Using DigitalPersona Web-Based Enrollment

HID DigitalPersona Enrollment is a web-based application that provides both attended (supervised) and unattended (self) enrollment and management of DigitalPersona credentials.

It is compatible with most web browsers on popular desktop and mobile platforms.

HID DigitalPersona Enrollment is an optional component included in the DigitalPersona Web Management Components package. For instructions on installing the package, see Installing the Web Management Components.

By default, HID DigitalPersona Enrollment is configured to allow both attended enrollment and self enrollment by end users.

Domain Administrators, DigitalPersona Administrators and Local Administrators on the machine where the Web Management Components package was installed are automatically assigned permissions to enroll other users.

Additional persons or groups can be assigned the Register/Delete Fingerprint (DigitalPersona) permission to enroll other users as well, and permission can be removed from any of the default groups.

Note: The Register/Delete Fingerprint (DigitalPersona) permission actually affects all DigitalPersona credentials, not just fingerprints. The ability for end-users to enroll and manage their own credentials can also be disabled (see Customizing HID DigitalPersona Enrollment).

Prerequisites: To use HID DigitalPersona Enrollment to enroll credentials that require a peripheral device (such as a fingerprint or card reader), a DigitalPersona client must also be installed on the same (Windows) computer, such as:

Use of the One-Time Password (OTP) Push Notification features with the One-Time Password credential requires the administrator to create an account on the Push Notification Server and then enable and configure the OTP GPO in Active Directory.

Accessing HID DigitalPersona Enrollment

Access to HID DigitalPersona Enrollment is through a URL created during installation and provided on the final page of the Web Management Components installation wizard.

Navigating to the URL will first display the DigitalPersona Identity Server page for authentication, and upon successful authentication will then open the HID DigitalPersona Enrollment application.

Before any additional credentials have been enrolled, users log in with their Active Directory account name and password.

Once additional credentials have been enrolled, they can use any of those credentials or credential combinations to log in (as specified by any authentication policy in force).

Selecting a User for Attended Enrollment

Any domain user with the Register/Delete Fingerprint (DigitalPersona) privilege assigned can select a user for credential enrollment or modification either from within the HID DigitalPersona Administration Console (described in Managing Your Users) or directly from the HID DigitalPersona Enrollment component.

To select a user for credential enrollment or modification:

  1. After authentication through the DigitalPersona Identity Server, enter the username in the domain\username or username@domain.com format (for example, mycompany\john or john@mycompany.com) of the user you want to manage.

  2. Click Manage user.

    The Credential Manager page displays.

Self Enrollment

To self enroll (that is, to manage your own credentials through HID DigitalPersona Enrollment):

  1. Navigate to the URL provided for HID DigitalPersona Enrollment.

  2. After authentication through the DigitalPersona Identity Server, click Enroll your credentials.

The Credential Manager page displays.

Credential Enrollment

Once a user is either selected by an administrator or logged in (if self-enrollment has been enabled), the Credential Manager page displays.

The Credential Manager page is the central location within HID DigitalPersona Enrollment where a user’s credentials can be enrolled and managed.

The tiles on the page, representing credentials and other information that may be captured by DigitalPersona in relation to a specific user, give access to pages where this information may be provided.

The first time, within a browser session, that a user clicks a credential tile, they will be asked to verify their identity by submitting a previously enrolled credential. This may be their password or any other DigitalPersona credential that has been enrolled for their account.

Password Credential

The Password tile enables a user to change their Microsoft Windows password.

  1. Click the Password tile to display the Change password window.

  2. Enter the Current password.

  3. Enter and confirm a New password.

  4. Click Change password.

Fingerprints Credential

If there is a supported fingerprint reader built into or connected to your computer, you can enroll and manage a user’s fingerprints.

Enroll a Fingerprint

  1. Click the Fingerprints tile to display the Manage fingerprints window.

  2. Select a finger in the displayed hand image.

  3. Scan the selected finger as many times as necessary to enroll the fingerprint.

    Successful scans show a temporary blue background on the fingerprint icon.

    When enough images have been captured, this window closes automatically and the Enroll your Fingerprints window is displayed again.

    Note: Verification by both the Security Officer and the user may be required before the fingerprint credential is saved.

  4. Click Complete to return to the Credential Manager page.

Important: If any fingerprint enrolled during this session is found, before you click Save, to be a duplicate of a fingerprint already enrolled for another user, the other user’s matching fingerprint is deleted and the current user’s pending fingerprints are not saved. The error message The fingerprint cannot be enrolled. Contact your administrator for more information. is displayed. Because the collision also removes a fingerprint from the other user’s account, an administrator should identify that account, since that user will need to re-enroll the deleted finger.

Delete a Fingerprint

To delete a single fingerprint:

  1. Click any highlighted finger.

  2. Confirm the deletion by clicking Yes in the message box that displays.

To delete the entire fingerprint credential:

  Once the credential has been enrolled, a Delete All Fingerprints button is added to the Enroll your fingerprints window.

  1. Click Delete All Fingerprints.

  2. Click Yes in the message box that displays to confirm the deletion.

Cards Credential

The Cards tile allows enrolling a user’s Contactless Writable or Contactless ID Card credential.

Enroll a Contactless Card Credential

  1. Click the Cards tile to display the Manage your Cards window.

  2. Place your Contactless Card very close to the reader.

  3. Click Enroll on the tile for the detected card.

  4. Click Complete.

Delete All Enrolled Cards

Click the delete icon to delete all the enrolled cards.

Individual enrolled cards cannot be deleted separately.

PIN Credential

A PIN is a credential composed of user-selected characters. A PIN is often used in combination with another credential to strengthen it.

A PIN may be used as a credential for authentication, when combined with an additional supported credential as defined by the Logon or Session Policy in force.

Note:  
  • You cannot enroll weak PINs in DigitalPersona; the same rule is applied by Windows Hello for Business. According to Microsoft, a weak PIN is one with a constant delta from one digit to the next (for example, 1111, 1234 or 2468).

    This algorithm does not apply to alphanumeric PINs.

  • This PIN should not be confused with a PKI Smart Card PIN which is used as part of a PKI Smart Card credential.

To enroll a PIN credential:

  1. Click the PIN tile to display the Enroll PIN window.

  2. Enter and confirm a four-digit PIN.

  3. Click Enroll PIN.
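The constant-delta rule described in the note above, implemented as an added example. This is not HID DigitalPersona or Microsoft code; it reproduces the rule as the page states it (a numeric PIN is weak when every pair of adjacent digits differs by the same amount, and alphanumeric PINs are exempt). Whether the delta wraps around modulo 10 (so that 8901 counts as weak) is not stated on the page, so the WRAP_MOD_10 switch and the check_pin wrapper with its four-character minimum are assumptions made for the example.

```python
# Added example, not HID DigitalPersona product code.
# Implements the "constant delta" weak-PIN rule the page attributes to
# Windows Hello for Business: a numeric PIN is weak when the difference
# between every pair of adjacent digits is the same
# (1111 -> delta 0, 2468 -> delta 2, 1234 -> delta 1, 9753 -> delta -2).

# Assumption: the page does not say whether the delta wraps modulo 10
# (which would also catch 8901 or 9012). Off by default.
WRAP_MOD_10 = False

DIGITS = "0123456789"


def constant_delta(pin: str) -> bool:
    """True if all adjacent-digit deltas of a numeric PIN are equal."""
    digits = [int(ch) for ch in pin]
    if len(digits) < 2:
        return True  # a single digit has nothing to vary
    deltas = []
    for a, b in zip(digits, digits[1:]):
        d = b - a
        if WRAP_MOD_10:
            d %= 10
        deltas.append(d)
    return all(d == deltas[0] for d in deltas)


def is_weak_pin(pin: str) -> bool:
    """Return True when the PIN would be rejected by the constant-delta rule.

    The rule applies to numeric PINs only. An alphanumeric PIN is never
    classified as weak by this check (the page says the algorithm does not
    apply to them), so length and complexity policy must cover those.
    """
    if not pin or any(ch not in DIGITS for ch in pin):
        return False
    return constant_delta(pin)


def check_pin(pin: str, min_length: int = 4) -> str:
    """Classify a candidate PIN as an enrollment page might (assumed wrapper):
    'ok' or a short reason for rejection."""
    if len(pin) < min_length:
        return f"too short (minimum {min_length})"
    if is_weak_pin(pin):
        return "weak: constant delta between digits"
    return "ok"


if __name__ == "__main__":
    # Constructed sample PINs; the last two are not arithmetic sequences.
    for candidate in ["1111", "2468", "1234", "9753", "1243", "2580", "a1b2"]:
        print(f"{candidate}: {check_pin(candidate)}")
```

Note what the rule does not catch: 2580 (a straight column on a phone keypad) has deltas 3, 3, -8 and passes, as does any keypad pattern that is not an arithmetic sequence. If that matters in your environment, the PIN should be combined with another credential as the page describes rather than relied on alone.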

One-Time Password Credential

A One-Time Password (OTP) credential uses an automatically generated time-sensitive numeric code for authentication.

The OTP credential can be used for authentication to the DigitalPersona Identity Server, for providing access to the HID DigitalPersona Administration Console and HID DigitalPersona Enrollment, as well as for verifying your identity when enrolling or managing credentials.

Note: Starting with the DigitalPersona 4.3 release, support for HMAC-SHA256 was added for TOTP-compliant hardware devices.

A QR Code scanner app on your device greatly simplifies enrollment of the software-based tokens by automating the entry of the required account information.

The verification code may be generated in one of the following ways:

  • Authenticator app - a software token is generated by a special authenticator app on a user’s mobile device, and the resulting time-sensitive code is used for authentication.

  • OTP Push Notification - a software token is generated by DigitalPersona and sent to a mobile device, where the user can Accept or Deny its use for authentication. Although generation of the OTP is supported in third-party authenticator apps, Push Notification is only available through the DigitalPersona app.

  • Hardware token - a dedicated hardware device generates a time-sensitive code used for authentication. The hardware token must be an OATH-compliant TOTP (Time-based One-Time Password) device.

  • OTP via email - a software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to the user’s email address. By default, this option is not configured (and therefore unavailable to users), but can be enabled by the administrator through the Send OTP by email GPO setting.

    Also a valid SMTP server must be specified during configuration of the DigitalPersona Web Management Components package.

OTP Enrollment

The steps in the enrollment of an OTP credential differ slightly based on the type of OTP credential described above.

Authenticator App and Push Notification

Enrolling an OTP credential for use with an authenticator app also enables OTP Push Notification (when using the DigitalPersona app only), provided that:

  • The implementation team has created a tenant record for you in the CPNS service.

  • The associated OTP GPO settings have been enabled and configured by a DigitalPersona administrator as described in OTP policy settings.

  • Each user must allow notification during the app installation, or enable notifications for the DigitalPersona app in Settings/Notifications/DigitalPersona after installation.

During enrollment, you may decline OTP Push Notification by selecting Decline on the Push Authentication page; regular (non-push) OTP remains available.

Important: If you do not select ACCEPT on the Push Notification page, Push Notification is not enabled. To enable it later, open Settings/Notifications for the DigitalPersona app on your iOS device, or the equivalent location on your Android device.

From a link in the One-Time Password window, you can download an OTP authentication app from various platform-centric app stores. You then enroll the OTP credential for use with the authenticator app (and OTP Push Notification, if configured and in the DigitalPersona app only) by scanning the QR Code shown on the screen.

The steps to enrolling a software-based OTP token to be used with an authenticator app or OTP Push Notification are:

  1. Download an authenticator app

  2. Set Up a DigitalPersona Account on Your Device

  3. Sign in to the DigitalPersona Mobile app

  4. Enroll the credential in the DigitalPersona Console

Download an authenticator app

  1. Click the One-time password tile to display the Enroll a one-time password window.

  2. Click the Download app link to download and install the DigitalPersona mobile app for your device.

    A new QR Code for downloading the app and a means to choose which app store to download it from is displayed.

  3. Scan the QR code or click the button for your device's app store.

    • The DigitalPersona app is currently available from the Apple® App Store and Google® Play.

    • For the Microsoft® Windows® mobile platform, the Microsoft and Google Authenticator apps provide nearly identical functionality, although setup and enrollment steps may vary slightly.

    Scanning the QR code with a QR Code scanner app on your device is the simplest procedure. It will automatically open your device’s default web browser and display the product page for the selected Authenticator app so that you can download and install the app.

    Clicking the store download buttons will open the selected app store in your computer’s default browser. Some app stores may require signing in and/or downloading the app and copying it to your device.

Set Up a DigitalPersona Account on Your Device

Note: The following instructions are for the DigitalPersona app as installed on an Apple iPhone®. Instructions for the use of other authentication apps and devices may differ slightly.

  1. Launch the authentication app on your device.

    The first time the app is launched, the Register screen displays.

  2. Tap OK to allow the DigitalPersona app to send you notifications. Then tap Register.

  3. Enter and verify a six-digit passcode.

  4. On the Diagnostic and Usage page, accept the defaults or tap an option to deselect it.

  5. On the Accounts screen, tap the Plus sign (+). You will be asked for permission to access your device’s camera.

    Tap OK if you want to use the camera to scan the QR Code for automatically creating your DigitalPersona Mobile account.

    If you tap Don’t Allow, you will not be able to create an account or use the Authenticator app.

  6. You can create the required account on your device automatically by scanning the QR Code displayed in the Enroll a one-time password window:

    1. In the Enroll a one-time password window, scan the displayed QR code.

      Important: Do not scan the QR code that was used to download the app.

      If the Push Authentication Server has previously been set up by your DigitalPersona Administrator, Push Authentication is automatically enabled for your device once you Accept the associated Privacy Policy.

      If you Decline the Privacy Policy, Push Authentication will not be enabled.

    2. Once the account information is displayed, tap Save.

      The DigitalPersona Mobile account will be created and the Accounts screen displayed with the new account and your first One-Time Password shown.

Sign in to the DigitalPersona Mobile app

Once you have registered as described above, you can sign in to the app as follows:

  1. Launch the DigitalPersona app.

  2. Sign in:

    • Fingerprint-enabled devices - you can enable fingerprint authentication to the DigitalPersona mobile app by selecting Enable TouchID on the Sign In screen or later in the DigitalPersona Mobile Settings.

      Then touch the fingerprint sensor to sign in.

    • Non-fingerprint-enabled devices - tap Sign In and then enter your six-digit DigitalPersona Mobile passcode.

Enroll the credential in the DigitalPersona Console

  1. On your computer, open the Enroll a one-time password window.

  2. On your device, sign in to the DigitalPersona mobile app.

  3. On your computer, in the Verification code field at the bottom of the window, enter the six-digit One-Time Password displayed in the app and click Enroll.

OTP Hardware Token

On the Credential Manager, One-Time Password page, you can enroll a hardware token as a DigitalPersona credential. The hardware device can then be used to generate a code for authentication.

Note: Hardware tokens must be OATH compliant TOTP (Time-based One-Time Password) devices.

Typical hardware tokens:

To enroll an OTP credential using a hardware token:

  1. From the Enroll a One-Time Password window, click the here link to display the hardware token enrollment page.

  2. Enter the Serial number for your hardware token which is usually found on the back of the device.

    Note: A vendor-supplied seed file associated with a specific set of hardware tokens must have been imported to the DigitalPersona Server before a hardware token can be enrolled (see Hardware Tokens Management Utility).

  3. Activate your hardware device.

    On some hardware tokens you simply press a button; on others you must enter a preselected PIN before the valid code is displayed on the device.

  4. Enter the verification Code displayed on your device and click Enroll.

OTP via Email Enrollment

Prerequisites: To authenticate using OTP via email, the user’s workstation must be able to connect to the DigitalPersona AD Server, either within the network, through a VPN or using the VPN-less (web proxy) feature which is enabled through the Allow VPN-less access GPO setting.

If enabled by the administrator, a software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to the user’s Active Directory email address. By default, this option is not configured (and therefore unavailable to users), but can be enabled by the administrator through the Send OTP by email GPO setting.

Also a valid SMTP server must be specified during configuration of the DigitalPersona Web Management Components package or through the Security\SMTP GPO setting.

Once enabled, the option to have a One-Time Password sent to the user’s email address is automatically available (enrolled) upon completing the enrollment of any of the other types of OTP credentials described above.

Authentication with a One-Time Password

To authenticate with your One-Time Password, use one of the following options, depending on where you are authenticating from:

  • At Windows logon, select Sign-in options and then select the One-Time Password (or OTP) tile to display One-Time Password options.

  • On the DigitalPersona Identity Server or Verify your Identity screen, select the One-Time Password (or OTP) tile.

You can use an OTP credential in any of the following ways:

  • Select Send push notification to send a One-Time Password to your enrolled mobile device, where you can Approve or Deny the authentication.

  • Launch your previously registered authentication app on your mobile device and enter the resulting One-Time Password into the entry field on your computer.

  • Activate the display on an enrolled hardware token, and enter the displayed One-Time Password on your computer.

In most cases, enter your One-Time Password into the One-Time Password field on your computer screen and select the arrow button. When using push notification, you do not need to enter the code on your computer, as tapping Approve or Deny on your mobile device automatically authenticates to your computer.

Note: The OTP displayed in the authentication app changes every 30 seconds and the code on a hardware token device generally changes every 30 to 60 seconds, depending on the manufacturer and any optional configuration by your administrator.

To change your OTP credential:

  1. Select the One-time password credential tile.

  2. In the credential page, click the delete icon.

  3. In the dialog, click Delete to confirm deletion of your OTP credential.

  4. You can now re-enroll your OTP credential.

To delete your OTP credential:

  1. Select the One-time password credential tile.

  2. In the credential page, click the delete icon.

  3. In the dialog, click Delete to confirm deletion of your OTP credential.

Recovery Questions Credential

The Recovery Questions credential allows a DigitalPersona user to regain access to their Windows account by answering a series of questions that have been previously configured.

The Recovery Questions page provides a means to set up a user’s Recovery Questions.

Administrators can configure the list of security questions displayed or create custom questions through the Recovery Questions GPO setting.

To use this recovery credential to gain access to a computer, a user must have previously logged on to the same computer at least once with another valid credential.

Note:  
  • For DigitalPersona Workstation, this feature is optional and must be explicitly configured by the DigitalPersona Administrator through the Recovery Questions GPO setting.

  • This feature is not available in the DigitalPersona Kiosk products.

To set up a user’s Recovery Questions:

  1. Click the Recovery Questions tile to display the Recovery Questions window.

  2. Select questions from the drop-down menus and enter a unique answer for each.

    You can also write your own Custom questions by selecting the Custom question from the menu.

    Important:  
    • Each answer must be unique. Providing the same answer for different questions is not supported.

    • The answers to Recovery Questions are not case-sensitive.

  3. Click Save questions.

Passkey (Device-Bound) Credential

A passkey is a passwordless digital credential used as an authentication method. Technically, passkeys are FIDO credentials, discoverable by browsers or held within native applications or security keys, used for passwordless authentication.

Passkeys that are synced between a user's devices via a cloud service are generally referred to as "synced passkeys", while ones that never leave a single device are referred to as "device-bound passkeys".

The device-bound passkey credential is represented by the Passkey (device-bound) tile.

Note:  
  • Beginning with DigitalPersona version 3.4, passkey devices are supported via the FIDO2 protocol.

  • FIDO U2F is no longer supported, and any previously enrolled passkeys need to be re-enrolled with DigitalPersona 3.4 or a newer version.

Enroll a Passkey (Device-Bound) Credential

  1. In the DigitalPersona Enrollment window, click the Passkey (device-bound) tile.

    Note: User authentication may be required.

  2. Insert your passkey and click Enroll to begin enrolling your device.

    A device selection dialog may be displayed next.

  3. If you are prompted to select where to save the passkey, select the option to use a Security key.

  4. Then follow any onscreen instructions provided in the following Windows dialogs.

    Depending on your passkey, you may be prompted to provide or create a PIN and to touch your security key.

To delete a Passkey (device-bound) credential:

  1. Click the Passkey (device-bound) tile.

  2. In the credential page, click the delete icon.

  3. In the dialog, click Delete to confirm deletion of your passkey.

To change a Passkey (device-bound) credential:

  1. First delete the previously enrolled Passkey (device-bound) credential.

  2. Then enroll a new Passkey (device-bound) as described above.

Authenticate with a Passkey (Device-Bound) Credential

  1. In the DigitalPersona Identity Server or Verify your Identity window, select the Passkey (device-bound) tile.

  2. Follow any onscreen instructions.

    Depending on your passkey and any authentication settings, you may be prompted to provide your PIN and to touch your Security Key.

After touching your enrolled passkey, you will be automatically signed in.

Passkey Biometrics Support

Passkey Biometrics is an authentication system that leverages a user's biometric characteristics, such as their fingerprints, to enable true passwordless access to protected resources.

To enroll a Passkey Biometrics device with an embedded fingerprint reader (YubiKey Bio, TrustKey G320, etc.):

  1. Enroll your fingerprint using the program supplied with the Passkey Biometrics device.

  2. Then enroll the Passkey (device-bound) credential using the steps as described above.

To authenticate with a Passkey Biometrics device:

  1. Insert the device into a USB port.

  2. When prompted, touch the device's fingerprint reader with a previously enrolled finger.

Note: After multiple fingerprint authentication failures, you will be prompted to type your passkey's PIN to proceed.

Face Credential

This tile provides a means for enrolling a user’s Face credential.

Note: The Face credential is not enabled by default. In order to use this credential:
  • A separate Face credential license must be purchased and installed on the same machine as the DigitalPersona Server.

  • The Enrollment GPO must be enabled and the Face credential selected.

  • Your computer must have a built-in or connected camera to enroll a Face credential.

Note: Enrolling your Face credential with an IR (infrared) camera in bright daylight is not recommended. The credential will still be enrolled, but the image shown after enrollment may be too dark to show any features.

To enroll a Face credential:

  1. Click the Face tile to display the Enroll your Face dialog.

  2. If multiple cameras are available, select a camera from the drop-down list that will be displayed.

  3. Click Enroll and look straight into the camera.

  4. Wait until the system completes capturing your image.

During the capture process, various messages may appear if the lighting is not adequate, you are too near or too far away, or when multiple faces are detected.

To change your Face credential:

  1. Select the Face credential tile.

  2. In the credential page, click the delete icon.

  3. In the dialog, click Delete to confirm deletion of your Face credential.

  4. You can now re-enroll your Face credential.

To delete your Face credential:

  1. Select the Face credential tile.

  2. In the credential page, click the delete icon.

  3. In the dialog, click Delete to confirm deletion of your Face credential.

Passkey (Synced) Credential

A passkey is a FIDO-based passwordless credential; see Passkey (Device-Bound) Credential for the distinction between synced passkeys (synced between a user's devices via a cloud service) and device-bound passkeys (never leave a single device).

The synced passkey credential is represented by the Passkey (synced) tile.

Note:  
  • Beginning with DigitalPersona version 3.4, passkey devices are supported via the FIDO2 protocol.

  • FIDO U2F is no longer supported, and any previously enrolled passkeys need to be re-enrolled with DigitalPersona 3.4 or a newer version.

Enroll a Passkey (Synced) Credential

  1. In the HID DigitalPersona Enrollment window, click the Passkey (synced) tile.

  2. Click Enroll to begin enrolling your passkey.

  3. If a dialog asks where to save the passkey, select the option to use a phone or tablet.

  4. On the next dialog, scan the displayed QR code using the camera on the mobile device where you want to create a passkey.

To delete a Passkey (synced) credential:

  1. Click the Passkey (synced) tile.

  2. In the credential page, click the delete icon.

  3. In the confirmation dialog, click Delete. Your current passkey will be deleted immediately.

To change a Passkey (synced) credential:

  1. First delete the previously enrolled Passkey (synced) credential.

  2. Then enroll a new passkey as described in Enroll a Passkey (Synced) Credential.

Authenticate with a Passkey (Synced) Credential

  1. In an HID DigitalPersona Identity Server or Verify your Identity window, click the Passkey (synced) tile.

  2. On the dialog that displays, scan the displayed QR code using the camera on the mobile device that has your enrolled passkey on it.

Upon a successful scan, the Passkey authentication is completed.

RADIUS Credential

Important: RADIUS enrollment is needed only when the RADIUS user name differs from the Windows user name.

Prerequisites: RADIUS enrollment is not available by default and must be enabled using the policy settings.

To enroll a RADIUS credential:

  1. In the HID DigitalPersona Enrollment window, click the RADIUS tile.

  2. Enter and confirm your user name for RADIUS authentication.

  3. Click Change to complete the enrollment.

To authenticate with your RADIUS credential at Windows Logon, select the RADIUS Sign-in option and enter your RADIUS password.

To authenticate with RADIUS in the DigitalPersona AD applications, select the RADIUS tile and enter your RADIUS password.