Authentication and Credentials

The default, and simplest, means of authentication (that is, verifying that you are a person authorized to access a computer or other resource) is your Windows account name and password. Authentication is generally required when logging on to Windows, accessing network applications and resources, and logging in to websites.

DigitalPersona credentials are defined as:

  • Primary credentials, which are considered stronger (more secure) than Secondary credentials and include the following:

    • Password

    • Fingerprint

    • Certificate-based PKI Smart cards

    • Contactless Writable cards

    • Contactless ID cards (when enabled as a single (Primary) credential by GPO)

    • One-Time Passwords

    • Face (requires a separate Face Authentication License and is not supported in web-based components)

    • Passkey (device-bound and synced)

An additional Self Password Recovery credential can be used solely for recovering access to a managed client computer in place of a forgotten password.

Note: By default:
  • User credentials are cached on the local DigitalPersona Workstation client, but not on a computer running the DigitalPersona Kiosk client

    This means that DigitalPersona Workstation users can be authenticated without a connection to the DigitalPersona AD Server, whereas DigitalPersona Kiosk users cannot be authenticated when there is no connection to the DigitalPersona AD Server (caching can be enabled for the Kiosk client if desired).

  • Initial enrollment of end-user credentials is provided through the DigitalPersona Attended Enrollment component, which requires the supervising, logged-on user to have been previously assigned the role of DigitalPersona Security Officer (see Using DigitalPersona Attended Enrollment)

PKI Smart Cards

If you would like to use PKI Smart Cards for DigitalPersona Windows Logon or to log in to services federated with the DigitalPersona Identity Provider (including the HID DigitalPersona Administration Console and HID DigitalPersona Enrollment), the cards must be initialized outside of the DigitalPersona platform and have a Windows Logon Certificate provisioned on the card.

To use PKI Smart Cards, you must have a PKI infrastructure as part of your environment. Setting up this environment is beyond the scope of this documentation. However, you can refer to Microsoft documentation for Microsoft Windows Server 2012 (the steps for later versions should be similar).

Note: PKI card support in DigitalPersona 3.2 is not compatible with our previously used Smart Card solution in DigitalPersona 3.1 and earlier versions.

Cards enrolled using DigitalPersona 3.1 cannot be used with a DigitalPersona 3.2 client, and cannot be used when a DigitalPersona 3.1 client communicates with a DigitalPersona 3.2 server, unless there is a Windows Logon Certificate on the card.
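Before enrolling a PKI smart card, or when deciding whether a card enrolled under DigitalPersona 3.1 can still be used, it is useful to confirm that the card actually carries a certificate that Windows will accept for smart card logon. The PowerShell script below is an added example for that check; it is not part of the DigitalPersona product or its documentation. It assumes the card is inserted and that the Windows Certificate Propagation service has copied the card's certificates into the current user's personal store (Cert:\CurrentUser\My), and it applies the conventional requirements for a Windows smart card logon certificate: the Smart Card Logon and Client Authentication enhanced key usages, a User Principal Name in the Subject Alternative Name, a private key on the card, and a chain that builds to a trusted root. The function name and the output fields are this example's own.

```powershell
# Added example: check certificates in the user's personal store against the
# usual requirements for a Windows smart card logon certificate.
# Assumption: the card is inserted and its certificates have been propagated
# into Cert:\CurrentUser\My by the Certificate Propagation service.

$ScLogonEku    = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$SanOid        = '2.5.29.17'                # Subject Alternative Name extension

function Test-SmartCardLogonCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        # EKU OIDs present on the certificate
        $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        # Windows maps the card to an AD account through the UPN carried in the SAN
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $upn = $null
        if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=(\S+)')) {
            $upn = $Matches[1]
        }

        # Build the chain with online revocation checking, as the logon process does
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($Certificate)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $hasScLogon    = $ekus -contains $ScLogonEku
        $hasClientAuth = $ekus -contains $ClientAuthEku
        $notExpired    = (Get-Date) -lt $Certificate.NotAfter -and (Get-Date) -ge $Certificate.NotBefore

        [pscustomobject]@{
            Subject           = $Certificate.Subject
            Thumbprint        = $Certificate.Thumbprint
            NotAfter          = $Certificate.NotAfter
            HasPrivateKey     = $Certificate.HasPrivateKey
            SmartCardLogonEku = $hasScLogon
            ClientAuthEku     = $hasClientAuth
            UserPrincipalName = $upn
            ChainBuilds       = $chainOk
            ChainStatus       = $chainStatus
            # Overall verdict: every conventional requirement met
            UsableForLogon    = ($hasScLogon -and $hasClientAuth -and $upn -and
                                 $Certificate.HasPrivateKey -and $notExpired -and $chainOk)
        }
    }
}

# Run the check against everything currently in the personal store
Get-ChildItem Cert:\CurrentUser\My |
    Test-SmartCardLogonCertificate |
    Format-Table Subject, UserPrincipalName, SmartCardLogonEku, ClientAuthEku, HasPrivateKey, ChainBuilds, UsableForLogon -AutoSize
```

A card that shows no certificate with UsableForLogon set to True has not been initialized with a Windows Logon Certificate and, per the note above, will not work for DigitalPersona 3.2 Windows Logon regardless of how it was enrolled. The built-in certutil -scinfo command reads the card directly and is a useful cross-check if nothing appears in the personal store, since that usually means the Certificate Propagation service has not run or the card's minidriver is missing.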