Biometric Framework overview

Every individual has unique characteristics that can be used for identification. Typically these characteristics are physical and include traits such as fingerprints and iris patterns, but they can also include behavioral traits such as gait and typing rhythm. The term biometrics encompasses both meanings. Biometric information is increasingly replacing passwords to identify and verify users. It is more secure and often more convenient for both user and administrator.

Sensors are used to capture biometric information. The information is captured by the sensor as a biometric sample. A single sample contains data that represents a single biometric characteristic for one individual. Multiple samples are averaged to create a biometric template, and the template is securely stored. Later, a sample from an unknown user is compared to the stored templates to establish and verify user identity. The Windows Biometric service, part of the Windows Biometric Framework (WBF), provides the following functionality, which client applications access through the Windows Biometric Framework API.

  • Captures biometric samples and uses them to create a template.
  • Securely saves and retrieves biometric templates.
  • Maps each template to a unique identifier such as a GUID or SID.

You can also use this API to extend the framework and create biometric sensor adapters, matching engines, and storage components. For more information about creating sensor adapters, matching engines, and storage components, see Creating Adapter Plug-ins.

Terminology

The following terms are used throughout the Windows Biometric Framework API documentation.


Windows Biometric Framework (WBF)

A framework architecture in Windows that provides a consistent management interface and user experience for biometric devices.

Windows Biometric Service

A privileged service that manages all biometric devices by using Windows Biometric Driver Interface (WBDI) compliant device drivers.

Windows Biometric Driver Interface

An interface standard for drivers that manage fingerprint sensors.

Windows Biometric Service Provider (WBSP)

A component of the Windows Biometric Service that manages a specific category of biometric technology such as a fingerprint reader. WBSPs are built into the Windows Biometric Service. They are not plug-ins, and third-party WBSPs are not supported.

Biometric factor

A personal characteristic that can be measured and used for identification. Examples include fingerprints and hand geometry.

Biometric sub-factor

A qualifying characteristic that can be used to further define a biometric factor. For example, to completely identify a fingerprint (biometric factor) it's necessary to specify which finger the print came from (biometric sub-factor).

Biometric sample

The data that results from the measurement of a single characteristic from a single individual, for example the image of one fingerprint.

Biometric template

A statistical average generated by collecting multiple biometric samples of a single characteristic for a single individual. A template typically contains only the features that are necessary to determine whether a new sample matches.

Biometric unit

A software object that represents a biometric device and can be used to capture and process biometric samples and create, save, and match biometric templates.

Sensor adapter

A biometric unit plug-in component that provides a standard interface for configuring the sensor, capturing samples, and controlling the flow of biometric data to the engine adapter.

Engine adapter

A biometric unit plug-in component that processes a sample by normalizing data, extracting features, and matching sample data to existing templates.

Storage adapter

A biometric unit plug-in component that stores, manages, and retrieves templates.

Biometric information record (BIR)

A data structure that contains raw or processed biometric information.

Sensor pool

A collection of biometric units that share a common management policy.

Liveness testing

A process that verifies that a biometric sample is not being spoofed or replayed from a sample that was previously collected.


Core platform components

Windows Biometric Driver Interface (WBDI)

WBDI is a programming interface that a biometric driver can use to expose the biometric device through the Windows Biometric Service (WBS). You can implement a WBDI driver by using any supported driver technology, including the following. We recommend, however, that you use UMDF when possible to improve driver quality and system stability.

  • User Mode Driver Framework (UMDF)
  • Kernel Mode Driver Framework (KMDF)
  • Windows Driver Model (WDM)

A WBDI biometric driver must also support the WBDI driver interface GUID and all mandatory I/O controls (IOCTLs). Driver developers should review the documentation and sample code in the Windows Driver Kit (WDK).

Windows Biometric Service (WBS)

The Windows Biometric Service manages installed biometric drivers and supports the Windows Biometric Framework API to provide device access to client applications. WBS performs the following functions:

  • It protects user confidentiality by separating client applications from biometric data.
  • It protects biometric data from unprivileged client applications by requiring that applications gain access to data by using unique identifiers.
  • It uses a software component called a Biometric Unit to expose the capabilities of a particular biometric device through a standardized interface.
  • It manages biometric units by grouping them into system, private, or unassigned Sensor Pools.
  • It supports the use of biometric unit Adapters for physical devices that lack onboard processing or storage capabilities.

Windows Biometric Framework API

The Windows Biometric Framework API enables you to create client applications that can interact with the Windows Biometric Service to perform the following actions:

  • Identify and verify users.
  • Locate biometric devices and query their capabilities.
  • Manage sessions and monitor events.

User Experience Components

Discovery Points

End users can locate biometric devices by any of the following means:

  • Typing the words biometrics, fingerprint, face, or other related phrases into the Start Search text box to open the biometric devices control panel. On a Windows 10 installation, the results list for biometrics can contain items such as the following.
    • Setup fingerprint sign-in
    • Setup face sign-in
  • Examining the biometrics devices category in Device Manager to find all installed WBDI biometric devices.

Supported Scenarios

The following scenarios are supported:

  • Users can log on to a local computer, a workgroup, or a domain by using a fingerprint reader or an infrared (IR) camera focused on the face.
  • A user with administrative privileges can elevate applications through User Account Control (UAC) by using a fingerprint or face.

Management components

A biometric device can be managed by using the Biometric Device Control Panel and a biometric system can be managed by using Group Policy.

Biometric System Management

The Biometric Device Control Panel enables management of biometric capabilities on a local computer. The same policies can be set in a domain by using Group Policy. Group Policy can further be used to perform the following actions:

  • Specify the timeout period for fast user switching, if implemented by the ISV.
  • Prevent biometric device installation.
  • Force the removal of drivers for biometric devices.
  • Disable the biometric service.

Fingerprint management application workflow