Fingerprint Recognition with Linux & IBM's T42

Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"

Re:Ahem, PAM

[Libor+Vanek]

PAM is really great thing - you can even have "plaintext" passwords in *SQL database or whatever - so there is no need to change hash or anything. IIRC I've seen some biometric Linux solutions (using PAM) on some CeBIT show...

To answer the question: No.

[Keeper]

Windows has supported biometric authentication (in addition to smart cards) since Win2k. Hell, they've been selling keyboards with fingerprint scanners built in for almost a year now ...

Re:Ahem, PAM

[Libor+Vanek]

AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!

Here's a guy that won't be using it!

[Jonti]

Mr Kumaran, a Malaysian accountant, had a Mercedes protected by biometric finfger print recognition. He still lost his car to thieves, tho' -- and the end of his finger as well. You can read about the, uhh, downside, to finger-print recognition here.

OK, so the Merc was worth USD 75,000 to the thieves, a little more than a laptop. But if a dead finger works, a plastic replica would work as well. Before using a system like this, it may be worth considering the value that the data on a laptop might have to unscrupulous rivals ... Is it worth this kind of horror to protect the laptop itself? There are easier and better ways to protect *data*.

Re:Ahem, PAM

[nathanh]

I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?

No. For example, the OpenSSH server needs explicit support for GSSAPI to support Kerberos Single Sign On. That could not be done within PAM.

Re:So big brother will run on Linux...

Too late

http://www.kronos.com/uk/profiles/mfi_uk.htm

Re:By the way, biometrics & DRM ?

[ajs318]

Yes, it's dead easy and can be done using readily-available and household materials. You just need some graphite dust and sellotape {from your desk}, photoresist PCB board and processing chemicals {from Maplin or similar; unless electronics is considered bomb-making nowadays}, and plant gelatin {from a health food store}. Dust laptop for {presubably the rightful user's} fingerprints with graphite and lift with sellotape. {Option: enhance image electronically}. Make a printed circuit board using the fingerprint pattern. Ideally use negative working photoresist or take a negative as part of enhancing the image, though in practice negative images are acceptable to fingerprint scanners {which seem to respond to edges in blissful ignorance of actual direction}. Use PCB to cast a gelatin mould of the rightful user's fingerprint. Use artificial gelatin fingerprint {possibly on the end of your own finger} to operate scanner. In the event of a bust, it can be disposed of safely by eating {you did use plant gelatin, didn't you?}

References here and here.

Re:To answer the question: No.

[VE3MTM]

My boss has one of those Microsoft keyboards with the fingerprint scanner. It does not work for Windows logins, only for things like passwords on webpages.

Re:Ipaqs

[Antique+Geekmeister]

It's about the same as the state for speech recognition elsewhere. The systems use way too little data to actually analyze and get at best a 95% or so recognition of the acutal user, and the sensor acuity to defeat even the fake gelatin fingers (Google keyword: gummi fingers) is simply not there, since with a fake finger made from a fingerprint lifted from elsewhere the class that did the Gummi fingers still got better than 80% recognition.

Basically, the ability to detect a fake fingerprint with a casual test has never existed. The sensors just aren't good enough, even if the software authors were willing to invest the resources to store really thorough images of fingerprints, which they're not.

Re:That wouldn't be a first

[porkThreeWays]

Linux uses kernel modules to insert code into a running kernel. Most distributions come shipped with a crapload of modules. They will use an initial ramdisk to do hardware detection and only modprobe modules with hardware present.

To the end user, all they have to do is install their linux distribution and it just works.

I've been using Linux for a while now (Red Hat 6.2 was my first). When I first started, you kinda had to plan your hardware for linux or hope it would work. Today, I don't think twice about linux support. Most times I can plug in my new usb device right out of the box (via hotplug) with no driver disks, update searches, searching HP's website, etc etc.

Obviously there are exceptions, but it's been a looooooooong time that I've bought hardware that doesn't work with Linux.

Re:That wouldn't be a first

[Trelane]

Pardon my ignorance, but aren't you supposed to compile the kernel with that hardware support in Linux, before that hardware is actually supported by Linux?

Generally, what will happen is that a distribution will ship with a somewhat minimal kernel and a bunch of kernel modules that take care of different things, e.g. USB devices, iptables modules (adds functionality to the firewall), drivers, and so on. So no, if you don't want to do things the hard-ish way, there's no need to ever compile a kernel.

So what's the difference for a user between Windows' installable drivers and Linux' kernel-compiled drivers?

Well, the first difference is that not all drivers are kernel-compiled. You can certainly do that if you wish, which has certain advantages (e.g. on a server, it makes it just a little harder to install a kernel-level rootkit if you disable modules and compile everything in). However, most drivers that people will use are just kernel modules, which are loaded as needed. The difference then between Windows and Linux is that Linux's driver support, due to the fact that generally vendors don't believe it to be worth the investement, is mostly available with your distribution because the drivers aren't coming from the vendor. With a few notable exceptions (e.g. video drivers), if you can use it under Linux, its driver is on your distribution's CD or DVD. With Windows' driver support, due to the fact that most vendors don't believe it worth dying not to support Windows, is generally only available from the vendors and much, much fewer drivers come with your Windows CD or DVD. Now a few drivers may well be shipped on the CD/DVD, but not nearly as many as with Linux, in my experience.

Re:Use of finger-prints !=security

[hacker]

"I wish companies and .gov would stop pushing biometrics as the end-all solution to password & user security.

[...]

The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!"

Unfortunately, fingerprint authentication does NOT satisfy government requirements (not to mention the inherent insecurity should you ever be prosecuted).

CFR 21 part 11 (Code of Federal Regulations governing electronic signatures) mandates that you have to have at least 2 out of 3 things to be said to have securely authenticated:

1. Something you HAVE (card key, key fob, etc.)
2. Something you ARE (biometric, iris, fingerprint)
3. Something you KNOW (password, passphrase, etc.)

If any system is compromised, and 2 out of the 3 above are used, then there is a conspiracy (like you gave your keycard and password to someone else).

The issue about security when prosecuted, is that your physical body (fingerprints as well) are subject to "search and seizure" if you are ever arrested (even if 100% innocent). There was a case that went to the Supreme Court (which I can't recall the name of) where a man argued that his fingerprints were "property", and until he waived his rights to his property, he could not be fingerprinted. I'm not sure how that turned out though.

Basically if you're arrested and they fingerprint you, they could just as easily scan in your fingerprints electronically and "replay" those back later to gain access to your biometric laptop or other devices.

Best to use 2 out of the 3 (or 3 out of the 3) above, so they can't gain access to your protected data without your approval or consent.

Re:Ipaqs

[hacker]

Basically, the ability to detect a fake fingerprint with a casual test has never existed. The sensors just aren't good enough, even if the software authors were willing to invest the resources to store really thorough images of fingerprints, which they're not.

The FingerChip(tm) has been doing exactly this since about 1998 or earlier (that's 7+ years). The FingerChip is about 1mm x 8mm in size (about 1/2" long, about the width of a wooden matchstick). I think the company sold its technology to someone else now over the years, but lots of companies are using it... including IBM.

I was investigating their scanners back in 1998 when I was doing biometric authentication on wireless tablets running Citrix Metaframe for $BIG_PHARMA. This was back in 1998!! Technology has, of course, improved considerably since then.

Basically you swipe your finger across the FingerChip and at least 52 separate datapoints are gathered, which include speed of the swipe, pressure, heat, and of course the standard whoops and swirls of your fingerprint itself. We tried using lifting techniques and other things on it (as did the manufacturer), and it was simply not possible.

It is similar to trying to forge a signature. Sure you can forge it so the end result looks identical, but did you press your pen with the same pressure? Did you dot your "I" before you finished the word, or after? Did you cross your "T" from left to right, or right to left?

Any biometric scanner that doesn't measure these kinds of things shouldn't be used.

Incidentally, we tried lots of different kinds of scanners, including voice. The voice biometric scanners had about a 90% failure rate in our tests. I could log in as my colleague, just by repeating his exact intonation and speed... I could not, of course, imitate his fingerprint.

Re:Ahem, PAM

[straybullets]

AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!

Yes this true. It depends on the system used but the one i know works like this. Once aquired as a real image, a complex algorithm is invoked to convert the image into a set of coordinates, that represent different interesting points in the fingerprint.

A match is a % of same coordinates between the stored and the scanned print. Interesting to note is that this % is fixed by law and depends on which country you are !

Re:Anyone on breaking the biometric authentication

Short Answer: It depends on the scanner.
Optical scanners work using an image of the print itself. The finger is pressed against glass, so that at a particular angle the print is very clear.

Capacitive scanners work using a grid of electrodes: the higher parts (ridges) disrupt the conductivity of some electrodes, and the lower parts (valleys) don't. This pattern of disrupted capacitance is the print.

The best capactitive scanner will be able to tell from sweat in the pores if the finger is live, or if it has been chopped off. Likewise, glue or images will not work.

An optical scanner is much easier to fool.

If you are simply looking to mess up your fingerprint to avoid identification the 3M liquid bandage stuff is the best.