Fingerprint management application credential management
This topic provides information about managing credentials for fingerprint management applications (FMAs), including showing enrolled fingerprints, authenticating before changing credentials, and deleting fingerprints.
This information applies to the following operating systems:
- Windows Server 2008 R2
- Windows 7
Show enrolled fingerprints
Your FMA should show which fingerprints are currently enrolled for a given user. For example, your FMA could display two hands and highlight the enrolled fingerprints.
To determine the enrolled fingerprints on a given sensor:
- Get the security identifier (SID) of the user that you are interested in - either the currently logged-on user or somebody else. You will need to call non-WBF functions from Win32®. Use the SID to build a WINBIO_IDENTITY block.
- Select the sensor. On a multi-sensor platform, call the WinBioLocateSensor function or the WinBioLocateSensorWithCallback function and have the user swipe or touch the desired sensor. On a single-sensor platform, get the unit ID of the sensor by calling the WinBioEnumBiometricUnits function.
- Call the WinBioEnumEnrollments function with the unit ID value and identity. The function returns an array of enrolled fingerprint IDs for the sensor.
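The three steps above, carried through for the single-sensor case as an added example (not code from this page or from the Windows SDK samples). It assumes the Windows SDK headers and winbio.lib, that the user of interest is the currently logged-on user, and that the first enumerated fingerprint unit is the one to query; finger_name() is a portable helper added here to label each enrolled finger for the "two hands" display.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winbio.h>   /* link with winbio.lib */
#endif
/* Portable helper for the "two hands" view: a fingerprint WINBIO_BIOMETRIC_SUBTYPE
 * is an ANSI/INCITS 381 finger position (1 = right thumb ... 10 = left little). */
const char *finger_name(unsigned char pos) {
    static const char *names[] = { "unknown", "right thumb", "right index", "right middle",
        "right ring", "right little", "left thumb", "left index", "left middle", "left ring",
        "left little" };
    return pos < sizeof names / sizeof names[0] ? names[pos] : names[0];
}
#ifdef _WIN32
/* Step 1: build a WINBIO_IDENTITY from the calling user's token SID (plain Win32, not WBF). */
static HRESULT current_user_identity(WINBIO_IDENTITY *id) {
    HANDLE tok; DWORD len = 0; PTOKEN_USER tu; HRESULT hr = E_FAIL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return hr;
    GetTokenInformation(tok, TokenUser, NULL, 0, &len);            /* size query */
    tu = (PTOKEN_USER)HeapAlloc(GetProcessHeap(), 0, len);
    if (tu && GetTokenInformation(tok, TokenUser, tu, len, &len)) {
        id->Type = WINBIO_ID_TYPE_SID;
        id->Value.AccountSid.Size = GetLengthSid(tu->User.Sid);
        CopySid(SECURITY_MAX_SID_SIZE, id->Value.AccountSid.Data, tu->User.Sid);
        hr = S_OK;
    }
    if (tu) HeapFree(GetProcessHeap(), 0, tu);
    CloseHandle(tok);
    return hr;
}
int main(void) {
    WINBIO_SESSION_HANDLE s; WINBIO_UNIT_SCHEMA *units; SIZE_T nunits, n, i;
    WINBIO_BIOMETRIC_SUBTYPE *fingers; WINBIO_IDENTITY id; HRESULT hr;
    if (FAILED(current_user_identity(&id))) return 1;
    /* Step 2 (single sensor): take the first fingerprint unit, open a system-pool session. */
    hr = WinBioEnumBiometricUnits(WINBIO_TYPE_FINGERPRINT, &units, &nunits);
    if (FAILED(hr) || nunits == 0) return 1;
    hr = WinBioOpenSession(WINBIO_TYPE_FINGERPRINT, WINBIO_POOL_SYSTEM, WINBIO_FLAG_DEFAULT,
                           NULL, 0, NULL, &s);
    if (FAILED(hr)) { WinBioFree(units); return 1; }
    /* Step 3: finger positions enrolled for this SID on that unit. */
    hr = WinBioEnumEnrollments(s, units[0].UnitId, &id, &fingers, &n);
    if (SUCCEEDED(hr)) {
        for (i = 0; i < n; i++) printf("enrolled: %s\n", finger_name(fingers[i]));
        WinBioFree(fingers);
    }
    WinBioFree(units); WinBioCloseSession(s);
    return FAILED(hr) ? 1 : 0;
}
#endif
```

Each array returned by WinBioEnumBiometricUnits and WinBioEnumEnrollments is released with WinBioFree once the FMA has copied what it needs.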
Authenticate the user before allowing changes
An FMA should prompt for an enrolled fingerprint or password to authenticate the user before allowing any changes, because this is an avenue to modify logon credentials and could pose a security threat. For example, an FMA should authenticate the user before enrolling more fingerprints through the User Accounts control panel.
Delete the last fingerprint
Deleting a user’s last fingerprint removes the user’s password from the Biometric Credential Store and requires the user to log on to the system by using a user name and password. Therefore, before your FMA deletes the last fingerprint on a computer, it should do the following:
- Warn the user that they are deleting their last fingerprint and give them the option to cancel the operation.
- Inform the user that after completion of the deletion process, they will need their username and password to log on to Windows.
- Help the user to avoid being locked out of their system by prompting the user to enter their logon credentials and by verifying them.
When a user deletes their last registered template on the Windows system, your FMA should ensure that the credentials associated with this user's fingerprint are deleted from the Windows Biometric Credential Store because they are no longer required.
Note: The FMA must securely delete personally identifiable information (PII) such as user fingerprint templates and passwords.
Delete fingerprints that are not associated with the current computer
A biometric device can have data from a user account that has been deleted because the device might have been previously connected to a different computer. Your FMA should provide the ability to delete templates that are not associated with the current computer.
Password security considerations
Your FMA should do the following to encourage users to maintain secure passwords:
- Recommend to users that they should not use a blank password.
- Advise users on how to create a strong password. For more details on Windows password recommendations, see Strong Passwords.
- Advise users to create a password recovery disk so they are not locked out of Windows if they forget their password or cannot use fingerprints to log on (for example, due to injury).
- Advise users to create a password hint if they do not have one already.
Related topics
Designing Windows Biometric Framework Fingerprint Management Applications