Slashdot Mirror


Fingerprint Recognition with Linux & IBM's T42

Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"

15 of 156 comments

  1. Ahem, PAM by nokilli · · Score: 5, Interesting

    I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?

    They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.

    Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?

    The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.

    I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.

    This is a really tricky problem.

    I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.

    Why can't that go into pam_finger.so?

    1. Re:Ahem, PAM by /ASCII · · Score: 5, Insightful
      The reason why making a general purpose API is better than hardcoding for a single use authentication algorithm is that you get:
      • Less lock-in, since when the next generation of PAM killer comes along, the switch will be much easier.
      • Better portability to systems that don't use PAM. QNX, ReactOS, Windows, MacOS: the world is a big place...
      • More uses for the software. Maybe you can use this fingerprinter together with a Firefox plugin to slightly increase the security of your bank transactions?

      If the above reasons are enough to warrant the extra layer of indirection, I do not know. But saying that there are _no_ advantages to making a general purpose API is plainly false. It's a simple tradeoff.
      --
      Try out fish, the friendly interactive shell.
    2. Re:Ahem, PAM by nokilli · · Score: 3, Insightful

      Well, you know, you can even have plaintext passwords stored in world-readable text files you keep in /hack/me/now but why would you use PAM for this?

      The whole point I thought was to create a framework through which it would be impossible to recreate the user's authentication info.

      We do what you're saying and the next thing you know, I have your fingerprint, or even better, I've replaced your fingerprint with mine.

    3. Re:Ahem, PAM by Libor+Vanek · · Score: 4, Informative

      AFAIK not - fingerprint is just "convert black & white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers". In fact a fingerprint "image" is usually a few 10s of bytes!
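
The contrast raised in this sub-thread, as an added example that is not part of any poster's comment or of UPEK's library: an exact one-way hash check works for a password but fails for a re-scanned fingerprint, while a tolerance match on marker positions succeeds. The templates, the salt, the 3-unit tolerance and the centroid normalisation are assumptions constructed for illustration.

```python
import hashlib, hmac, math

SALT = b"constructed-salt"  # constructed sample value

def one_way(data: bytes) -> bytes:
    """Salted one-way hash, standing in for the password hashing the post describes."""
    return hashlib.pbkdf2_hmac("sha256", data, SALT, 10_000)

def hash_verify(stored: bytes, presented: bytes) -> bool:
    """Exact comparison of hashes: any changed input bit makes this fail."""
    return hmac.compare_digest(stored, one_way(presented))

def encode(minutiae) -> bytes:
    """Pack (x, y, kind) markers into bytes, 3 bytes per marker."""
    return bytes(v for m in minutiae for v in m)

def relative(minutiae):
    """Positions relative to the centroid, so a shifted finger still lines up."""
    cx = sum(m[0] for m in minutiae) / len(minutiae)
    cy = sum(m[1] for m in minutiae) / len(minutiae)
    return [(x - cx, y - cy, kind) for x, y, kind in minutiae]

def match_score(enrolled, probe, tol=3.0) -> float:
    """Fraction of enrolled markers with an unused same-kind probe marker within tol.
    Note that the enrolled template must be readable here, not hashed."""
    unused, hits = relative(probe), 0
    for x, y, kind in relative(enrolled):
        near = [p for p in unused
                if p[2] == kind and math.hypot(p[0] - x, p[1] - y) <= tol]
        if near:
            unused.remove(min(near, key=lambda p: math.hypot(p[0] - x, p[1] - y)))
            hits += 1
    return hits / len(enrolled)

# Constructed templates: kind 0 = end of a line, kind 1 = join of two lines.
ENROLLED = [(10, 12, 0), (25, 30, 1), (40, 18, 0), (33, 45, 1), (18, 38, 0)]
SAME_FINGER = [(16, 9, 0), (29, 28, 1), (45, 14, 0), (39, 43, 1), (22, 34, 0)]  # shifted, jittered
OTHER_FINGER = [(12, 40, 1), (30, 10, 0), (44, 44, 0), (20, 22, 1), (36, 28, 1)]

def demo() -> dict:
    return {
        "password_hash_ok": hash_verify(one_way(b"correct horse"), b"correct horse"),
        "fingerprint_hash_ok": hash_verify(one_way(encode(ENROLLED)), encode(SAME_FINGER)),
        "same_finger_score": match_score(ENROLLED, SAME_FINGER),
        "other_finger_score": match_score(ENROLLED, OTHER_FINGER),
    }

if __name__ == "__main__":
    print(demo())
```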

    4. Re:Ahem, PAM by nathanh · · Score: 4, Informative
      "I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?"

      No. For example, the OpenSSH server needs explicit support for GSSAPI to support Kerberos Single Sign On. That could not be done within PAM.

  2. This is great news because... by Linker3000 · · Score: 3, Funny

    Wow, I am really looking forward to giving Linux the finger...er wait..

    --
    AT&ROFLMAO
  3. To answer the question: No. by Keeper · · Score: 3, Informative

    Windows has supported biometric authentication (in addition to smart cards) since Win2k. Hell, they've been selling keyboards with fingerprint scanners built in for almost a year now ...

  4. Finally... by Ranma-sensei · · Score: 3, Insightful

    I think it's great - and time! I really don't like having to remember 20 or so passwords just so that if one of them gets hacked my other data is secure. :(

    --
    Non-supporter of Online Activation and any other draconian DRM
  5. That wouldn't be a first by JohnnyNoSPAM · · Score: 3, Interesting

    Linux frequently supports a lot of hardware out of the box. Some folks argue that there is better hardware support for Windows. And that is true in and of itself. However, how often when installing a Windows operating system do you need a load of driver CDs to accompany the installation? In my experience: always, especially if there is additional hardware such as a printer. Linux, on the other hand, is frequently distributed with drivers for supported hardware out of the box. What's better is that as Linux grows in popularity, so will the hardware support.

  6. Anyone on breaking the biometric authentication? by SpaghettiPattern · · Score: 3, Interesting
    Anyone on breaking the biometric authentication?
    • Chopping off finger.
    • Finger print out or finger skin resembling synthetic material.
    • Looks easier than guessing passwds.
    • How long before finger print kits appear in my Gmail->spam box?
    --

    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  7. So big brother will run on Linux... by james_gnz · · Score: 3, Interesting

    I am reminded that when I was reading Stallman's The Right To Read (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book), I wondered why it didn't include biometrics. That would have prevented the happy ending.

    Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.

    For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.

  8. *Bah*, fingerprint scanning is yesterday's news... by de+Bois-Guilbert · · Score: 5, Insightful

    ...what I want is retinal scanning!

    I'd imagine the patterns in our eyes are more difficult to duplicate for nefarious purposes than our fingerprints, which (besides the cool factor) would mean increased security... On the other hand, I'd rather have the arch-villain chop off my finger than carve out my eyeball.

  9. Here's a guy that won't be using it! by Jonti · · Score: 3, Informative
    Mr Kumaran, a Malaysian accountant, had a Mercedes protected by biometric fingerprint recognition. He still lost his car to thieves, tho' -- and the end of his finger as well. You can read about the, uhh, downside, to finger-print recognition here.

    OK, so the Merc was worth USD 75,000 to the thieves, a little more than a laptop. But if a dead finger works, a plastic replica would work as well. Before using a system like this, it may be worth considering the value that the data on a laptop might have to unscrupulous rivals ... Is it worth this kind of horror to protect the laptop itself? There are easier and better ways to protect *data*.

  10. Password renewal by CaxDot · · Score: 3, Interesting

    How on earth do I change my login data once it has been compromised? How do I randomly regrow a new fingerprint? Or retina?

  11. Re:Use of finger-prints !=security by hacker · · Score: 3, Informative
    "I wish companies and .gov would stop pushing biometrics as the end-all solution to password & user security.

    [...]

    The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!"

    Unfortunately, fingerprint authentication does NOT satisfy government requirements (not to mention the inherent insecurity should you ever be prosecuted).

    CFR 21 part 11 (Code of Federal Regulations governing electronic signatures) mandates that you have to have at least 2 out of 3 things to be said to have securely authenticated:

    1. Something you HAVE (card key, key fob, etc.)
    2. Something you ARE (biometric, iris, fingerprint)
    3. Something you KNOW (password, passphrase, etc.)

    If any system is compromised, and 2 out of the 3 above are used, then there is a conspiracy (like you gave your keycard and password to someone else).

    The issue about security when prosecuted is that your physical body (fingerprints as well) is subject to "search and seizure" if you are ever arrested (even if 100% innocent). There was a case that went to the Supreme Court (which I can't recall the name of) where a man argued that his fingerprints were "property", and until he waived his rights to his property, he could not be fingerprinted. I'm not sure how that turned out though.

    Basically if you're arrested and they fingerprint you, they could just as easily scan in your fingerprints electronically and "replay" those back later to gain access to your biometric laptop or other devices.

    Best to use 2 out of the 3 (or 3 out of the 3) above, so they can't gain access to your protected data without your approval or consent.