Introductiondownload.microsoft.com/.../FMA_Design_Guide.docx · Web view2010/08/23  · The WBF...


Designing Windows Biometric Framework (WBF) Fingerprint Management Applications

August 23, 2010

Abstract

This paper provides design guidance to developers of fingerprint management applications (FMAs) that are compatible with the Windows® Biometric Framework (WBF).

This paper is for:

Developers and product managers who are planning or implementing FMAs built on the WBF.

Fingerprint sensor vendors who ship bundled software to run on Windows 7 with their sensors.

Independent software vendors (ISVs) who implement sensor-independent enrollment experiences.

Independent hardware vendors (IHVs) who can benefit from a better understanding of how FMA developers would interact with their sensors.

This paper assumes that the reader has a basic understanding of the Windows Biometric Framework (WBF), the Windows Biometric Driver Interface (WBDI), Windows 7 user experience guidelines, and general fingerprint management concepts.

This information applies to the following operating systems:

Windows Server® 2008 R2

Windows 7

References and resources discussed here are listed at the end of this paper.

The current version of this paper is maintained on the Web at: http://www.microsoft.com/whdc/device/biometric/FMA_Design.mspx


Disclaimer: This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2010 Microsoft Corporation. All rights reserved.

Document History

Date             Change
August 23, 2010  Minor revision to correct hyperlink.
June 30, 2009    First publication


Contents

Introduction 5
Glossary of Terms 5
Windows Biometric Framework Overview 6
Fingerprint Management Application Overview 7
FMA Design Guidelines 7
    FMA Flow 7
    FMA Installation 8
        Pre-installation 8
        FMA Registration 9
        Post-installation 10
    FMA Launch 10
    Enrollment 11
        First-Time User Experience 11
        Enrollment Overview 11
        Authenticate User Before Initiating Enrollment 12
        Store Credentials During First-Time Enrollment 12
        Enrollment Help 12
        Displaying Fingers and Hands During Enrollment 13
        Choosing Which Fingerprint to Enroll 13
        Collecting Fingerprint Samples for Enrollment 13
        Enrollment and Window Focus 13
        Enrolling Duplicate Fingerprint Images 14
        Enrolling Multiple Fingerprints 15
        Enrolling Guest or Built-in Administrator 15
        Domain User Enrollment 15
        Encourage Adoption of Supported Features 15
        Multiple Fingerprint Sensors 16
    Credential Management 16
        Show Enrolled Fingerprints 16
        Authenticate the User Before Allowing Changes 16
        Deleting the Last Fingerprint 16
        Deleting Fingerprints that are Not Associated with the Current Machine 17
    Password Security Considerations 17
    Supporting Multiple Fingerprint Sensors 17
        Enrollment 18
    Error Handling 18
        Use Error Code to Text Translation 19
        Helpful Feedback for Rejected Scans 19
Summary 19
Resources 19
Appendix 20
    Fast User Switching (FUS) 20
        Use the Defined API 20
        Store Credentials Securely 20
        Prioritize FUS Events 21
        Unregister for Unhandled Swipes 21
    The Biometric Devices Control Panel 21
    Task Link Behavior 23


Introduction

This document provides guidelines for fingerprint management applications (FMAs) that are built on the Windows® Biometric Framework (WBF). After reading this document, readers will be better equipped to design FMAs that work efficiently on top of the WBF. The information in this document:

Assists independent software vendors (ISVs), independent hardware vendors (IHVs), and original equipment manufacturers (OEMs) in designing FMAs that work seamlessly with supported fingerprint sensors on Windows 7.

Helps to ensure a consistent end-user experience.

Enables biometric devices and software solutions to interact smoothly.

By conforming to the guidelines presented in this whitepaper, FMA developers will be able to make the most out of the biometric support available in Windows 7. Some of the advantages offered by the WBF include:

Lower support costs.

Integrating with the WBF lowers the support costs of biometric solutions by providing a consistent core experience and diagnostic infrastructure.

No need for custom integration with specific devices.

The WBF enables multiple biometric devices and software solutions to coexist on a single machine without the need for custom integration.

Biometrics feature discovery.

The WBF promotes biometrics as a technology by integrating it with core Windows user experiences. The WBF publishes discovery points through Device Manager, Devices and Printers, Control Panel, Searchable Tasks, and other mechanisms.

Simplified adoption.

The WBF simplifies the incorporation of biometric capabilities into new applications by providing a platform application programming interface (API) that works across all devices.

Glossary of Terms

Biometric unit (BU)

A common representation of a biometric device that is provided by the Windows Biometric Service (WBS).

Complete unenrollment

The act of removing all of a user’s fingerprint-matching templates from all available storage adapters and removing the user’s authentication information from the Windows Biometric Credential Manager.


Enrollment

In the context of biometrics, enrollment is the process of supplying reference samples of a biometric for later matching. In fingerprint enrollment, the user needs to provide a sample on the sensor (swipe or touch) to make a matching template.

Fingerprint association

A user-friendly term for either:

A fingerprint record in the Windows Fingerprint Store.

The enrollment steps to create a fingerprint record.

A fingerprint record is linked to the sensor that was used to enroll the fingerprint. A user’s finger could have a fingerprint association with multiple sensors, and thus have a record for each sensor.

Fingerprint management application (FMA)

A third-party application that extends WBF by providing management capabilities and enables additional scenarios, including enrollment experiences, Web single-sign-on, and management of proprietary attributes of a fingerprint biometric device.

Personally identifiable information (PII)

Data that is considered PII is privacy-sensitive and must be treated with special care. Fingerprints and biometrics fall into this category.

Registration

Another term for enrollment.

Unenrollment

To remove one or more fingerprint templates from one or more storage adapters. It is possible to unenroll some fingerprints for a user and leave other fingerprints enrolled. Complete unenrollment refers to removing all fingerprint data for a given user.

Windows Biometric Framework Overview

The Windows 7 operating system provides native support for fingerprint biometric devices through the Windows Biometric Framework (WBF). This framework provides:

A more consistent user experience.

A common platform and a set of interfaces for software developers.

Improved manageability and serviceability of fingerprint biometric devices in Windows.

The WBF components that deliver these features include the following:

Core platform components, including a driver interface definition, a pluggable expansion platform, and a client API.


User-experience components that provide a consistent user experience in the Windows operating system. This component includes support for the core scenarios of logon and user account control (UAC).

Management components that let users and administrators configure biometrics and biometric devices. These components support biometric configuration either locally on a single computer system or globally for a domain through Group Policy.

A WBF component-distribution mechanism that lets biometric drivers and other components be distributed through Window Update and Action Center.

For more information about the WBF, see “Resources” later in this paper. For information about the Biometric Devices Control Panel, see “The Biometric Devices Control Panel” later in this paper.

Fingerprint Management Application Overview

You can build a range of high-value applications using the WBF API. Such an application might be either:

A simple enrollment application.

A complex suite of applications and management capabilities.

Applications in the second category are commonly referred to as fingerprint management applications (FMAs). In addition to providing an enrollment capability, an FMA might perform one or more of the following tasks:

Provide additional mechanisms for managing user data, such as enrolling or deleting fingerprint templates.

Provide mechanisms for managing and configuring devices, such as performing firmware upgrades.

Expose proprietary capabilities of a device.

Serve as a configuration point for third-party WBF-enabled applications such as Web single-sign-on (Web SSO) and fast user switching (FUS).

For more information on the WBF API, see “Resources” later in this paper.

FMA Design Guidelines

To ensure a consistent, high-quality biometric experience for end users in Windows 7, we recommend that you follow the guidelines presented in this section when you write an FMA.

FMA Flow

The FMA should guide the user through the most likely tasks based on the current state of the specified biometric unit (BU) and the current user context.

Figure 1 provides an overview of the tasks in an FMA.


Figure 1. Suggested FMA flow

The first thing that the FMA should do is check whether biometrics is installed and enabled. If biometrics is not installed and enabled, the FMA should direct the user to install it. Next, the FMA should check whether the user has any enrolled templates that are compatible with the specified biometric unit. If no templates exist, the FMA should guide the user through the enrollment process.

If the user has compatible templates enrolled, then the FMA should allow the user to choose between the following tasks:

Add or remove templates.

Configure fingerprint-enabled applications.

Perform device-specific management.

We recommend that an FMA provide the user with task-based options, such as those listed above, that are easy for the user to understand.

FMA Installation

This section provides guidelines for installing an FMA on Windows 7 and for FMA registration.

Pre-installation

The installation program for an FMA must ensure that the prerequisite software is present before it installs the FMA.

The WBF and .NET are not installed by default on Windows Server 2008 R2. If an FMA detects a server operating system during installation, it should check whether the WBF and .NET components are present. If they are not present, the FMA should direct the user to install these components. For more information on the WBF and .NET, see “Resources” later in this paper.


To check whether your FMA is running on a server SKU, check the operating system type by using these steps:

1. Call Win32::GetVersionEx(). This function fills in an OSVERSIONINFOEX structure.

2. Use the values in the OSVERSIONINFOEX structure to determine the operating system type.

3. If the dwProductType does not equal VER_NT_WORKSTATION, then your FMA is running on a server operating system.

Table 1 shows the fields of the OSVERSIONINFOEX structure for the client and server editions of Windows 7 and Windows Server 2008 R2.

Table 1. Values in the OSVERSIONINFOEX Structure

Operating system         Operating system version   dwMajorVersion   dwMinorVersion   dwProductType
Windows 7 client         6.1                        >= 6             >= 1             == VER_NT_WORKSTATION
Windows Server 2008 R2   6.1                        >= 6             >= 1             != VER_NT_WORKSTATION

For links to the documentation for the GetVersionEx function and the OSVERSIONINFOEX structure, see “Resources” later in this paper.
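As an added example (not code from the design guide), the following PowerShell script shows how an FMA installer could apply the server-SKU rule above and then report, rather than install, any missing WBF prerequisites, as the "Pre-installation" section recommends. It reads the product type from the WMI class Win32_OperatingSystem instead of calling GetVersionEx directly; ProductType 1 is the WMI equivalent of VER_NT_WORKSTATION. The Windows Biometric Service name WbioSrvc is real. The Server Manager feature names 'Biometric-Framework' and 'NET-Framework-Core' are assumptions and should be confirmed with Get-WindowsFeature on the target server.

```powershell
# Added example, not from the design guide. Written for Windows PowerShell 2.0,
# the version shipped with Windows 7 and Windows Server 2008 R2.

function Test-ServerSku {
    param(
        # Pass a Win32_OperatingSystem object (or any object with ProductType and
        # Version properties) to exercise the decision without touching WMI.
        $OperatingSystem = (Get-WmiObject -Class Win32_OperatingSystem)
    )
    # Same rule as the OSVERSIONINFOEX check: WBF exists from 6.1 onward.
    $version = [Version]$OperatingSystem.Version
    if ($version.Major -lt 6 -or ($version.Major -eq 6 -and $version.Minor -lt 1)) {
        throw "Windows $version does not include the Windows Biometric Framework."
    }
    # Win32_OperatingSystem.ProductType: 1 = Workstation, 2 = Domain Controller,
    # 3 = Server. Only 1 corresponds to VER_NT_WORKSTATION.
    return ($OperatingSystem.ProductType -ne 1)
}

function Get-MissingWbfPrerequisites {
    param($OperatingSystem = (Get-WmiObject -Class Win32_OperatingSystem))

    $missing = @()
    if (-not (Test-ServerSku -OperatingSystem $OperatingSystem)) {
        # Windows 7 client SKUs ship the WBF and .NET; nothing further to check.
        return $missing
    }

    # ASSUMPTION: Server Manager feature names; verify with Get-WindowsFeature.
    Import-Module ServerManager -ErrorAction Stop
    foreach ($feature in 'Biometric-Framework', 'NET-Framework-Core') {
        $state = Get-WindowsFeature -Name $feature -ErrorAction SilentlyContinue
        if (-not $state -or -not $state.Installed) { $missing += $feature }
    }

    # With the framework installed, the Windows Biometric Service (WbioSrvc)
    # must be present; its absence means biometrics is not usable yet.
    if (-not (Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue)) {
        $missing += 'WbioSrvc (Windows Biometric Service)'
    }
    return $missing
}

# Installer entry point: report what is missing and stop. The installer itself
# neither installs the components nor reboots (see "Post-installation").
$missing = Get-MissingWbfPrerequisites
if ($missing.Count -gt 0) {
    Write-Warning ("Install these components before running the FMA installer: " +
                   ($missing -join ', '))
    exit 1
}
Write-Host 'WBF prerequisites present; continuing installation.'
```

Because Test-ServerSku accepts the operating-system object as a parameter, the branch logic can be exercised on a workstation by passing a hand-built object (for example, one with ProductType 3 and Version '6.1.7601') before the script is shipped inside an installer.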

FMA Registration

You can associate your FMA with a specific biometric device, with a subset of devices, or with all of the biometric devices on the system.

An FMA that is associated with all of the biometric devices on the system is called a global FMA. An FMA that is associated with a specific device or set of devices is called a device-specific FMA.

Registering a Global FMA

To register an FMA as a global FMA, set the following registry location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\WinBio\FMA]
@=""
"CommandLine"="%ProgramFiles%\\FMA\\fma.exe %{biounitid}"

This location stores the command line and the replacement specification for an FMA that will be used for all biometric units.

CommandLine – this value contains the string used to run the FMA. In the example above, the FMA is invoked by %ProgramFiles%\FMA\fma.exe.


Registering a Device-Specific FMA

To register an FMA for a single device, set the following registry location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\WinBio\FMA\<WINBIO_UNIT_SCHEMA::Manufacturer>\<WINBIO_UNIT_SCHEMA::Model>]
@=""
"CommandLine"="%ProgramFiles%\\FMA\\fma.exe %{biounitid}"

This location stores the command line and the replacement specification for an FMA that will be used for a specific biometric unit.

CommandLine – this value contains the string used to run the FMA. In the example above, the FMA is invoked by %ProgramFiles%\FMA\fma.exe.

To register your FMA for more than one biometric device, set the registry key shown above for each device.
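As an added example (not the guide's own code), the PowerShell below writes the global and device-specific registrations described in this section, checks that the executable actually exists before the framework is pointed at it, and reads the registration back for verification. The registry path, the CommandLine value and the %{biounitid} replacement token come from the guide; the executable path and the 'ExampleVendor' / 'ExampleModel' names are placeholders, and the functions Register-Fma, Get-FmaRegistryKey and Get-FmaRegistration are hypothetical names introduced here.

```powershell
# Added example, not from the design guide. Run from an elevated prompt, since
# the keys live under HKEY_LOCAL_MACHINE.

$FmaRegistryRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\WinBio\FMA'
$BioUnitToken    = '%{biounitid}'   # WBF substitutes the biometric unit id at launch

function Get-FmaRegistryKey {
    param([string]$Manufacturer, [string]$Model)
    if (-not $Manufacturer -and -not $Model) { return $FmaRegistryRoot }   # global FMA
    if (-not ($Manufacturer -and $Model)) {
        throw 'A device-specific FMA needs both -Manufacturer and -Model (WINBIO_UNIT_SCHEMA values).'
    }
    # A backslash in either name would create a deeper key than intended.
    foreach ($part in $Manufacturer, $Model) {
        if ($part -match '\\') { throw "Invalid key component: $part" }
    }
    return Join-Path (Join-Path $FmaRegistryRoot $Manufacturer) $Model
}

function Register-Fma {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ExecutablePath,   # may contain %ProgramFiles%
        [string]$Manufacturer,   # WINBIO_UNIT_SCHEMA::Manufacturer (device-specific only)
        [string]$Model           # WINBIO_UNIT_SCHEMA::Model
    )
    # Refuse to register a binary that is not on disk. The stored value keeps
    # the unexpanded %ProgramFiles% form shown in the guide.
    $expanded = [Environment]::ExpandEnvironmentVariables($ExecutablePath)
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
        throw "FMA executable not found: $expanded"
    }
    $key         = Get-FmaRegistryKey -Manufacturer $Manufacturer -Model $Model
    $commandLine = "$ExecutablePath $BioUnitToken"

    if ($PSCmdlet.ShouldProcess($key, "Set CommandLine = $commandLine")) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -LiteralPath $key -Name '(default)'  -Value ''           -Type String
        Set-ItemProperty -LiteralPath $key -Name 'CommandLine' -Value $commandLine -Type String
    }
}

function Get-FmaRegistration {
    param([string]$Manufacturer, [string]$Model)
    $key = Get-FmaRegistryKey -Manufacturer $Manufacturer -Model $Model
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key).CommandLine
}

# Global FMA, used for all biometric units:
Register-Fma -ExecutablePath '%ProgramFiles%\FMA\fma.exe'

# Device-specific FMA; repeat once per supported device (placeholder names):
Register-Fma -ExecutablePath '%ProgramFiles%\FMA\fma.exe' -Manufacturer 'ExampleVendor' -Model 'ExampleModel'
Get-FmaRegistration -Manufacturer 'ExampleVendor' -Model 'ExampleModel'
```

Register-Fma supports -WhatIf, so an installer author can print the keys and values that would be written without changing the machine; calling Get-FmaRegistration afterwards confirms that the CommandLine value matches the form in the guide.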

Post-installation

After you successfully install your FMA, we recommend that you display a finish page with a message that guides the user through the next steps such as enrollment or Windows logon.

Note: The FMA should not reboot the system when it is installing or uninstalling new drivers or applications. The FMA installer should not reboot the system either.

FMA Launch

Your FMA should display your product or company logo when the user starts the FMA or switches from the Windows 7 user experience to your application’s experience. You can also brand your FMA to identify it as being supplied by the FMA provider.

Users can launch the FMA by selecting one of the following tasks:

Use your fingerprint with Windows

Manage your fingerprint data

Remove your fingerprint data

One or more of these tasks are available on:

The Biometric Device control panel

The Hardware and Sound control panel

The User Accounts control panel

Desktop search

Table 2 maps the FMA launch tasks to their locations.


Table 2. FMA Launch Task Locations

Task                                Biometric Device   Hardware and Sound   User Accounts   Desktop search
                                    control panel      control panel        control panel
Manage your fingerprint data        X                  X                    X               X
Use your fingerprint on Windows     X X X
Remove your fingerprint data        X X X

For more information on the control panels and desktop search, see “The Biometric Devices Control Panel” later in this paper.

You can also define custom launch points and entry points for your FMA.

Enrollment

This section provides guidelines for designing the enrollment process.

First-Time User Experience

If a user expresses an interest in using a fingerprint device, your FMA should guide the user through the enrollment process. Additionally, the FMA should execute in response to the following events:

If a user swipes or touches the fingerprint reader and there are no enrolled templates for the user, the FMA might be launched. The FMA should prompt the user to determine whether the user wants to enroll and if so, begin the enrollment process.

If a user tries to log on to Windows by swiping a finger, but cannot log on because no fingerprints are currently enrolled, the FMA should display a message that instructs the user to log on using another method (such as a username/password or a smart card). The FMA can then begin the enrollment process automatically once the user has successfully logged on to Windows using another form of authentication.

Do not launch your FMA for these types of events when biometrics is disabled.

Avoid beginning an enrollment every time a user touches the fingerprint device accidentally or swipes an unenrolled finger. The FMA should provide an option that allows the user to disable the prompted enrollment behavior. For example, there might be a check box saying, “Show wizard when a new finger is detected”, to give the user more control.

Enrollment Overview

The FMA should give new biometric users an overview of the complete enrollment process, including:

What is enrollment?

Why would a user want to enroll?

What are the steps?

Providing a clear, simple overview helps the user understand how to work successfully with fingerprint devices on Windows. A clear overview makes it more likely that users will complete the enrollment process without running into problems or becoming frustrated. For more information on providing a good enrollment experience, see “Enrollment Help” later in this document.

Authenticate User Before Initiating Enrollment

Your FMA should confirm the identity of the user before it modifies any enrollment information. It is important to prevent any unauthorized modification of fingerprint logon information.

Your FMA can verify the user’s identity by doing one of the following to validate the logon credentials:

Request that the user enter the account password.

Query a smart card.

Request that the user swipe an enrolled finger if the user has already enrolled.

We strongly recommend that you use the Windows Credential UI in your FMA to collect password information. This will provide users with a consistent Windows look and feel. For more information on the Windows Credential UI, see “Resources” later in this document.

After your FMA collects a user’s credentials, it should call LSALogonUser to validate them. For a link to the documentation for this function, see “Resources” later in this paper.

Store Credentials During First-Time Enrollment

We recommend that FMAs store the user’s Windows credentials in the WBF Credential Manager. In addition, integrating with the WBF Credential Provider enables you to use biometric logon and UAC in your FMA.

During first-time enrollment, if the user chooses to log on with fingerprints, the FMA should prompt the user for a Windows password and then store it for Windows logon in the WBF Credential Manager.

If the WBF Credential Manager cannot validate the credentials for the logged-on user, it will fail to store the credentials. Your FMA should notify the user of the failure and give the user the option to retry.


It will also fail to store the credentials if biometric fingerprint logon is disabled in the “Biometrics Settings” page of the Control Panel. For more details, please refer to “Enrolling Guest or Built-in Administrator” and “Domain User Enrollment”.

If biometric fingerprint logon is disabled for the account type used by the currently logged-on user, the FMA should provide a warning to notify the user that fingerprint logon is disabled and provide a link to launch the WBF “Change Settings” page.

Note: For logon to work immediately after enrollment, the FMA must gather the user’s password and store it in the WBF Credential Manager immediately.

Enrollment Help

During first-time enrollment, it is helpful to provide a user aid, a tutorial, or a guide to assist the user in completing the process successfully. You can also provide video help, fingerprint scanning practice tools, and/or interactive tutorials. You should give the user the option to skip any tutorials and to use them later.

Displaying Fingers and Hands During Enrollment

To be usable around the world, your FMA should be sensitive to issues related to cultural and social differences. Your FMA should display fingers and hands in appropriate ways that do not offend. Consider the following suggestions:

Display both hands because the user might be right-handed or left-handed, or might have other reasons (social or medical) for choosing one hand over the other.

Do not display the left hand alone because in some cultures it is considered offensive or inappropriate.

Do not display hands or fingers in a way that might be considered an insult.

The guidelines suggested above are just some of the many that need to be considered.

Choosing Which Fingerprint to Enroll

The FMA should allow the user to choose which fingerprint(s) to enroll. The user should enroll a single fingerprint at a time. The FMA should prevent the user from enrolling the same fingerprint multiple times. The WBF will reject an enrollment if the template matches any other already stored in the biometric unit.

Collecting Fingerprint Samples for Enrollment

After a user has indicated which fingerprint to enroll, your FMA should do the following when it is collecting fingerprint samples:

Request the fewest possible samples necessary to generate a good template.

Inform the user regarding how many swipes are required to enroll successfully.

Provide instant feedback on the success or failure when collecting a sample.

You can communicate success by showing a centered fingerprint icon and communicate failure with information that helps the user correct their actions. The corrective information could be, for example, a fingerprint graphic that shows a finger offset depending on whether a swipe is too short, too long, skewed, or off-center. Use a sample fingerprint in such a graphic. Displaying a user's actual fingerprint might be a privacy or security risk.

Dynamically adapt to ensure that it captures a sufficient number of samples to create a valid template.

The FMA should prompt the user for more samples until a sufficient number of samples have been collected or until the user decides to abort the enrollment. For more details on helpful feedback for incorrect scans, see “Error Handling”.

Call the WinBioGetProperty function to determine the number of swipes required by a particular biometric unit.

Enrollment and Window Focus

Two WBF functions involved in the enrollment process are sensitive to current window focus:

WinBioEnrollBegin. The calling process must have window focus when it calls this function.

WinBioEnrollCapture. The calling process must have window focus when the user swipes, otherwise the system will discard the swipe.

In general, these conditions are satisfied if the FMA is a graphical user interface (GUI) application and one of its windows has focus during the enrollment sequence. The same is true of a console-based FMA as long as the surrounding console window maintains focus throughout the enrollment.

Focus management requires extra attention in an FMA in which one non-GUI application issues WBF enrollment calls while another GUI application displays the enrollment progress. In such a design, enrollment will not work correctly because window focus does not reside with the correct process. The solution is to use a pair of WBF functions that manually notify WBF of the proper focus:

WinBioAcquireFocus. The non-GUI process should call this immediately before every Windows biometric function call that requires focus.

WinBioReleaseFocus. The non-GUI process should call this when the Windows biometric operation is complete.

An important aspect of these functions is that other system events, such as a user clicking a window's "Close" button, can cause the focus to shift automatically, even after a call to WinBioAcquireFocus. Consequently, FMAs that depend on these focus-shifting functions can be fragile. To avoid the problem altogether, we recommend that you write your FMA as a single-process GUI or console application that depends only on the built-in focus behavior of Windows to control the flow of biometric events. For similar reasons, we discourage the use of the WBF API from within services or detached processes.

Enrolling Duplicate Fingerprint Images

The WBF does not allow a single fingerprint image to be associated with more than one identity on a given biometric unit. In other words, a user cannot provide swipes from the right index finger and claim that they correspond both to Bob's account and to Alice's account. After a fingerprint image has been stored in a biometric unit, that same image cannot be enrolled again on that biometric unit until the previous enrollment has been deleted.

This restriction extends to multiple biometric units if they share the same fingerprint database. For example, if a system contains multiple fingerprint sensors from the same vendor, it is possible that these sensors all share a common fingerprint database. In that case, a given fingerprint image can only be enrolled once across all the sensors sharing the fingerprint database. There is no restriction on storing a single fingerprint image on multiple biometric units, if the units each have their own fingerprint database.

An FMA must provide appropriate feedback when it discovers that a fingerprint image is already enrolled on a given biometric unit. However, for security reasons, the FMA must not disclose the identity of the user associated with the already-enrolled fingerprint image.
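The enrollment loop that the sections from "Dynamically adapt" through the focus and duplicate rules describe, as an added example in C. It is not code from this paper or from any Microsoft sample. It assumes the Windows 7 winbio.h API as documented (WinBioEnrollBegin, WinBioEnrollCapture returning WINBIO_I_MORE_DATA until the engine has enough samples, WinBioEnrollCommit, WinBioEnrollDiscard, and the WinBioAcquireFocus/WinBioReleaseFocus pair), and it assumes that the commit reports an already-enrolled print as WINBIO_E_DUPLICATE_ENROLLMENT; check winbio_err.h in your SDK. The reject-detail strings are the example's own wording, and the `expected` swipe count is whatever the FMA read from WinBioGetProperty beforehand. Outside Windows, the `#else` branch substitutes a constructed scripted sensor so the loop can be run and checked offline:

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winbio.h>
#else
/* Constructed stand-in for the slice of winbio.h used below, so the flow compiles and a
 * scripted run executes without the Windows SDK; the codes are placeholders, not the SDK's. */
typedef int HRESULT; typedef unsigned char BOOLEAN;
typedef unsigned long long WINBIO_SESSION_HANDLE; typedef unsigned long WINBIO_UNIT_ID;
typedef unsigned char WINBIO_BIOMETRIC_SUBTYPE; typedef unsigned long WINBIO_REJECT_DETAIL;
typedef struct { int Type; } WINBIO_IDENTITY;
#define S_OK                          ((HRESULT)0)
#define SUCCEEDED(hr)                 (((HRESULT)(hr)) >= 0)
#define WINBIO_I_MORE_DATA            ((HRESULT)0x00090001)
#define WINBIO_E_BAD_CAPTURE          ((HRESULT)0x80098008)
#define WINBIO_E_DUPLICATE_ENROLLMENT ((HRESULT)0x80098016)
#define WINBIO_ANSI_381_POS_RH_INDEX_FINGER ((WINBIO_BIOMETRIC_SUBTYPE)2)
enum { WINBIO_FP_TOO_HIGH = 1, WINBIO_FP_TOO_LOW, WINBIO_FP_TOO_LEFT, WINBIO_FP_TOO_RIGHT,
       WINBIO_FP_TOO_FAST, WINBIO_FP_TOO_SLOW, WINBIO_FP_POOR_QUALITY, WINBIO_FP_TOO_SKEWED, WINBIO_FP_TOO_SHORT };
/* Scripted sensor: 'G' good swipe (more wanted), 'F' final good swipe, 'B' too fast, 'S' too short. */
static const char *g_script = ""; static HRESULT g_commit = S_OK;
static void fake_script(const char *s, HRESULT commit) { g_script = s; g_commit = commit; }
HRESULT WinBioAcquireFocus(void) { return S_OK; }
HRESULT WinBioReleaseFocus(void) { return S_OK; }
HRESULT WinBioEnrollBegin(WINBIO_SESSION_HANDLE s, WINBIO_BIOMETRIC_SUBTYPE f, WINBIO_UNIT_ID u)
{ (void)s; (void)f; (void)u; return S_OK; }
HRESULT WinBioEnrollCapture(WINBIO_SESSION_HANDLE s, WINBIO_REJECT_DETAIL *d)
{
    char c = *g_script ? *g_script++ : 'S';          /* an exhausted script keeps rejecting */
    (void)s; *d = (c == 'B') ? WINBIO_FP_TOO_FAST : (c == 'S') ? WINBIO_FP_TOO_SHORT : 0;
    return c == 'G' ? WINBIO_I_MORE_DATA : c == 'F' ? S_OK : WINBIO_E_BAD_CAPTURE;
}
HRESULT WinBioEnrollCommit(WINBIO_SESSION_HANDLE s, WINBIO_IDENTITY *i, BOOLEAN *n)
{ (void)s; (void)i; *n = 1; return g_commit; }
HRESULT WinBioEnrollDiscard(WINBIO_SESSION_HANDLE s) { (void)s; return S_OK; }
#endif

/* Corrective text for a rejected swipe; show it beside a sample print graphic offset the
 * matching way, never beside the user's own print. */
static const char *reject_hint(WINBIO_REJECT_DETAIL detail)
{
    switch (detail) {
    case WINBIO_FP_TOO_LEFT:   return "Shift your finger to the right and retry.";
    case WINBIO_FP_TOO_RIGHT:  return "Shift your finger to the left and retry.";
    case WINBIO_FP_TOO_FAST:   return "Swipe more slowly.";
    case WINBIO_FP_TOO_SLOW:   return "Swipe a little faster.";
    case WINBIO_FP_TOO_SKEWED: return "Keep your finger straight as you swipe.";
    case WINBIO_FP_TOO_SHORT:  return "Swipe the full length of your finger.";
    default:                   return "That swipe could not be read. Please try again.";
    }
}

enum enroll_result { ENROLL_OK, ENROLL_DUPLICATE, ENROLL_ABORTED, ENROLL_FAILED };

/* expected: the swipe count read from WinBioGetProperty, shown up front; the loop itself runs
 * until the engine stops answering WINBIO_I_MORE_DATA.  max_attempts stands in for the user's
 * Cancel button so a misbehaving sensor cannot keep the loop spinning. */
static enum enroll_result enroll_finger(WINBIO_SESSION_HANDLE session, WINBIO_UNIT_ID unit,
        WINBIO_BIOMETRIC_SUBTYPE finger, int expected, int max_attempts, int *good)
{
    WINBIO_IDENTITY identity; BOOLEAN is_new; HRESULT hr; int attempts = 0;
    *good = 0;
    printf("Swipe your finger %d times.\n", expected);
    WinBioAcquireFocus();                            /* WinBioEnrollBegin needs focus */
    hr = WinBioEnrollBegin(session, finger, unit);
    WinBioReleaseFocus();
    if (!SUCCEEDED(hr)) return ENROLL_FAILED;
    for (;;) {
        WINBIO_REJECT_DETAIL detail = 0;
        if (attempts++ >= max_attempts) { WinBioEnrollDiscard(session); return ENROLL_ABORTED; }
        WinBioAcquireFocus();                        /* a swipe without focus is discarded */
        hr = WinBioEnrollCapture(session, &detail);
        WinBioReleaseFocus();
        if (hr == WINBIO_E_BAD_CAPTURE) { printf("%s\n", reject_hint(detail)); continue; }
        if (!SUCCEEDED(hr)) { WinBioEnrollDiscard(session); return ENROLL_FAILED; }
        printf("Swipe %d of %d accepted.\n", ++*good, expected);
        if (hr != WINBIO_I_MORE_DATA) break;         /* S_OK: enough samples for a template */
    }
    hr = WinBioEnrollCommit(session, &identity, &is_new);
    if (hr == WINBIO_E_DUPLICATE_ENROLLMENT) {
        WinBioEnrollDiscard(session);
        printf("This fingerprint is already enrolled on this sensor.\n");  /* never say for whom */
        return ENROLL_DUPLICATE;
    }
    return SUCCEEDED(hr) ? ENROLL_OK : ENROLL_FAILED;
}

int main(void)
{
    int good = 0;
#ifdef _WIN32
    WINBIO_SESSION_HANDLE session = 0; WINBIO_UNIT_ID unit = 0;
    if (!SUCCEEDED(WinBioOpenSession(WINBIO_TYPE_FINGERPRINT, WINBIO_POOL_SYSTEM,
                                     WINBIO_FLAG_DEFAULT, NULL, 0, NULL, &session))) return 1;
    if (!SUCCEEDED(WinBioLocateSensor(session, &unit))) return 1;
    printf("result %d\n", enroll_finger(session, unit, WINBIO_ANSI_381_POS_RH_INDEX_FINGER, 5, 20, &good));
    WinBioCloseSession(session);
#else
    fake_script("BGGSF", S_OK);                       /* constructed: two rejects, three accepted */
    printf("result %d\n", enroll_finger(1, 1, WINBIO_ANSI_381_POS_RH_INDEX_FINGER, 3, 10, &good));
#endif
    return 0;
}
```

Two points carry the security weight. The focus bracket around every capture is what keeps a swipe from being silently dropped in a console FMA, and the duplicate path tells the user only that the print is already enrolled on this sensor, never which account owns it, because the FMA is a route to logon credentials.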

Enrolling Multiple Fingerprints

FMAs should allow the user to associate multiple fingerprints (up to 10) with the same user account.

In scenarios where a user wants to enroll more fingerprints through the "Hardware and Sound" page, the Control Panel, the User Accounts control panel, or the command line, the FMA must prompt for an enrolled fingerprint or the user's logon credentials to authenticate the user before allowing changes, because this is an avenue to access logon credentials.

Enrolling Guest or Built-in Administrator

The WBF does not permit enrollments for Guest or Built-in Administrator accounts. Your FMA must handle this scenario gracefully. In particular, the FMA should not allow logged-on Guest or Built-in Administrator users to begin an enrollment sequence, and should provide appropriate text explaining the restriction. An FMA should not wait until the enrollment has failed before providing this feedback.

The WBF will not store credentials for built-in accounts in the Biometric Credential Store, therefore this scenario should be avoided.

Domain User Enrollment

Biometric domain logon is disabled by default on Windows-based systems. This setting is controlled by the system administrator by using the "Allow users to log on to a domain using their fingerprints" option in Control Panel. If biometric domain logon is disabled and a domain user tries to enroll, your FMA must notify the user of the restriction and abort enrollment before prompting for credentials. Table 3 lists functions that you can call from your FMA to determine whether domain logon is enabled.

Table 3: Functions for Biometric Domain Logon

Function                       Operation
WinBioGetEnabledSetting        Retrieves a value that specifies whether the WBF is currently enabled.
WinBioGetLogonSetting          Retrieves a value that specifies whether users can log on by using biometric information.
WinBioGetDomainLogonSetting    Retrieves a value that specifies whether users can log on to a domain by using biometric information.

For more information on the functions listed above, see “Resources” later in this paper.

Biometric domain logon can also be controlled by Group Policy. If domain logon is disabled by Group Policy, your FMA should direct the user to contact the system administrator, because the user cannot change the setting locally. The functional requirement for an FMA is to detect either situation, inform the user, and, when the setting is controlled locally rather than by policy, display the settings page so that the user can change it.
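A gate an FMA can run before it shows any credential prompt, as an added example in C that is not from this paper. It is built on the three functions in Table 3 plus the WINBIO_SETTING_SOURCE_TYPE value each of them returns alongside the setting, which is what tells a Group Policy value apart from a local one. It applies the paper's domain-logon rule and, as an extension, the same check for local accounts against the local-logon setting. The `is_domain_account` input is assumed to come from the FMA's own SID lookup, and the message text is the example's own. Off Windows, the `#else` branch substitutes constructed fakes so the decision table can be exercised:

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winbio.h>
#else
/* Constructed stand-in for the slice of winbio.h used below; the three fakes answer from
 * values set with fake_settings() so the decision table runs offline (placeholder values). */
typedef int HRESULT; typedef unsigned char BOOLEAN; typedef unsigned long WINBIO_SETTING_SOURCE_TYPE;
#define S_OK ((HRESULT)0)
#define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0)
#define WINBIO_SETTING_SOURCE_DEFAULT ((WINBIO_SETTING_SOURCE_TYPE)1)
#define WINBIO_SETTING_SOURCE_POLICY  ((WINBIO_SETTING_SOURCE_TYPE)2)
#define WINBIO_SETTING_SOURCE_LOCAL   ((WINBIO_SETTING_SOURCE_TYPE)3)
static BOOLEAN f_val[3] = { 1, 1, 0 };               /* enabled, logon, domain logon */
static WINBIO_SETTING_SOURCE_TYPE f_src = WINBIO_SETTING_SOURCE_DEFAULT;
static void fake_settings(int enabled, int logon, int domain, WINBIO_SETTING_SOURCE_TYPE src)
{ f_val[0] = (BOOLEAN)enabled; f_val[1] = (BOOLEAN)logon; f_val[2] = (BOOLEAN)domain; f_src = src; }
HRESULT WinBioGetEnabledSetting(BOOLEAN *v, WINBIO_SETTING_SOURCE_TYPE *s) { *v = f_val[0]; *s = f_src; return S_OK; }
HRESULT WinBioGetLogonSetting(BOOLEAN *v, WINBIO_SETTING_SOURCE_TYPE *s) { *v = f_val[1]; *s = f_src; return S_OK; }
HRESULT WinBioGetDomainLogonSetting(BOOLEAN *v, WINBIO_SETTING_SOURCE_TYPE *s) { *v = f_val[2]; *s = f_src; return S_OK; }
#endif

enum gate { GATE_ALLOW, GATE_WBF_DISABLED, GATE_LOGON_DISABLED, GATE_DOMAIN_LOGON_DISABLED, GATE_ERROR };
struct gate_result { enum gate gate; int set_by_policy; };

/* Decide whether enrollment for logon may start, before any credential prompt.
 * is_domain_account is the FMA's own determination from the user's SID (assumed input).
 * Domain accounts are governed by the domain-logon setting, local accounts by the logon
 * setting; both sit behind the global "enabled" switch.  The source of the blocking
 * setting is kept so the caller knows whether the user can change it at all. */
static struct gate_result enrollment_gate(int is_domain_account)
{
    struct gate_result r = { GATE_ALLOW, 0 };
    BOOLEAN on = 0; WINBIO_SETTING_SOURCE_TYPE src = 0; HRESULT hr;
    hr = WinBioGetEnabledSetting(&on, &src);
    if (!SUCCEEDED(hr)) { r.gate = GATE_ERROR; return r; }
    if (!on) {
        r.gate = GATE_WBF_DISABLED;
    } else {
        hr = is_domain_account ? WinBioGetDomainLogonSetting(&on, &src) : WinBioGetLogonSetting(&on, &src);
        if (!SUCCEEDED(hr)) { r.gate = GATE_ERROR; return r; }
        if (!on) r.gate = is_domain_account ? GATE_DOMAIN_LOGON_DISABLED : GATE_LOGON_DISABLED;
    }
    r.set_by_policy = (r.gate != GATE_ALLOW && src == WINBIO_SETTING_SOURCE_POLICY);
    return r;
}

/* What the FMA shows instead of the credential prompt.  The action depends on the source:
 * a policy-set value means contact the administrator; otherwise point at the settings page. */
static const char *gate_reason(struct gate_result r)
{
    static const char *text[] = { "",
        "Biometrics are turned off on this computer.",
        "Logging on with a fingerprint is turned off on this computer.",
        "Logging on to a domain with a fingerprint is turned off on this computer.",
        "The biometric settings could not be read." };
    return text[r.gate];
}

static const char *gate_action(struct gate_result r)
{
    if (r.gate == GATE_ALLOW) return "";
    if (r.gate == GATE_ERROR) return "Try again later or contact your system administrator.";
    return r.set_by_policy ? "Contact your system administrator."
         : "Open Control Panel > Biometric Devices > Change biometric settings to turn it on.";
}

int main(void)
{
    struct gate_result r;
#ifndef _WIN32
    fake_settings(1, 1, 0, WINBIO_SETTING_SOURCE_POLICY);   /* constructed: domain logon off by Group Policy */
#endif
    r = enrollment_gate(1);                                   /* a domain user wants to enroll */
    if (r.gate != GATE_ALLOW) printf("%s %s\n", gate_reason(r), gate_action(r));
    else printf("OK to continue to the credential prompt.\n");
    return 0;
}
```

The order matters: the settings are read and the user is turned away before CredUIPromptForWindowsCredentials or any fingerprint prompt appears, so a blocked account never types a password into an FMA that cannot store it.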

Encourage Adoption of Supported Features

After a successful enrollment, your FMA should list some of the key features that it supports such as Windows logon and starting applications. This encourages the user to employ biometrics to its full extent.

Multiple Fingerprint Sensors

For information on handling fingerprint enrollment on a system that has multiple sensors, see "Supporting Multiple Fingerprint Sensors".

Credential Management

This section provides information about managing credentials, including showing enrolled fingerprints, authenticating before changing credentials, and deleting fingerprints.

Show Enrolled Fingerprints

Your FMA should show which fingerprints are currently enrolled for a given user. For example, your FMA could display two hands and highlight the enrolled fingerprints.

To determine the enrolled fingerprints on a given sensor:

1. Get the security identifier (SID) of the user that you are interested in -- either the currently logged-on user or somebody else. You will need to call non-WBF functions from Win32®. Use the SID to build a WINBIO_IDENTITY block.

2. Select the sensor. On a multi-sensor platform, call WinBioLocateSensor or WinBioLocateSensorWithCallback and have the user swipe or touch the desired sensor. On a single sensor platform, get the unit ID of the sensor by calling WinBioEnumBiometricUnits.

3. Call WinBioEnumEnrollments with the unit ID value and identity. The function returns an array of enrolled fingerprint IDs for the sensor.


For more information about the structures and functions shown in the procedure above, see “Resources” later in this paper.

Authenticate the User Before Allowing Changes

An FMA should prompt for an enrolled fingerprint or password to authenticate the user before allowing any changes, because this is an avenue to modify logon credentials and could pose a security threat. For example, an FMA should authenticate the user before enrolling more fingerprints through the User Accounts control panel.

Deleting the Last Fingerprint

Deleting a user's last fingerprint removes the user's password from the Biometric Credential Store and requires the user to log on to the system with a user name and password. Therefore, before your FMA deletes the last fingerprint on a machine it should do the following:

Warn the user that they are deleting their last fingerprint and give them the option to cancel the operation.

Inform the user that after completion of the deletion process, they will need their username and password to log on to Windows.

Help the user to avoid being locked out of their system by prompting the user to enter their logon credentials and by verifying them.

When a user deletes their last registered template on the Windows system, your FMA should ensure that the credentials associated with this user's fingerprint are deleted from the Windows Biometric Credential Store because they are no longer required.

Note: The FMA must securely delete personally identifiable information (PII) such as user fingerprint templates and passwords.
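The three-step enumeration procedure under "Show Enrolled Fingerprints" and the last-fingerprint rules above, in one added example in C that is not code from this paper. It builds the WINBIO_IDENTITY from the calling user's token SID with the non-WBF Win32 calls step 1 refers to, lists enrollments with WinBioEnumEnrollments, and deletes a template with WinBioDeleteTemplate. The `confirm_last` callback stands for the FMA's own warn-and-reverify dialog (CredUIPromptForWindowsCredentials and LsaLogonUser, listed under "Resources"), and the credential-store cleanup assumes WinBioRemoveCredential with WINBIO_CREDENTIAL_PASSWORD is the Windows 7 call for that purpose. The check is per biometric unit; a multi-sensor FMA would repeat it for every unit the user is enrolled on. Off Windows, the `#else` branch substitutes a constructed in-memory enrollment list so the guard can be exercised:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winbio.h>
#else
/* Constructed stand-in for the slice of winbio.h used below, backed by an in-memory
 * enrollment list so the guard logic runs offline (values are placeholders). */
typedef int HRESULT; typedef unsigned long ULONG; typedef unsigned char UCHAR; typedef size_t SIZE_T;
typedef unsigned long long WINBIO_SESSION_HANDLE; typedef ULONG WINBIO_UNIT_ID;
typedef UCHAR WINBIO_BIOMETRIC_SUBTYPE; typedef ULONG WINBIO_CREDENTIAL_TYPE;
#define SECURITY_MAX_SID_SIZE 68
#define WINBIO_ID_TYPE_SID 3
#define WINBIO_CREDENTIAL_PASSWORD ((WINBIO_CREDENTIAL_TYPE)1)
#define S_OK ((HRESULT)0)
#define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0)
typedef struct { ULONG Type; struct { struct { ULONG Size; UCHAR Data[SECURITY_MAX_SID_SIZE]; } AccountSid; } Value; } WINBIO_IDENTITY;
static WINBIO_BIOMETRIC_SUBTYPE f_enrolled[10]; static SIZE_T f_count; static int f_cred_removed;
static void fake_enrollments(const WINBIO_BIOMETRIC_SUBTYPE *f, SIZE_T n) { memcpy(f_enrolled, f, n); f_count = n; f_cred_removed = 0; }
HRESULT WinBioEnumEnrollments(WINBIO_SESSION_HANDLE s, WINBIO_UNIT_ID u, WINBIO_IDENTITY *id, WINBIO_BIOMETRIC_SUBTYPE **arr, SIZE_T *n)
{ (void)s; (void)u; (void)id; *arr = malloc(f_count + 1); memcpy(*arr, f_enrolled, f_count); *n = f_count; return S_OK; }
HRESULT WinBioDeleteTemplate(WINBIO_SESSION_HANDLE s, WINBIO_UNIT_ID u, WINBIO_IDENTITY *id, WINBIO_BIOMETRIC_SUBTYPE f)
{ SIZE_T i; (void)s; (void)u; (void)id;
  for (i = 0; i < f_count; i++) if (f_enrolled[i] == f) { f_enrolled[i] = f_enrolled[--f_count]; return S_OK; }
  return (HRESULT)0x80004005; /* E_FAIL */ }
HRESULT WinBioRemoveCredential(WINBIO_IDENTITY id, WINBIO_CREDENTIAL_TYPE t) { (void)id; (void)t; f_cred_removed = 1; return S_OK; }
HRESULT WinBioFree(void *p) { free(p); return S_OK; }
#endif

/* Step 1: identity block for the calling user.  On Windows the SID is read from the process
 * token with non-WBF Win32 calls; offline, a constructed 12-byte SID (S-1-5-18) stands in. */
static int current_user_identity(WINBIO_IDENTITY *id)
{
    memset(id, 0, sizeof *id);
    id->Type = WINBIO_ID_TYPE_SID;
#ifdef _WIN32
    HANDLE tok; DWORD len; BYTE buf[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE]; PSID sid;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    if (!GetTokenInformation(tok, TokenUser, buf, sizeof buf, &len)) { CloseHandle(tok); return 0; }
    sid = ((TOKEN_USER *)buf)->User.Sid;
    id->Value.AccountSid.Size = GetLengthSid(sid);
    CopySid(SECURITY_MAX_SID_SIZE, id->Value.AccountSid.Data, sid);
    CloseHandle(tok);
#else
    id->Value.AccountSid.Size = 12;
    memcpy(id->Value.AccountSid.Data, "\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00", 12);
#endif
    return 1;
}

/* Steps 2-3: enrolled subfactors (ANSI 381 finger positions 1-10) for the identity on one
 * unit.  Returns the count copied into out[], or -1 if the call failed. */
static int enrolled_fingers(WINBIO_SESSION_HANDLE s, WINBIO_UNIT_ID unit,
                            WINBIO_IDENTITY *id, WINBIO_BIOMETRIC_SUBTYPE out[10])
{
    WINBIO_BIOMETRIC_SUBTYPE *arr = NULL; SIZE_T n = 0, i;
    if (!SUCCEEDED(WinBioEnumEnrollments(s, unit, id, &arr, &n))) return -1;
    for (i = 0; i < n && i < 10; i++) out[i] = arr[i];
    WinBioFree(arr);                                     /* WBF allocated it, WBF frees it */
    return (int)(n < 10 ? n : 10);
}

enum del_result { DEL_OK, DEL_NOT_ENROLLED, DEL_LAST_DECLINED, DEL_FAILED };

/* Deletes one finger.  If it is the user's last template on this unit, confirm_last() (the
 * FMA's warn-and-reverify dialog) must return nonzero first, and the stored password is
 * removed afterwards so no credential outlives the last template that could unlock it. */
static enum del_result delete_finger(WINBIO_SESSION_HANDLE s, WINBIO_UNIT_ID unit,
        WINBIO_IDENTITY *id, WINBIO_BIOMETRIC_SUBTYPE finger, int (*confirm_last)(void))
{
    WINBIO_BIOMETRIC_SUBTYPE have[10]; int i, present = 0, n = enrolled_fingers(s, unit, id, have);
    if (n < 0) return DEL_FAILED;
    for (i = 0; i < n; i++) present |= (have[i] == finger);
    if (!present) return DEL_NOT_ENROLLED;
    if (n == 1 && !confirm_last()) return DEL_LAST_DECLINED;
    if (!SUCCEEDED(WinBioDeleteTemplate(s, unit, id, finger))) return DEL_FAILED;
    if (n == 1 && !SUCCEEDED(WinBioRemoveCredential(*id, WINBIO_CREDENTIAL_PASSWORD))) return DEL_FAILED;
    return DEL_OK;
}

static int decline_last(void) { return 0; }   /* user cancelled the warning */
static int accept_last(void)  { return 1; }   /* user confirmed; credentials re-verified */

int main(void)
{
    WINBIO_IDENTITY me; WINBIO_BIOMETRIC_SUBTYPE have[10]; int n, i;
    WINBIO_SESSION_HANDLE session = 1; WINBIO_UNIT_ID unit = 1;
#ifdef _WIN32
    if (!SUCCEEDED(WinBioOpenSession(WINBIO_TYPE_FINGERPRINT, WINBIO_POOL_SYSTEM, WINBIO_FLAG_DEFAULT,
                                     NULL, 0, NULL, &session))) return 1;
    if (!SUCCEEDED(WinBioLocateSensor(session, &unit))) return 1;   /* user touches the sensor to pick it */
#else
    WINBIO_BIOMETRIC_SUBTYPE seed[] = { 2, 7 };                      /* constructed: right + left index */
    fake_enrollments(seed, 2);
#endif
    if (!current_user_identity(&me) || (n = enrolled_fingers(session, unit, &me, have)) < 0) return 1;
    for (i = 0; i < n; i++) printf("enrolled: ANSI 381 finger position %u\n", (unsigned)have[i]);
#ifndef _WIN32   /* offline only: a demo must never delete a real template */
    printf("delete 2 -> %d\n", delete_finger(session, unit, &me, 2, accept_last));
    printf("delete 7 -> %d (last one, user declined)\n", delete_finger(session, unit, &me, 7, decline_last));
#else
    WinBioCloseSession(session);
#endif
    return 0;
}
```

The guard checks the enrollment count before, not after, the delete, so the warning and credential re-verification happen while the user can still cancel; the password buffer that the real dialog collects should be cleared with SecureZeroMemory as soon as LsaLogonUser has confirmed it, in line with the PII note above.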

Deleting Fingerprints that are Not Associated with the Current Machine

A biometric device can hold templates for user accounts that do not exist on the current machine, for example because the account has been deleted or because the device was previously connected to a different machine. Your FMA should provide the ability to delete templates that are not associated with the current machine.

Password Security Considerations

Your FMA should do the following to encourage users to maintain secure passwords:

Recommend to users that they should not use a blank password.

Advise users on how to create a strong password. For more details on Windows password recommendations, see “Resources” later in this paper.

Advise users to create a password recovery disk so they are not locked out of Windows if they forget their password or cannot use fingerprints to log on (for example, due to injury).

Advise users to create a password hint if they do not have one already.


Supporting Multiple Fingerprint Sensors

One of the goals of WBF is to enable a single machine to support multiple sensors. While the majority of machines in the near term will have only a single sensor, it is important for your FMA to support multiple sensors.

When multiple fingerprint sensors are installed on a system, your FMA should be started for a specific biometric unit.

When Control Panel invokes the command to start your FMA, it expands %{biounitid} to the unit ID of the sensor that your FMA should use for the enrollment. (For information about the biounitid, see “FMA Registration”.) Your FMA should do the following to ensure that it works correctly on both single sensor and multi-sensor machines:

1. When it calls WinBioEnrollBegin, specify the selected biometric unit ID so that the enrollment is stored for the correct sensor.

2. Enumerate which fingerprints are enrolled so it can show this in the user interface. It should show only the fingerprints that are enrolled for the specified sensor.

3. Let the user select which sensor to enroll on when there are multiple sensors and no biounitid is specified. This feature is optional but it would provide a consistent user experience. If there are multiple sensors on a system, the WBF displays the “Touch a fingerprint reader to enroll your fingerprints” page in Control Panel. See Figure 2.

Figure 2. Multiple fingerprint readers message


Implementing the features listed above enables your FMA to support multiple sensors and to be sensor agnostic.

To give user context, the FMA can target only one sensor at a time.

A user might generate input on a sensor other than the sensor that your FMA is currently handling. Your FMA should handle such input gracefully:

Your FMA might ignore the other inputs, or it might allow the user to abandon their current enrollment and change to the new sensor.

If your FMA is a global FMA, it should detect whether the user has enrolled fingerprints on another sensor to show the user what fingerprints are enrolled on which sensor.

Enrollment

A Global FMA must ensure that the enrollment wizard works with all sensors.

Error Handling

One of the basic goals of the WBF is to provide a consistent end-user experience. A well-designed FMA should be able to handle errors and also address temporary service interruptions gracefully by showing appropriate messages. If the service does not become available immediately, then the FMA should either attempt self-diagnosis and repair, or it should notify the user of actions that the user can take to identify and repair the issue.

Additionally, your FMA should not call blocking WBF functions from its user-interface thread; run them on a worker thread or use the asynchronous (WithCallback) variants so that the user interface stays responsive.

Use Error Code to Text Translation

Your FMA should translate WBF error codes into appropriate text messages to provide more helpful and specific error messages or feedback to the user. For more information, see the link to the Windows Biometric Framework API documentation in "Resources" later in this paper.

Helpful Feedback for Rejected Scans

Your FMA should handle rejected scans gracefully by providing the user with helpful feedback. Your FMA can provide instructions for avoiding the error, such as "Swipe more slowly" or "Shift your finger to the right and retry".

You should limit your feedback on unusable samples to correcting user interaction with the sensor. Your feedback should be friendly in tone to prevent the user from developing a negative perception of your FMA or of biometrics in general.

Summary

The guidelines in this paper assist ISVs, IHVs, and OEMs in designing fingerprint management applications that work seamlessly with supported fingerprint sensors on Windows 7.

In addition, the guidelines help biometric devices and software solutions to coexist and help ensure a consistent biometric end-user experience on Windows 7.

Resources

The following links provide more information about the WBF, FMAs, and related topics.

Web Pages

.NET Framework Developer Center

http://msdn.microsoft.com/en-us/netframework/default.aspx

Windows Biometric Framework: Code-Signing Guidelines

http://www.microsoft.com/whdc/device/biometric/WBF_CodeSign.mspx

Windows Device Experience

http://www.microsoft.com/whdc/device/DeviceExperience/default.mspx

Whitepapers

Introduction to the Windows Biometric Framework (WBF)

http://www.microsoft.com/whdc/device/biometric/WBFIntro.mspx

Documentation on MSDN

Windows Biometric Framework API

http://msdn.microsoft.com/en-us/library/dd401509(VS.85).aspx

Windows User Experience Interaction Guidelines

http://msdn.microsoft.com/en-us/library/aa511258.aspx

CredUIPromptForWindowsCredentials Function

http://msdn.microsoft.com/en-us/library/aa375178.aspx

GetVersionEx Function

http://msdn.microsoft.com/en-us/library/ms724451(VS.85).aspx

LsaLogonUser Function

http://msdn.microsoft.com/en-us/library/aa378292(VS.85).aspx

OSVERSIONINFOEX Structure

http://msdn.microsoft.com/en-us/library/ms724833(VS.85).aspx

SID Structure

http://msdn.microsoft.com/en-us/library/aa379594.aspx

WinBioEnrollBegin Function

http://msdn.microsoft.com/en-us/library/dd401617(VS.85).aspx


WinBioGetDomainLogonSetting Function

http://msdn.microsoft.com/en-us/library/dd560903(VS.85).aspx

WinBioGetEnabledSetting Function

http://msdn.microsoft.com/en-us/library/dd560904(VS.85).aspx

WinBioGetLogonSetting Function

http://msdn.microsoft.com/en-us/library/dd560905(VS.85).aspx

WinBioLocateSensor Function

http://msdn.microsoft.com/en-us/library/dd401630(vs.85).aspx

WinBioLocateSensorWithCallback Function

http://msdn.microsoft.com/en-us/library/dd401631(VS.85).aspx

WinBioLogonIdentifiedUser Function

http://msdn.microsoft.com/en-us/library/dd401633(VS.85).aspx

Strong Passwords

http://msdn.microsoft.com/en-us/library/ms161962.aspx

Windows Data Protection

http://msdn.microsoft.com/en-us/library/ms995355.aspx

Appendix

Fast User Switching (FUS)

Fast user switching is a feature that allows users to switch between user accounts on a single PC without quitting applications and logging off. This is a typical scenario for home users sharing a single PC. The following sections provide guidelines for designing an FMA that supports FUS.

Use the Defined API

The WBF provides a set of functions to implement FUS efficiently on Windows. For more information, see the WBF documentation for the WinBioLogonIdentifiedUser function.

Store Credentials Securely

To do FUS, your FMA must store user credentials securely. We recommend that you store credentials by using the Windows Biometric Credential Manager. The Windows Biometric Credential Manager uses the credential vault, which uses the Data Protection API (DPAPI) to store credentials. For more information on Windows Data Protection, see "Resources" earlier in this paper.

Prioritize FUS Events

FUS applications must handle FUS events before checking for other unhandled swipe events. For example, if launching an application is associated with a scan of user A's right index finger, but user B is logged on when user A scans his or her right index finger, your FMA should log on user A but it should not start the application unless user A scans his or her right index finger again.

Unregister for Unhandled Swipes

Your FMA must unregister for unhandled swipes if the application is per session. The FMA must unregister only while the user's session is not interactive (for example, while the session is locked or another user has switched in), and it must re-register when the user unlocks or logs back on.

If your FMA does not unregister, FUS cannot be used to switch away from the user you just switched to. An application that is running in a desktop session other than the active one cannot capture swipes, so it cannot make a FUS request.

The Biometric Devices Control Panel

The Biometric Devices control panel is the primary interface for configuring the WBF. This control panel presents various tasks to the user, including:

Viewing the status of a specific device. A device can have a status of:

Unavailable

Not enrolled

Enrolled

Enrollment in progress

Viewing and changing settings through the “Change Settings” page, including:

Enable/Disable Biometrics.

Enable/Disable Local Logon for local accounts.

Enable/Disable Domain Logon for domain accounts.

Launching third-party FMAs through the “Manage your fingerprint data” link.

Figure 3 shows a screenshot of the Biometric Devices control panel.


Figure 3. Biometric Devices control panel

The Biometric Devices control panel is available if a fingerprint device with a WBDI driver is installed on a computer running Windows 7. A user can discover the Biometric Devices control panel by browsing the Windows Control Panel. The Biometric Devices control panel is included under the “Hardware and Sound” category as shown in Figure 4.

If a WBDI driver has never been installed, the Biometric Devices control panel will not be shown.


Figure 4. Biometric Devices category on the Hardware and Sound page

Alternatively, a user can find the Biometric Devices control panel through desktop search, as shown in Figure 5.

Figure 5. Locating the Biometric Devices control panel through desktop search

For more information about the new features for how users discover and use devices that are connected to their PC running Windows 7, see the information for Windows Device Experience in “Resources” earlier in this paper.

Task Link Behavior

If the task links are shown, their behavior depends on the following factors:

Number of biometric unit compatibility groups available in the system pool

Number of FMAs registered

Number of available devices that work with the FMA

Presence of a global FMA

A biometric unit compatibility group is a set of sensors that each use instances of the same sensor adapter, matching engine, and storage adapter. If a user enrolls for one sensor in the group, then that user is enrolled for all sensors in the group.

A sensor can have an FMA registered for it specifically and there can also be a global FMA registered for all sensors. The FMA registered for a specific sensor is used only when there is no global FMA registered. If a global FMA is registered, then the global FMA is always run regardless of how many device-specific FMAs are registered.

It is possible to configure the system improperly, and get into a state where there is no global FMA registered and no device-specific FMA registered. You should avoid this situation by always registering a device-specific FMA.
