9.13 Fingerprint

The Fingerprint method is one of the strongest biometric authentication methods of Advanced Authentication. Users can authenticate with methods such as Password (something they know) and Fingerprint (something they are) for multi-factor authentication. Users need to place their finger on a fingerprint scanner to enroll and authenticate.

To configure the Fingerprint method, perform the following steps:

  1. Set the Similarity score threshold by moving the slider to the desired score.

    NOTE: The default and recommended value for Similarity score threshold is 50. Reducing the score may result in different fingerprints being validated.

  2. Select the number of fingers that a user must enroll from Minimum number of fingers to enroll.

    It is recommended to specify a number greater than 1 so that, if a finger is injured, the user can use another enrolled finger.

    NOTE: To allow the use of a multi-finger reader for enrollment, ensure that you set the number of fingers to be enrolled to 4, 6, 8, or 10.

  3. Select the number of scans required for each of the enrollee's fingers.

    NOTE: To improve the quality of the fingerprint enrollment, it is recommended to have multiple captures. The total number of captures including all the enrolled fingers must not exceed 25.

  4. Set Enable multi-finger reader to enroll to ON, to allow users to enroll the Fingerprint method using the Green Bit DactyScan84c multi-finger reader. Users can set Use multi-finger reader for enrollment to ON and enroll with the multi-finger reader on the Self-Service portal. The Green Bit DactyScan84c device can scan one of the following finger combinations at a time:

    • Four fingers of the right hand

    • Four fingers of the left hand

    • Two thumbs

    To require users to scan fingers using the Green Bit DactyScan84c reader, set Force to use multi-finger reader to ON.

  5. Set Specify fingers during enrollment to ON, if you want to require users to enroll selected fingers.

  6. Select the preferred fingers to enroll from the Selected fingers list.

  7. Set Enable Duress finger configuration to ON, to allow users to assign one of the enrolled fingers as duress. In an emergency or under threat, the user can authenticate with the duress finger. Authentication with the duress finger triggers an alert notification to the configured email address and phone number.

    In the Alert Configuration section, specify the following details to configure the alert notification that is to be sent to the preferred email address and phone number:

    Table 9-1

    | Parameter | Description |
    |---|---|
    | Email Alert Settings | |
    | Email Recipient | The email address of the recipient to whom you want to send the email alert. |
    | Email Alert Subject | Subject of the email alert. |
    | Format | Format of the email alert. Plain Text is the default format. The other available option is HTML. If you select HTML format, specify the message in HTML. |
    | Email Alert Body | Body of the email alert. You can specify the following variables: {user} (username), {endpoint} (device that a user authenticates to), {event} (name of the event that the user is trying to authenticate to). |
    | SMS Alert Settings | |
    | SMS Recipient | Phone number of the recipient to whom you want to send the SMS alert. |
    | SMS Alert Body | Text in the SMS that is sent to the recipient. You can specify the following variables: {user} (username), {endpoint} (device that a user authenticates to), {event} (name of the event that the user is trying to authenticate to). |

  8. Click Save.

NOTE: Ensure that you configure the Mail Sender and SMS Sender policies with the sender details that are required to send an alert.
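The constraints in the steps above can be checked before a planned configuration is entered in the administration portal. The following is an added example, not part of the product or its documentation: the field names are hypothetical, and it assumes that total captures equal the number of fingers multiplied by the scans per finger and that a duress alert with no recipient should be flagged.

```python
import re

# Values taken from the configuration steps above.
RECOMMENDED_THRESHOLD = 50
MULTI_FINGER_COUNTS = {4, 6, 8, 10}
MAX_TOTAL_CAPTURES = 25
ALERT_VARIABLES = {"user", "endpoint", "event"}

# Hypothetical field names for this sketch; the product sets these in its UI.
DEFAULTS = {
    "similarity_threshold": 50, "min_fingers": 2, "scans_per_finger": 3,
    "multi_finger_reader": False, "duress_enabled": False,
    "email_recipient": "", "sms_recipient": "",
    "email_body": "", "sms_body": "",
}

def lint_fingerprint_policy(settings):
    """Return findings for a planned Fingerprint method configuration."""
    p = {**DEFAULTS, **settings}
    findings = []
    if p["similarity_threshold"] < RECOMMENDED_THRESHOLD:
        findings.append("threshold below 50: different fingerprints may be validated")
    if p["min_fingers"] < 2:
        findings.append("only one finger required: no fallback if it is injured")
    if p["multi_finger_reader"] and p["min_fingers"] not in MULTI_FINGER_COUNTS:
        findings.append("multi-finger reader needs 4, 6, 8, or 10 fingers")
    # Assumption: total captures = fingers to enroll x scans per finger.
    total = p["min_fingers"] * p["scans_per_finger"]
    if total > MAX_TOTAL_CAPTURES:
        findings.append(f"{total} total captures exceeds the limit of 25")
    if p["duress_enabled"]:
        # Assumption: a duress alert with no recipient is treated as a finding.
        if not (p["email_recipient"] or p["sms_recipient"]):
            findings.append("duress finger enabled but no alert recipient set")
        for kind in ("email", "sms"):
            unknown = set(re.findall(r"\{(\w+)\}", p[kind + "_body"])) - ALERT_VARIABLES
            if unknown:
                findings.append(f"{kind} body uses unlisted variables: {sorted(unknown)}")
    return findings

# Constructed sample: 10 fingers x 3 scans = 30 captures, lowered threshold,
# duress alerts with no recipient and a placeholder the page does not list.
sample = {"similarity_threshold": 40, "min_fingers": 10, "scans_per_finger": 3,
          "multi_finger_reader": True, "duress_enabled": True,
          "sms_body": "Duress login by {user} on {host}"}
for finding in lint_fingerprint_policy(sample):
    print("-", finding)
```
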

Example 1: Enrolling Multiple Fingers and Authenticating with One of the Enrolled Fingers

Thomas, an administrator, has performed the following steps to require users to enroll the Fingerprint method using the Green Bit DactyScan84c device. Users can authenticate to a Linux workstation with the Fingerprint method.

  1. Set Force to use multi-finger reader to ON in the Fingerprint method.

  2. Created a chain with the Fingerprint method and added another preferred method such as LDAP password or Password.

  3. Mapped the chain to the Linux Logon event.

Paul, an end user, logs in to the Self-Service portal and clicks the Fingerprint icon. He selects the four fingers of the right hand and enrolls using the Green Bit DactyScan device. After enrollment, Paul authenticates to his Linux workstation with the Nitgen device using one of the enrolled fingers. He is authenticated successfully.

Example 2: Authenticating with a Duress Finger During an Emergency Situation

Thomas, an administrator, has performed the following steps to assign an enrolled finger as duress:

  1. Set Enable Duress finger configuration to ON in the Fingerprint method.

  2. Configured Alert Configuration with the alert notification text, email address and phone number of a network security officer to send email and SMS.

  3. Created a chain with the Fingerprint method along with preferred methods such as LDAP password and Password. Assigned the chain to the Networks group.

  4. Mapped the chain to the Linux logon event. The mail server is hosted on the Linux workstation.

Paul, a member of the network staff, logs in to the Self-Service portal and clicks the Fingerprint icon. He enrolls the middle, index, ring and little fingers of the left hand. Later, he selects Left index from the Assign Duress Finger drop-down list.

Assume that, on an unfortunate day, a miscreant forcibly enters the organization and threatens Paul to make him authenticate to the Linux workstation. In this situation, Paul can use the duress finger (left index finger) for authentication, which triggers an alert notification to the configured security personnel, who will take the necessary action.