DigitalPersona Online
Version 5.5.0
Administrator Guide
DigitalPersona, Inc.
© 1996-2013 DigitalPersona, Inc. All Rights Reserved.
All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or
described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws,
other applicable copyright laws, and international treaty provisions. DigitalPersona and its suppliers retain all rights not
expressly granted.
DigitalPersona, One Touch, and U.are.U are trademarks of DigitalPersona, Inc., registered in the United States and other
countries. Microsoft, ActiveX, Internet Explorer, JScript, Windows, Windows NT, and Windows Server are registered
trademarks and SQL Server is a trademark of Microsoft Corporation in the United States and other countries. Oracle, Java
and JavaScript are trademarks or registered trademarks of Oracle America, Inc. in the United States and other countries. All
other trademarks are the property of their respective owners.
This document and the software it describes are furnished under license as set forth in the License Agreement screen(s)
that may be shown during the installation process.
Except as permitted by such license or by the terms of this guide, no part of this document may be reproduced, stored,
transmitted, and translated, in any form and by any means, without the prior written consent of DigitalPersona. The
contents of this guide are furnished for informational use only and are subject to change without notice. Any mention of
third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a
recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party
products. DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or
liability for any errors or inaccuracies that may appear in it.
Technical Support
Upon your purchase of a Developer Support package (available from http://buy.digitalpersona.com), you are entitled to a
specified number of hours of telephone and email support.
Feedback
Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any
errors, omissions, or suggestions for future improvements. Please contact us at
TechPubs@digitalpersona.com
or
DigitalPersona, Inc.
720 Bay Road, Suite 100
Redwood City, California 94063
USA
(650) 474-4000
(650) 298-8313 Fax
Table of Contents
Introduction 8
Target Audience 8
System Requirements 9
Chapter Overview 9
Compatibility 10
What's new in this version? 10
Migrating from version 4.4.1 11
Additional Resources 12
Functional Overview 13
Deploying DigitalPersona Online 13
Using a DigitalPersona Online-Secured Web Application 13
Registering User Credentials 14
Authenticating with DigitalPersona Online 16
Account Modification 17
Additional client features 17
Introduction
The DigitalPersona Online Administrator Guide provides instructions on installing, configuring and utilizing
DigitalPersona Online, an end-to-end server and client software solution that enables businesses to provide
increased security to customers, partners and employees by adding the security of advanced fingerprint
authentication to their Web-based applications.
DigitalPersona Online also provides a sample website demonstrating its features and contains detailed
instructions showing developers how to quickly and easily integrate fingerprint authentication functionality
into a Web application using the DigitalPersona Online ActiveX control and its API.
There is also a companion document, the DigitalPersona Online Quick Start Guide, located in the Docs
directory within the product package. It may be used to quickly set up a prototype or demonstration site, and
can be used as a general reference when setting up your production environment. More detailed instructions
for setting up your production environment are provided later in this document.
Target Audience
This guide provides information and procedures for those who will install, configure and administer
DigitalPersona Online, as well as the developers who will create web-based applications incorporating
fingerprint authentication using this software.
Developers should have
A high-degree of familiarity with Microsoft Internet Information Server, which is required not only to
serve Web applications to users, but to run the code that provides the fingerprint authentication
functionality.
Basic knowledge of Microsoft SQL Server in order to create the required databases, tables, and fields
needed for DigitalPersona Online.
Strong programming skills in languages supported by Microsoft Internet Information Server (IIS) such as
Active Server Pages (ASP), JScript and VBScript.
Basic knowledge of HTML, JavaScript and ActiveX is also required in order to embed Online Client
components into your web application using the sample code provided with the DigitalPersona Online
Application Server SDK.
System Requirements
The major components may all be installed on the same computer for testing purposes. However, in most
scenarios, each major component (i.e. the Authentication Server, the sample Application Server and the SQL
Server) will be installed on separate computers. The list below shows recommended or minimum requirements
for the entire system. For specific requirements for each component, see the chapter on that component.
Microsoft Internet Information Server (IIS) 7 or 8 (Optional install requiring OS install disc)
Internet Explorer 8 - 11
Chapter Overview
Chapter 1, Introduction (this chapter), describes the target audience for this guide, lists system requirements
and provides an overview of each chapter in this document.
Chapter 2, Functional Overview, describes the software and hardware components that interoperate to provide
the fingerprint authentication functionality of DigitalPersona Online and an overview of a typical
DigitalPersona Online server and client deployment. It demonstrates how DigitalPersona Online operates from
an end-user's perspective and describes the functionality developers must incorporate in Web applications to
achieve fingerprint authentication functionality.
Chapter 3, Online Authentication Server, describes the Authentication Server, its installation and configuration.
Chapter 5, Online Application Server, describes the sample Application Server, its installation and configuration.
Chapter 4, Online Client Installation, describes the Online Client and the Developer Sample Site, including
installation instructions and an overview of the DigitalPersona Online ActiveX Control features.
Chapter 6, Code Integration Guidelines, describes how to use the ActiveX control, HTML and JavaScript to
facilitate the registration and authentication processes at the API level.
Chapter 7, ActiveX Control API Reference, provides the API documentation for properties, methods and events of
the ActiveX control that facilitates the authentication and registration process.
Appendix 8, Warranties and General Provisions, contains the DigitalPersona limited warranties and warranty
service and the general provisions statements.
An index is also included for your reference.
Compatibility
This product is compatible with DigitalPersona Pro Enterprise 5.5 and later.
DigitalPersona Online 5.5.0 Authentication and sample Application Servers are compatible with the
DigitalPersona Online Client, versions 4.4.1 and 5.5.0.
A new Templates table has been added to the UareUOnlineUsers database to store fingerprint templates
for multiple fingers. The update script migrates all existing fingerprint data to the new table
automatically.
Direct access to tables is eliminated; all data access logic is moved to stored procedures.
SQL server security is improved by using Windows Integrated Security for all database connections.
Safe password authentication - Uses better practices for safe password authentication (password hashing
vs clear text passwords) while keeping the sample code simple.
ASP programming - Uses better practices for ASP programming (master pages, server includes) to reduce
sample code base and get you closer to the essential logic.
Web programming - Uses better practices for web programming (CSS vs direct page scripting) to further
reduce the sample code base.
Additional Resources
The following additional resources are available to assist you in using this product.
Document or URL:
http://devportal.digitalpersona.com
http://www.digitalpersona.com/support/updates
Functional Overview
The DigitalPersona Online SDK allows you to control access to protected Web applications using fingerprint
authentication functionality. A DigitalPersona Online-secured application allows users to register
authentication credentials, including a user name, password and fingerprint, and provides a way for a user
to authenticate to the application using those credentials.
This chapter provides an overview of how DigitalPersona Online components are deployed to provide
fingerprint authentication functionality. In addition, it demonstrates the end-user experience when interacting
with a DigitalPersona Online-secured application.
[Figure: Authentication Server, Application Server]
The authentication server performs the authentication for authorized DigitalPersona Online-secured Web
applications, which are hosted on the application server. The client workstation must have the DigitalPersona
Online Client software and a U.are.U Fingerprint Reader to provide fingerprint authentication functionality to
users accessing DigitalPersona Online-secured Web applications.
Our sample implementation contains three Web pages. The first is where users can register their credentials,
such as fingerprints and/or passwords, to later be used for accessing a protected section of the Web site. Then,
in order to actually access the protected section, the site provides another Web page that allows a user to
authenticate to the site using their supplied credentials prior to accessing the protected section. Finally, a third
page gives registered users the ability to modify their credentials by registering another fingerprint.
NOTE: The examples described in this section are for instructional purposes only; they are not intended to
recommend any particular installation, configuration or deployment. DigitalPersona Online fingerprint
authentication functionality can be integrated in a variety of ways to suit the needs of any Web
application.
NOTE: A typical Web application will determine the authentication policy, not the user.
When presented with this page, the users can type their user name and password in the appropriate fields and
click the Register for DigitalPersona Online button to start the fingerprint registration process.
NOTE: Web applications can, of course, request other credential information, such as a PIN number.
When the DigitalPersona Online button is clicked, the Fingerprint Registration wizard launches, allowing the
users to choose a fingerprint to register. Then on-screen instructions guide them through the registration
process.
When users supply all required authentication credentials and submit the form, the registration data must be
processed by a component of the Web application to
Evaluate the supplied credentials against the authentication policy to ensure validity and completeness.
Determine whether the user is permitted to register with the Web application in order to gain access to
protected data or functions.
Add the authentication credentials to a database for later use during authentication.
A Web page that implements DigitalPersona Online registration functionality must also contain event handlers
to listen for events related to the registration process, as described in Fingerprint Registration Event Handler on
page 41.
Any Web page implementing fingerprint authentication must contain the necessary authentication credential
fields, which include the user name and any other field needed to fulfill the requirements of the authentication
policy.
The example in the previous figure allows a user to type their password and click the Logon with Password Only
button or simply touch the fingerprint reader to gain access to the protected section of the Web site. This
assumes the authentication policy permits these methods of authentication.
When the form is submitted, a component of the Web application must process the authentication data in the
following ways:
Evaluate the supplied credentials against the credentials required by the authentication policy for validity
and completeness.
Perform the authentication process to determine whether there is a match between the supplied
credentials and the stored credentials.
A Web page that implements DigitalPersona Online authentication functionality should contain event handlers
to listen for authentication events, which is described in detail in Fingerprint Authentication Event Handlers on
page 46.
Account Modification
The DigitalPersona Online SDK allows developers to provide account modification functionality for registered
users, where they can specify a new authentication policy or even change the fingerprint they use for
authentication.
The Web component that processes the new credential information must do the following:
Evaluate the supplied credentials against the credentials required by the authentication policy for validity
and completeness.
Add the new credentials to the database, ensuring that the records being updated correspond to the
appropriate user.
Similar to the registration process described in Registering User Credentials on page 14, event handlers should
be added to the account modification Web page to help facilitate the fingerprint registration process.
The DigitalPersona Online Authentication Server is a reliable and scalable back-end authentication server built
to provide fingerprint authentication for any DigitalPersona-secured web application.
This chapter provides instructions on the installation of the DigitalPersona Online Authentication Server,
including system requirements, setting up the requisite databases, configuring your web server to work with
DigitalPersona Online and uninstallation of the component.
This chapter covers the following topics relating to the DigitalPersona Online Authentication Server.
System Requirements
Deployment Considerations
Uninstallation
System Requirements
Before installing the DigitalPersona Online Authentication Server, ensure that your target computer meets the
minimum hardware and software requirements specified below.
Hardware Requirements
Following are the minimum hardware requirements:
Memory: 4 GB RAM on both the authentication database server and authentication server PCs
Software Requirements
Following are the minimum software requirements:
DigitalPersona Online servers
Microsoft Internet Information Server (IIS) 7 or 8 (Optional install requiring OS install disc)
Internet Explorer 8 - 11
4. When requested, enter the name of the database server you will be using with DigitalPersona Online.
5. Upon completion of the wizard, you will be asked to restart your system.
6. Create the Online database - During the installation of the Online Authentication Server, several SQL
scripts are copied to the target computer. They are also available in the DigitalPersona Online
Authentication Server\Database scripts folder of the product package.
These scripts can be used to create the databases used by the Online Authentication Server and the
Online Developer Sample Site. Alternatively, you can create the tables manually by following the detailed
instructions in the section Create the Authentication Server databases on page 22.
In your Microsoft SQL Server management tool, select File, Open and navigate to the following
directory on your computer: C:\Program Files\DigitalPersona\Online Server\SQLScripts
For new installations, execute the provided SQL scripts in the following order.
UareUOnlineSessions.db.5.5.0.sql
UareUOnlineSessions.sp.5.5.0.sql
UareUOnlineUsers.db.5.5.0.sql
UareUOnlineUsers.sp.5.5.0.sql
For upgrading an installation (from version 4.4.1 only), execute the provided SQL scripts in the
following order.
UareUOnlineSessions.db.5.5.0.upd.sql
UareUOnlineUsers.db.5.5.0.upd.sql
7. Configure IIS (refer to the section Configure IIS (Internet Information Server) on page 21).
2. Select Anonymous Authentication in the list. Then click Enable in the Actions pane. Click Edit, and in the
resulting dialog, select Application pool identity.
UareUOnlineUsers Database
Create the UareUOnlineUsers database, and then add the specified tables and their respective fields according
to the details provided in the following sections.
Applications Table
The Applications table contains the Application ID and Application Key used by application providers when
integrating DigitalPersona Online Server into their applications. In addition, you must specify the maximum
number of users allowed for a given application provider.
Create the Applications table, and then add these fields to it.
Fieldname    Type    Size   Nulls   Default   Key
App_Id       char    100    no                Primary, clustered
App_Key      char    100
Max_Users    int
Records table
The Records table contains data used in the authentication process. It stores the Record ID and the associated
fingerprint template and private key for use during the authentication and account modification processes. It
also stores the Application ID to associate a user record with an application provider.
Create the Records table, and then add these fields to it.
Fieldname    Type      Size   Nulls   Default         Key
RecordId     int       4      no      identity(1,1)
HexPrivKey   varchar   1400
HexPubKey    varchar   1400
App_Id       char      100    no                      foreign key, references Applications (App_Id)
Status       tinyint   1
The RecordId field of the Records table is a key field. It auto-increments (identity is set to true), starting at 1 (seed
equals 1), and increments by 1 (increment equals 1).
Templates table
The Templates table contains fingerprint templates required for fingerprint matching.
Fingerprint template data is stored in the Data field.
The Finger field keeps a finger number (N) as a bit field with 1 in the Nth position (i.e. 2^N). The finger numbers
go from 1 (left pinky) to 10 (right pinky).
The RecordId field associates the fingerprint template with an authentication record. There may be up to 10
templates stored for every record.
Create the Templates table, and then add these fields to it.
Fieldname   Type   Size   Nulls   Default   Key
RecordId    int    4      no                Foreign key, references Records (RecordId)
Data        text          no
Finger      int
UsageLog table
The UsageLog table contains data that allows you to monitor registration and authentication activity on your
DigitalPersona Online Server.
NOTE: Monitoring activity using the data in this table, as well a description of each field, is described in the
section Tracking System Usage on page 26.
Create the UsageLog table, and then add these fields to it.
Fieldname   Type       Size   Nulls   Default     Key
RecordId    int               no                  foreign key, references Records (RecordId)
LogNow      datetime          no      GetDate()
LogAgent    char       24
LogOper     char
SerialNum   char       48
UareUOnlineSessions Database
The UareUOnlineSessions database consists of only one table that contains information used by the
authentication server software to establish sessions between the client and the authentication server.
Session Table
Create the Session table, and then add these fields to it.
Fieldname   Type       Size   Nulls   Default         Key
SessionId   int               no      identity(1,1)   primary key
Nonce       int               no
DateTime    datetime          no      GetDate()
The SessionId field of the session table is a key field. It auto-increments (identity is set to true), starting at 1
(seed equals 1), and increments by 1 (increment equals 1).
When an application key is generated, it must be added to the appropriate fields in the authentication
server database.
8. Click Next. Click the Change the default database to button, and then in the list, click the database
name: UareUOnlineUsers or UareUOnlineSessions.
9. Click Next, and then click Finish.
10. Click the Test Data Source button to ensure the settings are correct. If they are not, repeat the steps in
this section; otherwise, click OK on each subsequent dialog box to close it.
Record ID. The record ID is logged in the recordid field after each operation and is associated with the
application ID in the records table of the UareUOnlineUsers database. This is beneficial if you are
providing authentication service to multiple application providers and require a way to identify which
operations belong to a specific application provider.
Event date and time. The date and time an operation is completed is logged in the lognow field.
Specifying a date range in a SQL query using the values in this field can group operations that correspond
to billing cycles, for example.
Operation type. The type of operation is logged in the logoper field, indicated by one of three
characters, R, A, or U, which indicates registration, authentication, or update (account modification),
respectively.
HTTP agent component name. Logged in the logagent field, the HTTP agent component name is used
in conjunction with the client IP address in the operation permission process described previously.
NOTE: These fields are not used to track system usage; they are only included in this table because they are
associated with each operation.
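The billing-cycle summary described above, as an added JavaScript example that is not part of the DigitalPersona guide: it joins constructed UsageLog rows to the Records table through recordid, restricts them to a lognow date range, and counts the R, A and U operations per application provider.

```javascript
// Added example (not DigitalPersona's code): summarises UsageLog rows per application
// provider for one billing period, using the recordid -> App_Id link in the Records table
// and the R/A/U codes in logoper. All rows below are constructed sample data.
const records = [
  { RecordId: 1, App_Id: "APP-EXAMPLE-A" },
  { RecordId: 2, App_Id: "APP-EXAMPLE-A" },
  { RecordId: 3, App_Id: "APP-EXAMPLE-B" },
];
const usageLog = [
  { RecordId: 1, LogNow: "2013-03-01T08:00:00Z", LogOper: "R", LogAgent: "appcontrol", SerialNum: "SN-0001" },
  { RecordId: 1, LogNow: "2013-03-02T09:15:00Z", LogOper: "A", LogAgent: "appcontrol", SerialNum: "SN-0001" },
  { RecordId: 2, LogNow: "2013-03-15T12:00:00Z", LogOper: "A", LogAgent: "appcontrol", SerialNum: "SN-0002" },
  { RecordId: 2, LogNow: "2013-03-20T12:00:00Z", LogOper: "U", LogAgent: "appcontrol", SerialNum: "SN-0002" },
  { RecordId: 3, LogNow: "2013-03-31T23:59:59Z", LogOper: "A", LogAgent: "appcontrol", SerialNum: "SN-0003" },
  { RecordId: 3, LogNow: "2013-04-01T00:00:00Z", LogOper: "A", LogAgent: "appcontrol", SerialNum: "SN-0003" }, // next cycle
  { RecordId: 9, LogNow: "2013-03-05T10:00:00Z", LogOper: "A", LogAgent: "appcontrol", SerialNum: "SN-0009" }, // no Records row
];
const OPER = { R: "registration", A: "authentication", U: "update" };

// Counts operations per App_Id for rows with LogNow in [from, to). Rows whose RecordId
// has no Records entry, or whose LogOper is not R/A/U, are counted under "unresolved"
// rather than dropped, because they indicate a broken foreign key or a faulty log writer.
function usageByApplication(logRows, recordRows, from, to) {
  const appOf = new Map(recordRows.map((r) => [r.RecordId, r.App_Id]));
  const start = Date.parse(from);
  const end = Date.parse(to);
  const out = { unresolved: 0 };
  for (const row of logRows) {
    const t = Date.parse(row.LogNow);
    if (!(t >= start && t < end)) continue; // outside the billing period
    const app = appOf.get(row.RecordId);
    const oper = OPER[row.LogOper];
    if (app === undefined || oper === undefined) {
      out.unresolved++;
      continue;
    }
    if (!out[app]) out[app] = { registration: 0, authentication: 0, update: 0 };
    out[app][oper]++;
  }
  return out;
}

// March 2013 billing cycle over the constructed rows.
const marchUsage = usageByApplication(usageLog, records, "2013-03-01T00:00:00Z", "2013-04-01T00:00:00Z");
```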
Deployment Considerations
This chapter discusses some of the areas that should be considered when planning the deployment of
DigitalPersona Online Server, such as security, privacy, application key generation, and software distribution. It
is intended for anyone who manages and is responsible for the deployment of the DigitalPersona Online
Server.
Maintain separate application provider and authentication server databases. Information in the
authentication server database can be directly linked to end-user personal information stored in an
application provider's database. By separating the data, the security of two databases must be
compromised instead of one, effectively doubling security.
Store the authentication server database on a computer that is only accessible by the authentication
server computer and not by the Internet. This will reduce the risk of unauthorized access to your
authentication server database by reducing remote access options. As an added security measure, you
should install firewall software between them.
When an application key is generated, it must be added to the appropriate fields in the Online
Authentication Server database.
Uninstallation
This section provides instructions for removing the Online Authentication Server software.
To remove the Online Authentication Server software
1. Open Control Panel, and then open Add/Remove Programs.
2. Click DigitalPersona Online Authentication Server, and then click the Change/Remove button.
A dialog box prompts you to confirm that you want to remove the software.
3. Click Yes to proceed.
A dialog box prompts you to close all open applications before proceeding with the removal of the
software.
4. Click OK.
When the software is removed, you are prompted to restart the computer.
5. Click OK to restart the computer and to complete removal of the authentication server software.
The DigitalPersona Online Client provides the user interface for fingerprint enrollment and matching, and
secure communications between the client, Online Authentication Server and the web server.
System Requirements
Before installing the DigitalPersona Online Authentication Server, ensure that your target computer meets the
minimum hardware and software requirements specified below.
Hardware Requirements
Following are the minimum hardware requirements:
Pentium processor
Software Requirements
Following are the minimum software requirements:
Installation
Installation of the DigitalPersona Online client provides your web application with the support files necessary
to display a basic functional UI for fingerprint enrollment, management and authentication. It does not provide
you with a complete client web application.
Your web application, developed using the Online API (see Chapter 7, ActiveX Control API Reference), will use
these files in conjunction with the code that you develop.
A sample web application/site demonstrating this UI is included in the installation of the DigitalPersona Online
sample Application Server. In order to test that the installed sample site is working correctly, you will need to
install the DigitalPersona Online client and connect a supported fingerprint reader to the client computer.
When deploying your web application, end-users will need to have the DigitalPersona Online Client and a
supported fingerprint reader installed on their computers in order to enable biometric authentication.
Although the Online client can be installed on the same computer as the Authentication and/or Application
Server for testing purposes, we suggest that you install this on a separate computer in order to verify
functionality over your network.
1. Install the DigitalPersona Online Client by running Setup.exe from the following location within the
product package: DigitalPersona Online Client\.
2. When the installation wizard launches, click Next.
3. Next, read the License Agreement. If you agree to its terms, click I accept the terms of this agreement
and then click Next.
4. On the next page, indicate the directory in which to install the client software and then click Next.
The installer copies the necessary client software files to the path you specified.
5. After the files are copied, click Finish to close the installer.
6. Reboot the PC when prompted.
7. Attach a supported fingerprint reader.
8. Open the Developer Sample Site in Internet Explorer by entering
http://<host_IP_Address>/Application.Server.Site, or
http://<host_name>/Application.Server.Site
9. Test the functionality of the sample site, or your own web application, including enrolling and deleting
fingerprints and using your fingerprints for authentication as applicable.
The DigitalPersona Online Application Server that you will install is a sample server component that works with
Microsoft IIS (Internet Information Services) Application Server to host web applications that utilize fingerprint
authentication provided by DigitalPersona Online.
Note that this sample component is for educational purposes only, and shows how the DigitalPersona Online
SDK may be used to create your application server and website. It is not intended for use in a production
environment.
This chapter covers the following topics relating to the sample DigitalPersona Online Application Server.
System Requirements
Uninstallation
System Requirements
Before installing the DigitalPersona Online Authentication Server, ensure that your target computer meets the
minimum hardware and software requirements specified below.
Hardware Requirements
Following are the minimum hardware requirements:
Memory: 4 GB RAM
Additional processors, memory and HD space may be required depending on application needs.
Software Requirements
Following are the minimum software requirements:
UareUExampleUsers.sql
3. Create the system DSN for the database - In Windows Explorer, navigate to C:\Program
Files\DigitalPersona\Online Server\SQLScripts and double click on UareUExampleUsers.reg to create the
DSN.
4. Configure IIS (refer to the section Configuring IIS (Internet Information Server) on page 34).
5. Configure the sample Application Server - Navigate to C:\inetpub\wwwroot\Application.Server.Site, and edit
the file AppConfig.js, changing "localhost" in the AuthServer and AppServer parameters to the name of
the computer where your database server is located. For external access, use the fully qualified computer
name.
2. Select Anonymous Authentication in the list. Then click Enable in the Actions pane. Click Edit, and in the
resulting dialog, select Application pool identity.
Uninstallation
This section provides instructions for removing the sample Online Application Server component.
To remove the sample Online Application Server software
1. Open Control Panel, and then open Add/Remove Programs.
2. Click DigitalPersona Online Application Server, and then click the Change/Remove button.
A dialog box prompts you to confirm that you want to remove the software.
3. Click Yes to proceed.
A dialog box prompts you to close all open applications before proceeding with the removal of the
software.
4. Click OK.
When the component is removed, you are prompted to restart the computer.
5. Click OK to restart the computer and to complete removal of the component.
This chapter describes the registration, authentication and account modification processes at the API level and
provides guidelines for using ActiveX, HTML and JavaScript to integrate DigitalPersona Online functionality in
your Web application.
Application ID, which is used by the authentication server to verify that your online application is
permitted to use the authentication service and is supplied by the authentication service provider.
The absolute URL of the online application component, appcontrol.asp, on the Web server.
Note: The previous Online Client 4.4.1 allowed use of only a host name and path without schema, and
used an additional Flag property to define the schema (HTTP or HTTPS).
The Online Client 5.5.0 supports the previous URL format, but also accepts a fully-defined URL with
schema, host name and path. This allows you to embed schema information in one place and simplifies
configuration. It is preferable to use the fully defined URL over the previous URL form, although the new
format is not supported by older clients.
Using this information, embed the code shown in the next two sections in every Web page that implements
DigitalPersona Online functionality.
?request=auth&username=<username>&password=<password>
?request=update&username=<username>&password=<password>
When ?request=auth is received, the handler ASP must generate an encrypted one-time password (OTP) using
the AppSvr.Nonce COM helper object. The helper accepts the user's public key stored in the database and the
application key, and produces the OTP (plain and hex-encoded) and an ephemeral encryption key (hex-encoded).
The plain OTP must be stored in the user's database record and validated during the next logon. The hex-encoded
OTP and encryption key must be returned together with the record ID in the response headers:
// Find the user and retrieve the associated Online record ID and public key.
db.GetUser(username, /*out*/ user);
var recordId = Trim(user("RecordId").Value + "");
var pubkey = user("PublicKey").Value || "";
...
var appControl = Server.CreateObject("AppSvr.Nonce");
/* Note: JScript doesn't support [out] parameters, so we pass nulls and retrieve data via
properties. VBasic supports [out] parameters, so you may pass references directly into the
Generate function. */
appControl.Generate(
pubkey,          // the user's public key from the database record
$Config.AppKey,  // your application key stored in configuration file/object
null,            // [out] hexNonce
null,            // [out] hexEncKey
null             // [out] otp
);
var otp = appControl.Nonce || "";
var hexNonce = appControl.HexNonce || "";
var hexEncKey = appControl.HexEncKey || "";
// store the user's one-time password in the database for verification at the next logon
db.SetOTPassword(username, otp);
// return the hex-encoded OTP, record ID and encryption key
Response.AddHeader("return1", hexNonce);
Response.AddHeader("return2", recordId);
Response.AddHeader("return3", hexEncKey);
IMPORTANT
The application key is case-sensitive. Failing to use the proper case will result in the inability of the Web
application to connect to the authentication server.
Don't forget to delete the one-time password from the database after it has been successfully used.
The password passed in the request is not a one-time password but the user's regular one. It is less secure
because it is passed in the POST request parameters as clear text every time the user logs on with a regular
password, which opens the possibility of replay attacks.
Registration
The function of the registration process is to acquire a fingerprint template from the user to be used as a
credential for authentication and store it, along with other data used during authentication, on the
authentication server.
The following figure shows the events and methods called during the registration process.
[Figure: registration events and methods. Methods: Register(). Events: RegistrationComplete(), RegistrationCancelled(). User interaction: the user completes the fingerprint registration process, or closes the registration dialog box.]
The Register method is called when a user (or the application) starts the registration process. When called,
the Registration dialog box opens, allowing a user to register a fingerprint.
When the user successfully completes the registration process, the fingerprint template, generated by the
client software from samples acquired by the reader, is stored in the authentication server database.
The authentication server generates a record ID and a public/private key pair. The private key and record ID are
stored on the authentication server database. Then, the public key and record ID are sent through the
RegistrationComplete event to the client.
Upon receiving the event, the client sends the public key and record ID, plus the username supplied on the
registration Web page, to the provider site database where they are stored.
If the user closes the Registration dialog box at any time during the registration process, the
RegistrationCancelled event is fired and registration is cancelled.
The HTML code creates a form that allows a user to supply their user name, password and the authentication
policy to use when authenticating to a DigitalPersona Online-enabled Web application. There are two buttons:
the first for initiating the fingerprint registration process and the second for submitting the registration form
data, that is, both the registered fingerprints and the user name, password and authentication policy
setting.
When the first button is clicked, the event handler that starts the fingerprint registration process is called, as
described in Fingerprint Registration Event Handler on page 41.
When the FORM is submitted, an event handler is called to ensure the supplied credentials match the required
authentication policy setting. For example, if the authentication policy requires both a fingerprint and a
password, but only a fingerprint was registered, the event handler should inform the user and stop the form
from being submitted to the form processor application component. An example of such an event handler is
described in Registration Form Event Handler on page 42.
If the supplied credentials are complete, the form forwards the request data to the Web application component
(supplied by the action attribute in the FORM tag), which then should store the username, password, recordid,
pubkey, and policy data in the DigitalPersona Online database.
NOTE: In the example code in the previous figure, the user is given the option to choose the authentication
policy; however, the authentication policy can be set explicitly in the Web component handling the
registration process request data.
The credentials in the form should be added to the table created in the DigitalPersona Online database.
In the startEnrollment event handler code, you must write the error handling routine for instances where the
DigitalPersona Online Client software is not installed.
If the registration process was successfully completed, the OnRegistrationComplete function is called:
function OnRegistrationComplete(recid, pubkey)
{
if (recid != 0) {
document.forms.updateform.pubkey.value = pubkey;
document.forms.updateform.recordid.value = recid;
}
}
The OnRegistrationComplete function stores in hidden fields the public key and record ID received by the
event for later reference by the application provider site script, for example, RegisterExisting.asp.
If the registration process was cancelled, the OnRegistrationCancelled() function is called, which resets the
record ID and public key values:
function OnRegistrationCancelled() {
document.forms.regform.pubkey.value = "";
document.forms.regform.recordid.value = "";
}
The checkresults function ensures that the username and password fields are not empty and that a
fingerprint was supplied if it is required by the authentication policy.
Authentication
The process of authentication involves matching the fingerprint template stored on the authentication server
(which is acquired at registration) to a fingerprint template acquired by the client at the time of authentication.
The events and methods are illustrated in the following figure and are followed by a description of their roles in
the authentication process.
[Figure: authentication events and methods. Methods: InitAuthentication(), CompleteAuthentication(). Events: AuthServerReady(), BadVersion(), CredentialsComplete(), EnterUser(), EnterPassword()*, InvalidUser(), InvalidPassword()*, NotRegistered(), AuthenticationFailed(), AuthenticationComplete(). User interaction: the user supplies a fingerprint credential. * handler sets mpassword; the EnterUser and InvalidUser handlers set muser.]
Before the user authenticates, the InitAuthentication method is called by either the user or Web
application. This method checks the version of DigitalPersona Online running on the client with the version on
the authentication server to verify compatibility. If the versions are compatible, then the AuthServerReady
event is fired and authentication proceeds; otherwise, the BadVersion event is fired.
When the user is prompted for (and supplies) a registered fingerprint, the CredentialsComplete event is
fired and the fingerprint template and the username (and password, if applicable) are passed to the
CompleteAuthentication method.
If credentials or other information are missing or invalid, five events can be fired, depending on the nature of
the error:
The EnterUser event is fired if a username was not supplied. If this occurs, you can supply a method for
the user to supply their username and set the Muser property to that value to resume authentication.
The EnterPassword event is fired if the password was not supplied and is required by the
authentication policy. In this case, you can supply a method for the user to supply their password and set
the Mpassword property to this value to resume authentication.
The InvalidUser event is fired if the user is not registered with the application provider site. The
application can set the Muser property to empty to cancel authentication or set it to the name of an
existing account. The control then fires the CredentialsComplete event again to restart
authentication without acquiring a new fingerprint template.
The InvalidPassword event is fired if the password, which is required by the authentication policy,
was checked but found to be invalid. The application can set the Mpassword property to empty to
cancel authentication or set it to a valid password for the given user. The control then fires the
CredentialsComplete event again to restart authentication without acquiring a new fingerprint
template.
The NotRegistered event is fired if the user has an account but has not registered a fingerprint. The
application can prompt the user to register a fingerprint by redirecting them to the registration page.
If the supplied credentials are neither missing nor invalid, this method retrieves the associated record ID from
the application provider site and generates a one-time password, which is then encrypted with two keys: one is
the Application Key (provided by the authentication server provider) and the other is a session key encrypted
using the public key generated at registration, as described in Registration on page 39. The client forwards
the record ID, one-time password and session key, plus the fingerprint template, to the authentication
server.
The authentication server compares the stored fingerprint template with the one sent by the client. If the
fingerprint templates do not match, the AuthenticationFailed event is fired.
If the fingerprint templates match, the authentication server decrypts the session key using the stored private
key (acquired at registration, as described in Registration on page 39) and then decrypts the one-time password
with the decrypted session key in conjunction with the application key. The decrypted one-time password is
then sent to the client through the AuthenticationComplete event. The client then forwards the one-time
password to the application provider site. The application provider site compares the one-time password it
generated to the one it just received from the client. If they match, authentication is successful.
<body onLoad="OnLoad();">
<script type="text/javascript">
function isIE() { return ("ActiveXObject" in window); }
function OnLoad() {
if (!isIE()) {
/* This browser doesn't support ActiveX, handle the error */
return;
}
if (!window.uareuonline || !window.uareuonline.Loaded) {
/* The Online Client is not loaded, handle the error */
return;
}
uareuonline.InitAuthentication();
}
</script>
Following is the HTML code for a form on the Web page that implements authentication functionality:
<form method="POST" id="logonform" action="[authentication processor component]">
<input type="hidden" name="otp" />
<input type="text" name="username" size="25" />
<input type="password" name="password" size="50" />
<!-- the button must not be named "submit": that would shadow the form's submit() method -->
<input type="button" value="Submit" name="submitbutton" onClick="[handler()]" />
</form>
When submitted, the form should forward the request data to the Web application component that processes
authentication, which then should compare the request data with the credentials stored in the table created in
the DigitalPersona Online database. The comparison should not only be based on a credential match, but also on
the authentication policy applied to the user account.
The authentication processor Web component should check the DigitalPersona Online database for the
existence of the user, get the authentication policy and then query the database based on the policy for the
authentication credentials to use for a match.
The OnAuthServerReady function displays the username of the last person to authenticate (with the
uname property) and provides the developer an opportunity to indicate to the user that authentication is
ready, such as displaying a graphical animation, an alert or other indication.
Then, the DigitalPersona Online Client software version is checked to ensure that it matches the version of the
authentication server software. If they do not match, the BadVersion event is fired, which calls the
OnBadVersion function, in which you must write code that displays the error message for this event:
function OnBadVersion()
{
/* display a message telling that the client is obsolete and that a new one needs
to be downloaded */
}
Otherwise, when users submit a registered fingerprint, the CredentialsComplete event is fired, which is
handled by the OnCredComplete function:
function OnCredComplete()
{
uareuonline.CompleteAuthentication(
document.forms.logonform.username.value,
document.forms.logonform.password.value);
}
The OnCredComplete function calls the CompleteAuthentication method with the username and
password.
If authentication fails because the acquired fingerprint template does not match a template on the
authentication server, the AuthFailed event runs the OnAuthFailed function, in which you can inform the
user that authentication failed:
function OnAuthFailed()
{
/* display a message telling the client that a match was not found */
}
If authentication is successful, the AuthComplete event is fired, which calls the OnAuthComplete handler
function to submit the form to the authentication processor component:
function OnAuthComplete(otp)
{
document.forms.logonform.otp.value = otp;
// submit immediately:
// document.logonform.submit();
// or show visual feedback to notify about the successful match
// and delay the submit so the user can see the good-fingerprint checkmark
setStatus("good"); // the page's own status-display helper (not shown here)
setTimeout(function () { document.logonform.submit(); }, 1000);
}
The decrypted one-time password sent to this function is stored in a hidden field and the handler calls the
submit method of the form to pass the authentication credentials to the authentication processor
component.
While the CompleteAuthentication method executes, one of five events could be fired in the case of
missing or invalid credentials and other information.
If the user name is empty, the EnterUser event is fired, which runs the OnEnterUser function:
function OnEnterUser()
{
var elname = prompt("Please enter your username:", "") || "";
document.forms.logonform.username.value = elname;
uareuonline.muser = elname;
}
This function prompts the user for their username and sets the muser property to this value so the
authentication process can resume.
If the password is not supplied, but the authentication policy requires it, the EnterPassword event is fired,
which calls the OnEnterPassword function:
function OnEnterPassword()
{
var pwd = prompt("In addition, your password is required for logon. Password:",
"") || "";
document.forms.logonform.password.value = pwd;
uareuonline.mpassword = pwd;
}
The OnEnterPassword function prompts the user for the password and sets the mpassword property to
the supplied value and resumes authentication.
If the supplied username is invalid, the InvalidUser event is fired, which calls the OnInvalidUser
function:
function OnInvalidUser()
{
var elname = prompt("INVALID USERNAME - Please enter your username:", "") || "";
document.forms.logonform.username.value = elname;
uareuonline.muser = elname;
}
The OnInvalidUser function prompts the user for a valid username and sets the muser property to this
value and resumes authentication.
If a password is required by the authentication policy and the supplied password is invalid, the
InvalidPassword event is fired, which calls the OnInvalidPassword function:
function OnInvalidPassword()
{
var pwd = prompt("Your password did not match, please try again. Password:", "")
|| "";
document.forms.logonform.password.value = pwd;
uareuonline.mpassword = pwd;
}
The OnInvalidPassword function prompts the user for a valid password, sets the mpassword
property to this value and resumes authentication.
If the user supplies a fingerprint and it is not registered, the NotRegistered event is fired, which calls the
OnNotRegistered function:
function OnNotRegistered()
{
if (confirm(
"This account is not registered for use with the U.are.U Online authentication server.\n\n" +
"Click OK to proceed with registration.")
){
window.location = "[existing registration component]";
}
}
The OnNotRegistered function displays a dialog box that lets the user choose between registering a
fingerprint (using the existing registration component, as described in Account Modification on page 49)
and cancelling authentication.
Account Modification
Account Modification allows an already registered user to replace an existing registered fingerprint with a new
one. The following illustration shows the events and methods of the account modification process.
[Figure: account modification events and methods. Methods: Update(). Events: EnterUser(), EnterPassword(), InvalidUser(), InvalidPassword(), RegistrationComplete(), RegistrationCancelled(). User interaction: the user supplies a fingerprint credential, or closes the registration dialog box.]
When a Web application calls the Update method, which passes the user name and password as parameters,
the ActiveX control acquires the record ID from the application provider site and ensures the password is valid.
If the information supplied to the Update method is incomplete or invalid, one of four events is fired:
The EnterUser event is fired if a username was not supplied. If this occurs, you can supply a method for
the user to supply their username and set the muser property to that value to resume authentication.
The EnterPassword event is fired if the password was not supplied and is required by the
authentication policy. In this case, you can supply a method for the user to supply their password and set
the Mpassword property to this value to resume authentication.
The InvalidUser event is fired if the user is not registered with the application provider site. The
application can set the muser property to empty to cancel authentication or set it to the name of an
existing account. The control then fires the CredentialsComplete event again to restart
authentication without acquiring a new fingerprint template.
The InvalidPassword event is fired if the password, which is required by the authentication policy,
was checked but found to be invalid. The application can set the Mpassword property to empty to
cancel authentication or set it to a valid password for the given user. The control then fires the
CredentialsComplete event again to restart authentication without acquiring a new fingerprint
template.
If the user closes the Registration dialog box at any time, the RegistrationCancelled event is fired.
If the information supplied is complete and valid, the Registration dialog box opens, allowing the user to select
and register a new fingerprint. When the user completes the fingerprint registration successfully, the
RegistrationComplete event is fired and the client forwards the acquired fingerprint template and the
record ID to the authentication server.
The authentication server replaces the stored fingerprint template associated with the record ID with the one
sent by the client. If no record ID exists, the authentication server generates a new record ID and a new key pair.
The public key is then reused as a parameter in the event function.
Following is HTML code for a FORM on a Web page where users register new fingerprints, their user name and
password and specify a new authentication policy (if allowed by the developer):
<form method="POST" id="updateform" action="[account modification processor Web component]">
<input type="hidden" name="recordid" />
<input type="hidden" name="pubkey" size="800" />
<input type="text" name="username" size="25" />
<input type="password" name="password" size="50" />
<select size="1" name="policy">
<option selected>Password or Fingerprint</option>
<option>Fingerprint Only</option>
<option>Fingerprint and Password</option>
</select>
<input type="button" value="Register" name="startreg" onClick="startEnrollment(this.form);" />
<!-- the button must not be named "submit": that would shadow the form's submit() method -->
<input type="button" value="Submit" name="submitbutton" onClick="[handler()]" />
</form>
Before modifying the credential database, the account modification processor component should check for
the existence of the user and the validity of the submitted credentials. If they are valid, the credentials can be
updated in the DigitalPersona Online database, matching on the user name, which is identical in the database
and the FORM.
The startEnrollment function ensures the ActiveX control is loaded (with code specific to each browser) and
calls the Update method to initiate the registration process.
function OnRegCancelled()
{
document.updateform.startreg.checked = false;
document.updateform.pubkey.value = "";
document.updateform.recordid.value = "";
window.status = "Registration cancelled";
}
The OnRegCancelled function resets the public key and record ID fields.
If the user successfully completed the registration process, the RegistrationComplete event is fired, which
calls the hndRegDone function:
function hndRegDone(recid,pubkey)
{
if (recid != 0) {
document.updateform.startreg.checked = true;
document.updateform.pubkey.value = pubkey;
document.updateform.recordid.value = recid;
}
}
The hndRegDone function stores in hidden fields the public key and record ID received by the event for later
reference by the application provider site script, for example, registerexisting.asp or registerexisting.jsp.
The checkresults function checks the validity of the supplied credentials and other information before
proceeding with the account modification process. If a fingerprint is required by the authentication policy and
it was supplied and the username and password are not missing, the submit method of the form object is
called, which triggers the addexisting.asp (or .jsp) script.
While the Update method executes, one of five events could be fired in the case of missing or invalid
credentials and other information.
If the user name is empty, the EnterUser event is fired, which calls the hndEnterUser function:
function hndEnterUser()
{
var elname = prompt("Please enter your username:", "") || "";
document.forms.updateform.username.value = elname;
uareuonline.muser = elname;
}
This function prompts the user for their username and sets the muser property to this value so that the
account modification process can resume.
If a password is not supplied, but the authentication policy requires one, the EnterPassword event is fired,
which calls the OnEnterPassword function:
function OnEnterPassword()
{
var pwd = prompt("In addition, your password is required for logon. Password:",
"") || "";
document.forms.updateform.password.value = pwd;
uareuonline.mpassword = pwd;
}
The OnEnterPassword function prompts the user for the password, sets the mpassword property to the
supplied value and resumes authentication.
If the supplied username is invalid, the InvalidUser event is fired, which calls the OnInvalidUser
function:
function OnInvalidUser()
{
var elname = prompt("INVALID USERNAME - Please enter your username:", "") || "";
document.forms.updateform.username.value = elname;
uareuonline.muser = elname;
}
The OnInvalidUser function prompts the user for a valid username, sets the muser property to this value
and resumes authentication.
If a password is required by the authentication policy and the supplied password is invalid, the
InvalidPassword event is fired, which calls the OnInvalidPassword function:
function OnInvalidPassword()
{
var pwd = prompt("Your password did not match, please try again. Password:", "")
|| "";
document.forms.updateform.password.value = pwd;
uareuonline.mpassword = pwd;
}
The OnInvalidPassword function prompts the user for a valid password, sets the mpassword property
to this value and resumes authentication.
This chapter describes the functions, events, properties and error codes associated with the DigitalPersona
Online ActiveX Control.
DpOnlineClient.DpOnline
This component facilitates communication between the application provider site and authentication server
site to DigitalPersona Online Server functionality. It contains methods and properties to register fingerprint
templates and provides a way for registered fingerprint templates to be used for authentication and to update
the fingerprint template for an already registered one.
Interface
IDpOnline
Event Interface
_IDpOnlineEvents
Methods
InitAuthentication()
Initializes the authentication process, verifies the compatibility of the client version with that of the
authentication server and initiates the authentication session. If the session is established, then the
AuthServerReady event is fired.
CompleteAuthentication([in]BSTR username,[in]BSTR password)
This method is called after the CredentialsComplete event has been received, which notifies the caller
that a fingerprint template has been acquired. When this method is called, the authentication process takes
place, the session is verified (established when the InitAuthentication method is called), the supplied
template is matched against the one stored in the authentication server database and the one-time password
is decrypted and returned to the caller through the AuthenticationComplete event. This event is fired
only if a successful matching occurs; otherwise, the AuthenticationFailed event is fired. The
username parameter contains the name of the user whose fingerprint has to be verified and the password
parameter is the password for the same user. The password parameter is mandatory only if the specified
user has a policy for the authentication that requires fingerprint and password together.
Register()
Starts the fingerprint registration process. Calling this method displays the registration dialog and creates a
session with the authentication server. When the fingerprint template is generated, it is stored in the
authentication server database and a new recordid and public key are returned to the caller when the
RegistrationComplete event is fired. If the user cancels registration, the RegistrationCancelled
event is fired.
Update([in]BSTR username,[in]BSTR password)
Starts the account modification process. Calling this method displays the registration dialog and creates a
session with the authentication server. When the fingerprint template is generated, it is sent to the
authentication server together with the recordid associated with the existing account and the new fingerprint
template replaces the existing one in the authentication server database. The recordid can be null if the
Update function is used with an account for which no fingerprint was registered at the time it was created.
When the account modification process is completed successfully, the RegistrationComplete event is
fired to the caller. If the user cancels registration, the RegistrationCancelled event is fired. The
username parameter is the name of the user whose account needs to be updated and password is the
password the user supplied at the time the account was created. The password parameter is mandatory in
order to successfully complete the account update function.
Properties
AuthServerAddress(BSTR)
The URL of the authentication server.
Compatibility note:
Online Client 4.4.1 accepted only a host name, without schema or path; it used the hardcoded path
/uareuonlineserver/request.asp and an additional Flags property to define the schema (HTTP or HTTPS).
Online Client 5.5.0 supports the previous format but also accepts a fully-defined URL with schema, host
name and path. This adds flexibility to the location of the authentication server and simplifies configuration.
The full URL is preferred over the old form, though it is not supported by older Clients.
AppId(BSTR)
The ID of your application given by the authentication service provider.
AppAddress(BSTR)
The full path to the AppControl.asp or AppControl.jsp script, for example, www.yourwebsite.com/yourappdir/
AppControl.asp.
Compatibility note:
Online Client 4.4.1 accepted only a host name and path without schema, and used an additional Flags
property to define the schema (HTTP or HTTPS).
Online Client 5.5.0 supports the previous URL format but also accepts a fully-defined URL with schema, host
name and path. This allows the schema to be specified in one place and simplifies configuration. The full URL
form is not supported by older Clients.
Flags(int)
This property defines the operational modes of the ActiveX control. Two values are defined for this
property, 256 and 2048, which can be combined with a bitwise OR. If set to 256, the ActiveX control uses the
HTTPS protocol to communicate with the authentication server. If set to both 256 and 2048, the ActiveX control
uses the HTTPS protocol to communicate with both the authentication server and the Web server. The
default value is 0 and indicates that the HTTP protocol is used for both servers.
Note:
Online Client 5.5.0 allows the protocol to be given in the URL itself. This lets the schema be specified in one
place and simplifies configuration. It is not supported by older Clients.
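How AuthServerAddress, AppAddress and the Flags bits combine into the two endpoints, as an added Node.js example (not DigitalPersona's code): it handles both the legacy host-only form and the 5.5.0 full-URL form and reports any endpoint left on plain HTTP, where the password and the one-time password travel in the clear. The legacy path /uareuonlineserver/request.asp and the values 256 and 2048 come from the text; the function and field names, and the reading that 2048 only takes effect together with 256, are this example's assumptions.

```javascript
const FLAG_HTTPS_AUTH = 256;  // HTTPS to the authentication server
const FLAG_HTTPS_WEB = 2048;  // together with 256: HTTPS to the Web server as well
const LEGACY_AUTH_PATH = "/uareuonlineserver/request.asp"; // path hardcoded by Client 4.4.1

function hasScheme(address) {
  return /^https?:\/\//i.test(address);
}

// Turns a legacy "host[/path]" value into a full URL using the scheme chosen by Flags.
function legacyToUrl(address, https, defaultPath) {
  const slash = address.indexOf("/");
  const host = slash === -1 ? address : address.slice(0, slash);
  const path = slash === -1 ? defaultPath : address.slice(slash);
  return (https ? "https://" : "http://") + host + path;
}

// Resolves the authentication server and application server endpoints from the
// three control properties and lists the ones that would use plain HTTP.
function resolveEndpoints({ authServerAddress, appAddress, flags = 0 }) {
  const httpsAuth = (flags & FLAG_HTTPS_AUTH) !== 0;
  const httpsWeb = httpsAuth && (flags & FLAG_HTTPS_WEB) !== 0; // assumed: 2048 needs 256

  // A full URL (5.5.0 form) carries its own scheme and is used as given;
  // the legacy form gets its scheme from Flags and, for the auth server, the fixed path.
  const authServer = hasScheme(authServerAddress)
    ? authServerAddress
    : legacyToUrl(authServerAddress, httpsAuth, LEGACY_AUTH_PATH);
  const appServer = hasScheme(appAddress)
    ? appAddress
    : legacyToUrl(appAddress, httpsWeb, "");

  const warnings = [];
  for (const [name, url] of [["AuthServerAddress", authServer], ["AppAddress", appServer]]) {
    if (!url.toLowerCase().startsWith("https://")) {
      warnings.push(name + " uses plain HTTP: " + url);
    }
  }
  return { authServer, appServer, warnings };
}
```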
Loaded(VARIANT_BOOL)
This is a read-only property that can be used to check whether the control has been successfully loaded and
initialized.
Muser(BSTR)
The Muser property can be set upon receiving the EnterUser or InvalidUser event. These events
are fired when the information supplied with the CompleteAuthentication or Update methods are
either missing or invalid. Handling these events gives the programmer a chance to prompt the user to correct
the error; setting this property within the handler allows the control to resume the authentication or the
update process. Setting the property to the empty string cancels the operation.
Mpassword(BSTR)
The Mpassword property can be set upon receiving the EnterPassword or InvalidPassword
events. These events are fired when the information supplied with the CompleteAuthentication or
Update methods are either missing or incomplete. The password is always checked during the account
update procedure whereas during the authentication it is checked only if the policy for that user is Fingerprint
And Password. Handling these events gives the programmer a chance to prompt the user to correct the error;
setting this property within the handler allows the control to resume the authentication or the update process.
Setting the property to the empty string cancels the operation.
Event Methods
AuthenticationComplete([in] BSTR otp)
The server has completed the authentication process, the fingerprint match is successful and the one-time
password otp has been decrypted. This one-time password now has to be sent to your site to be checked by
the logon script (processlogon.asp or .jsp in the sample site).
AuthenticationFailed()
The authentication operation has failed because the fingerprint matching was unsuccessful.
AuthServerReady([in] BSTR username)
After the InitAuthentication method has been called, the client version is checked against the version
required by the authentication server, the fingerprint reader is ready to acquire a fingerprint and a session has
been established with the authentication server. At this point, if everything is OK, the event is fired and the
username parameter contains the name of the last user that performed an authentication.
BadVersion()
After the InitAuthentication method has been called, the client version is checked against the version
required by the authentication server. If the two do not match, the BadVersion event is fired.
CredentialsComplete()
This event is fired when the reader has acquired a fingerprint sample and a fingerprint template has been
successfully created out of it. At this point the code of the handler must call the
CompleteAuthentication method in order for the authentication to take place.
EnterPassword()
This event is fired during authentication when the password is missing but is required by the account you
are trying to authenticate, and always during an account update when the password is missing.
EnterUser()
This event is fired during authentication or an account update when the username is missing.
InvalidPassword()
This event is fired during authentication when the password is invalid and is required by the account you
are trying to authenticate, and always during an account update when the password is invalid.
InvalidUser()
This event is fired during authentication or an account update when the username is invalid.
NotRegistered()
This event is fired during the authentication when the account exists but there is no fingerprint stored in the
authentication server database.
RegistrationCancelled()
This event is fired when, during the registration or the account update process, the user clicks on the close
button of the enrollment dialog.
RegistrationComplete([in] BSTR recordid, [in] BSTR pubkey)
This event is fired when the registration or the account update process has been completed. In the case of
registration of a new account, the recordid parameter contains the recordid generated for the new user in
the authentication server database and the pubkey parameter contains the public key associated with it.
These two pieces of information must be sent to your site to be stored together with the username of the new
user, the policy and the password. In the case of an account update, the recordid parameter is the one that was
initially assigned to the existing user and the pubkey parameter is empty because the public key does not
change. The only update is done in the authentication server database, where the new fingerprint template is
stored. You can still call your site to update the password and the policy for the account (addexisiting.asp or
jsp).
SysError([in] int code, [in] BSTR descr)
An error condition occurred during the execution of one of the methods. The code parameter is the error
code and the descr parameter contains a brief description of the error condition. See the next section for
details of the error codes.
SysError Codes
1. The authentication server cannot be contacted. Ensure the authentication server is up and running and
that the AuthServerAddress property is initialized with the URL of the authentication server you
want to use.
2. No session has been established with the authentication server. Contact your authentication service
provider.
3. The AppAddress property has not been initialized.
4. The application provider site (your site) cannot be contacted or the AppControl.asp (or AppControl.jsp)
script cannot be executed. Make sure your Web server is set up correctly and that the AppAddress
property has been initialized with the correct path to the script.
5. An exception occurred during the execution of the control.
6. The maximum number of registered users has been reached based on the agreement with the
authentication service provider.
7. The fingerprint reader is not connected. Connect the reader. Make sure that the fingerprint reader is
plugged in and that the software is installed.
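The following is an added example, not code from the DigitalPersona guide or sample site: it wires the Muser/Mpassword cancel-or-resume protocol, the event methods and the SysError code table above into handler logic. The control, the `prompt` and `post` functions and the `register.asp` script name are assumptions so that the logic runs outside Internet Explorer; attaching the real ActiveX events to these handlers is left to the page.

```javascript
// Added example (not from the DigitalPersona guide): handler logic for the
// DpOnline control events and the Muser/Mpassword properties. The control,
// prompt and post functions are injected so it runs outside Internet Explorer.

// Texts for the SysError codes 1..7 listed in the guide.
const SYS_ERROR_TEXT = {
  1: "authentication server cannot be contacted; check AuthServerAddress",
  2: "no session established with the authentication server",
  3: "AppAddress property not initialized",
  4: "application site or AppControl script cannot be reached",
  5: "exception during control execution",
  6: "maximum number of registered users reached",
  7: "fingerprint reader not connected",
};

// Map a SysError(code, descr) event to a message; unknown codes are shown
// verbatim rather than dropped, so nothing fails silently.
function describeSysError(code, descr) {
  const known = SYS_ERROR_TEXT[code];
  return known ? `SysError ${code}: ${known} (${descr})` : `SysError ${code}: ${descr}`;
}

// Build handlers for one control instance. prompt(label) returns the user's
// input ("" cancels the operation, as documented for Muser/Mpassword);
// post(script, fields) sends fields to a script on the application site.
function makeHandlers(control, prompt, post) {
  return {
    EnterUser: () => (control.Muser = prompt("username")),
    InvalidUser: () => (control.Muser = prompt("username (invalid)")),
    EnterPassword: () => (control.Mpassword = prompt("password")),
    InvalidPassword: () => (control.Mpassword = prompt("password (invalid)")),
    // Template built from the sample: ask the server to perform the match.
    CredentialsComplete: () => control.CompleteAuthentication(),
    // The decrypted one-time password only means something once the logon
    // script on the site has checked it; the client never decides the logon.
    AuthenticationComplete: (otp) => post("processlogon.asp", { otp }),
    AuthenticationFailed: () => "fingerprint did not match",
    // New account: store recordid and pubkey with username, policy and
    // password; on an update pubkey is empty. "register.asp" is hypothetical.
    RegistrationComplete: (recordid, pubkey) =>
      post("register.asp", { recordid, pubkey, newAccount: pubkey !== "" }),
    SysError: (code, descr) => describeSysError(code, descr),
  };
}

// Stand-in for the ActiveX event sink: replay recorded events in order.
function dispatch(handlers, events) {
  return events.map(([name, ...args]) => handlers[name](...args));
}
```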
Library
DpOnlineClient.dll
General Provisions
criminal activity, moisture, shipping, or high voltage surges from external sources such as power lines or other
connected equipment. This warranty also does not apply to any product with an altered or defaced serial
number. Opening the READER automatically voids this warranty.
Disclaimer of Warranties. EXCEPT FOR THE FOREGOING LIMITED WARRANTIES, DIGITALPERSONA MAKES NO
OTHER EXPRESS OR IMPLIED WARRANTIES TO THE MAXIMUM EXTENT PERMITTED BY LAW AND SPECIFICALLY
DISCLAIMS THE WARRANTIES OF QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND
NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH REGARDS TO THE SYSTEM AS WELL AS ANY PROVISION OF
OR FAILURE TO PROVIDE SUPPORT SERVICES. IF SUCH DISCLAIMER OF ANY IMPLIED WARRANTY IS NOT
PERMITTED BY LAW, THE DURATION OF ANY SUCH IMPLIED WARRANTY IS LIMITED TO NINERY (90) DAYS FROM
THE DATE OF DELIVERY. SOME JURISDICTIONS DO NOT ALLOW SUCH EXCLUSIONS OR LIMITATIONS, SO THEY
MAY NOT APPLY TO YOU. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO
HAVE OTHER RIGHTS, WHICH VARY FROM JURISDICTION TO JURISDICTION.
Limitation on Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL
DIGITALPERSONA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE
OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
BUSINESS PROFITS, GOODWILL, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, BREACH OF
COMPUTER SECURITY SYSTEMS OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY
TO USE THE SYSTEM EVEN IF DIGITALPERSONA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE ENTIRE RISK OF ACCURACY AND SATISFACTORY PERFORMANCE OF THE SYSTEM IS WITH YOU.
DIGITALPERSONA DOES NOT GUARANTEE THAT THE SYSTEM WILL MEET ALL YOUR REQUIREMENTS OR ALL
REQUIREMENTS OF THE SOFTWARE OR HARDWARE WITH WHICH IT INTERACTS. IN NO EVENT WILL
DIGITALPERSONA'S LIABILITY FOR ANY CLAIM, WHETHER IN CONTRACT, TORT OR ANY OTHER THEORY OF
LIABILITY, EXCEED THE PURCHASE PRICE OF THE SYSTEM PAID BY YOU. Some jurisdictions do not allow these
exclusions or limitations, so such exclusions or limitations may not apply to you. The above limitations will not
apply in case of personal injury in countries other than U.S.A. and Canada only if and to the extent that such
limitations are expressly prohibited by applicable law.
Hazardous Use. The SYSTEM is not designed, made, or intended for use in an application where failure,
malfunction or inaccuracy of the SYSTEM may cause death, serious bodily injury, including, without limitation,
medical equipment, nuclear facilities, aircraft operation, air traffic control, life support. Any such use is
prohibited without the prior written consent of DigitalPersona. You agree that neither DigitalPersona nor its
suppliers, distributors or resellers will be liable, in whole or in part, for any claims, losses, costs or damages
arising out of or in connection with the use and performance of the SYSTEM in such applications. If you use the
SYSTEM for such applications without DigitalPersona's consent, you agree to indemnify, defend and hold
DigitalPersona harmless from all claims, actions, losses, liabilities, damages, costs and expenses (including
attorney fees) arising out of or relating to such prohibited uses.
Reverse Engineering. You may not reverse engineer, de-compile, or dis-assemble the SYSTEM in whole or in
part; nor shall you attempt to recreate the source code from the object code of the SOFTWARE PRODUCT. Any
other activity regarding the form or substance of the SYSTEM will be allowed only to the extent such activity is
expressly permitted by applicable law.
Export Controls. You agree that you will not directly or indirectly export the SYSTEM and related technical data
in violation of Export Administration regulations of the U.S. Department of Commerce and other applicable
laws. You further agree that you will not export, re-export, divert or transfer the SYSTEM (a) into, or to a national
or resident of any country to which the United States has embargoed goods, (b) or to anyone included in the
U.S. government List of Specially Designated Nationals, the Table of Denial Orders, the Entity List, (c) or to
anyone involved in the manufacturing and proliferation of weapons in violation of U.S. applicable laws. By
using the SYSTEM you are representing and warranting that you are not located in, or under the control of, or a
national resident of any such country or on any such lists, or involved in any such activity.
U.S. Government Rights. If you are an agency or instrumentality of the United States Government, the
Software and Documentation included in the SOFTWARE PRODUCT are commercial computer software and
commercial computer software documentation, and pursuant to FAR 12.212 or DFARS 227.7202, and their
successors, as applicable, use, reproduction and disclosure of the Software and Documentation are governed
by the terms of the End User License Agreement.
Index
Symbols
B
BadVersion event method 58
C
chapters, overview of 9
code integration guidelines 36
CompleteAuthentication method 55
connecting to databases 25
CredentialsComplete event method 58
D
database security and privacy by design 27
deploying DigitalPersona Online 13
DigitalPersona Developer Connection Forum, URL to 12
distributing client software 28
DpOnlineClient.dll 59
DpOnlineClient.DpOnline component 55
event interface 55
event methods 57
See also individual event methods by name 57
interface 55
library 59
methods 55
See also individual methods by name
properties 56
See also individual properties by name 56
syserror codes 59
F
fingerprint authentication event handlers 46
fingerprint recognition, guide to 12
fingerprint registration event handler 41
Flags property 57
functional overview 13
I
IDpOnline interface 55
implementing account modification process in Web pages 50
implementing the authentication process in Web pages 44
implementing the registration process in Web pages 40
InitAuthentication method 55
initializing and embedding the ActiveX control 36
integrating DigitalPersona Online in Web applications 39
interfaces
DpOnlineClient.DpOnline component 55
InvalidPassword event method 58
InvalidUser event method 58
L
library, DpOnlineClient.DpOnline component 59
limited warranties and service 61
Loaded property 57
M
methods
DpOnlineClient.DpOnline component 55
See also individual methods by name
Mpassword property 57
Muser property 57
N
NotRegistered event method 58
O
operation data, other 26
operation field data 26
overview
of chapters 9
P
privacy by design and database security 27
properties, DpOnlineClient.DpOnline component 56
See also individual properties by name
R
records table 22
Register method 55
registering user credentials 14
registration 39
registration form event handler 42
RegistrationCancelled event method 59
RegistrationComplete event method 59
resources, additional
See additional resources
S
session table 24
software requirements 18, 30, 32
syserror codes, DpOnlineClient.DpOnline component 59
SysError event method 59
U
uareuonlinesessions database 24
uareuonlineusers database 22
uninstalling authentication server software 29, 35
Update method 56
updates for DigitalPersona software products, URL for downloading 12
URL
DigitalPersona Developer Connection Forum 12
Updates for DigitalPersona Software Products 12
usagelog table 23
using a DigitalPersona Online-Secured Web application 13
W
warranties and general provisions 61
Web site
DigitalPersona Developer Connection Forum 12
Updates for DigitalPersona Software Products 12