Fingerprint Adjudication and Deduplication
DigitalPersona adjudication and deduplication is the process of identifying and handling situations where one or more users have fingerprints that are significantly similar (duplicates).
During fingerprint identification and during fingerprint enrollment, if the matching score between a fingerprint being enrolled and one existing in the DigitalPersona database for another user is higher than the specified threshold, the result of the query is treated as a genuine match. This is called a false accept.
Raising the FAR (false accept rate) policy setting can mitigate this somewhat (see the Fingerprint verification setting), but it also increases the FRR (false reject rate), whereby some genuine users are not matched when presenting a fingerprint. There is therefore always a tradeoff between the FAR and the FRR.
When a duplicate is identified, what happens next depends on whether identification or enrollment is being performed.
Identification
The default DigitalPersona client behavior is to perform identification locally first through the local cache, and if it fails (and a connection to the DigitalPersona Server is available) identification is attempted on the server. If multiple candidates are found, the response is a no match and an error message is written to the appropriate event log.
Enrollment
When a user enrolls a fingerprint that is a duplicate of a fingerprint already in the DigitalPersona database, the following events occur:
- The fingerprint data (template) for the finger being enrolled will be discarded.
- The record (template) for the matched fingerprint will be deleted from the database.
  This means that the original user of the matched fingerprint will no longer be able to authenticate with that finger and may need to enroll another finger to meet any minimum number of enrolled fingerprints defined by the Fingerprint Enrollment policy in force.
- A message displays: "The fingerprint cannot be enrolled. Contact your administrator for more information."
- The DigitalPersona Administrator is notified by the system writing two duplicate fingerprint found events to the event log on the DigitalPersona LDS Server.
  One event with the new enrollee name and the number of the finger being enrolled, and another with the same information for the matched fingerprint.
The administrator needs to review the event log on a regular basis and follow up to determine the cause of the duplication. In most cases, they should delete the duplicate fingerprints from the database and re-enroll them.
Cautions
Even after a duplicate fingerprint has been identified, when local caching is enabled (the default), the original user may in some cases be able to continue using their fingerprint for authentication and identification, for example when providing User Name+Fingerprint. In most cases, upon successful logon, the cache will be refreshed and that original user’s duplicated fingerprint will no longer be valid.
Fingerprint Identifiers
In events written to the event log, fingerprints and duplicate fingerprints are identified using the numbers in the following table.
Finger | # |
---|---|
Left pinky finger | 0 |
Left ring finger | 1 |
Left middle finger | 2 |
Left index finger | 3 |
Left thumb | 4 |
Right thumb | 5 |
Right index finger | 6 |
Right middle finger | 7 |
Right ring finger | 8 |
Right pinky finger | 9 |
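One way to triage the duplicate fingerprint found events during the regular event log review described under Enrollment, as an added example that is not DigitalPersona code. The CSV layout, the user names and the assumption that the enrollee's event is written before the matched user's event are constructed for illustration; only the finger numbers come from the table above.

```python
import csv
import io
from collections import defaultdict

# Finger numbers 0-9 exactly as listed in the identifier table.
FINGERS = ["Left pinky finger", "Left ring finger", "Left middle finger",
           "Left index finger", "Left thumb", "Right thumb", "Right index finger",
           "Right middle finger", "Right ring finger", "Right pinky finger"]

# Constructed sample export: two events per duplicate. Column layout is assumed.
SAMPLE_EXPORT = """time,user,finger
2024-03-04T09:12:01,newhire1,6
2024-03-04T09:12:01,asmith,6
2024-03-05T14:40:17,temp22,3
2024-03-05T14:40:17,asmith,7
2024-03-06T08:03:55,newhire1,1
2024-03-06T08:03:55,bjones,1
"""

def finger_name(value):
    """Translate an event's finger number, rejecting anything outside 0-9."""
    number = int(value)
    if not 0 <= number < len(FINGERS):
        raise ValueError(f"unknown finger number: {value}")
    return FINGERS[number]

def pair_duplicates(export_text):
    """Merge each enrollee event with the matched-user event that follows it."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    if len(rows) % 2:
        raise ValueError("odd number of events: one incident lacks its partner")
    return [{
        "time": enrollee["time"],
        "enrollee": enrollee["user"],
        "rejected_finger": finger_name(enrollee["finger"]),
        "matched_user": matched["user"],
        "deleted_finger": finger_name(matched["finger"]),
    } for enrollee, matched in zip(rows[0::2], rows[1::2])]

def reenrollment_worklist(incidents):
    """Matched users lose their template, so list what each must re-enroll."""
    work = defaultdict(list)
    for incident in incidents:
        work[incident["matched_user"]].append(incident["deleted_finger"])
    return dict(work)

if __name__ == "__main__":
    for user, fingers in reenrollment_worklist(pair_duplicates(SAMPLE_EXPORT)).items():
        print(f"{user}: re-enroll {', '.join(fingers)}")
```

A user who appears repeatedly in the worklist, or an enrollee who collides with several different accounts, is worth following up first when determining the cause of the duplication.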