9.16 HANIS Fingerprint

Advanced Authentication provides the HANIS Fingerprint method, which enables citizens of South Africa to authenticate with a fingerprint that has been enrolled in the National Identification System. When the user enrolls this method using their Passport number or National ID, Advanced Authentication forwards these details and the captured fingerprint to the third-party Service Provider that is integrated with the National Identification System, where the validation takes place. Based on the validation result, the user gets authenticated to the required resource or endpoint.

The HANIS Fingerprint method is implemented to authenticate to the Advanced Authentication portals, such as Self-Service (Enrollment) and Helpdesk.

Authentication Flow in the HANIS Method

The authentication flow for the HANIS method in Advanced Authentication is described in the following image:

A user wants to authenticate on an endpoint such as a laptop or a website with the HANIS method. The following steps describe the authentication flow:

  1. When the authentication request is initiated, the endpoint contacts the Advanced Authentication server.

  2. Along with the biometrics data (fingerprint scan or facial image), the Advanced Authentication server retrieves the user’s details, such as Passport number or National ID and phone number, from the repository if available. However, the endpoint must send these details as part of the authentication request.

  3. The Advanced Authentication server forwards the authentication request to the third-party Service Provider.

  4. The Service Provider that is integrated with the National Identification System forwards the authentication request to the Identification System.

  5. The National Identification System validates the details, such as passport number, phone number, and biometrics data.

  6. After the validation, the National Identification System shares the validation status with the third-party Service Provider.

  7. The third-party Service Provider transmits the validation status to the Advanced Authentication server.

  8. Finally, the Advanced Authentication server authenticates a user to the endpoint based on the validation status.

To configure the HANIS Fingerprint method, specify the following details:

| Parameter | Description |
|---|---|
| Base URL | The URL of the third-party Service Provider that is integrated with the National Identification System. |
| User name | The username to access the third-party Service Provider. |
| Password | The password to access the third-party Service Provider. |
| Organization code | A unique code that the third-party Service Provider requires to group the requests. |
| Encryption Key | The key to secure the communication between the third-party Service Provider and Advanced Authentication. |
| Encryption initialization vector | A value that is used along with a secret key to encrypt data so that the encrypted values are not identical. |
| HANIS API client timeout (seconds) | The duration for which the Advanced Authentication server waits for a response from the third-party Service Provider. |
| User ID/Passport attribute | The passport number or national ID of a user against which the validation takes place. You can use the custom attribute workforce ID of the repository. You must define the attribute in User ID/Passport Number Attributes of the Repositories section. |
| User cell phone attribute | The cell phone number of a user that the third-party Service Provider requires for processing the authentication request. You must define the attribute in User Cell Phone Attributes of the Repositories section. |
| Allow overriding ID/Passport number | Option that controls whether users can provide a passport number that is not registered in the LDAP repository. The option is set to ON by default. Set to OFF to prevent users from specifying the passport number during the enrollment. |
| Allow overriding phone number | Option that controls whether users can provide a phone number that is not registered in the LDAP repository. The option is set to ON by default. Set to OFF to prevent users from specifying a different phone number during the enrollment. |
| Allow lower resolution fingerprint image scan | Option that enables the Advanced Authentication server to receive lower resolution fingerprint images that do not comply with standards. The option is set to OFF by default. A fingerprint image that does not comply with the standard is not sent to the server for validation. However, if the fingerprint device complies with image standards, the authentication is successful without any issue. When set to ON, the Advanced Authentication server receives lower resolution fingerprint images that do not comply with standards. However, the authentication might not be successful. |

NOTE: When you modify the settings related to the HANIS Fingerprint method, ensure that you specify the Password, Encryption Key, and Encryption initialization vector to apply the changes.
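
The following is an added example, not part of the product or its documentation: a Python check that audits a HANIS Fingerprint settings record against the defaults and requirements listed above. The dictionary key names, the severity labels, and the sample values (including the `mobile` attribute name and the `sp.example.test` host) are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Key names are hypothetical; the page names these settings only by UI label.
SECRETS = ("password", "encryption_key", "encryption_iv")
OVERRIDES = (  # (override flag, repository attribute mapping, label)
    ("allow_override_id", "user_id_attribute", "ID/Passport number"),
    ("allow_override_phone", "user_phone_attribute", "phone number"),
)

def audit_hanis_settings(cfg):
    """Return (severity, message) findings for one HANIS settings dict."""
    findings = []
    url = urlsplit(cfg.get("base_url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append(("high", "Base URL is not https: requests to the "
                         "Service Provider are not protected by TLS"))
    # Per the page's NOTE, a change applies only with all three re-entered.
    missing = [k for k in SECRETS if not cfg.get(k)]
    if missing:
        findings.append(("high", "not specified: " + ", ".join(missing)))
    timeout = cfg.get("client_timeout_s")
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append(("medium", "client timeout must be a positive "
                         "number of seconds"))
    for flag, attr, label in OVERRIDES:
        if cfg.get(flag, True):  # both overrides are ON by default
            findings.append(("medium", f"{label} override is ON: enrollment "
                             "accepts a value that is not in the LDAP repository"))
        elif not cfg.get(attr):
            findings.append(("high", f"{label} override is OFF but no "
                             "repository attribute is mapped to supply it"))
    if cfg.get("allow_low_res_scan", False):  # OFF by default
        findings.append(("low", "non-compliant low resolution fingerprint "
                         "images are accepted; authentication might fail"))
    return findings

# Constructed sample settings (not taken from a real deployment).
DEFAULT_LIKE = {"base_url": "http://sp.example.test/hanis", "password": "x",
                "encryption_key": "k", "encryption_iv": "", "client_timeout_s": 30}
HARDENED = {"base_url": "https://sp.example.test/hanis", "password": "x",
            "encryption_key": "k", "encryption_iv": "v", "client_timeout_s": 30,
            "allow_override_id": False, "user_id_attribute": "workforceID",
            "allow_override_phone": False, "user_phone_attribute": "mobile",
            "allow_low_res_scan": False}

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, audit_hanis_settings(cfg))
```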

Scenario for Authenticating with the HANIS Method

Paul, an end user, wants to authenticate to the new Enrollment portal of Advanced Authentication. He authenticates to the website with the Digital Persona device using one of the enrolled fingers. The National Identification System receives and validates the user details and fingerprint image, and then shares the validation status. Paul is authenticated to the new Enrollment portal successfully.