
.NET Bio Solution for Windows XP


All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.

• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. © Copyright 2009-12 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

Printed in France. Document Reference: D1203442G (Formerly DOC117961) 17 January, 2012


Contents

Introduction ... iv 

Who Should Read This Book ... iv 

Typographical Conventions ... v 

Contact .NET Bio Support ... v 

Biometric Reader/Sensor Support ... v 

Overview ... 1 

Why Choose the Gemalto .NET Bio Solution? ... 1 

Why Biometrics? ... 1 

Why Biometrics Match-on-Card (MoC)? ... 2 

Why Gemalto .NET Bio? ... 2 

Key Features and Benefits ... 2 

Installing .NET Bio ... 4 

Software Requirements ... 4 

Hardware Requirements ... 4 

Compatible Smart Card Readers ... 4 

Compatible Fingerprint Sensors ... 5 

Installation ... 5 

Uninstallation ... 5 

.NET Bio Components ... 6 

On-Card Components ... 7 

Off-Card Components ... 7 

Using the .NET Bio Solution ... 9 

Using .NET Bio GINA and Bio & PIN Manager ... 10 

Logging on to Windows XP in PIN-only mode ... 11 

Changing the User Verification Mode... 12 

Enrolling Fingerprints for Biometric Authentication ... 14 

Adding or Deleting Biometrics ... 18 

Logging on to Windows XP in Fingerprint-Only Mode ... 20 

Logging on to Windows XP in PIN-or-Fingerprint Mode ... 21 

Logging on to Windows XP in PIN-and-Fingerprint Mode ... 22 

Locking/Unlocking the System ... 23 

Unblocking Biometrics ... 24 

Using .NET Bio Verification with Smart Card-enabled Applications ... 25 

Applying a Digital Signature to an email using MS Outlook ... 25 


Introduction

Gemalto .NET Bio is an innovative software solution that works with Gemalto .NET smart cards to seamlessly integrate biometrics technology into Windows XP®.

Organizations deploy Gemalto smart cards and tokens among their employees to be used for strong user authentication to their networks as well as for data encryption and digital signature services.

Gemalto .NET smart cards are:

• integrated into the Windows® Smart Card Framework. This means that they work not only with Windows XP but also with any Microsoft and third-party applications that support the WSF architecture.

• supported in Windows XP. This enables the devices to work seamlessly with Microsoft Terminal Services, Active Directory®, Active Directory Federation Services and Windows smart card login.

• the first commercial smart card to implement a streamlined version of the .NET Framework.

Building upon this smart card technology, the .NET Bio solution enables the use of fingerprint match-on-card (MoC) user authentication as an alternative or complement to smart card PIN verification.

With .NET Bio, companies can implement a secure two- or three-factor authentication system that is convenient for users, easy to deploy and manage, and fully compatible with the smart card security components in Windows XP. The solution is also compatible with the vast majority of fingerprint sensors available in the market. This manual explains how to use the .NET Bio solution on Windows XP systems.

Who Should Read This Book

This book is intended for IT administrators who will be deploying the .NET Bio solution across their organization.

It is assumed that the reader of this document has:

• an understanding of the Windows XP operating system and the Windows Smart Card Framework.

• an understanding of Gemalto .NET smart cards, smart card readers and fingerprint sensors.


Introduction v

Typographical Conventions

This document uses the following typographical conventions:

Table 1: Typographical Conventions

  Convention   Example                Description
  Bold         Enter libgclib.dylib   Actual user input or screen output.
  >            Select File > Open     Indicates a menu selection. In this example you are instructed to select the “Open” option from the “File” menu.

Contact .NET Bio Support

If you do not find the information you need in this manual, or if you find errors, please report them to Gemalto .NET Bio Support: dotnetbiosupport@gemalto.com

Biometric Reader/Sensor Support

If you experience problems with any fingerprint readers or sensors, make sure you have loaded the latest drivers from the appropriate manufacturer’s web site.

The .NET Solution for Windows Release Notes gives a list of the fingerprint readers and sensors supported by Gemalto for the .NET Bio Solution, and a list of the web sites from where you can find the latest drivers.


1 Overview

Traditionally, smart cards are protected by a PIN intended to verify that the holder of the device is its legitimate owner. .NET Bio implements fingerprint verification on the smart card to provide four alternative card holder verification methods: PIN only; fingerprint only; fingerprint or PIN; and fingerprint and a PIN for the highest level of security.

The following components are required for using the .NET Bio solution: smart card reader, fingerprint sensor for biometric authentication, Gemalto .NET Bio client software, a Gemalto .NET smart card device with the Biometrics assembly loaded on it and Windows XP. The fingerprint sensor and the smart card reader may be integrated with the client system, or they can be external devices connected via USB.

Why Choose the Gemalto .NET Bio Solution?

The .NET Bio solution integrates the best in authentication technologies — smart cards and fingerprint recognition — to deliver unmatched security and flexibility for Windows XP.

Why Biometrics?

• Identity: Biometrics allow user authentication based on a unique physical personal characteristic. From a user’s perspective, there is a stronger perception of personal representation compared to user names and passwords or PINs.

• Security: Depending on the implementation, biometrics (something you are) can enhance the security of a solution when combined with other authentication factors, such as a smart card or token (something you have) and/or a password or PIN (something you know).

• Convenience: Compared to passwords, biometrics can’t be forgotten. Users don’t have to keep track of them. They are always available and always with the user.


Overview 2

Why Biometrics Match-on-Card (MoC)?

• Security: By design, smart cards are highly secure and tamper-proof. Because of this, storage and verification of biometric credentials on a smart card are safer than on a non-secure device or network. Combining smart cards with biometrics technology produces a highly secure, three-factor authentication solution.

• Convenience: Biometrics match-on-card (MoC) technology delivers the ultimate in portability. Users can log on throughout the corporate network using their smart card or token and biometric credentials.

• Privacy: The match is performed on the card. Biometric credentials never leave the card, so users can be assured of their privacy.

• Compliance: Some countries have security regulations that prevent the storage of biometric information within any database. Biometrics MoC technology ensures compliance by storing information on the card.

Why Gemalto .NET Bio?

.NET Bio offers an unmatched level of integration with the Windows XP operating system, delivering significant benefits for both corporations and end users.

The .NET Bio solution builds on top of the latest release of the Windows Smart Card Framework (WSF). This provides consistency with the Windows XP environment, while requiring a minimum amount of software to be loaded on the XP client – less than 7 MB. By complying with the WSF architecture, the .NET Bio solution supports not only the XP operating system, but all Microsoft® applications that provide smart card support, as well as third-party applications that support the Windows Smart Card Framework.

Key Features and Benefits

.NET Bio replaces passwords with strong two- or three-factor authentication for secure logon, remote access, encryption and digital signature services. It is compatible with approximately 90% of the fingerprint sensors on the market, and supports enrollment of up to 10 fingerprints.

Some of the key benefits include:

• Portability: Biometric credentials and digital certificates are stored on the user’s smart card; thus, these users can freely and securely roam, log on and use any computer on the corporate network.

• Convenience: By replacing a password or PIN with their fingerprint, users no longer need to remember — or type in — long, frequently changing passwords.

• Security: For corporations committed to the deployment of a smart card infrastructure, .NET Bio enhances security by enabling the use of biometrics as a third factor of authentication. For corporations interested in the deployment of biometric technology for user identification, .NET Bio provides secure storage and verification of the biometric credentials inside the .NET smart card.

• Cost Savings: The majority of Help Desk calls are related to forgotten passwords or user PINs. .NET Bio delivers a secure alternative that greatly reduces the need for password resets, helping to lower Help Desk support costs.

• Ease of Use: With a straightforward interface for end users, deployment and management of biometric solutions are streamlined for Windows XP.


Overview 3

User Verification Modes

The .NET Bio solution provides a choice of four user verification modes, as shown below:

Table 2: .NET Bio Solution User Verification Modes

  Input                Remarks
  PIN only             This is the default mechanism for user authentication, as defined by the Windows Smart Card Framework.
  Fingerprint only     Fingerprints are matched against a template previously stored on the smart card. This replaces the use of a smart card PIN.
  PIN or fingerprint   For the ultimate in convenience, users can choose to authenticate with their smart card PIN or fingerprint(s).
  PIN and fingerprint  For maximum security, users must present their fingerprint and enter their smart card PIN. Both are matched against values stored in the smart card. This provides highly secure three-factor authentication – the card, the PIN and the fingerprint(s).

.NET Bio GINA

The Graphical Identification and Authentication (GINA) is a .dll used by Windows Logon. The .NET Bio GINA provides biometric support for classic credential management scenarios, such as:

• Smart Card Logon

• Computer Unlock

Biometrics and PIN Manager

This tool provides an interface to enable you to:

• Unblock the .NET Bio smart card

• Change the user verification mode

• Manage user fingerprints, including fingerprint enrollment

• Manage the user PIN.

Smart Card Enabled Applications

The .NET Bio solution may be used with other smart card-enabled applications, including:

• Microsoft Office (Word, Excel and PowerPoint) for digital signature of documents

• Microsoft Outlook for digital signatures and encryption of email

• Microsoft Internet Explorer

• Other Microsoft applications supporting Windows Smart Card Framework

• Third-party applications on XP supporting Windows Smart Card Framework

For details about the versions of these applications supported by this version of .NET Bio, please refer to the Release Notes. For the latest information about applications supported by .NET Bio, please go to Gemalto’s .NET Bio web site at


2 Installing .NET Bio

Software Requirements

The current version of the .NET Bio Solution works with Windows XP. Windows Server 2003 is not supported.

Before using Gemalto .NET Bio cards, you must install the following software on the PC:

• Microsoft Base CSP v5. This is already included with Windows XP SP3. If you are using an earlier version of XP, either install Service Pack 3 or download the Base CSP V5 from http://support.microsoft.com/kb/909520.

• Microsoft .NET Framework 3.5. This can be downloaded from http://www.microsoft.com/download/en/details.aspx?id=21

• The Gemalto Minidriver .dll. This can be downloaded from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20net

Instructions on how to do so are in the .NET Smart Card in a Windows Environment Administration and User Guide.

Hardware Requirements

The use of the .NET Bio solution requires the following devices:

• A smart card reader for the Gemalto .NET smart card

• A fingerprint sensor for biometric authentication

Compatible Smart Card Readers

The smart card reader may be integrated with the Windows XP system or it can be an external device that is connected via USB. The solution is compatible with any certified Chip Card Interface Device (CCID), USB class or embedded smart card reader.


Installing .NET Bio 5

Compatible Fingerprint Sensors

Both swipe and flatbed fingerprint sensors can be used with the .NET Bio solution. The fingerprint sensor may be integrated into any laptop, or it can be an external device that is connected via USB. For a list of the fingerprint readers and sensors supported by this version of .NET Bio, please refer to the Release Notes.

Note: Gemalto and its partner Precise Biometrics are continuously integrating support for additional fingerprint readers/sensors. Support for new fingerprint readers will be provided through maintenance releases of the .NET Bio solution.

Installation

To install .NET Bio on your computer:

1. Double-click the file Gemalto .NET Biometrics Solution for XP vx.x.x.msi to start installing the .NET Bio software. If you do not have one of the items listed in Software Requirements on page 4 installed on the computer, a message appears telling you this.

2. When the Welcome dialog box appears, click Next to continue.

3. When the License Agreement dialog box appears, read and accept the terms and click Next to continue.

Note: You can print the License Agreement from this dialog box.

4. Either accept the default installation directory (recommended) or choose a new location by clicking Change and navigating to a different location. Click Next.

5. When the installation window appears, click Install. A progress bar displays during the installation.

6. When the “completed” window appears, click Finish.

7. Reboot your computer when prompted.

A short-cut icon appears on the Windows desktop for the Biometrics and PIN Manager.

Uninstallation

Normally you should not need to uninstall .NET Bio as this happens automatically when you install a new version. However, if you need to uninstall it manually, the procedure is:

To remove .NET Bio from your computer:

1. Open the Control Panel (Start > Settings > Control Panel).

2. Click Add or Remove Programs.

3. Select .NET Bio in the list and click Remove.

4. Click Yes in the confirmation box that appears. A progress bar displays during the removal. At the end of the removal, the progress bar closes, removal is complete and .NET Bio is removed from your computer.


3 .NET Bio Components

The architecture of the Gemalto .NET Bio solution relies on the Microsoft Base Cryptographic Service Provider v5 (Base CSP v5) component that is native in Windows XP SP3. The .NET Bio solution consists of both on-card and off-card components, as shown in Figure 1. These include two applications that reside on the Gemalto .NET smart card itself, and some libraries that must be installed in the C:\Windows\System32 directory on the client computer.

Components installed on the client PC enable the user’s biometric credentials to seamlessly interact with the Microsoft operating system and applications.


.NET Bio Components 7

On-Card Components

.NET Bio includes the following on-card components:

• .NET operating system and OTP - OATH assembly similar to standard Gemalto .NET smart cards

• Minidriver v7 Assembly: Minidriver assembly that is compliant with the Microsoft Minidriver v7 Specification and paired with the off-card minidriver library. It also implements a Bio API for communication with the other on-card application, the Biometrics Assembly

• Biometrics Assembly: Stores the biometric credentials and implements the matching algorithm used to verify fingerprints.

Off-Card Components

.NET Bio requires the following client libraries to be installed in the Windows\System32 directory. Three of them implement a User Interface as shown in Figures 2 – 4.

• Minidriver DLL: Certified by Microsoft as compliant with the Microsoft Minidriver v7 Specification.

• Biometrics and PIN Manager: Integrates options for Biometric Logon, Smart Card Unblock, Change User Verification and Fingerprint Enrollment. This appears as an icon on the Windows Desktop. Double-click this icon to start the Biometrics and PIN Manager.

Figure 2: Gemalto Biometrics & PIN Manager


8 .NET Bio Components

• Fingerprint Enrollment and User Verification Mode Selection UI

Figure 3: .NET Bio Fingerprint Enrollment and User Verification Mode Screens

• Verification UI: Provides the interface for user authentication through PIN and/or biometrics for all four user verification modes.

Figure 4: .NET Bio Verification Screens


4 Using the .NET Bio Solution

This chapter describes how to use the .NET Bio solution.

Warning: You can connect ONE .NET card reader at any one time. This includes hardware devices such as Gemalto’s Smart Enterprise Guardian and Smart Guardian that contain a .NET card.

Using the Gemalto .NET Bio GINA and the Biometrics & PIN Manager tool

• Log on to Windows XP.

• Change the user verification mode.

• Initial fingerprint enrollment.

• Add biometrics.

• Delete biometrics.

• Lock/unlock the system.

• Unblock biometrics.

Using Gemalto .NET Bio Verification with smart card enabled applications

The following examples are described in this chapter, however, many other applications are possible.

• Outlook email signature and/or encryption

• Microsoft VPN authentication.


10 Using the .NET Bio Solution

Using .NET Bio GINA and Bio & PIN Manager

The following assumptions are used for the purpose of describing the selected use cases in this chapter:

• The person working on the PC is the end-user, and the use cases are described accordingly

• The user is working on PC running under Windows XP

• .NET Bio software has been installed on the user’s PC

• The smart card reader and fingerprint sensor are both connected and working properly

• The .NET smart card is set to its default configuration

• One logon/signature X.509 certificate has been already enrolled on the card

• No fingerprints have been enrolled on the card

Warning: The logon certificate must be specified as the default certificate.

Fingerprint Management Access Condition

The windows that appear for certain operations depend on this configurable parameter.

• If set to admin, the user’s rights are limited. He or she needs support from the Administrator (the response to a 16-digit challenge) for the Unblock User Fingerprints and Change User Verification Mode operations. The Change User Fingerprints option is not available; to change fingerprints, the user has to perform an Unblock User Fingerprints operation and request a response to the challenge from the Administrator.

• If set to pin, the user can perform most operations just by authenticating himself or herself according to the active User Verification Mode. However, the Unblock User Fingerprints operation still requires a response to the 16-digit challenge from the Administrator.


Using the .NET Bio Solution 11

Logging on to Windows XP in PIN-only mode

1. Start the PC and wait for the Welcome to Windows window as shown in Figure 5:

Figure 5: Welcome to Windows

2. Insert the smart card into your smart card reader.

3. In the Log On to Windows window, type your PIN, and click OK. If the PIN matches the one stored on the card, your Windows XP desktop starts.


12 Using the .NET Bio Solution

Changing the User Verification Mode

Once logged into an XP session, you can access the Biometrics & PIN Manager to change the mode of user verification to “Fingerprint Only” and to enroll fingerprints on the Gemalto .NET smart cards:

This section describes the procedure to change the user verification mode from the user’s perspective.

To change the user verification mode from PIN Only to Fingerprint Only:

1. Double-click the icon to start the Biometrics & PIN Manager as shown in Figure 7:

Figure 7: Biometrics & PIN Manager (PIN Mode)

2. Click Set Card Mode.

3. The next step depends on whether the Fingerprint Management Access Condition parameter is set to admin or pin.

If set to admin: The Administrator Authentication dialog appears, displaying a 16-digit challenge. Ask the administrator for the corresponding 16-digit response and enter it as shown in the following figure, then click OK.


Using the .NET Bio Solution 13

Figure 8: Admin Authentication (Challenge-Response)

If set to pin: You are presented with the verification window for the current user verification mode (PIN only in our example). Authenticate yourself and click OK.

4. The Change User Verification Mode window (Figure 9) appears. Choose Fingerprint.

Figure 9: Change User Verification Mode

5. Click Next, and then Finish.

6. In our example, we do not yet have any fingerprints enrolled on the card. In this case, the Enrollment Wizard starts automatically (Figure 11: Fingerprint Enrollment Wizard). The rest of the procedure is as described after Figure 11 on page 15.

Figure 8 callouts: 16-digit challenge provided by the card; 16-digit response presented by the user.


14 Using the .NET Bio Solution

Enrolling Fingerprints for Biometric Authentication

Before you can begin using fingerprint recognition with the .NET Bio solution, you first need to enroll one or more fingerprints onto the card. The fingerprint information is written to and stored on the card. You can enroll up to 10 fingerprints and then select which ones are used for verification.

The .NET Bio solution works with both swipe and flatbed fingerprint sensors. Fingers should be clean before scanning them. The following tips can also help ensure an optimal enrollment.

Note: The card must not be in UVM1 (PIN only) mode.

Tips for Using a Fingerprint Sensor

Swipe Sensor: To help ensure successful readings with a swipe fingerprint sensor:

• Swipe your finger flat on the sensor with constant speed.

• Make sure the whole area marked in orange is scanned.

• Do not use your fingertip.

• Do not rotate your finger while swiping.

• Do not lift your finger while swiping.

Flatbed Sensor: To help ensure successful readings with a flatbed fingerprint sensor:

• Place your finger flat on the sensor.

• Make sure that the whole area marked on the orange zone is scanned.

• Make sure you position your finger so that your cuticle is level with the center of the sensor.

• Make sure your finger is placed straight, not rotated.

• Do not place your finger too far down on the sensor.

• Avoid skewed or misaligned finger placement.

Enrolling Fingerprints

To enroll one or more fingerprints for biometric authentication with the .NET Bio solution:

1. Double-click the icon to start the Biometrics & PIN Manager.

2. Note that the Biometrics & PIN Manager now offers 2 options. Click Unblock Biometrics.


Using the .NET Bio Solution 15

Figure 10: Biometric and PIN Manager (Fingerprint only mode)

3. The Administrator Authentication dialog appears again as in Figure 8, displaying a 16-digit challenge. Ask the administrator for the corresponding 16-digit response and enter it in Response.

4. Click OK. Once the response is presented and validated, the Fingerprint Enrollment wizard (Figure 11) appears.

Figure 11: Fingerprint Enrollment Wizard

5. Click Next in the Welcome screen. This opens the Fingerprint Selection window (Figure 12).


16 Using the .NET Bio Solution

Figure 12: Fingerprint Selection

6. Select the fingertip to enroll. You are asked to scan the selected finger.


Using the .NET Bio Solution 17

7. Place (or swipe) your finger on the fingerprint sensor when prompted by the Fingerprint Enrollment Window (Figure 13). You are prompted to do it again to get a second sample. If both samples have enough points in common, the quality check is positive. Otherwise you are asked to provide two new samples (resampling).

Note: If you have problems getting the swipe samples to succeed, you may find it useful to click Guidelines for fingerprint scanning.

When successful, the arrow points to Done, and the Next button is enabled as shown in Figure 14.

Figure 14: Successful Fingerprint Capture

8. Click Next. This returns you to the Fingerprint Selection window (Figure 12). If you want to enroll more fingerprints, repeat steps 6 and 7.

9. When you have finished, click Next. The newly enrolled fingerprints will be stored on the card.


18 Using the .NET Bio Solution

Adding or Deleting Biometrics

After you enroll one or more fingerprints on the smart card, you can add new ones later, or delete them as described here.

Note: You cannot delete a fingerprint if this means you would have less than the “minimum number of FPs required” value (determined during card personalization). If you try to do this, your attempted deletion simply has no effect.

Caution: Before attempting to delete fingerprints, be aware that there is a situation where you could accidentally block the card. This situation occurs only in the following scenario:

The minimum number of fingerprints allowed is 0 AND you are using UVM2 or UVM4 AND the Fingerprint Management Access Condition (described on page 10) mode is pin.

If in this scenario you delete the last fingerprint and exit the FMA before enrolling a new one, the card is blocked (because you cannot re-authenticate yourself). This is equally true of course for this scenario if you exit the FMA before you have enrolled any fingerprints in the first place.

By default, the Fingerprint Management Access Condition is configured as admin, which does not cause this problem.
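The deletion rules and the card-blocking scenario in the caution above are easier to reason about as a small model. The following Python is an added illustration written for this manual, not Gemalto's on-card code; it assumes the card tracks the active User Verification Mode (UVM1 to UVM4), the Fingerprint Management Access Condition ("admin" or "pin"), the minimum fingerprint count fixed at personalization, and the enrolled templates (placeholder bytes here, not real fingerprint data). The names BioCard, enroll, delete, exit_fma and risky_deletion_walkthrough are all assumptions for the example.

```python
"""Fingerprint-management guard rules from the manual, modelled in Python.

Added illustration, not Gemalto code. The card object below is a
stand-in for the state the manual describes; template contents are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict

MAX_FINGERPRINTS = 10                  # enrollment limit stated in the manual
MODES_REQUIRING_FP = {"UVM2", "UVM4"}  # Fingerprint only, PIN and fingerprint


@dataclass
class BioCard:
    uvm: str                            # active User Verification Mode
    fma: str = "admin"                  # Fingerprint Management Access Condition (manual's default)
    min_fingerprints: int = 1           # "minimum number of FPs required", set at personalization
    templates: Dict[str, bytes] = field(default_factory=dict)
    blocked: bool = False

    def enroll(self, finger: str, template: bytes) -> bool:
        """Store a template for one finger; refuse past the 10-fingerprint limit."""
        if finger not in self.templates and len(self.templates) >= MAX_FINGERPRINTS:
            return False
        self.templates[finger] = template
        return True

    def delete(self, finger: str) -> bool:
        """Deletion simply has no effect when it would leave fewer
        fingerprints than the personalization minimum."""
        if finger not in self.templates:
            return False
        if len(self.templates) - 1 < self.min_fingerprints:
            return False
        del self.templates[finger]
        return True

    def exit_fma(self) -> bool:
        """Leave the enrollment wizard (FMA). The card ends up blocked in
        exactly the scenario the caution describes: minimum is 0, the mode
        needs a fingerprint to re-authenticate, FMA is 'pin' (so there is
        no admin challenge-response path) and no fingerprint is enrolled."""
        if (self.min_fingerprints == 0
                and self.uvm in MODES_REQUIRING_FP
                and self.fma == "pin"
                and not self.templates):
            self.blocked = True
        return self.blocked


def risky_deletion_walkthrough() -> BioCard:
    """Constructed scenario: enroll one finger, delete it, then exit the wizard."""
    card = BioCard(uvm="UVM2", fma="pin", min_fingerprints=0)
    card.enroll("right index", b"<constructed template>")
    card.delete("right index")
    card.exit_fma()
    return card


if __name__ == "__main__":
    walk = risky_deletion_walkthrough()
    print("card blocked after deleting the last fingerprint:", walk.blocked)
```

With the manual's default of admin for the access condition, exit_fma never blocks the card, and a personalization minimum of 1 makes delete refuse to remove the last template, which is why the caution applies only to the combination it names.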

1. Double-click the icon to start the Biometrics & PIN Manager.

The procedure to add fingerprints depends on whether the configurable parameter Fingerprint Management Access Condition is set to admin (default value) or pin. Both possible scenarios are described here:

2. → If Fingerprint Management Access Condition is set to Admin

In this case, the Biometrics & PIN Manager does not present a Change Biometrics option (Figure 10). Click Unblock Biometrics instead. The Administrator Authentication dialog displays.

Ask the administrator for the corresponding 16-digit response and enter it as shown.

Figure 15: Admin Authentication (Challenge-Response)

Figure 15 callouts: 16-digit challenge provided by the card; 16-digit response presented by the user.


Using the .NET Bio Solution 19

After successful presentation of the response, the Welcome to Fingerprint Enrollment window displays (Figure 11 on page 15).

→ If Fingerprint Management Access Condition is set to PIN

Click Change Biometrics. The verification window corresponding to the current active mode appears (Figure 4 on page 8). After successful authentication, the Welcome to Fingerprint Enrollment window displays (Figure 11 on page 15).

3. Click Next to display the Fingerprint Selection window.

4. To add a new fingerprint, select it and scan it as described in steps 6 to 8 of Enrolling Fingerprints.

To delete a fingerprint, select it and click Next as shown in Figure 16.

Note: You can only add or delete ONE fingerprint at a time before clicking Next to return to the Fingerprint Selection window.

Figure 16: Fingerprint Selection (Fingerprints Already Enrolled)

5. When you have finished, click Next without selecting a fingerprint.

6. Click Finish, then OK to close the enrollment wizard.


20 Using the .NET Bio Solution

Logging on to Windows XP in Fingerprint-Only Mode

Now that the card is set to operate in Fingerprint only mode, and you have already enrolled fingerprints on the card, the logon process is as follows:

1. Insert the smart card into your smart card reader. The Fingerprint Verification

window appears as shown in the following figure:

Figure 17: Fingerprint Verification

2. Swipe your finger on your fingerprint sensor for verification.

3. The fingerprint captured is matched against the one previously enrolled on the card. If the match is positive, the logon proceeds. If the match is unsuccessful, an error message is returned and you are prompted to retry.


Logging on to Windows XP in PIN-or-Fingerprint Mode

To change to this mode, follow the instructions in Changing the User Verification Mode on page 12.

If the card is set to operate in PIN OR Fingerprint mode, the logon process is as follows:

1. Insert the smart card into your smart card reader. The PIN or Fingerprint Verification window appears as shown in the following figure:

Figure 18: PIN or Fingerprint Verification

2. You can either choose to swipe your finger on the fingerprint sensor or enter the smart card PIN through the keyboard.

3. The credential presented – PIN or fingerprint – is matched against the one previously enrolled on the card. If the match is positive, the logon proceeds. If the match is unsuccessful, an error message is returned and you are prompted to retry.

Note: In PIN or Fingerprint mode, if one of the user verification methods is blocked, you can still authenticate using the other method.


Logging on to Windows XP in PIN-and-Fingerprint Mode

To change to this mode, follow the instructions in Changing the User Verification Mode on page 12.

If the card is set to operate in PIN AND Fingerprint mode, the logon process is as follows:

1. Insert the smart card into your smart card reader. The PIN AND Fingerprint Verification window appears as shown in the following figure:

Figure 19: PIN and Fingerprint Verification

2. In this mode, both the smart card PIN and a fingerprint must be presented. The fingerprint is captured first; once it has been captured, the PIN prompt is displayed. Type the PIN using the keyboard and click OK.

3. The PIN and the fingerprint are each matched against the credentials previously enrolled on the card. If both matches are positive, the logon proceeds. If either match is unsuccessful, an error message is returned and you are prompted to retry.

Note: In PIN AND Fingerprint mode, if one of the user verification methods is blocked, you cannot authenticate using the other method. You must unblock the blocked method first.


Locking/Unlocking the System

The .NET Bio solution can also be used to unlock the system. To lock a computer (instead of logging off), press Ctrl+Alt+Del to display the Windows Security window (see following figure), and then select Lock Computer.

Figure 20: Secure Desktop (Windows Security Window)

Removal of the smart card can also lock the computer if this option has been set by domain Group Policy or in the local computer policy (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options > Interactive logon: Smart card removal behavior, set to Lock Workstation).
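The Local Security Policy editor stores the "Interactive logon: Smart card removal behavior" setting as the ScRemoveOption string value under the Winlogon registry key, so an administrator can audit and correct it from a script. The following is an added example, not part of the Gemalto guide; it assumes Windows PowerShell is installed on the machine and that no domain Group Policy overrides the local value (a domain setting is re-applied at policy refresh and wins over a local change).

```powershell
# Added example (not from the Gemalto guide): audit and set the smart card
# removal behavior that backs the Local Security Policy option.
# Assumption: the policy is stored as the REG_SZ value ScRemoveOption under
# the Winlogon key; "0" = No Action, "1" = Lock Workstation, "2" = Force Logoff.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$meaning = @{
    '0' = 'No Action (weak: the session stays open after the card is removed)'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
}

function Get-ScRemoveOption {
    $item = Get-ItemProperty -Path $key -Name ScRemoveOption -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { '0' } else { [string]$item.ScRemoveOption }  # absent = No Action
    New-Object PSObject -Property @{ Value = $value; Meaning = $meaning[$value] }
}

function Set-ScRemoveOption {
    param([ValidateSet('0', '1', '2')][string]$Value)
    # Writing under HKLM requires an elevated (administrator) session.
    Set-ItemProperty -Path $key -Name ScRemoveOption -Value $Value -Type String
    Get-ScRemoveOption
}

Get-ScRemoveOption        # report the current setting, e.g. "0" = No Action
Set-ScRemoveOption '1'    # lock the workstation when the card is pulled
```

The value is read by Winlogon when the session is established, so log off and on again after changing it and confirm the behaviour by removing the card.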

Unlocking your computer with the .NET Bio solution works the same way as a secure logon. Upon successful verification of the smart card PIN, fingerprint(s) or both, the session is unlocked and you return to the XP desktop in its previous state.


Unblocking Biometrics

The card maintains two separate retry counters: one for consecutive unsuccessful PIN verification attempts and one for consecutive unsuccessful fingerprint verification attempts. Two of the configurable parameters of the .NET Bio solution set the maximum value each counter can reach. The .NET Bio verification interface informs the user of the remaining attempts after each unsuccessful try.

Figure 21: Retry counter

After a successful authentication, the corresponding counter is reset. However, if you perform too many unsuccessful consecutive attempts, the corresponding authentication method is blocked.

To unblock the fingerprint counter:

1. Double-click the icon to start the Biometrics & PIN Manager as shown in Figure 7.

2. In the Biometrics & PIN Manager, click Unblock Biometrics.

In the Administrator Authentication dialog, ask the administrator for the corresponding 16-digit response and enter it as shown in Figure 22.

Figure 22: Admin Authentication (Challenge-Response), showing the 16-digit challenge provided by the card and the 16-digit response presented by the user


3. After successful presentation of the response, you are asked to re-enroll fingerprints (Figure 12).

Note: You are always asked to provide a response to the 16-digit challenge, regardless of whether the Fingerprint Management Access Condition parameter is set to Admin or PIN.

Unblocking Biometrics via the PIN

From version 7.1.0.1 of the minidriver onwards, an option is available whereby unblocking the PIN automatically unblocks biometric authentication at the same time. This is done by setting the configurable "Unblock FP when unblock PIN" parameter to 1. With this option enabled, the fingerprint retry counter is reset whenever the PIN is unblocked, so the fingerprint lockout no longer acts as an independent limit.

Using .NET Bio Verification with Smart Card-enabled Applications

.NET Bio can be used by many applications that run in the XP desktop, including MS Outlook for email signature and encryption, and MS Word and Excel for digital signature of documents. It can also be used with VPN clients for secure remote authentication.

Digital signatures prove that you signed the contents of a document or message and that the contents have not been altered in transit; the binding of the signature to your private key is what provides "non-repudiation." For confidentiality, you can also encrypt documents and messages. The message contents are encrypted with the recipient's public key, taken from the recipient's digital certificate, so only the holder of the matching private key can decrypt them; your own certificate is used for signing.

If an application works on XP and provides support for Microsoft's Smart Card Cryptographic Service Provider architecture, then the standard smart card PIN prompt can be replaced by the corresponding .NET Bio fingerprint verification prompt. For detailed information on using smart cards for two-factor authentication, digital signatures and encryption with different applications, refer to the application documentation.

The following examples show how .NET Bio can be used for digital signature of email in Outlook, and secure remote access with a VPN.

Applying a Digital Signature to an email using MS Outlook

To digitally sign an email message with the .NET Bio solution:

1. When creating the email message, go to Message Options / Security Settings and select “Add digital signature to this message”. Then select the digital certificate stored on the card as the one to use to sign the message.

2. Complete your message and click Send. The security dialog box corresponding to the current user verification mode of your card appears.


Figure 23: MS Outlook - Sign Email

3. Swipe your finger and/or enter your PIN, and then click OK. If the credentials match the ones stored on the card, your digitally signed message is sent to the recipient(s).

Accessing a VPN Network

The .NET Bio solution can be used with many VPN clients for certificate-based authentication with remote access systems. Using the VPN client interface, the location of the digital certificate — on the Gemalto .NET Bio smart card — is specified first.

To access a VPN network using the .NET Bio solution:

1. Using your VPN client software, connect to the VPN network as follows. (The smart card should already be in the smart card reader.)

➢ From the Start menu, choose Settings > Control Panel > Network and Internet Connections > Network Connections to display the Network Connections window.


Figure 24: Network Connections Window

2. In Virtual Private Network, double-click the VPN to which you want to connect (Gemalto in this example).

3. Swipe your finger and/or enter your PIN according to the active user verification mode (Figure 4 on page 8) then click OK. The PC connects to the VPN as shown.

4. When Windows XP confirms that you have made a secure VPN connection, click

