*********
Biometric
*********

.. image:: images/Authentication/Biometric/PalmReaderAction.gif

Overview
========

Biometric authentication methods currently include fingerprint and palmprint and can be applied to the Windows Login using AuthControl Desktop. Fingerprint or palmprint can be used both for identification (purely to determine the username during login) and for authentication (biometric as a multifactor credential).

Prerequisites
=============

* AuthControl Sentry v4.0.5 onwards
* AuthControl Desktop v5.4.5 onwards
* Windows 10
* Nitgen Fingkey Hamster (for fingerprint)
* Fujitsu PalmSecure-F Pro (for palmprint)
* Third party biometric reader or Laptop supporting biometric authentication (Windows Hello) with integrated fingerprint reader

Supported models
""""""""""""""""

* Nitgen Fingkey Hamster (fully supported)
* Fujitsu PalmSecure-F Pro (fully supported)
* Dell, HP and Lenovo Laptops with Windows 10 using Windows Biometric Framework (partially supported where tested, please see below)

The following native biometric readers have been tested successfully:

* Dell Vostro 15 5568
* HP Probook 6550b
* Lenovo Thinkpad 13 Gen 2
* Lenovo Thinkpad T520

Fingerprint: Nitgen Reader vs Laptop Reader
"""""""""""""""""""""""""""""""""""""""""""

There are some relevant differences between the two types of reader that need to be considered.

1) Enrolment

   * Nitgen Reader: enrolment is done during the first login
   * Laptop Reader: the user cannot be enrolled during login, so enrolment is done inside AuthControl Credential Provider Configuration

2) Authentication in multiple devices

   * Nitgen Reader: allows authentication against several devices with only one enrolment
   * Laptop Reader: it's necessary to enrol the user against each laptop they wish to log in to

Configuration for Nitgen Biometric Fingerprint Reader
=====================================================

Configure Third Party Authentication Nitgen
"""""""""""""""""""""""""""""""""""""""""""

In AuthControl Sentry Management Console, add the following Third Party to Server > Third Party Authentication:

* Identifier: ``FingerprintNitgen``
* Class: ``com.swiveltechnologies.pinsafe.server.thirdparty.FingerprintNitgen``
* Enabled: yes

.. image:: images/Authentication/Biometric/Nitgen_finger_4.png

Configure AuthControl Desktop
"""""""""""""""""""""""""""""

Select in Authentication -> Method the option "Biometric".

Select in Authentication -> Biometric Reader the option "Nitgen".

.. image:: images/Authentication/Biometric/ACD_NitGen.png

Enrol the user with Nitgen
""""""""""""""""""""""""""

When the user is not enrolled, the user is requested, after login with username and password, to enrol the fingerprint.

1) Select the finger to enrol
2) Place the finger on the sensor as many times as necessary until the enrolment is successful

.. image:: images/Authentication/Biometric/Nitgen_finger_2.jpg

Authenticating with Nitgen
""""""""""""""""""""""""""

After authenticating with username and password, place the finger on the sensor when requested.

.. image:: images/Authentication/Biometric/Nitgen_finger_3.jpg

Configuration for Laptop Biometric Reader
=========================================

Configure Third Party Authentication
""""""""""""""""""""""""""""""""""""

In AuthControl Sentry Management Console, add the following Third Party to Server > Third Party Authentication:

* Identifier: ``WinBioFingerprint``
* Class: ``com.swiveltechnologies.pinsafe.server.thirdparty.FingerprintNitgen``
* Enabled: yes

.. image:: images/Authentication/Biometric/Native_finger_5.png

Disable Windows Hello
"""""""""""""""""""""

Windows Hello Biometric usage must be disabled in Local Group Policy:

- Access the Windows Local Group Policy Editor.
- Go to: Computer Configuration > Administrative Templates > Windows Components > Biometrics and disable the setting "Allow users to log on using biometrics".

.. image:: images/Authentication/Biometric/Native_finger_1.png

Install Credential Provider with Fingerprint Enrolment
""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. image:: images/Authentication/Biometric/Native_finger_2.png

Configure AuthControl Desktop
"""""""""""""""""""""""""""""

Select in Authentication -> Method the option "Biometric".

Select in Authentication -> Biometric Reader the option "Native".

Click Apply.

.. image:: images/Authentication/Biometric/ACD_Native.png

Enrol the user
""""""""""""""

After selecting "Native" and clicking Apply, click the "New Enroll" button to open the "BioEnrol" executable. Select option 1 to start a new enrolment for the current user and follow the steps presented.

.. image:: images/Authentication/Biometric/Native_finger_4.png

Authenticating
""""""""""""""

With all configurations done, go to the Windows login page and access using your registered fingerprint when prompted.

.. image:: images/Authentication/Biometric/Biometric_Native.png

Configuration for Fujitsu PalmSecure-F Pro Biometric Reader
===========================================================

"(This section is under construction / The Fujitsu PalmSecure-F Pro Biometric Reader is in Beta testing)"

Configure Third Party Authentication PalmSecure
"""""""""""""""""""""""""""""""""""""""""""""""

In AuthControl Sentry Management Console, add the following Third Party to Server > Third Party Authentication:

* Identifier: ``PalmSecureReader``
* Class: ``com.swiveltechnologies.pinsafe.server.thirdparty.FingerprintNitgen``
* Enabled: yes

.. image:: images/Authentication/Biometric/Thirdparty_PalmSecure.png

Configure Credential Provider PalmSecure
""""""""""""""""""""""""""""""""""""""""

Select in Authentication -> Method the option "Biometric".

Select in Authentication -> Biometric Reader the option "PalmSecure".

Click Apply.

.. image:: images/Authentication/Biometric/ACD_PalmSecure.png

Enrolment with PalmSecure
"""""""""""""""""""""""""

.. image:: images/Authentication/Biometric/PalmSecure_Enrolment.png

Authenticating with PalmSecure
""""""""""""""""""""""""""""""

.. image:: images/Authentication/Biometric/PalmSecure_Authentication.png

Identification with PalmSecure
""""""""""""""""""""""""""""""

.. image:: images/Authentication/Biometric/PalmSecure_Identification.png

Biometric Identification
========================

It's possible to use Biometric Identification instead of entering the username.

First enable "Biometric Identification" under "Authentication" inside the Configuration.

.. image:: images/Authentication/Biometric/Native_finger_3.png

When authenticating, select the option "Read Fingerprint" and place your finger on the sensor when requested. If the fingerprint is enrolled, the username is automatically filled.

.. image:: images/Authentication/Biometric/Biometric_identification.jpeg

Removing user biometrics
========================

To remove a user biometric from the appliance, the administrator can go to User Administration, select View -> Attributes, click the user and select "Remove fingerprint".

.. image:: images/Authentication/Biometric/Remove_fingerprint.png

Troubleshoot
============

If you have issues with enrolment on the Integrated Laptop Reader, you might need to stop "Windows Biometric Service" (``WbioSrvc``) under your Windows Services and then delete the files located in the "WinBioDatabase" folder at ``C:\Windows\System32\WinBioDatabase``.
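
The troubleshooting step above can be scripted from an elevated PowerShell prompt. The following is an added example, not part of the product documentation: ``Reset-WinBioDatabase`` is a hypothetical helper name, and restarting the service afterwards is an assumption of this example rather than a step the page gives.

```powershell
#Requires -RunAsAdministrator
# Added example; Reset-WinBioDatabase is a hypothetical helper name.
function Reset-WinBioDatabase {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$ServiceName  = 'WbioSrvc',                            # Windows Biometric Service
        [string]$DatabasePath = 'C:\Windows\System32\WinBioDatabase'   # folder named on this page
    )
    $ErrorActionPreference = 'Stop'

    if (-not (Test-Path -LiteralPath $DatabasePath -PathType Container)) {
        throw "Database folder not found: $DatabasePath"
    }

    # Only files directly inside the folder are touched; the folder itself stays.
    $files = @(Get-ChildItem -LiteralPath $DatabasePath -File)
    if ($files.Count -eq 0) {
        Write-Verbose "No files in $DatabasePath; nothing to delete."
        return 0
    }

    # Honours -WhatIf / -Confirm so the deletion can be previewed first.
    if (-not $PSCmdlet.ShouldProcess($DatabasePath, "Delete $($files.Count) biometric database file(s)")) {
        return 0
    }

    $wasRunning = (Get-Service -Name $ServiceName).Status -eq 'Running'
    try {
        if ($wasRunning) {
            # Stop the service before touching the files, as the page instructs.
            Stop-Service -Name $ServiceName -Force
            (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
        }
        $files | Remove-Item -Force
    }
    finally {
        # Assumption of this example: return the service to its previous state.
        if ($wasRunning) { Start-Service -Name $ServiceName }
    }
    return $files.Count
}

# Preview what would be deleted, then run without -WhatIf to apply:
Reset-WinBioDatabase -WhatIf
# Reset-WinBioDatabase -Confirm:$false
```

Deleting these files removes every fingerprint enrolled through the Windows Biometric Framework on that laptop, so each user has to enrol again afterwards.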