MFA Guides

Biometric Method

The Biometric content area enables administrators to establish, configure, assign and maintain biometrics so users can authenticate to a system using fingerprint-based biometric authentication.

method_11.png

There are four Biometric content areas.

Table 14. Four biometric content areas

Profile List: summarizes the configured Contactless Profiles, including the configured PIN policy, card behavior options, and whether a PIN is required.

PIN Policies: lets organizations establish PIN usage policies and selection criteria for securing contactless cards protected with a PIN.

New Profile: lets organizations create custom profiles that pair a PIN policy with Sets and can be assigned to users.

New PIN Policy: lets organizations create custom PIN policies for contactless card authentication.



Biometric - Profile List

By default, RapidIdentity Server has a single profile for biometrics.

The Default profile contains a default PIN Policy with these settings.

Table 15. Default profile

Attempts before PIN becomes blocked: 3
Minimum PIN Length: 4
Repeated character limit: 3
Consecutive character limit: 3
Number of fingers user is required to enroll: 3
Require PIN: the user must provide a PIN in addition to a fingerprint to log in, but not to unlock a locked session.
Secure Logon Password (required): No. If set to "Yes", the user's password is randomized and unknown to the user upon enrollment.

Administrators can remove a profile by clicking Delete or edit a profile by clicking Edit.

Biometric - Edit Profile

After updating the profile, click Save or Discard to cancel.

method_12.png

Biometric - PIN Policies

PIN Policies enables administrators to create custom PIN policies and edit out-of-the-box PIN policies.

method_13.png

Initially, there are four PIN policies with varying degrees of security and the default PIN Policy is based on best practices.

Each PIN Policy can be edited, or administrators can create new PIN policies. Each PIN policy is assigned to a Profile, the Profile is assigned to a Set, and Sets are then assigned to users.

PIN Policies can be removed by clicking Delete or edited by clicking Edit.

Biometric - Edit PIN Policy

To edit a PIN Policy, click Edit.

method_14.png

After updating the policy criteria, click Save or Cancel to discard.

Table 16. Policy criteria

Attempts until PIN is Blocked: the number of incorrect attempts allowed before the RapidIdentity Windows Client blocks the user's login process.

Number of PINs to Keep in History: the number of previous PINs remembered; a PIN still in that history cannot be reused.

Minimum/Maximum PIN Length: the allowed length of the PIN used at enrollment and when logging in to the system.

PIN Expiration Days: how long a registered PIN remains valid before it expires.

PIN must meet complexity requirements: determines how complex the PIN must be.

Use Windows Password as PIN: the user's Active Directory password is used as the PIN.

No more than three repeated characters: the PIN cannot contain three repeated characters (example: 111, 444).

No more than three consecutive characters: the PIN cannot contain consecutive characters (example: 123, 456).

Must contain alpha and numeric characters: the PIN must contain both a letter and a number (example: A1B, C2D).

Must only contain numeric characters: the PIN can contain only numbers (example: 159, 753).

Must contain special characters: the PIN must contain a special character (example: !23, @34).

Risk-Based PIN: risk-based authentication prompts when the RapidIdentity Client detects a different type of authentication upon login.

Biometric - New Profile

In order to assign a new Profile to a Set, administrators must first create the new Profile.

Follow these 3 steps to create a new Profile:

  1. Click New Profile.

  2. Enter a Name and Description and modify the criteria as needed.

    method_15.png
    1. Choose Require a PIN for Workstation Logon if the user is to be prompted for a password when presenting their authentication method.

    2. Choose Do NOT Require PIN for Workstation Unlock if the user should NOT be asked for a password when the system is locked and they present their authentication method.

    3. Secure Logon Password defaults to No. If it is enabled, the user's password is randomized and unknown to the user when they present their finger to the reader.

  3. Click Save or Cancel to discard.

Biometric - New PIN Policy

To create a new PIN Policy, click New PIN Policy.

Name the new policy and adjust the criteria as necessary. When complete, click Save or Cancel to discard.

Table 17. New PIN Policy criteria

Attempts until PIN is Blocked: the number of incorrect attempts allowed before the RapidIdentity Windows Client blocks the user's login process.

Number of PINs to Keep in History: the number of previous PINs remembered; a PIN still in that history cannot be reused.

Minimum/Maximum PIN Length: the allowed length of the PIN used at enrollment and when logging in to the system.

PIN Expiration Days: how long a registered PIN remains valid before it expires.

PIN must meet complexity requirements: determines how complex the PIN must be.

Use Windows Password as PIN: the user's Active Directory password is used as the PIN.

No more than three repeated characters: the PIN cannot contain three repeated characters (example: 111, 444).

No more than three consecutive characters: the PIN cannot contain consecutive characters (example: 123, 456).

Must contain alpha and numeric characters: the PIN must contain both a letter and a number (example: A1B, C2D).

Must only contain numeric characters: the PIN can contain only numbers (example: 159, 753).

Must contain special characters: the PIN must contain a special character (example: !23, @34).

Risk-Based PIN: risk-based authentication (RBA) prompts when the RapidIdentity Windows Client detects a different type of authentication upon login.

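As an added illustration that is not RapidIdentity's own code, the following Python checker shows how the PIN criteria in the table above (and in Table 16) combine with the Default profile values from Table 15 (minimum length 4, history 3, block after 3 attempts). The PinPolicy field names, the maximum length of 8, and counting descending runs such as 321 as consecutive are assumptions.

```python
import re

class PinPolicy:
    """PIN policy criteria; defaults mirror the Default profile (field names and max_length are assumptions)."""
    def __init__(self, min_length=4, max_length=8, history_size=3, max_attempts=3, no_repeated=True,
                 no_consecutive=True, alpha_numeric=False, numeric_only=True, special=False):
        self.min_length, self.max_length, self.history_size = min_length, max_length, history_size
        self.max_attempts, self.no_repeated, self.no_consecutive = max_attempts, no_repeated, no_consecutive
        self.alpha_numeric, self.numeric_only, self.special = alpha_numeric, numeric_only, special

def has_run(pin, step, length=3):
    """True if some window of `length` characters advances by `step` code points each (0 = 111, 1 = 123, -1 = 321)."""
    for i in range(len(pin) - length + 1):
        w = pin[i:i + length]
        if all(ord(w[j + 1]) - ord(w[j]) == step for j in range(length - 1)):
            return True
    return False

def violations(pin, policy, history=()):
    """Return the policy rules a candidate PIN breaks; an empty list means the PIN is acceptable."""
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append("length")
    if policy.no_repeated and has_run(pin, 0):
        problems.append("repeated characters")
    # Assumption: descending runs (321) count as consecutive, not only the ascending examples on the page.
    if policy.no_consecutive and (has_run(pin, 1) or has_run(pin, -1)):
        problems.append("consecutive characters")
    if policy.alpha_numeric and not (re.search(r"[A-Za-z]", pin) and re.search(r"\d", pin)):
        problems.append("needs letter and digit")
    if policy.numeric_only and not pin.isdigit():
        problems.append("digits only")
    if policy.special and not re.search(r"[^A-Za-z0-9]", pin):
        problems.append("needs special character")
    recent = list(history)[-policy.history_size:] if policy.history_size else []  # "PINs to Keep in History"
    if pin in recent:
        problems.append("reused from history")
    return problems

class PinAttemptTracker:
    """Counts failed PIN attempts per user; once blocked, the user stays blocked until an administrator resets them."""
    def __init__(self, policy):
        self.policy, self.failures = policy, {}
    def blocked(self, user):
        return self.failures.get(user, 0) >= self.policy.max_attempts
    def record(self, user, success):
        """Register one attempt; returns True if the user is (now) blocked."""
        if not self.blocked(user):
            self.failures[user] = 0 if success else self.failures.get(user, 0) + 1
        return self.blocked(user)
```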


Special Configuration for Biometric Authentication

Required Biometric Configuration

Fingerprint biometric authentication requires additional configuration beyond RapidIdentity MFA Server Methods, Sets, and Profiles, and beyond RapidIdentity Windows Client enrollment.

The specific configuration depends on the RapidIdentity MFA implementation, and the additional configuration can include updating the Windows Group Policy Object (GPO), RapidIdentity MFA Server Side settings, and the Standalone RapidIdentity Windows Client.

Advisory

Administrators should also consider the biometric authentication use case relative to the supported RapidIdentity MFA Hardware and the hardware-software combination specific to their environment to ensure compatibility and a high probability of authenticating successfully.

Windows GPO Updates

The Windows GPO settings apply to a standalone machine; however, administrators can choose to push these GPO settings with the Domain Group Policy by using the Group Policy Management snap-in on a Domain Controller.

To update the Windows GPO settings, follow these 5 steps:

  1. Navigate to the Start Menu and type gpedit.msc. Press Enter.

  2. Navigate to Computer Configuration | Administrative Templates | Windows Components | Biometrics.

    method_17.png
  3. Right-click Allow the use of biometrics and select Edit.

  4. Select Enabled and click OK.

    method_18.png
  5. Repeat this process for Allow users to logon using biometrics, but select Disabled.

MFA Server updates

When RapidIdentity MFA Server and RapidIdentity Windows Client are configured to work together, it is necessary to update the MFA Server to facilitate biometric authentication with these 5 steps:

  1. Navigate to the Administrator’s Portal and access the Policies tab.

  2. Enter the corresponding DN or machine name(s) for which RapidIdentity Windows Client is installed.

  3. Define the policy and click Edit.

  4. Navigate to the Hardware tab, check Bio Device, and select WBF from the drop-down list.

    method_19.png
  5. Click Save.

Standalone Client updates

To enable biometric authentication with RapidIdentity Windows Client in standalone mode, follow these steps:

  1. On the machine on which RapidIdentity Windows Client is installed, authenticate as an administrator and open the Registry Editor (regedit).

  2. Navigate to HKEY_Local_Machine\Software\Foray.

  3. Create a new String with the Value name BioDevice and the Value data wbf.

    method_20.png
  4. Click OK and exit the Registry Editor.

Context

RapidIdentity MFA Server pushes this registry value to RapidIdentity Windows Client when the Client is not configured in Standalone mode, as illustrated in the preceding configuration.