another GUI application displays the enrollment progress. In such a design, enrollment will not work correctly because window focus does not reside with the correct process. The solution is to use a pair of WBF functions that manually notify WBF of the proper focus:

An important aspect of these functions is that other system events, such as a user clicking a window’s “Close” button, can cause the focus to shift automatically, even after a call to the WinBioAcquireFocus function. Consequently, FMAs that depend on these Windows biometric focus-shifting functions can be fragile. To avoid the problem altogether, we recommend that you write your FMA as a single-process GUI or console application that depends only on the built-in focus behavior of Windows to control the flow of biometric events. For similar reasons, we discourage the use of the WBF API from within services or detached processes.

Enrolling duplicate fingerprint images

The WBF does not allow a single fingerprint image to be associated with more than one identity on a given biometric unit. In other words, a user cannot provide swipes from the right index finger and claim that they correspond both to Bob’s account and to Alice’s account. After a fingerprint image has been stored in a biometric unit, that same image cannot be enrolled again on that biometric unit until the previous enrollment has been deleted.

This restriction extends to multiple biometric units if they share the same fingerprint database. For example, if a system contains multiple fingerprint sensors from the same vendor, it is possible that these sensors all share a common fingerprint database. In that case, a given fingerprint image can only be enrolled once across all the sensors sharing the fingerprint database. There is no restriction on storing a single fingerprint image on multiple biometric units, if the units each have their own fingerprint database.

An FMA must provide appropriate feedback when it discovers that a fingerprint image is already enrolled on a given biometric unit. However, for security reasons, the FMA must not disclose the identity of the user associated with the already-enrolled fingerprint image.

Enrolling multiple fingerprints

FMAs should allow the user to associate multiple fingerprints (up to 10) with the same user account.

In scenarios where a user wants to enroll more fingerprints through the “Hardware and Settings” page, the Control Panel, the User Accounts control panel, or the command line, the FMA must prompt for an enrolled fingerprint or the user’s logon credentials to authenticate the user before allowing changes, because this is an avenue to access logon credentials.

Enrolling Guest or Built-in Administrator accounts

The WBF does not permit enrollments for Guest or Built-in Administrator accounts. Your FMA must handle this scenario gracefully. In particular, the FMA should not allow logged-on Guest or Built-in Administrator users to begin an enrollment sequence, and should provide appropriate text explaining the restriction. An FMA should not wait until the enrollment has failed before providing this feedback.

The WBF will not store credentials for built-in accounts in the Biometric Credential Store; therefore, this scenario should be avoided.

Domain user enrollment

Biometric domain logon is disabled by default on Windows-based systems. This setting is controlled by the system administrator by using the Allow users to log on to a domain using their fingerprints option in Control Panel. If biometric domain logon is disabled and a domain user tries to enroll, your FMA must notify the user of the restriction and abort enrollment before prompting for credentials.

The following table lists functions that you can call from your FMA to determine whether domain logon is enabled.

Functions for Biometric Domain Logon

  Function                       Operation
  WinBioGetEnabledSetting        Retrieves a value that specifies whether the WBF is currently enabled.
  WinBioGetLogonSetting          Retrieves a value that specifies whether users can log on by using biometric information.
  WinBioGetDomainLogonSetting    Retrieves a value that specifies whether users can log on to a domain by using biometric information.

Biometric domain logon can also be controlled by Group Policy. If domain logon is disabled by Group Policy, your FMA should direct the user to contact the system administrator. The functional requirement for an FMA is to detect the above situation, inform the user, and display the settings page to allow the user to change it.
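The following is an added example, not Microsoft’s code, of the pre-enrollment check this section and the warning under “Store credentials during first-time enrollment” call for: the three settings are read through the WBF functions listed above, and the source of the first disabled setting decides whether the FMA opens the settings page or tells the user to contact the administrator. The decision logic is portable; the WBF calls are compiled only on Windows. Assumed here: the gate_action names, that WINBIO_SETTING_SOURCE_POLICY has the value 2, that the getters use the WINAPI calling convention, and that the program is linked against winbio.lib.

```c
#include <stdbool.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <winbio.h>   /* link with winbio.lib */
#endif
/* Mirrors WINBIO_SETTING_SOURCE_POLICY from winbio.h (assumed value 2). */
#define WBF_SOURCE_POLICY 2
typedef struct { bool value; int source; } wbf_setting; /* setting and its source */
/* What the FMA should do before it prompts the user for credentials. */
typedef enum {
    GATE_PROCEED,        /* every relevant setting permits fingerprint logon */
    GATE_OPEN_SETTINGS,  /* disabled locally: warn and link to the WBF settings page */
    GATE_CONTACT_ADMIN,  /* disabled by Group Policy: the user cannot change it */
    GATE_QUERY_FAILED    /* a WBF query failed: report it and offer a retry */
} gate_action;
/* Portable decision logic: the first disabled setting blocks enrollment, and
 * its source decides whether the user can fix it or must contact the admin. */
gate_action enrollment_gate(wbf_setting enabled, wbf_setting logon,
                            wbf_setting domain_logon, bool user_is_domain)
{
    const wbf_setting *blocker = NULL;
    if (!enabled.value)                             blocker = &enabled;
    else if (!logon.value)                          blocker = &logon;
    else if (user_is_domain && !domain_logon.value) blocker = &domain_logon;
    if (blocker == NULL) return GATE_PROCEED;
    return blocker->source == WBF_SOURCE_POLICY ? GATE_CONTACT_ADMIN
                                                : GATE_OPEN_SETTINGS;
}
#ifdef _WIN32
/* Windows-only: read the three settings through the WBF API, then decide. */
typedef HRESULT (WINAPI *wbf_getter)(BOOL *, WINBIO_SETTING_SOURCE_TYPE *);
static bool read_setting(wbf_getter get, wbf_setting *out)
{
    BOOL value = FALSE; WINBIO_SETTING_SOURCE_TYPE source = 0;
    if (FAILED(get(&value, &source))) return false;
    out->value = (value != FALSE); out->source = (int)source;
    return true;
}
gate_action query_enrollment_gate(bool user_is_domain)
{
    wbf_setting enabled, logon, domain;
    if (!read_setting(WinBioGetEnabledSetting, &enabled) ||
        !read_setting(WinBioGetLogonSetting, &logon) ||
        !read_setting(WinBioGetDomainLogonSetting, &domain))
        return GATE_QUERY_FAILED;
    return enrollment_gate(enabled, logon, domain, user_is_domain);
}
#endif
```

Call query_enrollment_gate before any credential prompt; a GATE_PROCEED result is the only case in which the FMA should continue to collect and store the user’s password.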

Encourage adoption of supported features

After a successful enrollment, your FMA should list some of the key features that it supports such as Windows logon and starting applications. This encourages the user to employ biometrics to its full extent.

Multiple fingerprint sensors

For information about handling fingerprint enrollment on a system that has multiple sensors, see Supporting Multiple Fingerprint Sensors.
