Slashdot Mirror


Fingerprint Recognition with Linux & IBM's T42

Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"


  1. Ahem, PAM by nokilli · · Score: 5, Interesting

    I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?

    They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.

    Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?

    The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.

    I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.

    This is a really tricky problem.

    I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.

    Why can't that go into pam_finger.so?

    1. Re:Ahem, PAM by Libor+Vanek · · Score: 2, Informative

      PAM is really great thing - you can even have "plaintext" passwords in *SQL database or whatever - so there is no need to change hash or anything. IIRC I've seen some biometric Linux solutions (using PAM) on some CeBIT show...

    2. Re:Ahem, PAM by /ASCII · · Score: 5, Insightful
      The reason why making a general purpose API is better than hardcoding for a single use authentication algorithm is that you get:
      • Less lock in, since when the next generation of PAM killer comes along, the switch will be much easier.
      • Better portability to systems that don't use PAM. QNx, ReactOS, Windows, MacOS the world is a big place...
      • More uses for the software. Maybe you can use this fingerprinter together with a Firefox plugin to slightly increase the security of your bank transactions?

      If the above reasons are enough to warrant the extra layer of indirection, I do not know. But saying that there are _no_ advantages to making a general purpose API is plainly false. It's a simple tradeoff.
      --
      Try out fish, the friendly interactive shell.
    3. Re:Ahem, PAM by nokilli · · Score: 3, Insightful

      Well, you know, you can even have plaintext passwords stored in world-readable text files you keep in /hack/me/now but why would you use PAM for this?

      The whole point I thought was to create a framework through which it would be impossible to recreate the user's authentication info.

      We do what you're saying and the next thing you know, I have your fingerprint, or even better, I've replaced your fingerprint with mine.

    4. Re:Ahem, PAM by /ASCII · · Score: 2, Funny

      Keeping the password file in a non-standard location like /hack/me/now is simple security through obscurity. Kind of like using ROT13 to encrypt your DRMed ebooks. This is a very common security technology used throughout the IT industry. It's just a question of time before Bezos patents it!

      --
      Try out fish, the friendly interactive shell.
    5. Re:Ahem, PAM by Libor+Vanek · · Score: 4, Informative

      AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!

    6. Re:Ahem, PAM by nathanh · · Score: 4, Informative
      "I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?"

      No. For example, the OpenSSH server needs explicit support for GSSAPI to support Kerberos Single Sign On. That could not be done within PAM.

    7. Re:Ahem, PAM by nathanh · · Score: 2, Interesting
      "Yes it can."

      "I do it. (well more accurately I've done it. Having Openssh take care of it is better, IMO)"

      "Silly person."

      No, you just don't understand what is being discussed here.

      auth required pam_nologin.so
      auth sufficient pam_krb5.so forwardable
      #auth sufficient pam_ldap.so
      auth sufficient pam_unix.so shadow use_first_pass
      auth required pam_deny.so

      That is not Kerberos Single Sign On. Read the man page for sshd_config, in particular the section on GSSAPI authentication.

    8. Re:Ahem, PAM by straybullets · · Score: 2, Informative

      "AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!"

      Yes, this is true. It depends on the system used but the one I know works like this. Once acquired as a real image, a complex algorithm is invoked to convert the image into a set of coordinates, that represent different interesting points in the fingerprint.

      A match is a % of same coordinates between the stored and the scanned print. Interesting to note is that this % is fixed by law and depends on which country you are !

      --
      With that aggravating beauty, Lulu Walls.
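The matching that the two comments above describe, as an added illustration that is not part of the thread: a template is a list of markers (position, ridge angle, ending or bifurcation), a second scan of the same finger never reproduces it exactly, so a one-way hash of the template (what pam_unix.so does with a password) never matches, while a tolerance-based count of agreeing markers does. The templates are constructed grid data, not real prints; the tolerances and the 70% threshold are assumptions, and global alignment of the two scans (which a real matcher must handle) is omitted.

```python
import hashlib
import math
import random

# Constructed sample templates (not real fingerprint data). A minutia is
# (x, y, ridge angle in degrees, kind), where kind is "end" (ridge ending)
# or "bif" (bifurcation), the two marker types described in the thread.
def grid_template(offset, angle_step, count=20, spacing=40):
    coords = [(offset + spacing * i, offset + spacing * j)
              for i in range(5) for j in range(5)]
    return [(x, y, (k * angle_step) % 360, "end" if k % 2 == 0 else "bif")
            for k, (x, y) in enumerate(coords[:count])]

ENROLLED_FINGER = grid_template(offset=20, angle_step=37)
OTHER_FINGER = grid_template(offset=40, angle_step=53)   # every marker >= 28 px away


def rescan(template, rng, max_shift=2, max_turn=5, dropped=1):
    """Simulate a second scan of the same finger: each marker moves a pixel
    or two, its angle drifts a few degrees, and `dropped` markers are lost
    to smudge or uneven pressure. Two scans therefore never match byte-for-byte."""
    scanned = [(x + rng.randint(-max_shift, max_shift),
                y + rng.randint(-max_shift, max_shift),
                (a + rng.randint(-max_turn, max_turn)) % 360, kind)
               for x, y, a, kind in template]
    for _ in range(dropped):
        scanned.pop(rng.randrange(len(scanned)))
    return scanned


def hash_template(template):
    """What pam_unix.so does with a password: a one-way hash of the exact bytes."""
    serialised = ";".join(f"{x},{y},{a},{k}" for x, y, a, k in template)
    return hashlib.sha256(serialised.encode()).hexdigest()


def match_score(stored, scanned, dist_tol=6.0, angle_tol=15.0):
    """Percentage of stored markers that have a counterpart of the same kind
    in the scan within a position and angle tolerance. Each scanned marker
    may be claimed once. Global alignment of the two scans is omitted."""
    unused = list(scanned)
    hits = 0
    for x, y, a, kind in stored:
        for i, (sx, sy, sa, skind) in enumerate(unused):
            if skind != kind or math.hypot(x - sx, y - sy) > dist_tol:
                continue
            if abs((a - sa + 180) % 360 - 180) > angle_tol:
                continue
            hits += 1
            del unused[i]
            break
    return 100.0 * hits / len(stored) if stored else 0.0


def authenticate(stored, scanned, threshold_pct=70.0):
    """Accept when enough markers agree; the threshold is a policy choice."""
    return match_score(stored, scanned) >= threshold_pct


def demo(seed=7):
    rng = random.Random(seed)
    second_scan = rescan(ENROLLED_FINGER, rng)
    return {
        "hash_equal": hash_template(ENROLLED_FINGER) == hash_template(second_scan),
        "same_finger_score": match_score(ENROLLED_FINGER, second_scan),
        "other_finger_score": match_score(ENROLLED_FINGER, OTHER_FINGER),
        "same_finger_accepted": authenticate(ENROLLED_FINGER, second_scan),
        "other_finger_accepted": authenticate(ENROLLED_FINGER, OTHER_FINGER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The consequence for a PAM module is the one raised at the top of this thread: the stored template has to stay in a form the matcher can compare against, not a hash, so whoever can read the template store can present it to the matcher directly. The template store therefore needs the protection you would give a cleartext credential, and a percentage threshold rather than an exact comparison is what decides acceptance.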
  2. This is great news because... by Linker3000 · · Score: 3, Funny

    Wow, I am really looking forward to giving Linux the finger...er wait..

    --
    AT&ROFLMAO
  3. By the way, biometrics & DRM ? by Arthur+B. · · Score: 2, Insightful

    Put now your finger on the scanner to play this drm-protected wma. Well... kinda better than hardware fingerprinting anyway. But way more spooky.

    --
    ☭ = 卐
    1. Re:By the way, biometrics & DRM ? by dancallaghan · · Score: 2, Insightful

      Mod parent insightful! DRMing content according to the buyer's fingerprint pattern is an excellent way to make sure they are the only person using the content. Oh and as a side effect, M$ and [insert other evil DRM proponents here] would get to see your fingerprint ...

      Spooky indeed.

    2. Re:By the way, biometrics & DRM ? by ajs318 · · Score: 2, Informative

      Yes, it's dead easy and can be done using readily-available and household materials. You just need some graphite dust and sellotape {from your desk}, photoresist PCB board and processing chemicals {from Maplin or similar; unless electronics is considered bomb-making nowadays}, and plant gelatin {from a health food store}. Dust laptop for {presumably the rightful user's} fingerprints with graphite and lift with sellotape. {Option: enhance image electronically}. Make a printed circuit board using the fingerprint pattern. Ideally use negative working photoresist or take a negative as part of enhancing the image, though in practice negative images are acceptable to fingerprint scanners {which seem to respond to edges in blissful ignorance of actual direction}. Use PCB to cast a gelatin mould of the rightful user's fingerprint. Use artificial gelatin fingerprint {possibly on the end of your own finger} to operate scanner. In the event of a bust, it can be disposed of safely by eating {you did use plant gelatin, didn't you?}

      References here and here.

      --
      Je fume. Tu fumes. Nous fûmes!
  4. To answer the question: No. by Keeper · · Score: 3, Informative

    Windows has supported biometric authentication (in addition to smart cards) since Win2k. Hell, they've been selling keyboards with fingerprint scanners built in for almost a year now ...

  5. Finally... by Ranma-sensei · · Score: 3, Insightful

    I think it's great - and time! I really don't like having to remember 20 or so passwords just so that if one of them gets hacked my other data is secure. :(

    --
    Non-supporter of Online Activation and any other draconian DRM
  6. That wouldn't be a first by JohnnyNoSPAM · · Score: 3, Interesting

    Linux frequently supports a lot of hardware out of the box. Some folks argue that there is better hardware support for Windows. And that is true in and of itself. However, how often when installing a Windows operating system do you need a load of driver CDs to accompany the installation? In my experience: always, especially if there is additional hardware such as a printer. Linux, on the other hand, is frequently distributed with drivers for supported hardware out of the box. What's better is that as Linux grows in popularity, so will the hardware support.

    1. Re:That wouldn't be a first by porkThreeWays · · Score: 2, Informative

      Linux uses kernel modules to insert code into a running kernel. Most distributions come shipped with a crapload of modules. They will use an initial ramdisk to do hardware detection and only modprobe modules with hardware present.

      To the end user, all they have to do is install their linux distribution and it just works.

      I've been using Linux for a while now (Red Hat 6.2 was my first). When I first started, you kinda had to plan your hardware for linux or hope it would work. Today, I don't think twice about linux support. Most times I can plug in my new usb device right out of the box (via hotplug) with no driver disks, update searches, searching HP's website, etc etc.

      Obviously there are exceptions, but it's been a looooooooong time that I've bought hardware that doesn't work with Linux.

      --
      If an officer ever threatens to taze you, say you have a pacemaker.
    2. Re:That wouldn't be a first by Trelane · · Score: 2, Informative
      "Pardon my ignorance, but aren't you supposed to compile the kernel with that hardware support in Linux, before that hardware is actually supported by Linux?"

      Generally, what will happen is that a distribution will ship with a somewhat minimal kernel and a bunch of kernel modules that take care of different things, e.g. USB devices, iptables modules (adds functionality to the firewall), drivers, and so on. So no, if you don't want to do things the hard-ish way, there's no need to ever compile a kernel.

      "So what's the difference for a user between Windows' installable drivers and Linux' kernel-compiled drivers?"

      Well, the first difference is that not all drivers are kernel-compiled. You can certainly do that if you wish, which has certain advantages (e.g. on a server, it makes it just a little harder to install a kernel-level rootkit if you disable modules and compile everything in). However, most drivers that people will use are just kernel modules, which are loaded as needed. The difference then between Windows and Linux is that Linux's driver support, due to the fact that generally vendors don't believe it to be worth the investment, is mostly available with your distribution because the drivers aren't coming from the vendor. With a few notable exceptions (e.g. video drivers), if you can use it under Linux, its driver is on your distribution's CD or DVD. With Windows' driver support, due to the fact that most vendors don't believe it worth dying not to support Windows, is generally only available from the vendors and much, much fewer drivers come with your Windows CD or DVD. Now a few drivers may well be shipped on the CD/DVD, but not nearly as many as with Linux, in my experience.
      --
      Given enough personal experience, all stereotypes are shallow.
  7. Anyone on breaking the biometric authentication? by SpaghettiPattern · · Score: 3, Interesting
    Anyone on breaking the biometric authentication?
    • Chopping off finger.
    • Finger print out or finger skin resembling synthetic material.
    • Looks easier than guessing passwds.
    • How long before finger print kits appear in my Gmail->spam box?
    --
    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  8. Re:To answer the question: No. by stevey · · Score: 2, Funny
    But this is OPEN SORES!

    The combination of open sores and a finger scanner doesn't sound too hygienic to me.

    I guess if I had a fingerprint scanner I'd want to clean it regularly if people are going to start trying to use it randomly...

  9. So big brother will run on Linux... by james_gnz · · Score: 3, Interesting

    I am reminded that when I was reading Stallman's The Right To Read (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book), I wondered why it didn't include biometrics. That would have prevented the happy ending.

    Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.

    For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.

  10. *Bah*, fingerprint scanning is yesterdays news... by de+Bois-Guilbert · · Score: 5, Insightful

    ...what I want is retinal scanning!

    I'd imagine the patterns in our eyes are more difficult to duplicate for nefarious purposes than our fingerprints, which (besides the cool factor) would mean increased security... On the other hand, I'd rather have the arch-villain chop off my finger than carve out my eyeball.

  11. Re:Finally... by dancallaghan · · Score: 2, Insightful

    Except you couldn't switch to using only biometric authentication (not until they get a little DNA blood pinprick scanner thingy, anyway), so the best place for biometric authentication is as an added layer of protection on top of the 20 regularly-rotated random passwords stored in your brain.

    Yes, my tin foil hat fits very nicely thankyouverymuch.
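To make the "added layer" point concrete, here is an added simulation (not code from the thread, and not the PAM library) of how Linux-PAM combines the required and sufficient control flags used in the auth stack quoted earlier in this thread. pam_finger.so is the hypothetical module name a commenter above proposes; the module outcomes for each scenario are constructed, and the parser only handles the `type control module [args]` line form shown on the page.

```python
# Added simulation of Linux-PAM control-flag semantics (required, requisite,
# sufficient, optional) for an `auth` stack. It reproduces how a stack
# combines module verdicts; it does not talk to any real PAM module.

# Assumed module outcomes (constructed): pam_nologin.so succeeds when
# /etc/nologin is absent, pam_deny.so always fails, and any module not
# named in a scenario fails (wrong password, no fingerprint match).
DEFAULT_OUTCOMES = {"pam_nologin.so": True, "pam_deny.so": False}

# The stack quoted in the thread: Kerberos or password, whichever succeeds.
PAGE_STACK = """\
auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
#auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so
"""

# Biometric as a substitute: fingerprint OR password logs you in.
# pam_finger.so is hypothetical (the name proposed earlier in the thread).
CONVENIENCE_STACK = """\
auth required   pam_nologin.so
auth sufficient pam_finger.so
auth sufficient pam_unix.so shadow use_first_pass
auth required   pam_deny.so
"""

# Biometric as an added layer: fingerprint AND password are both required.
LAYERED_STACK = """\
auth required pam_nologin.so
auth required pam_unix.so shadow
auth required pam_finger.so
"""


def parse_stack(text, service_type="auth"):
    """Return [(control_flag, module), ...] for one service type,
    skipping blank and commented-out lines (module arguments ignored)."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3 or fields[0] != service_type:
            continue
        stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack top to bottom the way Linux-PAM does.
    impression: None = no verdict yet, True = passing, False = failed."""
    impression = None
    for flag, module in stack:
        ok = outcomes.get(module, False)
        if flag == "required":
            # A failure sticks, but later modules still run, so the user
            # gets no hint about which module rejected them.
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif flag == "requisite":
            # Like required, but a failure ends the stack at once.
            if not ok:
                return False
            if impression is None:
                impression = True
        elif flag == "sufficient":
            # Success ends the stack with a pass unless an earlier required
            # module already failed; a failure is simply ignored.
            if ok and impression is not False:
                return True
        elif flag == "optional":
            continue
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    return impression is True


def evaluate(stack_text, scenario):
    """scenario maps module -> True/False for what the user presented."""
    return run_stack(parse_stack(stack_text), {**DEFAULT_OUTCOMES, **scenario})


if __name__ == "__main__":
    scenarios = {
        "password only": {"pam_unix.so": True},
        "fingerprint only": {"pam_finger.so": True},
        "both": {"pam_unix.so": True, "pam_finger.so": True},
        "neither": {},
    }
    for name, scenario in scenarios.items():
        print(f"{name:17s} convenience={evaluate(CONVENIENCE_STACK, scenario)!s:5s} "
              f"layered={evaluate(LAYERED_STACK, scenario)}")
```

The convenience stack is what makes the laptop easier to unlock, and it is also the one where a fingerprint match on its own is enough to get in; the layered stack turns the scanner into a second factor on top of the password, which is the two-out-of-three arrangement that another comment in this thread describes. Note the trailing pam_deny.so in the sufficient-based stacks: without it, a stack whose sufficient modules all fail would end with no verdict at all.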

  12. Here's a guy that won't be using it! by Jonti · · Score: 3, Informative
    Mr Kumaran, a Malaysian accountant, had a Mercedes protected by biometric fingerprint recognition. He still lost his car to thieves, tho' -- and the end of his finger as well. You can read about the, uhh, downside, to finger-print recognition here.

    OK, so the Merc was worth USD 75,000 to the thieves, a little more than a laptop. But if a dead finger works, a plastic replica would work as well. Before using a system like this, it may be worth considering the value that the data on a laptop might have to unscrupulous rivals ... Is it worth this kind of horror to protect the laptop itself? There are easier and better ways to protect *data*.

  13. Password renewal by CaxDot · · Score: 3, Interesting

    How on earth do I change my login data once it has been compromised? How do I randomly regrow a new fingerprint? Or retina?

  14. Wouldn't a password be better? by EMIce · · Score: 2, Insightful
  15. Re:To answer the question: No. by VE3MTM · · Score: 2, Informative

    My boss has one of those Microsoft keyboards with the fingerprint scanner. It does not work for Windows logins, only for things like passwords on webpages.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 Whoops, silly middle mouse button...
  16. Re:Ipaqs by Antique+Geekmeister · · Score: 2, Informative

    It's about the same as the state for speech recognition elsewhere. The systems use way too little data to actually analyze and get at best a 95% or so recognition of the actual user, and the sensor acuity to defeat even the fake gelatin fingers (Google keyword: gummi fingers) is simply not there, since with a fake finger made from a fingerprint lifted from elsewhere the class that did the Gummi fingers still got better than 80% recognition.

    Basically, the ability to detect a fake fingerprint with a casual test has never existed. The sensors just aren't good enough, even if the software authors were willing to invest the resources to store really thorough images of fingerprints, which they're not.

  17. How it works on Windows XP by brunogirin · · Score: 2, Insightful
    I currently have a T42 on my desk running Windows XP and I set up the fingerprint authentication. It took about 5 minutes. Here's how it works:

    When configuring the system, you provide original prints from any number of your fingers. It suggests you provide 2 of them. Then, you just have to slowly pass any of the fingers on the sensor for it to authenticate you. So for instance, you could make sure you have an electronic print of your right index finger and of your left ring finger. I suppose the redundancy is meant to make sure you have a back-up the day you nicked you finger doing DIY during the week-end.

    If you want to change the print (the same way as you would change password), you just remove some existing prints from the authentication DB and replace them with new ones. Then you just have to remember what finger to use this week.

    Finally, there is always the solution to press CTRL-ALT-DEL to get a normal password prompt.

    So, all in all, the way it is implemented in Windows is not as a substitute to the standard password authentication but as an extension that makes it easier for you, the owner of the machine, to log in but not more difficult for a third party to do so.

    I quite like the way it's implemented on Windows but it would be nice if its use could be extended to provide digital signatures and authentication to other systems, such as a Firefox plug-in.

    I forgot to mention: the Windows XP implementation doesn't come out of the box. It's an IBM extension that is provided with the T42.

  18. Re:Use of finger-prints !=security by hacker · · Score: 3, Informative
    "I wish companies and .gov would stop pushing biometrics as the end-all solution to password & user security.

    [...]

    The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!"

    Unfortunately, fingerprint authentication does NOT satisfy government requirements (not to mention the inherent insecurity should you ever be prosecuted).

    CFR 21 part 11 (Code of Federal Regulations governing electronic signatures) mandates that you have to have at least 2 out of 3 things to be said to have securely authenticated:

    1. Something you HAVE (card key, key fob, etc.)
    2. Something you ARE (biometric, iris, fingerprint)
    3. Something you KNOW (password, passphrase, etc.)

    If any system is compromised, and 2 out of the 3 above are used, then there is a conspiracy (like you gave your keycard and password to someone else).

    The issue about security when prosecuted, is that your physical body (fingerprints as well) are subject to "search and seizure" if you are ever arrested (even if 100% innocent). There was a case that went to the Supreme Court (which I can't recall the name of) where a man argued that his fingerprints were "property", and until he waived his rights to his property, he could not be fingerprinted. I'm not sure how that turned out though.

    Basically if you're arrested and they fingerprint you, they could just as easily scan in your fingerprints electronically and "replay" those back later to gain access to your biometric laptop or other devices.

    Best to use 2 out of the 3 (or 3 out of the 3) above, so they can't gain access to your protected data without your approval or consent.

  19. Re:Ipaqs by hacker · · Score: 2, Informative
    "Basically, the ability to detect a fake fingerprint with a casual test has never existed. The sensors just aren't good enough, even if the software authors were willing to invest the resources to store really thorough images of fingerprints, which they're not."

    The FingerChip(tm) has been doing exactly this since about 1998 or earlier (that's 7+ years). The FingerChip is about 1mm x 8mm in size (about 1/2" long, about the width of a wooden matchstick). I think the company sold its technology to someone else now over the years, but lots of companies are using it... including IBM.

    I was investigating their scanners back in 1998 when I was doing biometric authentication on wireless tablets running Citrix Metaframe for $BIG_PHARMA. This was back in 1998!! Technology has, of course, improved considerably since then.

    Basically you swipe your finger across the FingerChip and at least 52 separate datapoints are gathered, which include speed of the swipe, pressure, heat, and of course the standard whorls and swirls of your fingerprint itself. We tried using lifting techniques and other things on it (as did the manufacturer), and it was simply not possible.

    It is similar to trying to forge a signature. Sure you can forge it so the end result looks identical, but did you press your pen with the same pressure? Did you dot your "I" before you finished the word, or after? Did you cross your "T" from left to right, or right to left?

    Any biometric scanner that doesn't measure these kinds of things shouldn't be used.

    Incidentally, we tried lots of different kinds of scanners, including voice. The voice biometric scanners had about a 90% failure rate in our tests. I could log in as my colleague, just by repeating his exact intonation and speed... I could not, of course, imitate his fingerprint.

  20. Digital Persona Support by sonixtwo · · Score: 2, Interesting

    I have had a Digital Persona Biometric Fingerprint scanner that I have been trying to get working for ages now. It works great in Windows, but I haven't yet found a program to get it to actually perform in Linux. It is USB, and does get identified by hotplug. Digital Persona does provide an SDK for their devices. My opinion is Biometric authentication will be a pretty regular standard in the future.

  21. use the foot luke by sgt+scrub · · Score: 2, Insightful

    Am I the only one thinking outside of the shoe? We leave fingerprints all over the place -- drinking glass, doorknobs, eyeglasses. When they create a device that you can stick your foot in for authentication.

    ewe sorry, this is going in the wrong direction.

    --
    Having to work for a living is the root of all evil.
  22. Biometrics are not as secure as most think! by markdj · · Score: 2, Insightful

    Those who think biometrics are better than password systems, ought to think twice. While passwords can be changed when compromised, biometrics cannot.

    There is a scene in a James Bond movie where JB uses a glass eyeball that has someone's retina pattern in it to gain access to a secure building. Also, all biometrics must be converted to some digital pattern. How long will it be before some malicious person gets these digital patterns and figures out how to plug them into the software that authenticates the biometrics thereby bypassing the reader?

    Once compromised, you can't change your fingerprint or retina!

  23. re: "the day you nicked you finger doing DIY" by TheLoneGundam · · Score: 2, Funny

    "You know, you've gotta watch it with those circular saws," Tom said off-handedly.