
DigitalPersona, Inc.

DigitalPersona Online
Version 5.5.0

Administrator Guide

DigitalPersona, Inc.
© 1996-2013 DigitalPersona, Inc. All Rights Reserved.
All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or
described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws,
other applicable copyright laws, and international treaty provisions. DigitalPersona and its suppliers retain all rights not
expressly granted.
DigitalPersona, One Touch, and U.are.U are trademarks of DigitalPersona, Inc., registered in the United States and other
countries. Microsoft, ActiveX, Internet Explorer, JScript, Windows, Windows NT, and Windows Server are registered
trademarks and SQL Server is a trademark of Microsoft Corporation in the United States and other countries. Oracle, Java
and JavaScript are trademarks or registered trademarks of Oracle America, Inc. in the United States and other countries. All
other trademarks are the property of their respective owners.
This document and the software it describes are furnished under license as set forth in the License Agreement screen(s)
that may be shown during the installation process.
Except as permitted by such license or by the terms of this guide, no part of this document may be reproduced, stored,
transmitted, or translated, in any form and by any means, without the prior written consent of DigitalPersona. The
contents of this guide are furnished for informational use only and are subject to change without notice. Any mention of
third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a
recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party
products. DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or
liability for any errors or inaccuracies that may appear in it.
Technical Support
Upon your purchase of a Developer Support package (available from http://buy.digitalpersona.com), you are entitled to a
specified number of hours of telephone and email support.
Feedback
Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any
errors, omissions, or suggestions for future improvements. Please contact us at
TechPubs@digitalpersona.com
or
DigitalPersona, Inc.
720 Bay Road, Suite 100
Redwood City, California 94063
USA
(650) 474-4000
(650) 298-8313 Fax

Document Publication Date: October 9, 2013

Table of Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
  Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
  System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
  Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
  Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
  What's new in this version? . . . . . . . . . . . . . . . . . . . . . . . . 10
  Migrating from version 4.4.1 . . . . . . . . . . . . . . . . . . . . . . . 11
  Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Functional Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
  Deploying DigitalPersona Online . . . . . . . . . . . . . . . . . . . . . . 13
  Using a DigitalPersona Online-Secured Web Application . . . . . . . . . . . 13
  Registering User Credentials . . . . . . . . . . . . . . . . . . . . . . . 14
  Authenticating with DigitalPersona Online . . . . . . . . . . . . . . . . . 16
  Account Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
  Additional client features . . . . . . . . . . . . . . . . . . . . . . . . 17

Online Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . 18
  System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
  Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 18
  Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 18
  Set up the Online Authentication Server . . . . . . . . . . . . . . . . . 19
  Configure IIS (Internet Information Server) . . . . . . . . . . . . . . . 21
  Create the Authentication Server databases . . . . . . . . . . . . . . . . 22
  Application ID and Key Generation . . . . . . . . . . . . . . . . . . . . 24
  Tracking System Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 26
  Operation Field Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
  Other Operation Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
  Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . 27
  Database Security and Privacy by Design . . . . . . . . . . . . . . . . . 27
  Application ID and Key Generation . . . . . . . . . . . . . . . . . . . . 27
  Distributing Client Software . . . . . . . . . . . . . . . . . . . . . . . 28
  Uninstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Online Client Installation . . . . . . . . . . . . . . . . . . . . . . . . . 30
  System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
  Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 30
  Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 30
  Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
  Developer Sample Site . . . . . . . . . . . . . . . . . . . . . . . . . . 31

DigitalPersona Online | Administrator Guide

Online Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  Installing the sample Online Application Server . . . . . . . . . . . . . 33
  Configuring IIS (Internet Information Server) . . . . . . . . . . . . . . 34
  Uninstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Code Integration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . 36
  Initializing and Embedding the ActiveX Control . . . . . . . . . . . . . . 36
  ActiveX Control Initialization . . . . . . . . . . . . . . . . . . . . . . 36
  Listening for events . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
  Adding and configuring AppControl.ASP . . . . . . . . . . . . . . . . . . 38
  Integrating DigitalPersona Online in Web Applications . . . . . . . . . . 39
  Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
  Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
  Account Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

ActiveX Control API Reference . . . . . . . . . . . . . . . . . . . . . . . . 55
  DpOnlineClient.DpOnline . . . . . . . . . . . . . . . . . . . . . . . . . 55
  Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
  Event Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
  Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
  Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
  Event Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
  SysError Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
  Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

A Warranties and General Provisions . . . . . . . . . . . . . . . . . . . . . 61
  Limited Warranties and Warranty Service . . . . . . . . . . . . . . . . . 61
  General Provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62


Introduction

The DigitalPersona Online Administrator Guide provides instructions on installing, configuring and utilizing
DigitalPersona Online, an end-to-end server and client software solution that enables businesses to provide
increased security to customers, partners and employees by adding the security of advanced fingerprint
authentication to their Web-based applications.
DigitalPersona Online also provides a sample website demonstrating its features and contains detailed
instructions showing developers how to quickly and easily integrate fingerprint authentication functionality
into a Web application using the DigitalPersona Online ActiveX control and its API.
There is also a companion document, the DigitalPersona Online Quick Start Guide, located in the Docs
directory within the product package. It may be used to quickly set up a prototype or demonstration site, and
can be used as a general reference when setting up your production environment. More detailed instructions
for setting up your production environment are provided later in this document.

Target Audience
This guide provides information and procedures for those who will install, configure and administer
DigitalPersona Online, as well as the developers who will create web-based applications incorporating
fingerprint authentication using this software.
Developers should have

A high degree of familiarity with Microsoft Internet Information Server, which is required not only to
serve Web applications to users, but to run the code that provides the fingerprint authentication
functionality.

Basic knowledge of Microsoft SQL Server in order to create the required databases, tables, and fields
needed for DigitalPersona Online.

Strong programming skills in languages supported by Microsoft Internet Information Server (IIS) such as
Active Server Pages (ASP), JScript and VBScript.

Basic knowledge of HTML, JavaScript and ActiveX is also required in order to embed Online Client
components into your web application using the sample code provided with the DigitalPersona Online
Application Server SDK.

System Requirements
The major components may all be installed on the same computer for testing purposes. However, in most
scenarios, each major component (i.e. the Authentication Server, the sample Application Server and the SQL
Server) will be installed on separate computers. The list below shows recommended or minimum requirements
for the entire system. For specific requirements for each component, see the chapter on that component.

Microsoft Windows 2008 or later

Microsoft SQL Server (or SQL Server Express) 2005 or later

Microsoft Internet Information Server (IIS) 7 or 8 (Optional install requiring OS install disc)

JRE (Java Runtime Environment) x86, 1.7 or later

.NET Framework 2.0 or later

Classic ASP (not ASP.NET)

DigitalPersona Online client

Microsoft Windows XP/7/8

Internet Explorer 8 - 11

Chapter Overview
Chapter 1, Introduction (this chapter), describes the target audience for this guide, lists system requirements
and provides an overview of each chapter in this document.
Chapter 2, Functional Overview, describes the software and hardware components that interoperate to provide
the fingerprint authentication functionality of DigitalPersona Online and an overview of a typical
DigitalPersona Online server and client deployment. It demonstrates how DigitalPersona Online operates from
an end-user's perspective and describes the functionality developers must incorporate in Web applications to
achieve fingerprint authentication functionality.
Chapter 3, Online Authentication Server, describes the Authentication Server, its installation and configuration.
Chapter 4, Online Client Installation, describes the Online Client and the Developer Sample Site, including
installation instructions and an overview of the DigitalPersona Online ActiveX Control features.
Chapter 5, Online Application Server, describes the sample Application Server, its installation and configuration.
Chapter 6, Code Integration Guidelines, describes how to use the ActiveX control, HTML and JavaScript to
facilitate the registration and authentication processes at the API level.
Chapter 7, ActiveX Control API Reference, provides the API documentation for properties, methods and events of
the ActiveX control that facilitates the authentication and registration process.

Appendix 8, Warranties and General Provisions, contains the DigitalPersona limited warranties and warranty
service and the general provisions statements.
An index is also included for your reference.

Compatibility
This product is compatible with DigitalPersona Pro Enterprise 5.5 and later.
DigitalPersona Online 5.5.0 Authentication and sample Application Servers are compatible with the
DigitalPersona Online Client, versions 4.4.1 and 5.5.0.

What's new in this version?


Database changes

A new Templates table has been added to the UareUOnlineUsers database to store fingerprint templates
for multiple fingers. The update script automatically migrates all existing fingerprint data to the new
table.

The structural integrity of the database is improved using foreign keys.

Direct access to tables is eliminated; all data access logic has been moved to stored procedures.

Performance is improved with data indexing.

SQL Server security is improved by using Windows Integrated Security for all database connections.

Application Server SDK sample changes

Safe password authentication - Uses better practices for safe password authentication (password hashing
vs clear text passwords) while keeping the sample code simple.

ASP programming - Uses better practices for ASP programming (master pages, server includes) to reduce
sample code base and get you closer to the essential logic.

Web programming - Uses better practices for web programming (CSS vs direct page scripting) to further
reduce the sample code base.

Online Client changes

Support for multiple finger enrollment.

Simplified configuration of the ActiveX component, while supporting backward compatibility.

Migrating from version 4.4.1


The recommended procedure for migrating from version 4.4.1 to version 5.5.0 is provided below. For versions
prior to 4.4.1, first upgrade to 4.4.1 and then migrate to 5.5.0.
1. Install DigitalPersona Online Authentication Server 5.5.0 on a computer that meets the minimum
recommended requirements for the server. (see Chapter 3, Online Authentication Server, on page 18). Do
not remove or attempt to upgrade the 4.4.1 Authentication Server at this time.
2. Copy your existing UareUOnlineUsers database containing fingerprint data to the SQL Server on the new
computer and upgrade it by running the UareUOnlineUsers.db.5.5.0.upd.sql and
UareUOnlineUsers.sp.5.5.0.sql scripts provided in the DigitalPersona Online Authentication Server\Database
scripts folder within the product package.
3. Create a new UareUOnlineSessions database by running the UareUOnlineSessions.db.5.5.0.sql and
UareUOnlineSessions.sp.5.5.0.sql scripts provided in the DigitalPersona Online Authentication
Server\Database scripts folder within the product package. (Note that the previous data in this database
does not need to be copied as there is no permanent user data that needs to be migrated.)
4. Configure the new Authentication Server 5.5.0 and its database connection as described in Chapter 3,
Online Authentication Server, on page 18.
5. Set up a staging environment containing a copy of your current web application and a snapshot of your
current user database (or a test database).
6. Reconfigure your staging web application by modifying the AuthServerAddress parameter of the Online
Client ActiveX, so that it starts using the new Authentication Server (See page 36.)
7. Test your web application in the staging environment to ensure that it is working with the new Online
Authentication Server.
8. When the configuration has been tested and is ready to deploy, you may need to repeat step 2 so that the
new server's UareUOnlineUsers database is synchronized with the existing production database.
9. Deploy the web application and Online Authentication Server to the production environment by
switching from the current production server to the staging one. If any problem arises, you can safely
switch back with a minimal service interruption.
10. Upgrade the DigitalPersona Online Client on all computers that will be accessing your Online-secured
application.
11. After you are sure that the production environment is stable, you can remove the 4.4.1 Online
Authentication Server.
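As an added example (not part of this guide or of the DigitalPersona product package), the following PowerShell script automates the database work of steps 2 and 3 with sqlcmd, using Windows Integrated Security as the 5.5.0 Authentication Server does. The SQL Server instance name, the backup file path, the location of the unpacked product package and the database context each script is run in are assumptions.

```powershell
# Added example (not part of the DigitalPersona guide or product package).
# Automates the database work of migration steps 2 and 3: restore the existing
# UareUOnlineUsers database on the new SQL Server, run the 5.5.0 upgrade and
# stored-procedure scripts, then create the new UareUOnlineSessions database.
# Every connection uses Windows Integrated Security (sqlcmd -E), matching the
# 5.5.0 Authentication Server, so no SQL login or password is embedded here.

$ErrorActionPreference = 'Stop'

# Assumed values: adjust for your environment.
$SqlServer  = 'NEWAUTHDB\SQLEXPRESS'                     # new SQL Server instance (assumed name)
$BackupFile = 'C:\migration\UareUOnlineUsers.bak'         # full backup taken on the 4.4.1 SQL Server (assumed path)
$ScriptDir  = 'C:\pkg\DigitalPersona Online Authentication Server\Database scripts'  # unpacked product package (assumed path)

function Invoke-SqlScript {
    param([Parameter(Mandatory=$true)][string]$Database,
          [Parameter(Mandatory=$true)][string]$ScriptName)
    $path = Join-Path $ScriptDir $ScriptName
    if (-not (Test-Path $path)) { throw "Script not found: $path" }
    # -E: integrated security; -b: abort and return a non-zero exit code on the first error;
    # -d: database context the script runs in (a USE statement inside the script still wins).
    & sqlcmd -S $SqlServer -E -b -d $Database -i $path
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd exited with $LASTEXITCODE while running $ScriptName" }
}

function Invoke-SqlQuery {
    param([Parameter(Mandatory=$true)][string]$Query)
    & sqlcmd -S $SqlServer -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd exited with $LASTEXITCODE for: $Query" }
}

# Step 2: bring the fingerprint data over, then upgrade the schema (the update
# script migrates existing fingerprint data into the new Templates table) and
# install the stored procedures that replace direct table access in 5.5.0.
# WITH REPLACE overwrites any database of the same name on the new server, which
# is intended only while that server is still a staging system (steps 5 to 9).
# If the data-file directories differ from the old server, add WITH MOVE clauses.
Invoke-SqlQuery "RESTORE DATABASE UareUOnlineUsers FROM DISK = N'$BackupFile' WITH REPLACE"
Invoke-SqlScript -Database 'UareUOnlineUsers' -ScriptName 'UareUOnlineUsers.db.5.5.0.upd.sql'
Invoke-SqlScript -Database 'UareUOnlineUsers' -ScriptName 'UareUOnlineUsers.sp.5.5.0.sql'

# Step 3: the sessions database holds no permanent user data, so it is created
# fresh rather than copied. The .db script is assumed to create the database
# itself and is therefore run in the master context.
Invoke-SqlScript -Database 'master'              -ScriptName 'UareUOnlineSessions.db.5.5.0.sql'
Invoke-SqlScript -Database 'UareUOnlineSessions' -ScriptName 'UareUOnlineSessions.sp.5.5.0.sql'

Write-Host "Databases migrated on $SqlServer. Continue with step 4 (Authentication Server configuration)."
```

Run it as a Windows account that has sysadmin rights on the new instance, since the script is the only place the restore and schema changes are authorized; the Authentication Server's own service account needs no such rights.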

Additional Resources
The following additional resources are available to assist you in using this product.
Description: Fingerprint recognition, including the history and basics of fingerprint identification and the
advantages of DigitalPersona's Fingerprint Recognition Algorithm
Document or URL: The DigitalPersona White Paper: Guide to Fingerprint Recognition (Fingerprint Guide.pdf,
located in the Docs folder in the DigitalPersona Online SDK product package)

Description: Late-breaking news about the product
Document or URL: The Readme.txt files provided in the root directory of the product package as well as in
some subdirectories

Description: Web Portal & Forum for DigitalPersona Developers
Document or URL: http://devportal.digitalpersona.com

Description: Latest updates for DigitalPersona software products
Document or URL: http://www.digitalpersona.com/support/updates

Functional Overview

The DigitalPersona Online SDK allows you to control access to protected Web applications using fingerprint
authentication functionality. A DigitalPersona Online-secured application allows users to register
authentication credentials, including a user name, password and fingerprint, and provides a way for a user
to authenticate to the application using those credentials.
This chapter provides an overview of how DigitalPersona Online components are deployed to provide
fingerprint authentication functionality. In addition, it demonstrates the end-user experience when interacting
with a DigitalPersona Online-secured application.

Deploying DigitalPersona Online


Any DigitalPersona Online deployment must contain at least one authentication server, an application server
and a client workstation, as illustrated in the following figure.
[Figure: DigitalPersona Online Deployment. Authentication Server: performs authentication for authorized
DigitalPersona Online-secured web applications. Application Server: hosts the DigitalPersona Online-secured
web application and stores authentication credentials. Client Workstation with Reader: client software with
a reader allows the user to authenticate to DigitalPersona Online-secured web applications.]

The authentication server performs the authentication for authorized DigitalPersona Online-secured Web
applications, which are hosted on the application server. The client workstation must have the DigitalPersona
Online Client software and a U.are.U Fingerprint Reader to provide fingerprint authentication functionality to
users accessing DigitalPersona Online-secured Web applications.

Using a DigitalPersona Online-Secured Web Application


This section illustrates the functionality of DigitalPersona Online by describing a simple Web site that integrates
fingerprint authentication functionality, demonstrating how DigitalPersona Online could be used in your
application.

Our sample implementation contains three Web pages. The first is where users can register their credentials,
such as fingerprints and/or passwords, to later be used for accessing a protected section of the Web site. Then,
in order to actually access the protected section, the site provides another Web page that allows a user to
authenticate to the site using their supplied credentials prior to accessing the protected section. Finally, a third
page gives registered users the ability to modify their credentials by registering another fingerprint.
NOTE: The examples described in this section are for instructional purposes only; they are not intended to
recommend any particular installation, configuration or deployment. DigitalPersona Online fingerprint
authentication functionality can be integrated in a variety of ways to suit the needs of any Web
application.

Registering User Credentials


Any DigitalPersona Online-secured Web application must allow a user to register their credentials, fingerprints
and passwords. In the following figure, a Web page was created with user name and password fields and a
button the user can click to register fingerprints with the Web application. In addition, this Web page allows the
user to determine their authentication policy.

[Figure: Users must first register their credentials with their Web site to access protected sections or
functions of their online application.]

NOTE: A typical Web application will determine the authentication policy, not the user.
When presented with this page, the users can type their user name and password in the appropriate fields and
click the Register for DigitalPersona Online button to start the fingerprint registration process.
NOTE: Web applications can, of course, request other credential information, such as a PIN number.

When the DigitalPersona Online button is clicked, the Fingerprint Registration wizard launches, allowing the
users to choose a fingerprint to register. Then on-screen instructions guide them through the registration
process.

[Figure: Users choose the finger they want to use to log on and then follow the on-screen instructions to
register it.]

When users have supplied all required authentication credentials and submitted the form, the registration data
must be processed by a component of the Web application to:

Evaluate the supplied credentials against the authentication policy to ensure validity and completeness.

Determine whether the user is permitted to register with the Web application in order to gain access to
protected data or functions.

Add the authentication credentials to a database for later use during authentication.

A Web page that implements DigitalPersona Online registration functionality must also contain event handlers
to listen for events related to the registration process, as described in Fingerprint Registration Event Handler on
page 41.

Authenticating with DigitalPersona Online


A DigitalPersona Online-secured Web application must provide a way for users who have registered their
credentials to log on to protected sections of the application.

[Figure: When users have registered their credentials, they can log on to the protected sections of their
online application.]

Any Web page implementing fingerprint authentication must contain the necessary authentication credential
fields, which include the user name and any other field needed to fulfill the requirements of the authentication
policy.
The example in the previous figure allows a user to type their password and click the Logon with Password Only
button or simply touch the fingerprint reader to gain access to the protected section of the Web site. This
assumes the authentication policy permits these methods of authentication.
When the form is submitted, a component of the Web application must process the authentication data in the
following ways:

Evaluate the supplied credentials against the credentials required by the authentication policy for validity
and completeness.

Perform the authentication process to determine whether there is a match between the supplied
credentials and the stored credentials.

Grant access to the DigitalPersona Online-secured portions of the Web application.

A Web page that implements DigitalPersona Online authentication functionality should contain event handlers
to listen for authentication events, as described in detail in Fingerprint Authentication Event Handlers on
page 46.

Account Modification
The DigitalPersona Online SDK allows developers to provide account modification functionality for registered
users, where they can specify a new authentication policy or even change the fingerprint they use for
authentication.

[Figure: The DigitalPersona Online SDK allows registered users of a Web application to change their
authentication policy and the fingerprint they use.]

The Web component that processes the new credential information must do the following:

Evaluate the supplied credentials against the credentials required by the authentication policy for validity
and completeness.

Add the new credentials to the database, ensuring that the records being updated correspond to the
appropriate user.

Similar to the registration process described in Registering User Credentials on page 14, event handlers should
be added to the account modification Web page to help facilitate the fingerprint registration process.

Additional client features


Additional features available through the DigitalPersona Online ActiveX Control are described in Chapter 7,
ActiveX Control API Reference.

Online Authentication Server

The DigitalPersona Online Authentication Server is a reliable and scalable back-end authentication server built
to provide fingerprint authentication for any DigitalPersona-secured web application.
This chapter provides instructions on the installation of the DigitalPersona Online Authentication Server,
including system requirements, setting up the requisite databases, configuring your web server to work with
DigitalPersona Online and uninstallation of the component.
This chapter covers the following topics relating to the DigitalPersona Online Authentication Server.

System Requirements

Set up the Online Authentication Server

Configure IIS (Internet Information Server)

Create the Authentication Server databases

Tracking System Usage

Deployment Considerations

Uninstallation

System Requirements
Before installing the DigitalPersona Online Authentication Server, ensure that your target computer meets the
minimum hardware and software requirements specified below.

Hardware Requirements
Following are the minimum hardware requirements:

Processor: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)

Memory: 4 GB RAM on both the authentication database server and authentication server PCs

5 GB available hard-disk space on both the database and server PCs

Software Requirements
Following are the minimum software requirements:
DigitalPersona Online servers

Microsoft Windows 2008 or later

Microsoft SQL Server (or SQL Server Express) 2005 or later

Microsoft Internet Information Server (IIS) 7 or 8 (Optional install requiring OS install disc)

JRE (Java Runtime Environment) x86, 1.7 or later

.NET Framework 2.0 or later

Classic ASP (not ASP.NET)

DigitalPersona Online client

Microsoft Windows XP/7/8

Internet Explorer 8 - 11

Set up the Online Authentication Server


To install and set up the Online Authentication Server
1. Install the DigitalPersona Online Authentication Server by running Setup.exe from the following
location within the product package: DigitalPersona Online Authentication Server\.
2. The Installation Wizard will launch.

3. Follow the online instructions to complete the wizard.

4. When requested, enter the name of the database server you will be using with DigitalPersona Online.
5. Upon completion of the wizard, you will be asked to restart your system.
6. Create the Online database - During the installation of the Online Authentication Server, several SQL
scripts are copied to the target computer. They are also available in the DigitalPersona Online
Authentication Server\Database scripts folder of the product package.
These scripts can be used to create the databases used by the Online Authentication Server and the
Online Developer Sample Site. Alternatively, you can create the tables manually by following the detailed
instructions in the section Create the Authentication Server databases on page 22.

In your Microsoft SQL Server management tool, select File, Open and navigate to the following
directory on your computer: C:\Program Files\DigitalPersona\Online Server\SQLScripts

For new installations, execute the provided SQL scripts in the following order.

UareUOnlineSessions.db.5.5.0.sql

UareUOnlineSessions.sp.5.5.0.sql

UareUOnlineUsers.db.5.5.0.sql

UareUOnlineUsers.sp.5.5.0.sql

For upgrading an installation (from version 4.4.1 only), execute the provided SQL scripts in the
following order.

UareUOnlineSessions.db.5.5.0.upd.sql

UareUOnlineUsers.db.5.5.0.upd.sql

7. Configure IIS (refer to the section Configure IIS (Internet Information Server) on page 21).

Configure IIS (Internet Information Server)


In IIS, you will need to enable Anonymous Authentication.
1. Enable Anonymous Authentication - In IIS Manager, select the website. In Features View, under the IIS
heading, open the Authentication feature.

2. Select Anonymous Authentication in the list. Then click Enable in the Actions pane. Click Edit, and in the
resulting dialog, select Application pool identity.

Create the Authentication Server databases


You must create two databases used by the server software for authentication service operations, on the
authentication server database computer.
These databases may be created using the SQL scripts provided with the software package (see step 6 of Set up
the Online Authentication Server on page 19), or you may create them manually by following the detailed
instructions provided in the following sections.

UareUOnlineUsers Database
Create the UareUOnlineUsers database, and then add the specified tables and their respective fields according
to the details provided in the following sections.

Applications Table
The Applications table contains the Application ID and Application Key used by application providers when
integrating DigitalPersona Online Server into their applications. In addition, you must specify the maximum
number of users allowed for a given application provider.
Create the Applications table, and then add these fields to it.
Fieldname    Type   Size   Nulls   Default   Key
App_Id       char   100    no                Primary, clustered
App_Key      char   100
Max_Users    int

Records table
The Records table contains data used in the authentication process. It stores the Record ID and the associated
fingerprint template and private key for use during the authentication and account modification processes. It
also stores the Application ID to associate a user record with an application provider.
Create the Records table, and then add these fields to it.
Fieldname    Type      Size   Nulls   Default         Key
RecordId     int       4      no      identity(1,1)   primary key, clustered
HexPrivKey   varchar   1400
HexPubKey    varchar   1400
App_Id       char      100                            foreign key, references Applications (App_Id)
Status       tinyint   1      no
The RecordId field of the Records table is a key field. It auto-increments (identity is set to true), starting at 1 (seed
equals 1), and increments by 1 (increment equals 1).

Templates table
The Templates table contains fingerprint templates required for fingerprint matching.
Fingerprint template data is stored in the Data field.
The Finger field keeps a finger number (N) as a bit field with a 1 in the Nth position (i.e. 2^N). The finger numbers
go from 1 (left pinky) to 10 (right pinky).
The RecordId field associates the fingerprint template with an authentication record. There may be up to 10
templates stored for every record.
Create the Templates table, and then add these fields to it.
Fieldname    Type   Size   Nulls   Default   Key
RecordId     int    4      no                Foreign key, references Records (RecordId)
Data         text          no
Finger       int    64
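The Finger bit-field encoding and the per-record template limits described above, as an added example that is not part of the DigitalPersona product. The row shape {RecordId, Finger, Data} follows the table; the sample rows and the helper names are this example's own.

```javascript
'use strict';
// Added example, not part of the DigitalPersona product: helpers for the Finger
// bit field (finger N is stored as 2^N, N from 1 = left pinky to 10 = right pinky)
// and an integrity check over Templates rows. Sample rows are constructed.

const MIN_FINGER = 1;                 // left pinky
const MAX_FINGER = 10;                // right pinky
const MAX_TEMPLATES_PER_RECORD = 10;  // "up to 10 templates stored for every record"

// Encode finger number N as the value stored in Templates.Finger (a 1 in the Nth bit, i.e. 2^N).
function encodeFinger(n) {
  if (!Number.isInteger(n) || n < MIN_FINGER || n > MAX_FINGER) {
    throw new RangeError('finger number out of range: ' + n);
  }
  return 1 << n;
}

// Decode a stored Finger value back to N. Returns null unless exactly one bit
// is set and that bit is in the valid range (so 0, 3 and 1 << 11 are rejected).
function decodeFinger(bits) {
  if (!Number.isInteger(bits) || bits <= 0 || (bits & (bits - 1)) !== 0) return null;
  const n = 31 - Math.clz32(bits); // index of the single set bit
  return n >= MIN_FINGER && n <= MAX_FINGER ? n : null;
}

// Check Templates rows against the constraints the section states: a valid
// finger encoding, non-empty template data, no duplicate finger for one record,
// and at most 10 templates per record. Returns a list of problem descriptions.
function checkTemplates(rows) {
  const problems = [];
  const perRecord = new Map(); // RecordId -> { count, fingers: Set of N }
  for (const row of rows) {
    let entry = perRecord.get(row.RecordId);
    if (!entry) perRecord.set(row.RecordId, (entry = { count: 0, fingers: new Set() }));
    entry.count += 1;
    const n = decodeFinger(row.Finger);
    if (n === null) {
      problems.push('record ' + row.RecordId + ': invalid Finger value ' + row.Finger);
      continue;
    }
    if (!row.Data) problems.push('record ' + row.RecordId + ': empty Data for finger ' + n);
    if (entry.fingers.has(n)) {
      problems.push('record ' + row.RecordId + ': duplicate template for finger ' + n);
    }
    entry.fingers.add(n);
  }
  for (const [recordId, entry] of perRecord) {
    if (entry.count > MAX_TEMPLATES_PER_RECORD) {
      problems.push('record ' + recordId + ': ' + entry.count +
        ' templates exceed the limit of ' + MAX_TEMPLATES_PER_RECORD);
    }
  }
  return problems;
}

// Constructed sample rows: record 1 is fine, record 2 has a malformed Finger
// value (two bits set), record 3 stores the same finger twice.
const SAMPLE_ROWS = [
  { RecordId: 1, Finger: encodeFinger(2), Data: 'constructed-template-1' },
  { RecordId: 1, Finger: encodeFinger(7), Data: 'constructed-template-2' },
  { RecordId: 2, Finger: 3, Data: 'constructed-template-3' },
  { RecordId: 3, Finger: encodeFinger(2), Data: 'constructed-template-4' },
  { RecordId: 3, Finger: encodeFinger(2), Data: 'constructed-template-5' },
];

console.log(checkTemplates(SAMPLE_ROWS).join('\n'));
```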

UsageLog table
The UsageLog table contains data that allows you to monitor registration and authentication activity on your
DigitalPersona Online Server.
NOTE: Monitoring activity using the data in this table, as well as a description of each field, is described in the
section Tracking System Usage on page 26.
Create the UsageLog table, and then add these fields to it.
Fieldname    Type       Size   Nulls   Default     Key
RecordId     int               no                  foreign key, references Records (RecordId)
LogNow       datetime          no      GetDate()
LogAgent     char       24
LogOper      char
SerialNum    char       48

UareUOnlineSessions Database
The UareUOnlineSessions database consists of only one table that contains information used by the
authentication server software to establish sessions between the client and the authentication server.

Session Table
Create the Session table, and then add these fields to it.
Fieldname    Type       Size   Nulls   Default         Key
SessionId    int               no      identity(1,1)   primary key
Nonce        int               no
DateTime     datetime          no      GetDate()

The SessionId field of the session table is a key field. It auto-increments (identity is set to true), starting at 1
(seed equals 1), and increments by 1 (increment equals 1).

Connecting to the Databases


When both databases are created, connect to them by registering an ODBC data source with Windows for each
on the authentication server computer.
To create a DSN for each database on the authentication server computer
1. Click Start, and then point to Programs. Point to Administrative Tools, and then click Data Sources
(ODBC).
2. Click the System DSN tab.
3. Click the Add button.
4. Select SQL Server in the list, and then click Finish.
5. In the Name text box, type UareUOnlineUsers.
If you are creating a DSN for the second database, type UareUOnlineSessions.
6. In the Server list, click the name of the database server computer, and then click Next.
7. Click the first option button, indicating that Integrated Windows authentication will be used when
connecting to the database.

Choose Integrated Windows authentication

8. Click Next. Click the Change the default database to button, and then in the list, click the database
name: UareUOnlineUsers or UareUOnlineSessions.
9. Click Next, and then click Finish.
10. Click the Test Data Source button to ensure the settings are correct. If they are not, repeat the steps in
this section; otherwise, click OK on each subsequent dialog box to close it.

Tracking System Usage


This section explains how data involved in three operations (registration, authentication, and account
modification) can be used to track the usage of your DigitalPersona Online Server.
When users register their credentials, authenticate with your server, or modify their registered credentials,
certain data is logged in the usagelog table of the UareUOnlineUsers database: the record ID, date, and time of
the operation, and the type of operation performed.
NOTE: The data is logged only when the operation is successfully completed; there is no data recorded when
any of these operations fails, and, as a result, the failure cannot be traced.
How this data is used depends on your needs as an authentication service provider. Typically, it can be used to
bill application providers who subscribe to your service. Reports can be compiled based on the total number of
new registrations, registered users, or authentications performed, for example. To acquire data for a report, SQL
queries can be issued to the authentication server database that obtains data meeting the criteria required for
the report.

Operation Field Data


The following describes the data logged after successful completion of the registration, authentication, and
account modification operation:

Record ID. The record ID is logged in the recordid field after each operation and is associated with the
application ID in the records table of the UareUOnlineUsers database. This is beneficial if you are
providing authentication service to multiple application providers and require a way to identify which
operations belong to a specific application provider.

Event date and time. The date and time an operation is completed is logged in the lognow field.
Specifying a date range in a SQL query using the values in this field can group operations that correspond
to billing cycles, for example.

Operation type. The type of operation is logged in the logoper field, indicated by one of three
characters, R, A, or U, which indicate registration, authentication, or update (account modification),
respectively.
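A usage report compiled from the fields just described, as an added example that is not part of the product: it joins UsageLog rows to Records to recover the App_Id, restricts LogNow to a billing period, and counts operations by logoper code. The rows are constructed samples and the function name is this example's own.

```javascript
'use strict';
// Added example, not part of the DigitalPersona product: a per-application usage
// report from the UsageLog and Records tables described above, computed in memory
// over constructed sample rows that use the documented field names.

// Constructed Records rows: RecordId -> App_Id (the application provider).
const RECORDS = [
  { RecordId: 1, App_Id: 'ShopApp' },
  { RecordId: 2, App_Id: 'ShopApp' },
  { RecordId: 3, App_Id: 'BankApp' },
];

// Constructed UsageLog rows. LogOper is R (registration), A (authentication) or
// U (update). Only successful operations are logged, so failures never appear here.
const USAGELOG = [
  { RecordId: 1, LogNow: '2013-03-01T09:00:00Z', LogOper: 'R' },
  { RecordId: 1, LogNow: '2013-03-02T10:15:00Z', LogOper: 'A' },
  { RecordId: 1, LogNow: '2013-03-20T11:00:00Z', LogOper: 'A' },
  { RecordId: 2, LogNow: '2013-03-05T08:30:00Z', LogOper: 'R' },
  { RecordId: 2, LogNow: '2013-03-06T08:31:00Z', LogOper: 'U' },
  { RecordId: 3, LogNow: '2013-03-10T12:00:00Z', LogOper: 'R' },
  { RecordId: 3, LogNow: '2013-04-01T00:00:00Z', LogOper: 'A' }, // outside March
];

const OPERATION_NAMES = { R: 'registrations', A: 'authentications', U: 'updates' };

// Count operations per App_Id for LogNow in [from, to). This is the in-memory
// equivalent of a GROUP BY over usagelog JOIN records ON RecordId with a
// date-range WHERE clause on lognow.
function usageReport(records, usagelog, from, to) {
  const appByRecord = new Map(records.map(r => [r.RecordId, r.App_Id]));
  const fromMs = Date.parse(from);
  const toMs = Date.parse(to);
  const report = {};
  for (const row of usagelog) {
    const t = Date.parse(row.LogNow);
    if (Number.isNaN(t) || t < fromMs || t >= toMs) continue;
    const appId = appByRecord.get(row.RecordId);
    if (appId === undefined) continue; // orphan row; the RecordId foreign key should prevent this
    const name = OPERATION_NAMES[row.LogOper];
    if (!name) continue;               // unknown operation code
    const bucket = report[appId] ||
      (report[appId] = { registrations: 0, authentications: 0, updates: 0, activeUsers: new Set() });
    bucket[name] += 1;
    bucket.activeUsers.add(row.RecordId);
  }
  // Report the number of distinct records seen in the period rather than the Set itself.
  for (const bucket of Object.values(report)) bucket.activeUsers = bucket.activeUsers.size;
  return report;
}

console.log(JSON.stringify(usageReport(RECORDS, USAGELOG, '2013-03-01T00:00:00Z', '2013-04-01T00:00:00Z')));
```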

Other Operation Data


There is an additional field in the usagelog table that is used to ensure that the client making the request for an
operation is permitted to do so:

HTTP agent component name. Logged in the logagent field, the HTTP agent component name is used
in conjunction with the client IP address in the operation permission process described previously.

NOTE: These fields are not used to track system usage; they are only included in this table because they are
associated with each operation.

Deployment Considerations
This chapter discusses some of the areas that should be considered when planning the deployment of
DigitalPersona Online Server, such as security, privacy, application key generation, and software distribution. It
is intended for anyone who manages and is responsible for the deployment of the DigitalPersona Online
Server.

Database Security and Privacy by Design


You should design methods that ensure database security and the privacy of end users when deploying
DigitalPersona Online Server.
Following are two suggested methods for ensuring security and privacy:

Maintain separate application provider and authentication server databases. Information in the
authentication server database can be directly linked to end-user personal information stored in an
application provider's database. By separating the data, an attacker must compromise the security of two
databases instead of one, effectively doubling security.

Store the authentication server database on a computer that is only accessible by the authentication
server computer and not by the Internet. This will reduce the risk of unauthorized access to your
authentication server database by reducing remote access options. As an added security measure, you
should install firewall software between them.

Application ID and Key Generation


Every application is identified by an Application ID, and it must be provided with a unique Application Key which
will be used for encryption together with user keys. The key must be generated at the moment when the
Application ID is added to the Online Authentication Server database. The key is generated in the AddApplication
stored procedure of the UareUOnlineUsers database.
A sample key generator is provided in the DigitalPersona Online Server software package to demonstrate how
software can be written to generate IDs and keys automatically and store them in the authentication server
database. The sample generator uses an Application ID and concatenates it with a random 9-digit decimal
number. You may want to modify this algorithm and/or increase the key length to improve security.
Following are the specifications for application IDs and keys:

Application keys are case-sensitive

Application IDs and keys cannot contain spaces

When an application key is generated, it must be added to the appropriate fields in the Online
Authentication Server database

Distributing Client Software


In order for end users to use your authentication server (in conjunction with the online application provided
by the application provider), they will need a U.are.U Fingerprint Reader and DigitalPersona Online Client
software that is compatible with the authentication server software installed on your site. End users can acquire
the reader from resellers listed on the DigitalPersona Web site at www.digitalpersona.com.
You are solely responsible for devising a method, such as a download or CD, to distribute versions of the
DigitalPersona Online Client software to your application providers who, in turn, distribute it to their end users.

Uninstallation
This section provides instructions for removing the Online Authentication Server software.
To remove the Online Authentication Server software
1. Open Control Panel, and then open Add/Remove Programs.
2. Click DigitalPersona Online Authentication Server, and then click the Change/Remove button.
A dialog box prompts you to confirm that you want to remove the software.
3. Click Yes to proceed.
A dialog box prompts you to close all open applications before proceeding with the removal of the
software.
4. Click OK.
When the software is removed, you are prompted to restart the computer.
5. Click OK to restart the computer and to complete removal of the authentication server software.

Chapter 4: Online Client Installation

The DigitalPersona Online Client provides the user interface for fingerprint enrollment and matching, and
secure communications between the client, Online Authentication Server and the web server.

System Requirements
Before installing the DigitalPersona Online Client, ensure that your target computer meets the
minimum hardware and software requirements specified below.

Hardware Requirements
Following are the minimum hardware requirements:

Pentium processor

USB port for peripheral fingerprint reader, or built-in reader

Software Requirements
Following are the minimum software requirements:

Microsoft Windows XP or later

Internet Explorer 8-11

Installation
Installation of the DigitalPersona Online client provides your web application with the support files necessary
to display a basic functional UI for fingerprint enrollment, management and authentication. It does not provide
you with a complete client web application.
Your web application, developed using the Online API (see Chapter 7, ActiveX Control API Reference), will use
these files in conjunction with the code that you develop.
A sample web application/site demonstrating this UI is included in the installation of the DigitalPersona Online
sample Application Server. In order to test that the installed sample site is working correctly, you will need to
install the DigitalPersona Online client and connect a supported fingerprint reader to the client computer.
When deploying your web application, end-users will need to have the DigitalPersona Online Client and a
supported fingerprint reader installed on their computers in order to enable biometric authentication.
Although the Online client can be installed on the same computer as the Authentication and/or Application
Server for testing purposes, we suggest that you install this on a separate computer in order to verify
functionality over your network.

1. Install the DigitalPersona Online Client by running Setup.exe from the following location within the
product package: DigitalPersona Online Client\.
2. When the installation wizard launches, click Next.
3. Next, read the License Agreement. If you agree to its terms, click I accept the terms of this agreement
and then click Next.
4. On the next page, indicate the directory in which to install the client software and then click Next.
The installer copies the necessary client software files to the path you specified.
5. After the files are copied, click Finish to close the installer.
6. Reboot the PC when prompted.
7. Attach a supported fingerprint reader.
8. Open the Developer Sample Site in Internet Explorer by entering

http://<host_IP_Address>/Application.Server.Site, or

http://<host_name>/Application.Server.Site

9. Test the functionality of the sample site, or your own web application, including enrolling and deleting
fingerprints and using your fingerprints for authentication as applicable.

Developer Sample Site


The features of the DigitalPersona Online client are demonstrated through a sample site included in the
product package and installed as part of the Online sample Application Server installation.
In order to create a fully functioning sample site, you first need to have installed and configured the Online
Authentication Server, Online sample Application Server and the Online Client as described in the previous
chapters.
For an overview of the features implemented in the Developer Sample Site, see Using a DigitalPersona
Online-Secured Web Application on page 13.

Chapter 5: Online Application Server

The DigitalPersona Online Application Server that you will install is a sample server component that works with
Microsoft IIS (Internet Information Services) Application Server to host web applications that utilize fingerprint
authentication provided by DigitalPersona Online.
Note that this sample component is for educational purposes only, and shows how the DigitalPersona Online
SDK may be used to create your application server and website. It is not intended for use in a production
environment.
This chapter covers the following topics relating to the sample DigitalPersona Online Application Server.

System Requirements

Installing the sample Online Application Server

Configuring IIS (Internet Information Server)

Uninstallation

System Requirements
Before installing the sample DigitalPersona Online Application Server, ensure that your target computer meets the
minimum hardware and software requirements specified below.

Hardware Requirements
Following are the minimum hardware requirements:

Processor: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)

Memory: 4 GB RAM

5 GB available hard-disk space

Additional processors, memory and HD space may be required depending on application needs.

Software Requirements
Following are the minimum software requirements:

Microsoft Windows Server 2008, 2008 R2 or 2012

Microsoft SQL Server 2005/2008

Microsoft Internet Information Server (IIS) 7/8

JRE (Java Runtime Environment) x86, 1.7 or later

Installing the sample Online Application Server


1. Install the sample DigitalPersona Online Application Server - Run Setup.msi from the following location
within the product package: DigitalPersona Online Application SDK\.
2. Create the required database - In your SQL management tool, navigate to the following directory on your
computer: C:\Program Files\DigitalPersona\Online Server\SQLScripts. Execute the provided SQL script.

UareUExampleUsers.sql

3. Create the system DSN for the database - In Windows Explorer, navigate to C:\Program
Files\DigitalPersona\Online Server\SQLScripts and double click on UareUExampleUsers.reg to create the
DSN.
4. Configure IIS (refer to the section Configuring IIS (Internet Information Server) on page 34).
5. Configure the sample Application Server - Navigate to C:\inetpub\wwwroot\Application.Server.Site, and edit
the file AppConfig.js, changing "localhost" in the AuthServer and AppServer parameters to the name of
the computer where your database server is located. For external access, use the fully qualified computer
name.

Configuring IIS (Internet Information Server)


In IIS, you will need to enable Anonymous Authentication.
1. Enable Anonymous Authentication - In IIS Manager, select the website. In Features View, under the IIS
heading, open the Authentication feature.

2. Select Anonymous Authentication in the list. Then click Enable in the Actions pane. Click Edit, and in the
resulting dialog, select Application pool identity.

Uninstallation
This section provides instructions for removing the sample Online Application Server component.
To remove the sample Online Application Server software
1. Open Control Panel, and then open Add/Remove Programs.
2. Click DigitalPersona Online Application Server, and then click the Change/Remove button.
A dialog box prompts you to confirm that you want to remove the software.
3. Click Yes to proceed.
A dialog box prompts you to close all open applications before proceeding with the removal of the
software.
4. Click OK.
When the component is removed, you are prompted to restart the computer.
5. Click OK to restart the computer and to complete removal of the component.

Chapter 6: Code Integration Guidelines

This chapter describes the registration, authentication and account modification processes at the API level and
provides guidelines for using ActiveX, HTML and JavaScript to integrate DigitalPersona Online functionality in
your Web application.

Initializing and Embedding the ActiveX Control


Every Web page that implements DigitalPersona Online functionality must initialize and embed the ActiveX
control. To use the control, acquire the following information:

URL of the authentication server


Note: The previous Online Client 4.4.1 allowed use of only a host name without its scheme and path, and
used a hardcoded path (/uareuonlineserver/request.asp) and an additional Flags property to define the
scheme (HTTP or HTTPS).
The Online Client 5.5.0 supports the previous URL format, but also accepts a fully-defined URL with
scheme, host name and path. This adds flexibility to specifying the location of an Authentication Server
and simplifies configuration. It is preferable to use the fully defined URL over the previous URL form,
although the new format is not supported by older clients.

Application ID, which is used by the authentication server to verify that your online application is
permitted to use the authentication service and is supplied by the authentication service provider.

The absolute URL of the online application component, appcontrol.asp, on the Web server.
Note: The previous Online Client 4.4.1 allowed use of only a host name and path without a scheme, and
used an additional Flags property to define the scheme (HTTP or HTTPS).
The Online Client 5.5.0 supports the previous URL format, but also accepts a fully-defined URL with
scheme, host name and path. This allows you to embed scheme information in one place and simplifies
configuration. It is preferable to use the fully defined URL over the previous URL form, although the new
format is not supported by older clients.

Using this information, embed the code shown in the next two sections in every Web page that implements
DigitalPersona Online functionality.

ActiveX Control Initialization


To initialize the ActiveX control for the Microsoft Internet Explorer Web browser:
<OBJECT classid="clsid:77A21B6A-38C4-427F-A53F-1E33EA6AF83D"
id="uareuonline" width="0" height="0">
<param name="AuthServerAddress" value="[authentication server address]">
<param name="AppAddress" value="[application address]">
<param name="Appid" value="[application ID]">
</OBJECT>

Listening for events


Following is the JavaScript code that listens for the events generated by the ActiveX control:
<script type="text/javascript">
// The ActiveX control only exists in Internet Explorer; test for the global by name
// so that the check does not throw a ReferenceError in other browsers.
function isIE() { return ("ActiveXObject" in window); }
</script>
...
<script type="text/javascript" for="uareuonline" event="CredentialsComplete()">
isIE() && OnCredComplete();
</script>
<script type="text/javascript" for="uareuonline" event="RegistrationCancelled()">
isIE() && OnRegistrationCancelled();
</script>
<script type="text/javascript" for="uareuonline" event="RegistrationComplete(recid,pubkey)">
isIE() && OnRegistrationComplete(recid, pubkey);
</script>
<script type="text/javascript" for="uareuonline" event="AuthenticationComplete(otp)">
isIE() && OnAuthComplete(otp);
</script>
<script type="text/javascript" for="uareuonline" event="AuthServerReady(uname)">
isIE() && OnAuthServerReady(uname);
</script>
<script type="text/javascript" for="uareuonline" event="AuthenticationFailed()">
isIE() && OnAuthFailed();
</script>
<script type="text/javascript" for="uareuonline" event="NotRegistered()">
isIE() && OnNotRegistered();
</script>
<script type="text/javascript" for="uareuonline" event="SysError(code,desc)">
isIE() && OnSysError(code, desc);
</script>
<script type="text/javascript" for="uareuonline" event="BadVersion()">
isIE() && OnBadVersion();
</script>
<script type="text/javascript" for="uareuonline" event="InvalidUser()">
isIE() && OnInvalidUser();
</script>
<script type="text/javascript" for="uareuonline" event="InvalidPassword()">
isIE() && OnInvalidPassword();
</script>
<script type="text/javascript" for="uareuonline" event="EnterPassword()">
isIE() && OnEnterPassword();
</script>
<script type="text/javascript" for="uareuonline" event="EnterUser()">
isIE() && OnEnterUser();
</script>

Adding and configuring AppControl.ASP


Every Web application that integrates DigitalPersona Online functionality must include an ASP page which will
handle HTTP requests from the Online Client. The URL of this page must be provided to the Online Client using the
AppAddress parameter.
It is recommended to follow the pattern of the AppControl.asp provided with the Application Server sample. The
AppControl.asp page must handle HTTP POST requests with the following parameters:
HTTP POST:

?request=auth&username=<username>&password=<password>
?request=update&username=<username>&password=<password>

When ?request=auth is received, the handler ASP must generate an encrypted one-time password (OTP) using
the AppSvr.Nonce COM helper object. The helper accepts the user's public key stored in the database and the
application key, and produces the OTP (plain and hex-encoded) and an ephemeral encryption key (hex-encoded).
The plain OTP must be stored in the user's database record and validated during the next logon. The
hex-encoded OTP and encryption key must be returned with the record ID in the response headers:
/* Find the user and retrieve the associated Online record ID and public key. */
db.GetUser(username, /*out*/ user);
var recordId = Trim(user("RecordId").Value+"");
var pubkey = user("PublicKey").Value || "";
...
var appControl = Server.CreateObject("AppSvr.Nonce");
/* Note: JScript doesn't support [out] parameters, so we pass nulls and retrieve data via
properties. VBasic supports [out] parameters, so you may pass references directly into the
Generate function. */
appControl.Generate(
    pubkey,            // the user's public key retrieved above
    $Config.AppKey,    // your application key stored in configuration file/object
    null,              // [out] hexNonce
    null,              // [out] hexEncKey
    null               // [out] otp
);
var otp = appControl.Nonce || "";
var hexNonce = appControl.HexNonce || "";
var hexEncKey = appControl.HexEncKey || "";
// store the user's one-time password in the database for later logon verification
db.SetOTPassword(username, otp);
// return hex-encoded OTP, record ID and encryption key
Response.AddHeader("return1", hexNonce);
Response.AddHeader("return2", recordId);
Response.AddHeader("return3", hexEncKey);

IMPORTANT

The application key is case-sensitive. Failing to use proper case will result in the inability of the Web
application to connect to the authentication server.

Don't forget to delete the one-time password from the database after it has been successfully used.

When ?request=update is received, the handler ASP should update the password.

This is not a one-time password but a regular one. It is less secure, because it is passed in the POST request
parameters in clear text every time a user logs on with a regular password, which opens up the possibility of
replay attacks.

Integrating DigitalPersona Online in Web Applications


The following three sections show the HTML code used in the registration, authentication and account
modification forms.

Registration
The function of the registration process is to acquire a fingerprint template from the user to be used as a
credential for authentication and store it, along with other data used during authentication, on the
authentication server.
The following figure shows the events and methods called during the registration process.

[Figure: registration process. Methods: Register(). Events: RegistrationComplete(), RegistrationCancelled().
User interaction: user completes the fingerprint registration process; user closes the registration dialog box.]

The Register method is called when a user (or the application) starts the registration process. When called,
the Registration dialog box opens, allowing a user to register a fingerprint.
When the user successfully completes the registration process, the fingerprint template generated by the
client software from samples acquired by the reader is stored in the authentication server database.


The authentication server generates a record ID and a public/private key pair. The private key and record ID are
stored on the authentication server database. Then, the public key and record ID are sent through the
RegistrationComplete event to the client.
Upon receiving the event, the client sends the public key and record ID, plus the username supplied on the
registration Web page, to the provider site database where they are stored.
If the user closes the Registration dialog box at any time during the registration process, the
RegistrationCancelled event is fired and registration is cancelled.

Implementing the Registration Process in Web Pages


Web applications that facilitate the registration process must provide a mechanism for starting the registration
process and allowing the user to supply other authentication credentials, such as user name and password,
and, if desired, authentication policy settings.
Following is HTML code for a FORM on a Web page where users register fingerprints, their user name and
password and specify the desired authentication policy:
<FORM method="POST" id="regform" name="regform"
      action="[registration form processor]">
<input name="username" id="username" size="25">
<input type="password" name="password" id="password" size="50">
<input type="hidden" name="recordid" id="recordid">
<input type="hidden" name="pubkey" size="800" id="pubkey">
<select size="1" name="policy" id="policy">
<option selected>Password or Fingerprint</option>
<option>Fingerprint Only</option>
<option>Fingerprint and Password</option>
</select>
<input type="button" value="Register" id="startreg" name="startreg"
       onClick="[registration event handler()]">
<!-- not named "submit": a control with that name shadows the form's submit() method -->
<input type="button" value="Submit" id="submitbtn" name="submitbtn"
       onClick="[form processor handler()]">
</FORM>

The HTML code creates a form that allows a user to supply their user name, password and the authentication
policy to use when authenticating to a DigitalPersona Online-enabled Web application. There are two buttons:
the first initiates the fingerprint registration process and the second submits the registration form data,
that is, the registered fingerprint data together with the user name, password and authentication policy
setting.
When the first button is clicked, the event handler that starts the fingerprint registration process is called, as
described in Fingerprint Registration Event Handler on page 41.
When the FORM is submitted, an event handler is called to ensure the supplied credentials match the required
authentication policy setting. For example, if the authentication policy requires both a fingerprint and


password, but only a fingerprint was registered, the event handler should inform the user and stop the form
from being submitted to the form processor application component. An example of such an event handler is
described in Registration Form Event Handler on page 42.
If the supplied credentials are complete, the form forwards the request data to the Web application component
(supplied by the action attribute in the FORM tag), which then should store the username, password, recordid,
pubkey, and policy data in the DigitalPersona Online database.
NOTE: In the example code in the previous figure, the user is given the option to choose the authentication
policy; however, the authentication policy can be set explicitly in the Web component handling the
registration process request data.
The credentials in the form should be added to the table created in the DigitalPersona Online database.

Fingerprint Registration Event Handler


When a user initiates the registration process, the handler of the OnClick event is called and its associated
function ensures that the DigitalPersona Online Client software is loaded and runs the Register method:
function startEnrollment(theForm) {
var loaded = isIE() ? uareuonline.loaded : window["uareuonline"];
if (loaded) {
uareuonline.Register();
} else {
/* Online Client is not installed, handle the error */
}
}

In the startEnrollment event handler code, you must write the error handling routine for instances where the
DigitalPersona Online Client software is not installed.
If the registration process was successfully completed, the OnRegistrationComplete function is called:
function OnRegistrationComplete(recid, pubkey)
{
    if (recid != 0) {
        // regform is the registration form defined above
        document.forms.regform.pubkey.value = pubkey;
        document.forms.regform.recordid.value = recid;
    }
}

The OnRegistrationComplete function stores in hidden fields the public key and record ID received by the
event for later reference by the application provider site script, for example, RegisterExisting.asp.
If the registration process was cancelled, the OnRegistrationCancelled() function is called, which resets the
record ID and public key values:


function OnRegistrationCancelled() {
document.forms.regform.pubkey.value = "";
document.forms.regform.recordid.value = "";
}

Registration Form Event Handler


If the user did not cancel registration and the registration process was completed successfully, then the
checkresults function is called when the user clicks the Submit button:
function checkresults(inpform)
{
    // a fingerprint was registered only if OnRegistrationComplete filled in the record ID
    if ((inpform.policy.selectedIndex == 1 || inpform.policy.selectedIndex == 2) &&
        inpform.recordid.value == "") {
        /* display an error; policy requires a fingerprint */
        return;
    }
    if (inpform.username.value == "" || inpform.password.value == "") {
        /* display an error; user name or password missing */
        return;
    }
    inpform.submit();
    window.status = "submit done";
}

The checkresults function ensures that the username and password fields are not empty and that a
fingerprint was supplied if it is required by the authentication policy.

Authentication
The process of authentication involves matching the fingerprint template stored on the authentication server
(which is acquired at registration) to a fingerprint template acquired by the client at the time of authentication.
The events and methods are illustrated in the following figure and are followed by a description of their roles in
the authentication process.


[Figure: authentication process. Methods: InitAuthentication(), CompleteAuthentication().
Events: BadVersion(), AuthServerReady(), CredentialsComplete(), EnterUser(), EnterPassword()*, InvalidUser(),
InvalidPassword()*, NotRegistered(), AuthenticationFailed(), AuthenticationComplete().
User interaction: user supplies fingerprint credential.
* handler sets mpassword; the EnterUser and InvalidUser handlers set muser.]

Before the user authenticates, the InitAuthentication method is called by either the user or Web
application. This method checks the version of DigitalPersona Online running on the client with the version on
the authentication server to verify compatibility. If the versions are compatible, then the AuthServerReady
event is fired and authentication proceeds; otherwise, the BadVersion event is fired.
When the user is prompted for (and supplies) a registered fingerprint, the CredentialsComplete event is
fired and the fingerprint template and the username (and password, if applicable) are passed to the
CompleteAuthentication method.


If credentials or other information are missing or invalid, five events can be fired, depending on the nature of
the error:

The EnterUser event is fired if a username was not supplied. If this occurs, you can supply a method for
the user to supply their username and set the Muser property to that value to resume authentication.

The EnterPassword event is fired if the password was not supplied and is required by the
authentication policy. In this case, you can supply a method for the user to supply their password and set
the Mpassword property to this value to resume authentication.

The InvalidUser event is fired if the user is not registered with the application provider site. The
application can set the Muser property to empty to cancel authentication or set it to the name of an
existing account. The control then fires the CredentialsComplete event again to restart
authentication without acquiring a new fingerprint template.

The InvalidPassword event is fired if the password, which is required by the authentication policy,
was checked but found to be invalid. The application can set the Mpassword property to empty to
cancel authentication or set it to a valid password for the given user. The control then fires the
CredentialsComplete event again to restart authentication without acquiring a new fingerprint
template.

The NotRegistered event is fired if the user has an account but has not registered a fingerprint. The
application can prompt the user to register a fingerprint by redirecting them to the registration page.

If the supplied credentials are complete and valid, the CompleteAuthentication method retrieves the associated
record ID from the application provider site and generates a one-time password, which is then encrypted with two
keys: the Application Key (provided by the authentication server provider) and a session key that is itself
encrypted using the public key generated at registration, as described in Registration on page 39. The client
forwards the record ID, one-time password and session key, plus the fingerprint template, to the authentication
server.
The authentication server compares the stored fingerprint template with the one sent by the client. If the
fingerprint templates do not match, the AuthenticationFailed event is fired.
If the fingerprint templates match, the authentication server decrypts the session key using the stored private
key (acquired at registration, as described in Registration on page 39) and then decrypts the one-time password
with the decrypted session key in conjunction with the application key. The decrypted one-time password is
then sent to the client through the AuthenticationComplete event. The client then forwards the one-time
password to the application provider site. The application provider site compares the one-time password it
generated to the one it just received from the client. If they match, authentication is successful.

Implementing the Authentication Process in Web Pages


To enable DigitalPersona Online authentication in a Web application, a Web page must initiate the
authentication process by calling the InitAuthentication method after the Online Client component is
loaded. This function is typically called when the page loads; however, it may be initiated by the user clicking a
button. For example:


<body onLoad="OnLoad();">
<script type="text/javascript">
function isIE() { return ("ActiveXObject" in window); }
function OnLoad() {
    if (!isIE()) {
        /* This browser doesn't support ActiveX, handle the error */
        return;
    }
    if (!window["uareuonline"]) {
        /* The Online Client is not loaded, handle the error */
        return;
    }
    uareuonline.InitAuthentication();
}
</script>

Following is the HTML code for a form on the Web page that implements the authentication functionality:
<form method="POST" id="logonform" name="logonform" action="[authentication processor component]">
<input type="hidden" name="otp" />
<input type="text" name="username" size="25" />
<input type="password" name="password" size="50" />
<!-- not named "submit": a control with that name shadows the form's submit() method -->
<input type="button" value="Submit" name="submitbtn" onClick="[handler()]" />
</form>

When submitted, the form should forward the request data to the Web application component that processes
authentication, which then should compare the request data with the credentials stored in the DigitalPersona
Online database. The comparison must be based not only on a credential match but also on the authentication
policy applied to the user account.
The authentication processor Web component should check the DigitalPersona Online database for the
existence of the user, get the user's authentication policy and then, based on that policy, query the database for
the authentication credentials to match against.


Fingerprint Authentication Event Handlers


When the InitAuthentication method is called and a session with the authentication server has been
successfully established, the AuthServerReady event is fired and the associated handler,
OnAuthServerReady, runs:
function OnAuthServerReady(uname)
{
document.forms.logonform.username.value=uname;
}

The OnAuthServerReady function displays the username of the last person to authenticate (passed in the
uname parameter) and gives the developer an opportunity to indicate to the user that authentication is
ready, for example by displaying a graphical animation, an alert or another indication.
Then, the DigitalPersona Online Client software version is checked to ensure that it matches the version of the
authentication server software. If they do not match, the BadVersion event is fired, which calls the
OnBadVersion function, in which you must write code that displays the error message for this event:
function OnBadVersion()
{
/* display a message telling that the client is obsolete and that a new one needs
to be downloaded */
}

Otherwise, when users submit a registered fingerprint, the CredentialsComplete event is fired, which is
handled by the OnCredComplete function:
function OnCredComplete()
{
    // field names match the logon form: "username" and "password"
    uareuonline.CompleteAuthentication(
        document.forms.logonform.username.value,
        document.forms.logonform.password.value);
}

The OnCredComplete function calls the CompleteAuthentication method with the username and
password.
If authentication fails because the acquired fingerprint template does not match a template on the
authentication server, the AuthenticationFailed event runs the OnAuthFailed function, in which you can inform
the user that authentication failed:
function OnAuthFailed()
{
/* display a message telling the client that a match was not found */
}


If authentication is successful, the AuthenticationComplete event is fired, which calls the OnAuthComplete
handler function to submit the form to the authentication processor component:
function OnAuthComplete(otp)
{
    document.forms.logonform.otp.value = otp;
    // submit immediately:
    // document.forms.logonform.submit();
    // or show visual feedback to notify about a successful match
    // and delay the submit so the user can see the good fingerprint checkmark.
    // Note: form.submit() is shadowed if a control in the form is named "submit".
    setStatus("good"); /* your own visual-feedback routine */
    setTimeout(function () { document.forms.logonform.submit(); }, 1000);
}

The decrypted one-time password sent to this function is stored in a hidden field and the handler calls the
submit method of the form to pass the authentication credentials to the authentication processor
component.
While the CompleteAuthentication method executes, one of five events could be fired in the case of
missing or invalid credentials and other information.
If the user name is empty, the EnterUser event is fired, which runs the OnEnterUser function:
function OnEnterUser()
{
var elname = prompt("Please enter your username:", "") || "";
document.forms.logonform.username.value = elname;
uareuonline.muser = elname;
}

This function prompts the user for their username and sets the muser property to this value so the
authentication process can resume.
If the password is not supplied, but the authentication policy requires it, the EnterPassword event is fired,
which calls the OnEnterPassword function:
function OnEnterPassword()
{
var pwd = prompt("In addition, your password is required for logon. Password:", "") || "";
document.forms.logonform.password.value = pwd;
uareuonline.mpassword = pwd;
}


The OnEnterPassword function prompts the user for the password and sets the mpassword property to
the supplied value and resumes authentication.
If the supplied username is invalid, the InvalidUser event is fired, which calls the OnInvalidUser
function:
function OnInvalidUser()
{
var elname = prompt("INVALID USERNAME - Please enter your username:", "") || "";
document.forms.logonform.username.value = elname;
uareuonline.muser = elname;
}

The OnInvalidUser function prompts the user for a valid username and sets the muser property to this
value and resumes authentication.
If a password is required by the authentication policy and the supplied password is invalid, the
InvalidPassword event is fired, which calls the OnInvalidPassword function:
function OnInvalidPassword()
{
var pwd = prompt("Your password did not match, please try again. Password:", "") || "";
document.forms.logonform.password.value = pwd;
uareuonline.mpassword = pwd;
}

The OnInvalidPassword function prompts the user for a valid password, sets the mpassword
property to this value and resumes authentication.
If the user supplies a fingerprint and it is not registered, the NotRegistered event is fired, which calls the
OnNotRegistered function:
function OnNotRegistered()
{
    if (confirm("This account is not registered for use with the U.are.U Online " +
                "authentication server.\n\n" +
                "Click OK to proceed with registration.")) {
        window.location = "[existing registration component]";
    }
}


The OnNotRegistered function displays a confirmation dialog box: if the user chooses to register a
fingerprint, the page redirects to the existing registration component, as described in Account Modification
on page 49; otherwise authentication is cancelled.

Account Modification
Account Modification allows an already registered user to replace an existing registered fingerprint with a new
one. The following illustration shows the events and methods of the account modification process.
[Figure: account modification process. Methods: Update(). Events: EnterUser(), EnterPassword(), InvalidUser(),
InvalidPassword(), RegistrationComplete(), RegistrationCancelled().
User interaction: user supplies fingerprint credential; user closes the registration dialog box.]

When a Web application calls the Update method, passing the user name and password as parameters,
the ActiveX control acquires the record ID from the application provider site and ensures the password is valid.


If the information supplied to the Update method is incomplete or invalid, one of four events is fired:

The EnterUser event is fired if a username was not supplied. If this occurs, you can supply a method for
the user to supply their username and set the muser property to that value to resume authentication.

The EnterPassword event is fired if the password was not supplied and is required by the
authentication policy. In this case, you can supply a method for the user to supply their password and set
the Mpassword property to this value to resume authentication.

The InvalidUser event is fired if the user is not registered with the application provider site. The
application can set the muser property to empty to cancel authentication or set it to the name of an
existing account. The control then fires the CredentialsComplete event again to restart
authentication without acquiring a new fingerprint template.

The InvalidPassword event is fired if the password, which is required by the authentication policy,
was checked but found to be invalid. The application can set the Mpassword property to empty to
cancel authentication or set it to a valid password for the given user. The control then fires the
CredentialsComplete event again to restart authentication without acquiring a new fingerprint
template.

If the user closes the Registration dialog box at any time, the RegistrationCancelled event is fired.
If the information supplied is complete and valid, the Registration dialog box opens, allowing the user to select
and register a new fingerprint. When the user completes the fingerprint registration successfully, the
RegistrationComplete event is fired and the client forwards the acquired fingerprint template and the
record ID to the authentication server.
The authentication server replaces the stored fingerprint template associated with the record ID with the one
sent by the client. If no record ID exists, the authentication server generates a new record ID and a new key pair.
The public key is then reused as a parameter in the event function.

Implementing the Account Modification Process in Web Pages


Web applications that allow users to modify account credentials must provide a mechanism for starting the
account modification process and allow the user to supply new authentication credentials.


Following is HTML code for a FORM on a Web page where users register new fingerprints, their user name and
password and specify a new authentication policy (if allowed by the developer):
<form method="POST" id="updateform" name="updateform"
      action="[account modification processor Web component]">
<input type="hidden" name="recordid" />
<input type="hidden" name="pubkey" size="800" />
<input name="username" size="25" />
<input type="password" name="password" size="50" />
<select size="1" name="policy">
<option selected>Password or Fingerprint</option>
<option>Fingerprint Only</option>
<option>Fingerprint and Password</option>
</select>
<input type="button" value="Register" name="startreg"
       onClick="startEnrollment(this.form);" />
<!-- not named "submit": a control with that name shadows the form's submit() method -->
<input type="button" value="Submit" name="submitbtn" onClick="[handler()]" />
</form>

Before modifying the credential database, the account modification processor component should check for
the existence of the user and the validity of the submitted credentials. If they are valid, the credentials can be
updated in the DigitalPersona Online database for the record whose user name matches the one in the FORM.

Account Modification Event Handlers


When the user clicks the Register button, the registration event handler (in the following example, the
startEnrollment function) is called:
function startEnrollment(theForm) {
    var loaded = isIE() ? uareuonline.loaded : window["uareuonline"];
    if (loaded) {
        // field names match the update form: "username" and "password"
        uareuonline.Update(theForm.username.value, theForm.password.value);
    } else {
        /* Online Client is not installed, handle the error */
    }
}

The startEnrollment function ensures the ActiveX control is loaded (with code specific to each browser) and
calls the Update method to initiate the registration process.

Account Modification Fingerprint Registration Event Handlers


If the user cancels the registration process, the RegistrationCancelled event is fired, which calls the
OnRegistrationCancelled function:
function OnRegistrationCancelled()
{
    // startreg is a button; its .checked property is used here only as a flag for checkresults
    document.updateform.startreg.checked = false;
    document.updateform.pubkey.value = "";
    document.updateform.recordid.value = "";
    window.status = "Registration cancelled";
}

The OnRegistrationCancelled function resets the public key and record ID fields.
If the user successfully completed the registration process, the RegistrationComplete event is fired, which
calls the OnRegistrationComplete function:
function OnRegistrationComplete(recid, pubkey)
{
    if (recid != 0) {
        document.updateform.startreg.checked = true;
        document.updateform.pubkey.value = pubkey;
        document.updateform.recordid.value = recid;
    }
}

The OnRegistrationComplete function stores in hidden fields the public key and record ID received by the event
for later reference by the application provider site script, for example, registerexisting.asp or registerexisting.jsp.


Account Modification Form Event Handlers


When the user submits the form, the checkresults function is called:
function checkresults(inpform)
{
    // startreg.checked is set by the registration event handlers when a fingerprint was registered
    if ((inpform.policy.selectedIndex == 1 || inpform.policy.selectedIndex == 2) &&
        inpform.startreg.checked == false) {
        /* display an error; policy requires a fingerprint */
        return;
    }
    if (inpform.username.value == "" || inpform.password.value == "") {
        /* display an error; user name or password missing */
        return;
    }
    inpform.submit();
}

The checkresults function checks the validity of the supplied credentials and other information before
proceeding with the account modification process. If a fingerprint is required by the authentication policy and
it was supplied and the username and password are not missing, the submit method of the form object is
called, which triggers the addexisting.asp (or .jsp) script.
While the Update method executes, one of five events could be fired in the case of missing or invalid
credentials and other information.
If the user name is empty, the EnterUser event is fired, which calls the OnEnterUser function:
function OnEnterUser()
{
    var elname = prompt("Please enter your username:", "") || "";
    document.forms.updateform.username.value = elname; // the account modification form
    uareuonline.muser = elname;
}

This function prompts the user for their username and sets the muser property to this value so that the
account modification process can resume.


If a password is not supplied, but the authentication policy requires one, the EnterPassword event is fired,
which calls the OnEnterPassword function:
function OnEnterPassword()
{
    var pwd = prompt("In addition, your password is required for logon. Password:", "") || "";
    document.forms.updateform.password.value = pwd; // the account modification form
    uareuonline.mpassword = pwd;
}

The OnEnterPassword function prompts the user for the password, sets the mpassword property to the
supplied value and resumes authentication.
If the supplied username is invalid, the InvalidUser event is fired, which calls the OnInvalidUser
function:
function OnInvalidUser()
{
    var elname = prompt("INVALID USERNAME - Please enter your username:", "") || "";
    document.forms.updateform.username.value = elname; // the account modification form
    uareuonline.muser = elname;
}

The OnInvalidUser function prompts the user for a valid username, sets the muser property to this value
and resumes authentication.
If a password is required by the authentication policy and the supplied password is invalid, the
InvalidPassword event is fired, which calls the OnInvalidPassword method:
function OnInvalidPassword()
{
    var pwd = prompt("Your password did not match, please try again. Password:", "") || "";
    document.forms.updateform.password.value = pwd; // the account modification form
    uareuonline.mpassword = pwd;
}

The OnInvalidPassword function prompts the user for a valid password, sets the mpassword property
to this value and resumes authentication.


ActiveX Control API Reference

This chapter describes the functions, events, properties and error codes associated with the DigitalPersona
Online ActiveX Control.

DpOnlineClient.DpOnline
This component mediates communication between the application provider site and the authentication server
site, exposing DigitalPersona Online Server functionality. It contains methods and properties to register
fingerprint templates, to use registered fingerprint templates for authentication and to update the fingerprint
template of an already registered user.

Interface
IDpOnline

Event Interface
_IDpOnlineEvents

Methods
InitAuthentication()
Initializes the authentication process, verifies the compatibility of the client version with that of the
authentication server and initiates the authentication session. If the session is established, then the
AuthServerReady event is fired.
CompleteAuthentication([in]BSTR username,[in]BSTR password)
This method is called after the CredentialsComplete event has been received, which notifies the caller
that a fingerprint template has been acquired. When this method is called, the authentication process takes
place, the session is verified (established when the InitAuthentication method is called), the supplied
template is matched against the one stored in the authentication server database and the one-time password
is decrypted and returned to the caller through the AuthenticationComplete event. This event is fired
only if a successful matching occurs; otherwise, the AuthenticationFailed event is fired. The
username parameter contains the name of the user whose fingerprint has to be verified and the password
parameter is the password for the same user. The password parameter is mandatory only if the specified
user has a policy for the authentication that requires fingerprint and password together.
Register()
Starts the fingerprint registration process. Calling this method displays the registration dialog and creates a
session with the authentication server. When the fingerprint template is generated, it is stored in the


authentication server database and a new recordid and public key are returned to the caller when the
RegistrationComplete event is fired. If the user cancels registration, the RegistrationCancelled
event is fired.
Update([in]BSTR username,[in]BSTR password)
Starts the account modification process. Calling this method displays the registration dialog and creates a
session with the authentication server. When the fingerprint template is generated, it is sent to the
authentication server together with the recordid associated with the existing account and the new fingerprint
template replaces the existing one in the authentication server database. The recordid can be null if the
Update function is used with an account for which no fingerprint was registered at the time it was created.
When the account modification process is completed successfully, the RegistrationComplete event is
fired to the caller. If the user cancels registration, the RegistrationCancelled event is fired. The
username parameter is the name of the user whose account needs to be updated and password is the
password the user supplied at the time the account was created. The password parameter is mandatory in
order to successfully complete the account update function.

Properties
AuthServerAddress(BSTR)
The URL of the authentication server.
Compatibility note:
Online Client 4.4.1 accepted only a host name, without scheme or path; it used a hard-coded path
(/uareuonlineserver/request.asp) and the additional Flags property to select the scheme (HTTP or HTTPS).
Online Client 5.5.0 still supports that form but also accepts a fully qualified URL with scheme, host
name and path. This gives more freedom in where the authentication server is located and simplifies
configuration. The full URL form is preferred, but it is not supported by older Clients.
AppId(BSTR)
The ID of your application given by the authentication service provider.
AppAddress(BSTR)
The full path to the AppControl.asp or AppControl.jsp script, for example, www.yourwebsite.com/yourappdir/
AppControl.asp.
Compatibility note:
Online Client 4.4.1 accepted only a host name and path, without scheme, and used the additional Flags
property to select the scheme (HTTP or HTTPS).
Online Client 5.5.0 still supports that form but also accepts a fully qualified URL with scheme, host
name and path. This keeps the scheme information in one place and simplifies configuration. The full URL
form is not supported by older Clients.
Flags(int)
This property defines the operational modes of the ActiveX control. Two values are defined for this
property, 256 and 2048, which can be combined with a bitwise OR. If 256 is set, the ActiveX control uses
HTTPS to communicate with the authentication server. If both 256 and 2048 are set (2304), the ActiveX control
uses HTTPS to communicate with both the authentication server and the Web server. The default value is 0,
which means plain HTTP is used for both servers: in that configuration everything the control exchanges with
the two servers, including the fingerprint template it sends to the authentication server, travels unencrypted,
so production deployments should set both bits or use https:// URLs (see the note below).
Note:
Online Client 5.5.0 also allows the protocol (HTTP or HTTPS) to be specified as the scheme of the URL. This
keeps the scheme information in one place and simplifies configuration. It is not supported by older Clients.
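The following JavaScript is an added example and is not code from this guide or from the DigitalPersona SDK. It turns the AuthServerAddress, AppAddress and Flags rules above into a small configuration check that a page can run before it initializes the control: it computes the Flags value for HTTPS on both legs (256 | 2048 = 2304), rejects a fully qualified URL whose scheme is not https://, and decodes a Flags value back to what the guide says each combination means. The bit values are the documented ones; the constant and function names, the check on the AppControl script name and the sample addresses are assumptions made for this example.

```javascript
// Added example (not DigitalPersona code). Bit values are the documented ones;
// the helper names, the AppControl name check and the sample addresses are
// assumptions made for this example.

const FLAG_AUTHSERVER_HTTPS = 256;  // HTTPS to the authentication server
const FLAG_WEBSERVER_HTTPS = 2048;  // HTTPS to your Web server (only defined together with 256)

// Splits a 5.5.0 full URL into scheme and remainder. A 4.4.1-style bare
// "host[/path]" has no scheme and relies on Flags for it.
function splitScheme(address) {
  const s = String(address).trim();
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(s);
  return m ? { scheme: m[1].toLowerCase(), rest: m[2] } : { scheme: null, rest: s };
}

// Property values for a deployment that must use HTTPS on both legs. The guide
// does not say whether a URL scheme or the Flags bits win when they disagree,
// so the helper makes them agree: full URLs must be https:// and both bits are
// always set (256 | 2048 = 2304), which also covers bare 4.4.1-style addresses.
function buildTransportConfig(authServerAddress, appAddress) {
  const legs = [["AuthServerAddress", splitScheme(authServerAddress)],
                ["AppAddress", splitScheme(appAddress)]];
  for (const [name, leg] of legs) {
    if (leg.scheme !== null && leg.scheme !== "https") {
      throw new Error(name + ": refusing " + leg.scheme + "://, the control would talk to it in clear text");
    }
  }
  if (!/\/AppControl\.(asp|jsp)$/i.test(legs[1][1].rest)) {
    throw new Error("AppAddress must point at the AppControl.asp or AppControl.jsp script");
  }
  return {
    AuthServerAddress: authServerAddress,
    AppAddress: appAddress,
    Flags: FLAG_AUTHSERVER_HTTPS | FLAG_WEBSERVER_HTTPS,
  };
}

// Decodes a Flags value the way the guide describes it: 256 alone secures only
// the authentication server leg, and 2048 counts only in combination with 256.
function describeFlags(flags) {
  const authHttps = (flags & FLAG_AUTHSERVER_HTTPS) !== 0;
  const webHttps = authHttps && (flags & FLAG_WEBSERVER_HTTPS) !== 0;
  return { authServer: authHttps ? "https" : "http", webServer: webHttps ? "https" : "http" };
}

// Usage with constructed sample addresses (the 5.5.0 full-URL form):
const sampleConfig = buildTransportConfig(
  "https://auth.example.test/uareuonlineserver/request.asp",
  "https://www.example.test/yourappdir/AppControl.asp");
```

A page would assign the three returned values to the control's properties before calling any method; the thrown error is the place to stop and fix the deployment rather than fall back to Flags = 0.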
Loaded(VARIANT_BOOL)
This is a read-only property that can be used to check whether the control has been successfully loaded and
initialized.
Muser(BSTR)
The Muser property can be set upon receiving the EnterUser or InvalidUser event. These events
are fired when the username supplied to the CompleteAuthentication or Update method is
missing or invalid. Handling these events gives the programmer a chance to prompt the user to correct
the error; setting this property within the handler lets the control resume the authentication or the
update process. Setting the property to the empty string cancels the operation.
Mpassword(BSTR)
The Mpassword property can be set upon receiving the EnterPassword or InvalidPassword
event. These events are fired when the password supplied to the CompleteAuthentication or
Update method is missing or invalid. The password is always checked during an account
update, whereas during authentication it is checked only if the policy for that user is Fingerprint
And Password. Handling these events gives the programmer a chance to prompt the user to correct the error;
setting this property within the handler lets the control resume the authentication or the update process.
Setting the property to the empty string cancels the operation.

Event Methods
AuthenticationComplete([in] BSTR otp)
The server has completed the authentication process, the fingerprint match succeeded and the one-time
password otp has been decrypted. This one-time password must now be sent to your site to be checked by
the logon script (processlogon.asp or .jsp in the sample site). The event by itself grants nothing: the logon
decision is made by your site when it validates the otp, so do not treat the event as proof of authentication
on the client.
AuthenticationFailed()
The authentication operation failed because the fingerprint did not match.
AuthServerReady([in] BSTR username)
After the InitAuthentication method has been called, the client version is checked against the version
required by the authentication server, the fingerprint reader is made ready to acquire a fingerprint and a
session is established with the authentication server. If all of this succeeds, the event is fired and the
username parameter contains the name of the last user that performed an authentication.
BadVersion()
After the InitAuthentication method has been called, the client version is checked against the version
required by the authentication server. If the two do not match, the BadVersion event is fired.
CredentialsComplete()
This event is fired when the reader has acquired a fingerprint sample and a fingerprint template has been
successfully created from it. At this point the handler must call the
CompleteAuthentication method for the authentication to take place.
EnterPassword()
This event is fired during authentication when the password is missing but is required by the account you
are trying to authenticate, and always during an account update when the password is missing.
EnterUser()
This event is fired during authentication or an account update when the username is missing.
InvalidPassword()
This event is fired during authentication when the password is invalid and is required by the account you
are trying to authenticate, and always during an account update when the password is invalid.
InvalidUser()
This event is fired during authentication or an account update when the username is invalid.
NotRegistered()
This event is fired during authentication when the account exists but no fingerprint is stored for it in the
authentication server database.
RegistrationCancelled()
This event is fired when, during registration or an account update, the user clicks the close
button of the enrollment dialog.
RegistrationComplete([in] BSTR recordid, [in] BSTR pubkey)
This event is fired when registration or an account update has completed. For a new account,
the recordid parameter contains the recordid generated for the new user in
the authentication server database and the pubkey parameter contains the public key associated with it.
These two pieces of information must be sent to your site to be stored together with the new user's
username, policy and password. For an account update, the recordid parameter is the one that was
initially assigned to the existing user and the pubkey parameter is empty, because the public key does not
change; the only update is in the authentication server database, where the new fingerprint template is
stored. You can still call your site to update the password and the policy for the account (addexisiting.asp or
.jsp in the sample site).
SysError([in] int code, [in] BSTR descr)
An error condition occurred during the execution of one of the methods. The code parameter is the error
code and the descr parameter contains a brief description of the error condition. See the next section for
the error codes.

SysError Codes
1. The authentication server cannot be contacted. Ensure that the authentication server is up and running and
that the AuthServerAddress property is initialized with the URL of the authentication server you
want to use.
2. No session has been established with the authentication server. Contact your authentication service
provider.
3. The AppAddress property has not been initialized.
4. The application provider site (your site) cannot be contacted, or the AppControl.asp (or AppControl.jsp)
script cannot be executed. Make sure your Web server is set up correctly and that the AppAddress
property has been initialized with the correct path to the script.
5. An exception occurred during the execution of the control.
6. The maximum number of registered users allowed by your agreement with the authentication service
provider has been reached.
7. The fingerprint reader is not connected. Make sure that the reader is plugged in and that its software is
installed.
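The following JavaScript is an added example, not code from this guide, its sample site or the DigitalPersona SDK. It shows the page-side handling of the event methods above for one authentication attempt: InitAuthentication leads to AuthServerReady and CredentialsComplete, the CredentialsComplete handler calls CompleteAuthentication, EnterUser, InvalidUser, EnterPassword and InvalidPassword are answered through the Muser and Mpassword properties (with the empty string used to cancel after a bounded number of bad passwords), NotRegistered, AuthenticationFailed, BadVersion and SysError end the attempt, and the otp delivered by AuthenticationComplete is only relayed to the site's logon script. Because the real control only exists inside Internet Explorer with a reader attached, a scripted stand-in (FakeDpOnline) fires the events in the documented order so the code runs offline; that class, its on() event binding, the no-argument InitAuthentication() call (the method's real signature is defined earlier in this chapter), runAuthentication, the sample accounts and the one-time password value are all constructed for this example, and the way a real page attaches the control's events is not covered here.

```javascript
// Added example (not DigitalPersona code). Documented names are used as-is;
// FakeDpOnline, its on() binding, the no-argument InitAuthentication() call,
// runAuthentication and the sample accounts are constructed for this example.

const MAX_PASSWORD_ATTEMPTS = 3;

// One handler per documented event. promptPassword() re-asks the user;
// deliverOtp(otp) posts the one-time password to the site's logon script
// (processlogon.asp/.jsp), which makes the actual decision. Nothing here
// grants access on its own.
function attachAuthenticationHandlers(control, creds, promptPassword, deliverOtp, onResult) {
  let badPasswords = 0;
  const trace = [];
  const finish = (status, extra) => onResult(Object.assign({ status, trace }, extra || {}));
  const askPassword = () => {
    const next = promptPassword();
    control.Mpassword = next;                        // a value resumes, "" cancels
    if (next === "") finish("cancelled");
  };
  control.on("AuthServerReady", (lastUser) => trace.push("AuthServerReady:" + lastUser));
  control.on("BadVersion", () => finish("bad-version"));
  control.on("CredentialsComplete", () => {          // template built; matching is server-side
    trace.push("CredentialsComplete");
    control.CompleteAuthentication(creds.username, creds.password);
  });
  control.on("EnterUser", () => { control.Muser = creds.username || ""; if (!creds.username) finish("cancelled"); });
  control.on("InvalidUser", () => { control.Muser = ""; finish("invalid-user"); });
  control.on("EnterPassword", askPassword);
  control.on("InvalidPassword", () => {
    trace.push("InvalidPassword");
    if (++badPasswords < MAX_PASSWORD_ATTEMPTS) askPassword();
    else { control.Mpassword = ""; finish("invalid-password"); }  // bounded retries, then cancel
  });
  control.on("NotRegistered", () => finish("not-registered"));
  control.on("AuthenticationFailed", () => finish("no-match"));
  control.on("AuthenticationComplete", (otp) => {
    trace.push("AuthenticationComplete");
    finish("ok", { siteResponse: deliverOtp(otp) });
  });
  control.on("SysError", (code, descr) => finish("sys-error", { code, descr }));
}

// Scripted stand-in for the control: fires the documented events in the
// documented order for a Fingerprint And Password policy, and treats Muser/
// Mpassword as described (a value resumes the pending call, "" cancels it).
class FakeDpOnline {
  constructor(accounts, lastUser) {   // accounts: name -> { password, registered, fingerMatches, otp }
    this.accounts = accounts; this.lastUser = lastUser; this.handlers = {};
    this._user = null; this._pass = null; this._pending = false;
  }
  on(event, fn) { this.handlers[event] = fn; }
  fire(event, ...args) { if (this.handlers[event]) this.handlers[event](...args); }
  get Muser() { return this._user; }
  set Muser(v) { this._user = v; this._resume(); }
  get Mpassword() { return this._pass; }
  set Mpassword(v) { this._pass = v; this._resume(); }
  InitAuthentication() {              // version ok, session up, reader ready, sample acquired
    this.fire("AuthServerReady", this.lastUser);
    this.fire("CredentialsComplete");
  }
  CompleteAuthentication(username, password) {
    this._user = username; this._pass = password; this._pending = true;
    this._verify();
  }
  _resume() {
    if (!this._pending) return;
    if (this._user === "" || this._pass === "") { this._pending = false; return; }
    this._verify();
  }
  _verify() {
    if (!this._user) return this.fire("EnterUser");
    const acct = this.accounts[this._user];
    if (!acct) return this.fire("InvalidUser");
    if (!acct.registered) { this._pending = false; return this.fire("NotRegistered"); }
    if (!this._pass) return this.fire("EnterPassword");
    if (this._pass !== acct.password) return this.fire("InvalidPassword");
    this._pending = false;
    if (!acct.fingerMatches) return this.fire("AuthenticationFailed");
    this.fire("AuthenticationComplete", acct.otp);
  }
}

// Runs one attempt; the stand-in fires events inline, so the result is ready
// when InitAuthentication() returns.
function runAuthentication(control, creds, promptPassword, deliverOtp) {
  let result = null;
  attachAuthenticationHandlers(control, creds, promptPassword, deliverOtp, (r) => { result = result || r; });
  control.InitAuthentication();
  return result;
}

// Constructed sample data: alice enrolled with a password policy, bob never enrolled.
const SAMPLE_ACCOUNTS = {
  alice: { password: "correct horse", registered: true, fingerMatches: true, otp: "otp-sample-0001" },
  bob: { password: "x", registered: false, fingerMatches: false, otp: null },
};

// alice mistypes once, is re-prompted, and the otp is handed to the site once.
function demo() {
  const answers = ["correct horse"];
  return runAuthentication(new FakeDpOnline(SAMPLE_ACCOUNTS, "alice"), { username: "alice", password: "typo" },
    () => answers.shift() || "", (otp) => ({ posted: otp }));
}
```

The retry cap matters because the guide gives InvalidPassword no limit of its own: a handler that simply re-sets Mpassword from a stale field would loop, whereas the empty string is the documented way to end the operation cleanly.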

Library
DpOnlineClient.dll

Warranties and General Provisions

Limited Warranties and Warranty Service


The DigitalPersona Online Server Package (the SYSTEM) you acquired may include: the U.are.U Fingerprint
Reader, (the READER); and the DigitalPersona Online Server software, DigitalPersona Online SDK and
DigitalPersona Online Client software, the software embedded in the READER and their associated media,
printed material and online or electronic documentation (the SOFTWARE PRODUCT). The SOFTWARE
PRODUCT is licensed, not sold, as set forth in the Installation Software screen License Agreement.
LIMITED WARRANTY; LIMITATION OF REMEDIES
The warranties provided by DigitalPersona in this statement of limited warranty apply only to SYSTEMS you
originally purchased from DigitalPersona or an authorized reseller for your personal or business use, and not for
resale.
DigitalPersona warrants that the SOFTWARE PRODUCT will perform substantially in accordance with the
applicable documentation and that its media will be free from defects in material and workmanship for a
period of ninety (90) days from the date of original purchase. DigitalPersona does not warrant that use of the
SOFTWARE PRODUCT will be uninterrupted or error-free. DigitalPersona warrants that the READER will be free
from defects in materials and workmanship for a period of one (1) year from the original date of purchase.
If you discover an error or defect covered under this limited warranty, DigitalPersona's sole obligation, and your
exclusive remedy, shall be, at DigitalPersona's option, either (a) to return the price paid, if any; or (b) to replace
the SOFTWARE PRODUCT or the READER using new or remanufactured components. Any replacement
SOFTWARE PRODUCT will be warranted for the remainder of the original warranty period or thirty (30) days,
whichever is longer. Any replacement of the READER will be warranted for the remainder of the original
warranty period.
Warranty Service. To obtain your remedy under this warranty you must deliver the defective product and the
original sales receipt to the place of purchase. For purchases made directly from DigitalPersona, you must first
contact DigitalPersona Customer Service and obtain a Return Merchandise Authorization (RMA) number before
returning the product to DigitalPersona. You must pre-pay shipping charges to return the product to
DigitalPersona and insure the shipment or accept the risk of loss or damage during shipment. DigitalPersona
shall not be responsible for any returned product that is not packaged properly or is returned without a valid
and visible RMA number.
Product Failures Not Covered By This Warranty. The READERS are designed and warranted for use as access
control devices in an office environment and are capable of optimum performance when properly maintained.
Industrial, heavy-duty use, or use in extreme environmental conditions will void this warranty. This warranty
covers defects in manufacturing that arise during normal use and proper care in an office environment. It does
not cover damage caused by any misuse, improper maintenance, including physical abuse to the SOFTWARE
PRODUCT or to the READER (for example, but not limited to, cuts or scratches to the READER window), or use of
corrosive, abrasive, or improper cleaning materials, or any misapplication, improper modifications or repair,
activity intended to circumvent the security devices incorporated into the READER or SOFTWARE PRODUCT,
criminal activity, moisture, shipping, or high voltage surges from external sources such as power lines or other
connected equipment. This warranty also does not apply to any product with an altered or defaced serial
number. Opening the READER automatically voids this warranty.
Disclaimer of Warranties. EXCEPT FOR THE FOREGOING LIMITED WARRANTIES, DIGITALPERSONA MAKES NO
OTHER EXPRESS OR IMPLIED WARRANTIES TO THE MAXIMUM EXTENT PERMITTED BY LAW AND SPECIFICALLY
DISCLAIMS THE WARRANTIES OF QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND
NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH REGARDS TO THE SYSTEM AS WELL AS ANY PROVISION OF
OR FAILURE TO PROVIDE SUPPORT SERVICES. IF SUCH DISCLAIMER OF ANY IMPLIED WARRANTY IS NOT
PERMITTED BY LAW, THE DURATION OF ANY SUCH IMPLIED WARRANTY IS LIMITED TO NINETY (90) DAYS FROM
THE DATE OF DELIVERY. SOME JURISDICTIONS DO NOT ALLOW SUCH EXCLUSIONS OR LIMITATIONS, SO THEY
MAY NOT APPLY TO YOU. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO
HAVE OTHER RIGHTS, WHICH VARY FROM JURISDICTION TO JURISDICTION.

General Provisions
Limitation on Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL
DIGITALPERSONA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE
OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
BUSINESS PROFITS, GOODWILL, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, BREACH OF
COMPUTER SECURITY SYSTEMS OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY
TO USE THE SYSTEM EVEN IF DIGITALPERSONA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE ENTIRE RISK OF ACCURACY AND SATISFACTORY PERFORMANCE OF THE SYSTEM IS WITH YOU.
DIGITALPERSONA DOES NOT GUARANTEE THAT THE SYSTEM WILL MEET ALL YOUR REQUIREMENTS OR ALL
REQUIREMENTS OF THE SOFTWARE OR HARDWARE WITH WHICH IT INTERACTS. IN NO EVENT WILL
DIGITALPERSONA'S LIABILITY FOR ANY CLAIM, WHETHER IN CONTRACT, TORT OR ANY OTHER THEORY OF
LIABILITY, EXCEED THE PURCHASE PRICE OF THE SYSTEM PAID BY YOU. Some jurisdictions do not allow these
exclusions or limitations, so such exclusions or limitations may not apply to you. The above limitations will not
apply in case of personal injury in countries other than U.S.A. and Canada only if and to the extent that such
limitations are expressly prohibited by applicable law.
Hazardous Use. The SYSTEM is not designed, made, or intended for use in an application where failure,
malfunction or inaccuracy of the SYSTEM may cause death, serious bodily injury, including, without limitation,
medical equipment, nuclear facilities, aircraft operation, air traffic control, life support. Any such use is
prohibited without the prior written consent of DigitalPersona. You agree that neither DigitalPersona nor its
suppliers, distributors or resellers will be liable, in whole or in part, for any claims, losses, costs or damages
arising out of or in connection with the use and performance of the SYSTEM in such applications. If you use the
SYSTEM for such applications without DigitalPersona's consent, you agree to indemnify, defend and hold
DigitalPersona harmless from all claims, actions, losses, liabilities, damages, costs and expenses (including
attorney fees) arising out of or relating to such prohibited uses.
Reverse Engineering. You may not reverse engineer, de-compile, or dis-assemble the SYSTEM in whole or in
part; nor shall you attempt to recreate the source code from the object code of the SOFTWARE PRODUCT. Any
other activity regarding the form or substance of the SYSTEM will be allowed only to the extent such activity is
expressly permitted by applicable law.

Export Controls. You agree that you will not directly or indirectly export the SYSTEM and related technical data
in violation of Export Administration regulations of the U.S. Department of Commerce and other applicable
laws. You further agree that you will not export, re-export, divert or transfer the SYSTEM (a) into, or to a national
or resident of any country to which the United States has embargoed goods, (b) or to anyone included in the
U.S. government List of Specially Designated Nationals, the Table of Denial Orders, the Entity List, (c) or to
anyone involved in the manufacturing and proliferation of weapons in violation of U.S. applicable laws. By
using the SYSTEM you are representing and warranting that you are not located in, or under the control of, or a
national resident of any such country or on any such lists, or involved in any such activity.
U.S. Government Rights. If you are an agency or instrumentality of the United States Government, the
Software and Documentation included in the SOFTWARE PRODUCT are commercial computer software and
commercial computer software documentation, and pursuant to FAR 12.212 or DFARS 227.7202, and their
successors, as applicable, use, reproduction and disclosure of the Software and Documentation are governed
by the terms of the End User License Agreement.

Index

Symbols
_IDpOnlineEvents event interface 55

A
account modification 17, 49
account modification fingerprint registration event handlers 51
account modification form event handlers 53
account modifications event handler 51
ActiveX Control API reference 55
adding the AppControl ASP or JSP file 38
additional resources 12
API reference for ActiveX Control 55
AppAddress property 56
AppId property 56
applications table 22
audience for this guide 8, 30
authenticating with DigitalPersona Online 16
authentication 42
authentication server database 22
AuthenticationComplete event method 57
AuthenticationFailed event method 58
AuthServerAddress property 56
AuthServerReady event method 58

B
BadVersion event method 58

C
chapters, overview of 9
code integration guidelines 36
CompleteAuthentication method 55
connecting to databases 25
CredentialsComplete event method 58

D
database security and privacy by design 27
deploying DigitalPersona Online 13
DigitalPersona Developer Connection Forum, URL to 12
distributing client software 28
DpOnlineClient.dll 59
DpOnlineClient.DpOnline component 55
    event interface 55
    event methods 57 (see also individual event methods by name)
    interface 55
    library 59
    methods 55 (see also individual methods by name)
    properties 56 (see also individual properties by name)
    syserror codes 59

E
EnterPassword event method 58
EnterUser event method 58
event interfaces, DpOnlineClient.DpOnline component 55
event methods, DpOnlineClient.DpOnline component 57 (see also individual event methods by name)

F
fingerprint authentication event handlers 46
fingerprint recognition, guide to 12
fingerprint registration event handler 41
Flags property 57
functional overview 13

H
hardware requirements 18, 30, 32

I
IDpOnline interface 55
implementing account modification process in Web pages 50
implementing the authentication process in Web pages 44
implementing the registration process in Web pages 40
InitAuthentication method 55
initializing and embedding the ActiveX control 36
integrating DigitalPersona Online in Web applications 39
interfaces, DpOnlineClient.DpOnline component 55
InvalidPassword event method 58
InvalidUser event method 58

L
library, DpOnlineClient.DpOnline component 59
limited warranties and service 61
Loaded property 57

M
methods, DpOnlineClient.DpOnline component 55 (see also individual methods by name)
Mpassword property 57
Muser property 57

N
NotRegistered event method 58

O
operation data, other 26
operation field data 26
overview of chapters 9

P
privacy by design and database security 27
properties, DpOnlineClient.DpOnline component 56 (see also individual properties by name)

R
records table 22
Register method 55
registering user credentials 14
registration 39
registration form event handler 42
RegistrationCancelled event method 59
RegistrationComplete event method 59
resources, additional (see additional resources)

S
session table 24
software requirements 18, 30, 32
syserror codes, DpOnlineClient.DpOnline component 59
SysError event method 59

T
target audience for this guide 8, 30

U
uareuonlinesessions database 24
uareuonlineusers database 22
uninstalling authentication server software 29, 35
Update method 56
updates for DigitalPersona software products, URL for downloading 12
URL
    DigitalPersona Developer Connection Forum 12
    Updates for DigitalPersona Software Products 12
usagelog table 23
using a DigitalPersona Online-Secured Web application 13

W
warranties and general provisions 61
Web site
    DigitalPersona Developer Connection Forum 12
    Updates for DigitalPersona Software Products 12
