IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.1

Fingerprint authentication

IBM® Security Access Manager for Enterprise Single Sign-On supports fingerprint authentication of users in both personal and shared workstations.

How it works

Users can log on, lock, and unlock AccessAgent with fingerprint only. Users must scan their fingerprint into the fingerprint reader. Users can scan their finger on any of the following screens:
  • Welcome screen
  • Log on screen
  • Sign up screen
  • Reset password screen
Note:
  • Users cannot change their ISAM ESSO password if they log on using their fingerprint as the only authentication factor.
  • Logging on to AccessAgent with fingerprint only does not work with the Terminal Server if the ISAM ESSO password is not synchronized with the Active Directory password.

This process results in a fingerprint registration template, which is stored in the IMS Server database. This registration template can be cached on the computer running AccessAgent.

When users scan their registered fingerprints, the fingerprint reference template is compared to each cached fingerprint registration template. If the template is not found, the users are prompted for their ISAM ESSO username. The username and reference template are authenticated against the IMS Server database.

Note: The UI is disabled on a successful fingerprint scan. If the fingerprint reader is unable to read the fingerprint properly, an error message is displayed on AccessAgent.

IBM Security Access Manager for Enterprise Single Sign-On relies on the third-party biometric software to:
  • Integrate with the fingerprint reader and capture the fingerprint reference template (for logon) and fingerprint registration template (for new fingerprint registration).
  • Verify a logon fingerprint reference template against the stored fingerprint registration template.

To use fingerprint authentication:

  • The users must sign up with IBM Security Access Manager for Enterprise Single Sign-On with a fingerprint.
  • The users must register their fingerprints.
    Note:
    • The users can register 1-10 fingerprints. The users can also delete or replace the existing registered fingerprints.
    • You can configure the maximum number of fingerprints that are allowed for each registration by using the pid_fingerprint_registration_max policy.
    • The users are prompted to scan their finger several times during registration, depending on the fingerprint reader and the biometric SDK.
  • The users must log on to AccessAgent with the registered fingerprint.

Fingerprint tap same and tap different

Fingerprint tap same
The fingerprint that is scanned is registered to the logged-in AccessAgent user.
Fingerprint tap different
The fingerprint that is scanned is not registered to the logged-in AccessAgent user.
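
The logon flow under "How it works" and the tap same / tap different distinction, sketched as an added Python model; it is not AccessAgent or IMS Server code. The 16-bit templates, the bit-difference matcher, its threshold, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

THRESHOLD = 4  # assumed: maximum differing bits the toy matcher accepts

# Constructed sample templates (16-bit integers stand in for real templates).
ALICE, BOB = 0b1011001110001111, 0b0100110001110000
SERVER_DB = {"alice": [ALICE], "bob": [BOB]}   # stands in for the IMS Server database
CACHE = {"alice": [ALICE]}                     # templates cached on this workstation

@dataclass
class Outcome:
    user: Optional[str]   # matched user, or None if authentication failed
    source: str           # "cache", "server" or "none"
    tap: Optional[str]    # "same" / "different" when someone is logged on

def matches(reference: int, registration: int) -> bool:
    """Toy stand-in for the biometric software's verification step."""
    return bin(reference ^ registration).count("1") <= THRESHOLD

def classify_tap(matched: str, logged_in: Optional[str]) -> Optional[str]:
    if logged_in is None:
        return None
    return "same" if matched == logged_in else "different"

def authenticate(reference: int, cache: Dict[str, List[int]],
                 server_db: Dict[str, List[int]],
                 logged_in: Optional[str] = None,
                 ask_username: Callable[[], Optional[str]] = lambda: None) -> Outcome:
    # 1) Compare the scanned reference template to each cached registration template.
    for user, templates in cache.items():
        if any(matches(reference, t) for t in templates):
            return Outcome(user, "cache", classify_tap(user, logged_in))
    # 2) Not found in the cache: prompt for the username, then check the
    #    username and reference template against the server-side record.
    username = ask_username()
    if username and any(matches(reference, t) for t in server_db.get(username, [])):
        return Outcome(username, "server", classify_tap(username, logged_in))
    return Outcome(None, "none", None)

if __name__ == "__main__":
    print(authenticate(ALICE ^ 0b101, CACHE, SERVER_DB))
    print(authenticate(BOB ^ 0b11, CACHE, SERVER_DB, ask_username=lambda: "bob"))
    print(authenticate(ALICE, CACHE, SERVER_DB, logged_in="bob"))
```

In this model a cache hit is a one-to-many comparison made without a username, while the server path is a one-to-one check against the named user's templates only.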

