Authentication and Credentials

The default, and simplest, means of authentication (that is, making sure that you are a person authorized to access a computer or other resource) is your Windows account name and password. Authentication is generally required in logging on to Windows, accessing network applications and resources, and logging into to websites.

DigitalPersona credentials are defined as:

Primary credentials which are considered stronger (more secure) than Secondary credentials, and include the following:
- Password
- Fingerprint
- PKI Smart cards
- Contactless Writable cards
- Contactless ID cards (when enabled as a single (Primary) credential by GPO)
- One-Time Passwords
- Face (requires a separate Face Authentication License)
- Passkey (device-bound and synced)
- RADIUS

The following Secondary credentials can only be used in combination with a Primary credential:
- Contactless ID card (except when enabled as Single (Primary) by GPO)
- PIN
- Bluetooth device

An additional Password Recovery credential can be used solely for recovering access to a managed client computer when other credentials fail, are forgotten password or are unavailable.

Note: Starting with the DigitalPersona 4.3 release, support for HMAC-SHA256 was added for TOTP-compliant hardware devices.

Note: By default:

User credentials are cached on the local DigitalPersona Workstation client, and not cached on a computer running the DigitalPersona Kiosk client
This means that DigitalPersona Workstation users will be authenticated without a connection to the DigitalPersona LDS Server, but DigitalPersona Kiosk users will not be authenticated if there is no connection to the DigitalPersona LDS Server (although caching can be enabled for the Kiosk client if desired).
Initial enrollment of end-user credentials is provided through the DigitalPersona Attended Enrollment component, which requires the supervising logged on user to have been previously assigned the permission to enroll Non AD users (see Using DigitalPersona Attended Enrollment)

PKI Smart Cards

If you would like to use PKI Smart Cards for DigitalPersona Windows Logon or to log in to services federated with the DigitalPersona Identity Provider (including the HID DigitalPersona Web Administration Console and HID DigitalPersona Enrollment), the cards must be initialized outside of the DigitalPersona platform and have a Windows Logon Certificate provisioned on the card.

To use PKI Smart Cards, you must have a PKI infrastructure as part of your environment. Setting up this environment is beyond the scope of this documentation. However, you can refer to Microsoft documentation for Microsoft Windows Server 2012 (the steps for later versions should be similar).

Note: PKI card support in DigitalPersona 3.2 is not compatible with our previously used Smart Card solution in DigitalPersona 3.1 and earlier versions.

Cards enrolled using DigitalPersona 3.1 cannot be used with a DigitalPersona 3.2 client, and cannot be used when a DigitalPersona 3.1 client communicates with a DigitalPersona 3.2 server, unless there is a Windows Logon Certificate on the card.