Credential Enrollment

Once a user is either selected by a Security Officer or logged in (if self enrollment has been enabled), the Credential Manager page displays.

The Credential Manager page is the central location within Web Enrollment where a user’s credentials can be enrolled and managed. Note that a Bluetooth credential is not available during Web Enrollment. This is because Bluetooth enrollment pairs the associated device directly with the machine where it is being enrolled, and most users will not be using a Bluetooth device to authenticate on the Web Enrollment machine.

The tiles on the page, representing credentials and other information that may be captured by DigitalPersona in relation to a specific user, give access to pages where this information may be provided. Once a credential has been enrolled, the word ADD will be replaced with CHANGE.

The first time, within a browser session, that a user clicks a credential tile, they will be asked to verify their identity by submitting a previously enrolled credential. This may be their password or any other DigitalPersona credential that has been enrolled for their account.

Password credential

The Password credential is automatically enrolled for DigitalPersona Non AD users during the initial creation of the user through the Web Administration Console. For AD users, the Password Credential (Windows password) is part of their Active Directory profile.

The Password tile launches the Change password window, where a user can change their password by entering their current password, and then creating and confirming a new password.

Fingerprints credential

If there is a supported fingerprint reader or ten-print scanner built into or connected to your computer, you can enroll and manage a user’s fingerprints. Select the Fingerprints tile to display the Fingerprints page, where you can enroll a user’s fingerprints credential.

To enroll a fingerprint

  1. Click the Fingerprints tile to display the Enroll your Fingerprints window.
  2. Select a finger in the displayed hand images.
  3. Scan the selected finger as many times as necessary to enroll the Successful scans will show a temporary blue background on the fingerprint icon.
  4. When an adequate number of images have been captured, this window will close automatically and the Enroll your Fingerprints window will redisplay. Note that verification by both the Security Officer and the user may be required before the fingerprint credential is saved.
  5. Click Close to return to the Credential Manager

WARNING: If any fingerprint being enrolled during this session, prior to clicking Save, is found to be a duplicate of an existing fingerprint for another user, the other user’s matched fingerprint will be deleted and the current user’s pending fingerprints will not be saved. An error message will display: The fingerprint cannot be enrolled. Contact your administrator for more information.

To delete a single fingerprint

  1. Click any highlighted
  2. Confirm the deletion by clicking Yes in the message box that displays.

To delete the entire fingerprint credential

  1. Once the credential has been enrolled, a Delete All Fingerprints button is added to the Enroll your fingerprints window.
  2. Click Delete All Fingerprints and then click Yes in the message box that displays to confirm the deletion.

Cards credential

This tile provides a means for enrolling a user’s Smart Card or Proximity Card credential.

Note that Smart Cards require separate middleware (ActiveClient and ActiveClient hotfix) installation on the enrollment machine. Contactless Cards are not supported in Web Enrollment.

To enroll a Smart Card or Proximity Card credential

  1. Click Add or Change on the Cards tile to display the Manage your Cards
  2. Insert a Smart Card into a built-in or attached card reader, or place a Proximity Card very close to the reader.
  3. Click Enroll this Then click Close.

To delete all enrolled cards, click Delete All Cards. Individual enrolled cards cannot be deleted separately.

PIN credential

This tile provides a means for enrolling a user’s PIN credential.

To enroll a PIN credential

  1. Click the PIN tile to display the PIN window.
  2. Enter and confirm a four-digit PIN.
  3. Click Save.

One-Time Password credential

A One-Time Password (OTP) credential uses an automatically generated time-sensitive numeric code for authentication.

The OTP credential can be used for authentication to the DigitalPersona Identity Server, providing access to the DigitalPersona Administration Console, DigitalPersona Web Enrollment and the DigitalPersona Application Portal, as well as for verifying one’s identity within Web Enrollment when enrolling or managing one’s credentials.

A QR Code scanner app on your device will greatly simplify the enrollment process by automating the entry of required account information, but is not required as manual entry of the information is also possible.

The verification code may be generated in one of the following ways.

Authenticator app – A software token is generated by a special Authenticator app on a user’s mobile device, and the resulting time-sensitive code is used for authentication.

OTP Push Notification – A software token is generated by DigitalPersona and sent to a mobile device where the user can Accept or Deny its use for authentication. This feature is only available through the DigitalPersona authentication app. Although generation of the OTP is supported in third-party authentication apps, Push Notification is only available through the DigitalPersona app.

OTP via SMS – A software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to a mobile device through SMS.

Hardware token – A dedicated hardware device generates a time-sensitive code used for authentication. The hardware token must be an OATH-compliant TOTP (Time-based One-Time Password) device.

OTP Enrollment

The steps in the enrollment of an OTP credential differ slightly based on the type of OTP credential described above.

Authenticator app and Push Notification

Enrollment of an OTP credential to be used with an authenticator app will also automatically include the ability to make use of OTP Push Notification, but only if the DigitalPersona administrator has installed and configured the Crossmatch Push Notifications Server. Also, the associated OTP GPO setting must be enabled and configured by a DigitalPersona administrator as described in the Policies and Settings chapter of the DigitalPersona Administrator Guide.

However, during enrollment, you may choose not to use OTP Push Notification by selecting Decline on the Push Authentication page. If both the authenticator app and OTP Push Notification are enrolled, you can use either one for authentication.

From a link in the One-Time Password window, you can download an OTP authentication app from various platform-centric app stores, and then enroll the OTP credential for use with the authenticator app (and OTP Push Notification, if configured and in the DigitalPersona app only) by scanning the QR Code shown on the screen or by manually entering the information required to create a DigitalPersona account in the authentication app.

The steps to enrolling a software-based OTP token to be used with an authenticator app or OTP Push Notification are:

  • Download an authenticator app
  • Set up a DigitalPersona account on your device
  • Sign in to the DigitalPersona app
  • Enroll the credential in the DigitalPersona Console

Download an authenticator app

  1. From the Enroll a One-Time Password window, click the Download phone app link to display the QR Code for downloading and installing an authentication app for your device. The window will display a new QR Code for downloading the app and a means to choose which app store to download it from.
  2. Select your device’s app store, and then scan the QR code provided or click the corresponding Download link. The DigitalPersona app is currently available in the Apple Store and on Google Play. For the Windows mobile platform, the Microsoft and Google Authenticator apps provide nearly identical functionality, although setup and enrollment steps may vary slightly.
  3. Scanning the QR code with a QR Code scanner app on your device is the simplest It will automatically open your device’s default web browser and display the product page for the selected authentication app so that you can download and install the app.
  4. Clicking the Download link shown above the QR Code will open the selected app store in your computer’s default Some app stores may require signing in and/or downloading the app and copying it to your device.

The instructions that follow are for the DigitalPersona app as installed on an iPhone. Instructions for the use of other authentication apps and devices may differ slightly.

Set up a DigitalPersona account on your device

  1. Launch the authentication app on your device. The first time the app is launched, the Register screen displays. Click OK to allow the DigitalPersona app to send you notifications. Then click Register.
  2. Enter and verify a six-digit passcode.
  3. On the Diagnostic and Usage page, accept the defaults or tap an option to deselect it.
  4. On the Accounts screen, click the Plus sign (+). You will be asked for permission to access your device’s camera. Tap OK if you want to use the camera to scan the QR Code for automatically creating your DigitalPersona Mobile account. If you click Don’t Allow, you will need to enter account information manually.
  5. You can create the required account on your device automatically by scanning the QR Code displayed in the Enroll a One-Time Password window, or by entering the account data manually.
  6. Automatic account creation
    • From the Scan QR Code tab, scan the displayed QR Code. Do not scan the QR code that was used to download the app.
    • If the Crossmatch Push Authentication Server has been previously set up by your DigitalPersona Administrator, Push Authentication will be automatically enabled for your device once you choose to Accept the associated Privacy Policy. If you choose to Decline the Privacy Policy, Push Authentication will not be enabled.
    • Once the account information is displayed, tap Save. The DigitalPersona Mobile account will be created and the Accounts screen displayed with the new account and your first One-Time Password shown.
  7. Manual account creation
    • On your computer, select the Enter Manually tab in the Enroll a One-Time Password window, to display the account information that needs to be entered on your choice.
    • On your device, from the Scan QR Code screen, select Enter Account Manually to display the Account screen.
    • Enter the account information from the One-Time Password page (on your computer) into the corresponding fields on your device. Then tap Save.
    • If the Crossmatch Push Authentication Server has been previously set up by your DigitalPersona Administrator, Push Authentication will be automatically enabled for your device once you choose to Accept the associated Privacy Policy. If you choose to Decline the Privacy Policy, Push Authentication will not be enabled.

Sign in to the DigitalPersona Mobile app

Once you have registered as described in the previous pages, you can sign in to the app as follows.

  1. Launch the DigitalPersona app.
  2. Sign In.
    • Fingerprint enabled devices – You can enable fingerprint authentication to the DigitalPersona Mobile app by selecting Enable Touch ID on the Sign In screen or later in the DigitalPersona Mobile Settings. Then touch the fingerprint sensor to sign in.
    • Non-fingerprint enabled devices – Tap Sign In and then enter your six-digit DigitalPersona Mobile passcode.

Enroll the OTP credential

  1. On your computer, open the Enroll a One-Time Password window.
  2. On your device, sign in to the DigitalPersona Mobile app.
  3. On your computer, at the bottom of the window, enter the six-digit One-Time Password displayed in the app and click Save.

SMS OTP

On the Credential Manager, One-Time Password page, you can enroll an OTP credential that will transparently generate a time-sensitive code that is sent to your mobile device and display a notification asking you to Allow or Deny its use for authentication.

Note that the OTP displayed in the authentication app changes every 30 seconds and the code on a hardware token device generally changes every 30 to 60 seconds, depending on the manufacturer and any optional configuration (using the SMS GPO) by the administrator.

To enroll the OTP via SMS credential

Enrollment of the SMS delivery feature requires that a DigitalPersona administrator has previously created a Nexmo (https://www.nexmo.com) account and entered Nexmo account information into the OTP setting on the DigitalPersona Server, as described in the Policies and Settings chapter.

  1. In the Enroll One-Time Password window, click the SMS OTP tab.
  2. Enter the number (country code and full phone number) for the mobile device where you would like to receive a One-Time Password through SMS delivery.
  3. Click the arrow next to the phone number field.
  4. You will receive an SMS message on your mobile device containing a six-digit One-Time Password.
  5. On your computer, enter the One-Time Password into the One-Time Password field and click Save.
  6. The Credential Manager page will re-display and the One-Time Password tile will now show a Change caption, indicating that a One-Time Password credential has been successfully enrolled.

Hardware token

On the Credential Manager, One-Time Password page, you can enroll a hardware token as a DigitalPersona credential. The hardware device can then be used to generate a code for authentication. Note that hardware tokens must be OATH-compliant TOTP (Time-based One-Time Password) devices.

Enroll an OTP credential using a hardware token

  1. From the Enroll a One-Time Password window, select the Hardware Token tab.
  2. Enter the serial number for your hardware token, which is usually found on the back of the Note that a vendor supplied file associated with a specific set of hardware tokens must have been previously imported to the DigitalPersona Server before the hardware token can be enrolled. (See the topic Hardware Tokens Management Utility in your DigitalPersona Administrator Guide.)
  3. Enter the verification code displayed on your device and click Save.

Authentication with a One-Time Password

To authenticate with your One-Time Password

  1. Do one of the following, depending on where you are authenticating from.
    • At Windows logon, select Sign-in options and then select the One-Time Password (or OTP) tile to display One-Time Password options.
    • On the DigitalPersona Identity Server or Verify your Identity screen, select the One-Time Password (or OTP) tile.
  2. You can use an OTP credential in any of the following ways.
    • Select Send push notification to send a One-Time Password to your enrolled mobile device allowing you to Approve or Deny authentication.
    • Select Send SMS to send an SMS message to your enrolled mobile device with a One-Time Password that you can enter on your computer for authentication.
    • Launch your previously registered authentication app on your mobile device and enter the resulting One-Time Password into the entry field on your computer.
    • Activate the display on an enrolled hardware token, and enter the displayed One-Time Password on your computer.
  3. In most cases, enter your One-Time Password into the One-Time Password field on your workstation screen and select the arrow button. When using push notification, you do not need to enter the code on your computer, as tapping Approve or Deny on your mobile device automatically authenticates to your computer.
  4. Note that the OTP displayed in the authentication app changes every 30 seconds and the code on a hardware token device generally changes every 30 to 60 seconds, depending on the manufacturer and any optional configuration by your administrator.

To change or delete your OTP credential

  1. Once the credential has been enrolled, the word CHANGE will display beneath the OTP tile.
  2. On the Credential Manager page, click CHANGE.
  3. Confirm that you want to delete the current OTP credential and enroll a new credential.
  4. Enroll the new OTP credential, or click Cancel to return to the Credential Manager page without enrolling a new OTP credential.

Recovery Questions credential

(AD Users only) The Recovery Questions credential allows a DigitalPersona AD User to regain access to their Windows account by answering a series of questions that have been previously configured.

To set up a user’s Recovery Questions

  1. Click the Recovery Questions tile to display the Recovery Questions window.
  2. The user selects their questions from those available from the dropdown menus, and enters their unique They can also write their own Custom questions by selecting the Custom question from the menu.