Using DigitalPersona Web-Based Enrollment

HID DigitalPersona Enrollment is a web-based application that provides both attended (supervised) and unattended (self) enrollment and management of DigitalPersona credentials.

It is compatible with most web browsers on popular desktop and mobile platforms.

HID DigitalPersona Enrollment is an optional component included in the DigitalPersona Web Management Components package. For instructions on installing the package, see Installing the Web Management Components.

By default, HID DigitalPersona Enrollment is configured to allow both attended enrollment and self enrollment by end users.

The interface is slightly different depending on whether a user is self-enrolling their credentials or enrollment is attended:

  • Attended enrollment - If the Require enrolling or omitting each credential GPO is enabled, each tile displays both an Add and an Omit label. All displayed credentials must either be enrolled or specifically omitted with a reason given for the omission.

  • Self-enrollment - There is no Omit label, since the UI does not require specific credentials to be enrolled.

Domain Administrators, DigitalPersona Administrators and Local Administrators on the machine where the Web Management Components package was installed are automatically assigned permissions to enroll other users.

Additional persons or groups can be assigned the Register/Delete Fingerprint (DigitalPersona) permission to enroll other users as well, and permission can be removed from any of the default groups.

Note: The Register/Delete Fingerprint (DigitalPersona) permission actually affects all DigitalPersona credentials, not just fingerprints. The ability for end-users to enroll and manage their own credentials can also be disabled (see Customizing HID DigitalPersona Enrollment).

Prerequisites: To use HID DigitalPersona Enrollment to enroll credentials that require a peripheral device (such as a fingerprint or card reader) a DigitalPersona client must also be installed on the same (Windows) computer such as:

Use of the One-Time Password (OTP) Push Notification or SMS features with the One-Time Password credential requires the administrator to create an account on the Push Notification Server and then enable and configure the OTP GPO in Active Directory.

Accessing HID DigitalPersona Enrollment

Access to HID DigitalPersona Enrollment is through a URL created during installation and provided on the final page of the Web Management Components installation wizard.

Navigating to the URL will first display the DigitalPersona Identity Server page for authentication, and upon successful authentication will then open the HID DigitalPersona Enrollment application.

Prior to enrolling any credentials, users can log in with the Active Directory account name and password.

Once additional credentials have been enrolled, they can use any of those credentials or credential combinations to log in (as specified by any authentication policy in force).

Selecting a User for Attended Enrollment

Any domain user with the Register/Delete Fingerprint (DigitalPersona) privilege assigned can select a user for credential enrollment or modification either from within the HID DigitalPersona Administration Console (described in Managing Your Users) or directly from the HID DigitalPersona Enrollment component.

To select a user for credential enrollment or modification:

  1. After authentication through the DigitalPersona Identity Server, enter the name of the user to manage.

    As soon as the first character of the name is entered, the Manage user button is enabled.

  2. Click Manage user.

    The Credential Manager page displays.

Self Enrollment

To self enroll (that is, manage a user’s own credentials through HID DigitalPersona Enrollment):

  1. Navigate to the URL provided for HID DigitalPersona Enrollment.

  2. After authentication through the DigitalPersona Identity Server, click the Self enrollment button.

The Credential Manager page displays.

Credential Enrollment

Once a user is either selected by an administrator or logged in (if self-enrollment has been enabled), the Credential Manager page displays.

The Credential Manager page is the central location within HID DigitalPersona Enrollment where a user’s credentials can be enrolled and managed.

The tiles on the page, representing credentials and other information that may be captured by DigitalPersona in relation to a specific user, give access to pages where this information may be provided. Once a credential has been enrolled, the word ADD will be replaced with CHANGE.

The first time, within a browser session, that a user clicks a credential tile, they will be asked to verify their identity by submitting a previously enrolled credential. This may be their password or any other DigitalPersona credential that has been enrolled for their account.

Note: A Bluetooth credential is not available during HID DigitalPersona Enrollment. This is because Bluetooth enrollment pairs the associated device directly with the machine where it is being enrolled, and most users will not be using a Bluetooth device to authenticate on the HID DigitalPersona Enrollment machine. The user can self-enroll a Bluetooth device using the Credential Manager on the required workstation.

Password Credential

The Password tile launches the Change password window, where a user can change their Windows password by entering their current password, and then creating and confirming a new password.

Fingerprints Credential

If there is a supported fingerprint reader or ten-print scanner built into or connected to your computer, you can enroll and manage a user’s fingerprints.

Select the Fingerprints tile to display the Fingerprints page, where you can enroll a user’s fingerprints credential.

Enroll a Fingerprint

  1. Click the Fingerprints tile to display the Enroll your Fingerprints window.

  2. Select a finger in the displayed hand image.

  3. Scan the selected finger as many times as necessary to enroll the fingerprint. Successful scans will show a temporary blue background on the fingerprint icon.

    When an adequate number of images have been captured, this window will close automatically and the Enroll your Fingerprints window will redisplay.

    Note: Verification by both the Security Officer and the user may be required before the fingerprint credential is saved.

  4. Click Close to return to the Credential Manager page.

Important: If any fingerprint being enrolled during this session, prior to clicking Save, is found to be a duplicate of an existing fingerprint for another user, the other user’s matched fingerprint will be deleted and the current user’s pending fingerprints will not be saved. An error message will display: The fingerprint cannot be enrolled. Contact your administrator for more information.

Delete a Fingerprint

To delete a single fingerprint:

  1. Click any highlighted finger.

  2. Confirm the deletion by clicking Yes in the message box that displays.

To delete the entire fingerprint credential:

  1. Once the credential has been enrolled, a Delete All Fingerprints button is added to the Enroll your fingerprints window.

  2. Click Delete All Fingerprints and then click Yes in the message box that displays to confirm the deletion.

Cards Credential

This tile provides a means for enrolling a user’s Contactless Writable or Contactless ID Card credential.

Enroll a Contactless Card Credential

  1. Click Add or Change on the Cards tile to display the Manage your Cards window.

  2. Place your Contactless Card very close to the reader.

  3. Click Enroll this card.

  4. Then click Close.

Delete all Enrolled Cards

Click Delete All Cards. Individual enrolled cards cannot be deleted separately.

PIN Credential

This tile provides a means for enrolling a user’s PIN credential.

A PIN is a credential composed of user-selected characters. A PIN is often used in combination with another credential to easily enhance its security.

A PIN may be used as a credential for authentication, when combined with an additional supported credential as defined by the Logon or Session Policy in force.

Note:  
  • As with Windows Hello for Business, you cannot enroll weak PINs in DigitalPersona. According to Microsoft, a weak PIN has a constant delta from one digit to the next, for example, 1111 or 2468. This algorithm does not apply to alphanumeric PINs.

  • This PIN should not be confused with a PKI Smart Card PIN which is used as part of a PKI Smart Card credential.
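The weak-PIN rule described in the note above, worked through as an added example (this is not DigitalPersona's own code): a numeric PIN is rejected when every digit-to-digit delta is the same, alphanumeric PINs are exempt, and the enrollment step's four-digit length and confirmation match are checked at the same time. The `validate_pin_enrollment` helper and its `length` parameter are assumptions for illustration.

```python
"""Weak-PIN check modelled on the rule this page describes: a numeric PIN is
weak when the delta between each digit and the next is constant (1111 has
delta 0, 2468 delta 2, 1234 delta 1, 9753 delta -2).  Alphanumeric PINs are
not subject to the rule.  Added example; not DigitalPersona's own code."""
from typing import Tuple


def is_weak_pin(pin: str) -> bool:
    """Return True when `pin` has a constant digit-to-digit delta.

    Non-numeric PINs return False because the page states the rule does not
    apply to alphanumeric PINs.  A PIN of a single digit is treated as weak
    (assumption: there is nothing to vary).  Wrap-around sequences such as
    8901 are NOT flagged; the page does not describe modular deltas.
    """
    if not pin.isdigit():
        return False
    digits = [int(ch) for ch in pin]
    deltas = {b - a for a, b in zip(digits, digits[1:])}
    return len(deltas) <= 1


def validate_pin_enrollment(pin: str, confirm: str, length: int = 4) -> Tuple[bool, str]:
    """Server-side checks for the 'enter and confirm a four-digit PIN' step.

    Returns (accepted, reason).  `length` defaults to 4 as the enrollment
    step on this page requires; the helper itself is an illustration.
    """
    if pin != confirm:
        return False, "PIN and confirmation do not match"
    if len(pin) != length:
        return False, f"PIN must be exactly {length} characters"
    if is_weak_pin(pin):
        return False, "PIN is weak: constant delta between consecutive digits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample PINs, not taken from the product.
    for candidate in ("1111", "2468", "9753", "1245", "2580", "a1b2"):
        print(candidate, "weak" if is_weak_pin(candidate) else "accepted")
```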

To enroll a PIN credential:

  1. Click the PIN tile to display the PIN window.

  2. Enter and confirm a four-digit PIN.

  3. Click Save.

One-Time Password Credential

A One-Time Password (OTP) credential uses an automatically generated time-sensitive numeric code for authentication.

The OTP credential can be used for authentication to the DigitalPersona Identity Server, for providing access to the HID DigitalPersona Administration Console and HID DigitalPersona Enrollment, as well as for verifying your identity when enrolling or managing credentials.

A QR Code scanner app on your device will greatly simplify the enrollment process for the software-based tokens, by automating the entry of required account information, but is not required as manual entry of the information is also possible.

The verification code may be generated in one of the following ways:

  • Authenticator app - a software token is generated by a special authenticator app on a user’s mobile device, and the resulting time-sensitive code is used for authentication.

  • OTP Push Notification - a software token is generated by DigitalPersona and sent to a mobile device where the user can Accept or Deny its use for authentication. This feature is only available through the DigitalPersona authentication app. Although generation of the OTP is supported in third party authentication apps, Push Notification is only available through the DigitalPersona app.

  • OTP via SMS - a software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to a mobile device through SMS.

  • Hardware token - a dedicated hardware device generates a time-sensitive code used for authentication. The hardware token must be an OATH-compliant TOTP (Time-based One-Time Password) device.

  • OTP via email - a software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to the user’s email address. By default, this option is not configured (and therefore unavailable to users), but can be enabled by the administrator through the Send OTP by email GPO setting.

    Also a valid SMTP server must be specified during configuration of the DigitalPersona Web Management Components package.

OTP Enrollment

The steps in the enrollment of an OTP credential differ slightly based on the type of OTP credential described above.

Authenticator App and Push Notification

Enrollment of an OTP credential to be used with an authenticator app will also automatically include the ability to make use of OTP Push Notification (when using the DigitalPersona app only), after the following steps have been taken:

  • The implementation team has created a tenant record for you in the CPNS service.

  • The associated OTP GPO settings have been enabled and configured by a DigitalPersona administrator as described in OTP policy settings.

  • Each user must allow notification during the app installation, or enable notifications for the DigitalPersona app in Settings/Notifications/DigitalPersona after installation.

During enrollment, you may choose not to use OTP Push Notification by selecting Decline on the Push Authentication page, in which case, you can still use regular (non-push) OTP.

Important: If you do not select ACCEPT on the Push Notification page, Push Notification will not be enabled. If you want to enable it in the future, you can do so by navigating to the DigitalPersona App in Settings/Notifications on your iOS device or the equivalent location on your Android device.

From a link in the One-Time Password window, you can download an OTP authentication app from various platform-centric app stores, and then enroll the OTP credential for use with the authenticator app (and OTP Push Notification, if configured and in the DigitalPersona app only) by scanning the QR Code shown on the screen or by manually entering the information required to create a DigitalPersona account in the authentication app.

The steps to enrolling a software-based OTP token to be used with an authenticator app or OTP Push Notification are:

  1. Download an authenticator app

  2. Set up a DigitalPersona account on your device

  3. Sign in to the DigitalPersona Mobile app

  4. Enroll the credential in the DigitalPersona Console

Download an authenticator app

  1. From the Enroll a One-Time Password window, click the Download phone app link to display the QR Code for downloading and installing an authentication app for your device. The window will display a new QR Code for downloading the app and a means to choose which app store to download it from.

  2. Select your device’s app store, and then scan the QR code provided or click the corresponding Download link.

    The DigitalPersona app is currently available in the Apple Store and on Google Play. For the Windows mobile platform, the Microsoft and Google Authenticator apps provide nearly identical functionality, although setup and enrollment steps may vary slightly.

  3. Scanning the QR code with a QR Code scanner app on your device is the simplest procedure. It will automatically open your device’s default web browser and display the product page for the selected Authenticator app so that you can download and install the app.

  4. Clicking the Download link shown above the QR Code will open the selected app store in your computer’s default browser. Some app stores may require signing in and/or downloading the app and copying it to your device.

    The instructions that follow are for the DigitalPersona app as installed on an iPhone. Instructions for the use of other authentication apps and devices may differ slightly.

Set up a DigitalPersona account on your device

  1. Launch the authentication app on your device. The first time the app is launched, the Register screen displays. Click OK to allow the DigitalPersona app to send you notifications. Then click Register.

  2. Enter and verify a six-digit passcode.

  3. On the Diagnostic and Usage page, accept the defaults or tap an option to deselect it.

  4. On the Accounts screen, click the Plus sign (+). You will be asked for permission to access your device’s camera. Tap OK if you want to use the camera to scan the QR Code for automatically creating your DigitalPersona Mobile account. If you click Don’t Allow, you will need to enter account information manually.

  5. You can create the required account on your device automatically by scanning the QR Code displayed in the Enroll a One-Time Password window, or by entering the account data manually.

    • Automatic account creation

      From the Scan QR Code tab, scan the displayed QR code. Do not scan the QR code that was used to download the app.

      If the Push Authentication Server has been previously set up by your DigitalPersona Administrator, Push Authentication will be automatically enabled for your device once you choose to Accept the associated Privacy Policy. If you choose to Decline the Privacy Policy, Push Authentication will not be enabled.

      Once the account information is displayed, tap Save. The DigitalPersona Mobile account will be created and the Accounts screen displayed with the new account and your first One-Time Password shown.

    • Manual account creation - manual account creation is not available in version 3.0 and above.

Sign in to the DigitalPersona Mobile app

Once you have registered as described in the previous pages, you can sign in to the app as follows:

  1. Launch the DigitalPersona app.

  2. Sign In:

    • Fingerprint enabled devices - you can enable fingerprint authentication to the DigitalPersona Mobile app by selecting Enable TouchID on the Sign In screen or later in the DigitalPersona Mobile Settings.

      Then touch the fingerprint sensor to sign in.

    • Non-fingerprint enabled devices - tap Sign In and then enter your six-digit DigitalPersona Mobile passcode.

Enroll the credential in the DigitalPersona Console

  1. On your computer, open the Enroll a One-Time Password window.

  2. On your device, sign in to the DigitalPersona Mobile app.

  3. On your computer, at the bottom of the window, enter the six-digit One-Time Password displayed in the app and click Save.

SMS OTP

On the Credential Manager, One-Time Password page, you can enroll an OTP credential that will transparently generate a time-sensitive code that is sent to your mobile device and display a notification asking you to Allow or Deny its use for authentication.

Note: The OTP displayed in the authentication app changes every 30 seconds and the code on a hardware token device generally changes every 30 to 60 seconds, depending on the manufacturer and any optional configuration (using the SMS GPO) by the administrator.

Enrollment of the SMS delivery feature requires that a DigitalPersona administrator has previously created a Nexmo (https://www.nexmo.com) account and entered Nexmo account information into the OTP setting on the DigitalPersona Server, as described in Security\SMS.

To enroll the OTP via SMS credential:

  1. In the Enroll One-Time Password window, click the SMS OTP tab.

  2. Enter the number (country code and full phone number) for the mobile device where you would like to receive a One-Time Password through SMS delivery.

  3. Click the arrow next to the phone number field.

  4. You will receive an SMS message on your mobile device containing a six-digit One-Time Password.

  5. On your computer, enter the One-Time Password into the One-Time Password field and click Save.

    The Credential Manager page will re-display and the One-Time Password tile will now show a Change caption, indicating that a One-Time Password credential has been successfully enrolled.

OTP Hardware Token

On the Credential Manager, One-Time Password page, you can enroll a hardware token as a DigitalPersona credential. The hardware device can then be used to generate a code for authentication.

Note: Hardware tokens must be OATH compliant TOTP (Time-based One-Time Password) devices.
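The OATH TOTP mechanism behind the hardware token, authenticator app and the 30 s / 30 to 60 s refresh periods noted on this page, as an added verifier example (not DigitalPersona's code): HOTP per RFC 4226, TOTP per RFC 6238, and a check that tolerates one step of clock drift while refusing to accept a code for a step that has already been consumed. The `verify_totp` helper, its `window` and `last_counter` parameters, and the use of the RFC reference seed are assumptions for illustration.

```python
"""OATH TOTP (RFC 6238 over RFC 4226 HOTP) as an added verification example;
this is not DigitalPersona's code.  It shows why the verifier must know each
token's time step (30 s for the app, 30 or 60 s for hardware tokens depending
on the vendor) and how to tolerate clock drift without accepting replays."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second
    periods elapsed since the Unix epoch (T0 = 0)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check `submitted` against the current period and +/-`window` periods.

    Returns (accepted, counter).  The caller should persist the returned
    counter per credential and pass it back as `last_counter`, which makes
    every code single-use even inside the drift window (assumed design).
    """
    now = at // step
    for delta in range(-window, window + 1):
        candidate = now + delta
        if last_counter is not None and candidate <= last_counter:
            continue  # already consumed (or older): reject replay
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, None


if __name__ == "__main__":
    # RFC 6238 reference seed (ASCII "12345678901234567890"); a real token's
    # seed comes from the vendor seed file or the enrollment QR code.
    seed = b"12345678901234567890"
    print("app token, 30 s step, t=59 :", totp(seed, 59))
    print("hw token,  60 s step, t=59 :", totp(seed, 59, step=60))
```

A token configured for a 60-second step yields a different code at the same instant than a 30-second one, which is why the step must be recorded with the seed at import time.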

Typical hardware tokens:

To enroll an OTP credential using a hardware token:

  1. From the Enroll a One-Time Password window, select the Hardware Token tab.

  2. Enter the serial number for your hardware token, which is usually found on the back of the device.

    Note: A vendor supplied seed file that is associated with a specific set of hardware tokens must have been previously imported to the DigitalPersona Server before the hardware token can be enrolled (see Hardware Tokens Management Utility).

  3. Activate your hardware device. On some hardware tokens, you will simply need to press a button to do so, on others you will need to enter a preselected PIN to display the valid code on your device.

  4. Enter the verification code displayed on your device and click Save.

OTP via Email Enrollment

Prerequisites: To authenticate using OTP via SMS or OTP via email, the user’s workstation must be able to connect to the DigitalPersona AD Server, either within the network, through a VPN or using the VPN-less (web proxy) feature which is enabled through the Allow VPN-less access GPO setting.

If enabled by the administrator, a software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to the user’s Active Directory email address. By default, this option is not configured (and therefore unavailable to users), but can be enabled by the administrator through the Send OTP by email GPO setting.

Also a valid SMTP server must be specified during configuration of the DigitalPersona Web Management Components package or through the SMS Configuration GPO setting.

Once enabled, the option to have a One-Time Password sent to the user’s email address is automatically available (enrolled) upon completing the enrollment of any of the other types of OTP credentials described above.

Authentication with a One-Time Password

To authenticate with your One-Time Password, use one of the following options depending on from where you are authenticating:

  • At Windows logon, select Sign-in options and then select the One-Time Password (or OTP) tile to display One-Time Password options.

  • On the DigitalPersona Identity Server or Verify your Identity screen, select the One-Time Password (or OTP) tile.

You can use an OTP credential in any of the following ways:

  • Select Send push notification to send a One-Time Password to your enrolled mobile device allowing you to Approve or Deny authentication.

  • Select Send SMS to send an SMS message to your enrolled mobile device with a One-Time Password that you can enter on your computer for authentication.

  • Launch your previously registered authentication app on your mobile device and enter the resulting One-Time Password into the entry field on your computer.

  • Activate the display on an enrolled hardware token, and enter the displayed One-Time Password on your computer.

In most cases, enter your One-Time Password into the One-Time Password field on your computer screen and select the arrow button. When using push notification, you do not need to enter the code on your computer, as tapping Approve or Deny on your mobile device automatically authenticates to your computer.

Note: The OTP displayed in the authentication app changes every 30 seconds and the code on a hardware token device generally changes every 30 to 60 seconds, depending on the manufacturer and any optional configuration by your administrator.

To change your OTP credential:

Once the credential has been enrolled, the word CHANGE will display beneath the OTP tile.

  1. On the Credential Manager page, click CHANGE.

  2. Confirm that you want to delete the current OTP credential and enroll a new credential.

  3. Enroll the new OTP credential, or click Cancel to return to the Credential Manager page without enrolling a new OTP credential.

To delete your OTP credential:

  1. Once the credential has been enrolled, the word DELETE will display beneath the OTP tile.

  2. On the Credential Manager page, click DELETE.

  3. Confirm the deletion.

Recovery Questions Credential

The Recovery Questions credential allows a DigitalPersona user to regain access to their Windows account by answering a series of questions that have been previously configured.

The Recovery Questions page provides a means to set up a user’s Recovery Questions.

Administrators can configure the list of security questions displayed or create custom questions through the Recovery Questions GPO setting.

To use this recovery credential to gain access to a computer, a user must have previously logged on to the same computer at least once with another valid credential.

Note:  
  • For DigitalPersona Workstation, this feature is optional and must be explicitly configured by the DigitalPersona Administrator through the Recovery Questions GPO setting.

  • This feature is not available in the DigitalPersona Kiosk products.

To set up a user’s Recovery Questions:

  1. Click the Recovery Questions tile to display the Recovery Questions window.

  2. The user selects their questions from those available from the drop-down menus, and enters their unique answers.

    They can also write their own Custom questions by selecting the Custom question from the menu.

    Important:  
    • Each answer must be unique. Providing the same answer for different questions is not supported.

    • The answers to Recovery Questions are not case-sensitive.

  3. Click Save.

Passkey (Device-Bound) Credential

A passkey is a type of passwordless digital credential that is used as an authentication method. From a technical standpoint, passkeys are FIDO-based credentials that are discoverable by browsers or housed within native applications, or security keys for passwordless authentication.

Passkeys that are synced between a user's devices via a cloud service are generally referred to as "synced passkeys", while ones that never leave a single device are referred to as "device-bound passkeys".

The device-bound passkey credential is represented by the Passkey (device-bound) tile.

Note:  
  • Beginning with DigitalPersona version 3.4, passkey devices are supported via the FIDO2 protocol.

  • FIDO U2F is no longer supported, and any previously enrolled passkeys need to be re-enrolled with DigitalPersona 3.4 or a newer version.

Enroll a Passkey (Device-Bound) Credential

  1. In the DigitalPersona Enrollment window, click the Passkey (device-bound) tile.

    Note: User authentication may be required.

  2. Insert your passkey and click Enroll to begin enrolling your device.

    A device selection dialog may be displayed next.

  3. If you are prompted to select where to save the passkey, select the option to use a Security key.

  4. Then follow any onscreen instructions provided in the following Windows dialogs.

    Depending on your passkey, you may be prompted to provide or create a PIN and to touch your security key.

    Upon successful enrollment, CHANGE is added to the top of the passkey credential icon.

To delete a Passkey (device-bound) credential:

  1. In the DigitalPersona Enrollment window, click the Passkey (device-bound) tile.

    If a passkey has been enrolled, the following dialog will display.

  2. In the Delete Credential dialog, click OK to confirm deletion of your passkey.

To change a Passkey (device-bound) credential:

  1. First delete the previously enrolled Passkey (device-bound) credential.

  2. Then enroll a new Passkey (device-bound) as described above.

Authenticate with a Passkey (Device-Bound) Credential

  1. In the DigitalPersona Identity Server or Verify your Identity window, select the Passkey (device-bound) tile.

  2. Follow any onscreen instructions.

    Depending on your passkey and any authentication settings, you may be prompted to provide your PIN and to touch your Security Key.

After touching your enrolled passkey, you will be automatically signed in.

Passkey Biometrics Support

Passkey Biometrics is an authentication system that leverages a user's biometric characteristics, such as their fingerprints, to enable true passwordless access to protected resources.

To enroll a Passkey Biometrics device with an embedded fingerprint reader (YubiKey Bio, TrustKey G320, etc.):

  1. Enroll your fingerprint using the program supplied with the Passkey Biometrics device.

  2. Then enroll the Passkey (device-bound) credential using the steps as described above.

To authenticate with a Passkey Biometrics device:

  1. Insert the device into a USB port.

  2. When prompted, touch the device's fingerprint reader with a previously enrolled finger.

Note: After multiple fingerprint authentication failures, you will be prompted to type your passkey's PIN to proceed.

Face Credential

This tile provides a means for enrolling a user’s Face credential.

Note: The Face credential is not enabled by default. In order to use this credential:
  • A separate Face credential license must be purchased and installed on the same machine as the DigitalPersona Server.

  • The Enrollment GPO must be enabled and the Face credential selected.

  • Your computer must have a built-in or connected camera to enroll a Face credential.

To enroll a Face credential:

  1. Click the Face tile to display the Enroll your Face dialog.

  2. If multiple cameras are available, select a camera from the drop-down list that will be displayed.

  3. Click Enroll and look straight into the camera.

  4. Wait until the system completes capturing your image. When successful, the process should look like this.

During the capture process, various messages may appear if the lighting is not adequate, you are too near or too far away, or when multiple faces are detected.

To change your Face credential:

Once your Face credential has been enrolled, the label on the Face tile will be 'CHANGE'.

  1. Click CHANGE.

  2. In the Delete Credential dialog, click OK to delete your current credential.

    The following message displays: The credential has been successfully removed.

  3. You can now re-enroll your Face credential.

To delete your Face credential:

  1. Click CHANGE on the Face tile.

  2. In the Delete Credential dialog, click OK to delete your current credential.

    The following message displays: The credential has been successfully removed.

  3. Click Close.

Note: Enrollment of your Face credential using an IR (infrared) camera in bright daylight is not recommended. If the camera being used to enroll your Face credential is an IR camera, and it is being used in bright daylight, the Face credential will still be enrolled, but the image shown after enrollment may be too dark to see any features.

Passkey (Synced) Credential

A passkey is a type of passwordless digital credential that is used as an authentication method. From a technical standpoint, passkeys are FIDO-based credentials that are discoverable by browsers or housed within native applications, or security keys for passwordless authentication.

Passkeys that are synced between a user's devices via a cloud service are generally referred to as "synced passkeys", while ones that never leave a single device are referred to as "device-bound passkeys".

The synced passkey credential is represented by the Passkey (synced) tile.

Note:  
  • Beginning with DigitalPersona version 3.4, passkey devices are supported via the FIDO2 protocol.

  • FIDO U2F is no longer supported, and any previously enrolled passkeys need to be re-enrolled with DigitalPersona 3.4 or a newer version.

Enroll a Passkey (Synced) Credential

  1. In the HID DigitalPersona Enrollment window, click the Passkey (synced) tile.

  2. Click Enroll to begin enrolling your passkey.

  3. If the dialog on the above right displays, select the option to use a phone or tablet.

  4. On the next dialog, scan the displayed QR code using the camera on the mobile device where you want to create a passkey.

    Upon a successful scan, the Passkey enrollment is completed, and the top of the Passkey icon in the Web Enrollment window will now show the word CHANGE.

To delete a Passkey (synced) credential:

  1. In the HID DigitalPersona Enrollment window, click the Passkey (synced) tile.

    If a passkey is enrolled, the following dialog is shown.

  2. Click Delete Credential.

  3. In the confirmation dialog, click OK. Your current passkey will be deleted immediately.

To change a Passkey (synced) credential:

  1. First delete the previously enrolled Passkey (synced) credential.

  2. Then enroll a new passkey as described in Enroll a Passkey (Synced) Credential.

Authenticate with a Passkey (Synced) Credential

  1. In an HID DigitalPersona Identity Server or Verify your Identity window, click the Passkey (synced) tile.

  2. On the dialog that displays, scan the displayed QR code using the camera on the mobile device that has your enrolled passkey on it.

Upon a successful scan, the Passkey authentication is completed.